Microsoft AZ-700: Design and Implement Azure Firewall

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 6: Design and Implement Azure Firewall

Azure FW is a managed, cloud-based security service protecting VNet resources. Fully stateful FWaaS with built-in HA and unrestricted cloud scalability.

  • Azure Firewall Features
    • Built-in HA
      • HA so no extra load balancers required or configuration needed
    • Unrestricted cloud scalability
      • Azure FW can scale out as much as needed. No need to budget for peak traffic
    • App FQDN filtering rules
      • Limit outbound HTTP/S or Azure SQL traffic to specific list of FQDNs including wildcard
      • Doesn’t require TLS termination
    • Net traffic filtering rules
      • Centrally create allow/deny rules by
        • Source/Dest IP
        • Port
        • Protocol
      • Azure FW is fully stateful
      • Rules enforced and logged across multiple subscriptions and VNets
    • FQDN tags
      • Make it easy to allow well-known Azure service traffic through FW
      • Create an app rule and include Windows Update tag for example
    • Service tags
      • Represents a group of IP address prefixes, minimizing complexity of rule creation
      • Cannot create your own service tag or specify which IP addrs are included in a tag
      • MS manages the prefixes in each tag and auto-updates them as addrs change
    • Threat intelligence
      • Threat intelligence-based filtering (IDPS) possible to alert and deny traffic from/to known malicious IP/Domains
      • IP addrs/domains sourced from the MS Threat Intelligence feed
    • TLS inspection
      • FW can decrypt outbound traffic, process it, re-encrypt it and send to DST
    • Outbound SNAT support
      • All outbound VNet traffic IPs are translated to the Azure FW public IP (Source Network Address Translation (SNAT))
      • Identify and allow traffic originating from the VNet to remote Inet DSTs
    • Inbound DNAT support
      • Inbound Inet traffic to the FW public IP is translated (Destination Network Addr Translation) and filtered to a private IP on the VNet
    • Multiple public IP addrs
      • Associate multiple public IPs (up to 250) with the FW for specific DNAT/SNAT scenarios
    • Azure Monitor Logging
      • All events integrated to Azure Monitor
      • Allows archival of logs to storage account
      • Stream events to Event Hubs
      • Send to Azure Monitor Logs
    • Forced tunneling
      • Configure Azure FW to route all Inet bound traffic to a next hop instead of direct to Inet
      • Example to send to on-prem FW or NVA to process
    • Web categories
      • Allow or deny user access to web site categories
      • Categories included in Azure FW Standard
      • Categories more fine-tuned in Premium Preview
      • Standard matches on FQDN; Premium matches on the entire URL for HTTP or HTTP/S
    • Certs
      • Azure FW is PCI, SOC, ISO, and ICSA Labs compliant
  • Rule processing in Azure Firewall
    • In Azure FW, it is possible to configure NAT rules, network rules and app rules. FW denies all traffic by default until rules are manually configured to allow it
  • Rule processing with classic rules
    • Rule collections are processed according to type in priority order
      • Lower numbers to higher from 100 – 65000
    • A rule collection name may contain only letters, numbers, underscores, periods and hyphens
    • Must begin with a letter or number
    • Must end with a letter, number or underscore
    • Max name – 80 chars
    • Increments of 100 for priority allowing additional rules in between later
  • Rule processing with Firewall Policy
    • In FW Policy, rules are organized inside Rule Collections, which are contained in Rule Collection Groups
    • Rule Collection types
      • DNAT
      • Network
      • Application
    • Define multiple types in single group
    • Can define zero+ rules in a collection
    • Rules in collection MUST be SAME type
    • FW Policy – rules processed on Rule Collection Group Priority
      • Number between 100 (highest) and 65000 (lowest)
      • Highest rule in group processed first
    • Application rules always processed after network rules which are always processed after DNAT rules
  • Deploying and configuring Azure FW
    • Consideration Factors
      • FW lets you centrally create, enforce and log app/network connectivity policies across subscriptions and VNets
      • FW uses a static public IP for VNet resources
      • FW is fully integrated with Azure Monitor for logging/analytics
    • Steps for deployment
      • Create resource group
      • Create VNet and subnets
      • Create workload VM in subnet
      • Deploy FW and Policy to VNet
      • Create default outbound route
      • Configure app rule
      • Configure network rule
      • Configure DNAT rule
      • Test
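
Worked example of the rule-processing notes above (classic rule naming/priority limits and the Firewall Policy order DNAT, then Network, then Application, with default deny). This is added here and is not code from the MS Learn module or this post: a small Python model that validates rule collection names and priorities and evaluates constructed flows against a constructed policy. All class and field names are my own simplification of Firewall Policy, and every address, FQDN and rule below is made up (RFC 5737 documentation ranges).

```python
# Added example (not from MS Learn or the post): a model of Azure Firewall Policy
# rule processing. Only the type order (DNAT -> Network -> Application), the
# 100..65000 priority range and the naming rules come from the notes; the
# classes, field names and sample policy are my own constructed simplification.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Lower number = higher priority. Within a type, collections run in
# (group priority, collection priority) order; types always run in this order.
TYPE_ORDER = {"DNAT": 0, "Network": 1, "Application": 2}
PRIORITY_MIN, PRIORITY_MAX = 100, 65000
# Letters/digits/_/./-, starts with letter or digit, ends with letter/digit/_, max 80 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_.-]{0,78}[A-Za-z0-9_])?$")


@dataclass
class Rule:
    name: str
    sources: List[str]            # CIDRs, or "*"
    destinations: List[str]       # CIDRs (DNAT/Network) or FQDNs, "*." wildcard allowed (Application)
    ports: List[int]
    protocol: str                 # "TCP"/"UDP"/"Any" for DNAT/Network; "HTTP"/"HTTPS" for Application
    translated_address: Optional[str] = None  # DNAT only
    translated_port: Optional[int] = None     # DNAT only


@dataclass
class RuleCollection:
    name: str
    rtype: str          # "DNAT", "Network" or "Application"; all rules in it share this type
    priority: int
    action: str         # "Allow" or "Deny" ("DNAT" for DNAT collections)
    rules: List[Rule]


@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: List[RuleCollection]


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    protocol: str                  # "TCP" or "UDP"
    fqdn: Optional[str] = None     # requested host name, when the firewall can see one


@dataclass
class Decision:
    action: str        # "Allow", "Deny" or "DNAT"
    matched_by: str    # "group/collection/rule", or "default" for the implicit deny
    translated: Optional[str] = None


def validate_name(name: str) -> bool:
    return NAME_RE.match(name) is not None


def validate_priority(priority: int) -> bool:
    return PRIORITY_MIN <= priority <= PRIORITY_MAX


def validate_policy(groups: List[RuleCollectionGroup]) -> List[str]:
    """Return a list of problems; an empty list means the policy is well-formed."""
    problems = []
    for g in groups:
        if not validate_name(g.name) or not validate_priority(g.priority):
            problems.append(f"bad group: {g.name!r} priority {g.priority}")
        for c in g.collections:
            if not validate_name(c.name) or not validate_priority(c.priority) or c.rtype not in TYPE_ORDER:
                problems.append(f"bad collection: {c.name!r} type {c.rtype!r} priority {c.priority}")
    return problems


def _ip_in(ip: str, cidrs: List[str]) -> bool:
    return "*" in cidrs or any(ip_address(ip) in ip_network(c, strict=False) for c in cidrs)


def _fqdn_in(fqdn: str, patterns: List[str]) -> bool:
    # "*.example.com" matches any host under example.com (p[1:] is ".example.com").
    return any(p == "*" or fqdn == p or (p.startswith("*.") and fqdn.endswith(p[1:])) for p in patterns)


def _matches(rtype: str, rule: Rule, flow: Flow) -> bool:
    if not _ip_in(flow.src, rule.sources) or flow.port not in rule.ports:
        return False
    if rtype == "Application":  # HTTP/S over TCP, matched on the requested host name
        return flow.protocol == "TCP" and flow.fqdn is not None and _fqdn_in(flow.fqdn, rule.destinations)
    return rule.protocol in ("Any", flow.protocol) and _ip_in(flow.dst, rule.destinations)


def evaluate(groups: List[RuleCollectionGroup], flow: Flow) -> Decision:
    """First matching rule wins; no match means the firewall's default deny."""
    ordered = sorted(((g, c) for g in groups for c in g.collections),
                     key=lambda gc: (TYPE_ORDER[gc[1].rtype], gc[0].priority, gc[1].priority))
    for group, coll in ordered:
        for rule in coll.rules:
            if _matches(coll.rtype, rule, flow):
                where = f"{group.name}/{coll.name}/{rule.name}"
                if coll.rtype == "DNAT":
                    return Decision("DNAT", where, f"{rule.translated_address}:{rule.translated_port}")
                return Decision(coll.action, where)
    return Decision("Deny", "default")


# Constructed policy: 203.0.113.10 stands in for the FW public IP, 10.0.2.0/24 for the
# workload subnet, 198.51.100.0/24 and 192.0.2.0/24 for Internet hosts.
SAMPLE_POLICY = [
    RuleCollectionGroup("rcg-default", 200, [
        RuleCollection("dnat-rdp", "DNAT", 100, "DNAT",
                       [Rule("rdp-to-workload", ["*"], ["203.0.113.10/32"], [3389], "TCP", "10.0.2.4", 3389)]),
        RuleCollection("net-rules", "Network", 200, "Allow",
                       [Rule("allow-dns", ["10.0.2.0/24"], ["198.51.100.53/32"], [53], "UDP")]),
        RuleCollection("app-rules", "Application", 300, "Allow",
                       [Rule("allow-example", ["10.0.2.0/24"], ["*.example.com"], [443], "HTTPS")]),
    ]),
    # Lowest possible group priority, yet its Network deny still runs before any Application allow.
    RuleCollectionGroup("rcg-overrides", 65000, [
        RuleCollection("net-deny", "Network", 100, "Deny",
                       [Rule("deny-blocked-range", ["10.0.2.0/24"], ["192.0.2.0/24"], [443], "TCP")]),
    ]),
]


def demo() -> List[Decision]:
    flows = [
        Flow("198.51.100.5", "203.0.113.10", 3389, "TCP"),                # inbound RDP -> DNAT
        Flow("10.0.2.4", "198.51.100.53", 53, "UDP"),                     # outbound DNS -> network Allow
        Flow("10.0.2.4", "198.51.100.80", 443, "TCP", "www.example.com"), # HTTPS -> application Allow
        Flow("10.0.2.4", "192.0.2.7", 443, "TCP", "api.example.com"),     # HTTPS -> network Deny wins
        Flow("10.0.2.4", "198.51.100.80", 22, "TCP"),                     # SSH -> default Deny
    ]
    return [evaluate(SAMPLE_POLICY, f) for f in flows]


if __name__ == "__main__":
    assert validate_policy(SAMPLE_POLICY) == []
    for d in demo():
        print(d.action, d.matched_by, d.translated or "")
```

The fourth flow is the one worth studying for the exam: the deny lives in a group with priority 65000, the lowest there is, but because it is a network rule it is still evaluated before the application allow in the priority-200 group, so the request is denied. Putting an allow in a higher-priority group does not help when the allow is of a type that runs later.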
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-design-and-implement-azure-firewall/
