Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 6: Design and Implement Azure Firewall
Azure FW is a managed, cloud-based network security service protecting VNet resources. Fully stateful FWaaS with built-in HA and unrestricted cloud scalability.
- Azure Firewall Features
- Built-in HA
- HA so no extra load balancers required or configuration needed
- Unrestricted cloud scalability
- Azure FW can scale out as much as needed. No need to budget for peak traffic
- App FQDN filtering rules
- Limit outbound HTTP/S or Azure SQL traffic to a specified list of FQDNs, including wildcard FQDNs
- Does not require TLS termination (HTTPS is matched on the TLS SNI, so the firewall does not need to decrypt)
- Net traffic filtering rules
- Centrally create allow/deny rules by
- Source/Dest IP
- Port
- Protocol
- Azure FW is fully stateful
- Rules enforced and logged across multiple subscriptions and VNets
- FQDN tags
- Make it easy to allow well-known Azure service traffic through FW
- e.g. create an application rule that includes the Windows Update tag
- Service tags
- A service tag represents a group of IP address prefixes, minimizing complexity in network rule creation
- You cannot create your own service tag or choose which IP addresses are included in a tag
- MS manages the prefixes behind each tag and auto-updates them as addresses change
- Threat intelligence
- Threat intelligence-based filtering can alert on and deny traffic to/from known malicious IPs and domains (this is separate from the Premium IDPS signature engine)
- IPs/domains are sourced from the Microsoft Threat Intelligence feed
- TLS inspection
- FW (Premium) can decrypt outbound traffic, inspect it, re-encrypt it and send it on to the destination
- Outbound SNAT support
- All outbound VNet traffic IPs are translated to the Azure FW public IP (Source Network Address Translation, SNAT)
- Caveat: by default the firewall does not SNAT to destinations in the private (RFC 1918) ranges, so on-prem/peered destinations see the original source IP
- Remote Internet destinations see the firewall's public IP, so they can identify and allow traffic originating from the VNet
- Inbound DNAT support
- Inbound Internet traffic to the FW public IP is translated (Destination Network Address Translation, DNAT) and filtered to a private IP on the VNet
- Multiple public IP addrs
- Associate multiple (up to 250) with FW for specific DNAT/SNAT scenarios
- Azure Monitor Logging
- All events integrated to Azure Monitor
- Allows archival of logs to storage account
- Stream events to Event Hubs
- Send to Azure Monitor Logs
- Forced tunneling
- Configure Azure FW to route all Internet-bound traffic to a designated next hop instead of directly to the Internet
- Example: send it to an on-prem FW or NVA for additional processing
- Web categories
- Allow or deny user access to web site categories
- Allow or deny user access to web site categories (e.g. gambling, social media)
- Categories are included in Azure FW Standard
- Categories are more fine-grained in Premium (Preview at the time of the module)
- Standard matches on FQDN only; Premium matches on the entire URL for HTTP and HTTPS (HTTPS URL matching needs TLS inspection)
- Certifications
- Azure FW is PCI, SOC, ISO and ICSA Labs compliant
- Rule processing in Azure Firewall
- In Azure FW you can configure NAT rules, network rules and application rules. The firewall denies all traffic by default; only traffic explicitly allowed by a rule passes
- Rule processing with classic rules
- Rule collections are processed according to type in priority order
- Lower numbers (higher priority) to higher numbers, from 100 to 65000
- A rule collection name may contain only letters, numbers, underscores, periods and hyphens
- Must begin with a letter or number
- Must end with a letter, number or underscore
- Max name length: 80 chars
- Use priority increments of 100 (100, 200, 300, ...) so additional collections can be inserted in between later
- Network rule collections are processed before application rule collections; the first matching rule is terminal
- Rule processing with Firewall Policy
- In a Firewall Policy, rules are organized inside Rule Collections, which are contained in Rule Collection Groups
- Rule Collection types
- DNAT
- Network
- Application
- Define multiple types in single group
- Can define zero+ rules in a collection
- Rules in collection MUST be SAME type
- FW Policy – rules processed on Rule Collection Group Priority
- Number between 100 (highest) and 65000 (lowest)
- Groups with the highest priority (lowest number) are processed first; within a group, collections are processed by their own priority
- Application rules always processed after network rules which are always processed after DNAT rules
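An added example (not from the module or any Microsoft code) that models the ordering described above and the default deny from the classic-rules notes in PowerShell: group and collection priorities are honoured, but DNAT, Network and Application collections are always evaluated in that order across all groups, so a Deny in a lower-priority network collection still beats an Allow in a higher-priority application collection. Every name, IP and FQDN below is made-up sample data.

```powershell
# Added example, not from the MS Learn module: a small simulator of the Firewall Policy
# processing order described in the notes. Names, IPs and FQDNs are made up.

function New-Rule {
    param(
        [string]$Name, [string]$Src = '*', [string]$Dst = '*', [int]$Port = 0,
        [string]$Proto = '*', [string]$Fqdn = '', [string]$Translated = ''
    )
    [pscustomobject]@{ Name = $Name; Src = $Src; Dst = $Dst; Port = $Port
                       Proto = $Proto; Fqdn = $Fqdn; Translated = $Translated }
}

function New-Collection {
    param(
        [string]$Name,
        [ValidateSet('DNAT', 'Network', 'Application')][string]$Type,
        [ValidateRange(100, 65000)][int]$Priority,          # 100 = highest priority
        [ValidateSet('Allow', 'Deny', 'Dnat')][string]$Action,
        [object[]]$Rules                                     # all rules in a collection share one type
    )
    [pscustomobject]@{ Name = $Name; Type = $Type; Priority = $Priority; Action = $Action; Rules = $Rules }
}

function New-Group {
    param([string]$Name, [ValidateRange(100, 65000)][int]$Priority, [object[]]$Collections)
    [pscustomobject]@{ Name = $Name; Priority = $Priority; Collections = $Collections }
}

function Test-RuleMatch {
    param($Rule, [hashtable]$Flow, [string]$Type)
    if ($Rule.Src -ne '*' -and $Rule.Src -ne $Flow.Src) { return $false }
    if ($Rule.Port -ne 0 -and $Rule.Port -ne $Flow.Port) { return $false }
    if ($Type -eq 'Application') {
        # Application rules match on Http/Https and FQDN (SNI/Host), not on destination IP
        if ($Rule.Proto -ne '*' -and $Rule.Proto -ne $Flow.AppProto) { return $false }
        if ($Rule.Fqdn.StartsWith('*.')) { return $Flow.Fqdn.EndsWith($Rule.Fqdn.Substring(1)) }
        return $Rule.Fqdn -eq $Flow.Fqdn
    }
    if ($Rule.Proto -ne '*' -and $Rule.Proto -ne $Flow.Proto) { return $false }
    return ($Rule.Dst -eq '*' -or $Rule.Dst -eq $Flow.Dst)
}

function Resolve-Flow {
    param([object[]]$Groups, [hashtable]$Flow)
    # Type order wins over priority: every DNAT collection in every group is evaluated before
    # any Network collection, and every Network collection before any Application collection.
    foreach ($type in 'DNAT', 'Network', 'Application') {
        $ordered = foreach ($g in ($Groups | Sort-Object Priority)) {
            foreach ($c in ($g.Collections | Where-Object Type -eq $type | Sort-Object Priority)) {
                [pscustomobject]@{ Group = $g.Name; Collection = $c }
            }
        }
        foreach ($entry in $ordered) {
            foreach ($r in $entry.Collection.Rules) {
                if (Test-RuleMatch $r $Flow $type) {
                    $verdict = if ($type -eq 'DNAT') { "DNAT -> $($r.Translated)" } else { $entry.Collection.Action }
                    return "$verdict  [group $($entry.Group) / $($entry.Collection.Name) / $($r.Name)]"
                }
            }
        }
    }
    return 'Deny  [no match: implicit default deny]'
}

# Sample policy: a high-priority group that allows web traffic, and a lower-priority
# platform group holding the DNAT rule and a network-level deny for a known-bad host.
$policy = @(
    New-Group -Name 'web-apps' -Priority 100 -Collections @(
        New-Collection -Name 'allow-web' -Type Application -Priority 100 -Action Allow -Rules @(
            New-Rule -Name 'example-https' -Src '10.0.2.4' -Proto 'Https' -Port 443 -Fqdn '*.example.com'
        )
    )
    New-Group -Name 'platform' -Priority 200 -Collections @(
        New-Collection -Name 'inbound-rdp' -Type DNAT -Priority 100 -Action Dnat -Rules @(
            New-Rule -Name 'rdp-to-workload' -Dst '20.0.0.5' -Port 3389 -Proto 'TCP' -Translated '10.0.2.4:3389'
        )
        New-Collection -Name 'block-bad-host' -Type Network -Priority 200 -Action Deny -Rules @(
            New-Rule -Name 'known-bad' -Dst '203.0.113.10' -Proto 'TCP'
        )
        New-Collection -Name 'allow-dns' -Type Network -Priority 300 -Action Allow -Rules @(
            New-Rule -Name 'dns-out' -Src '10.0.2.4' -Port 53 -Proto 'UDP'
        )
    )
)

# Constructed sample flows (AppProto/Fqdn are empty for non-web traffic)
$flows = @(
    @{ Label = 'inbound RDP to firewall public IP';  Src = '198.51.100.7'; Dst = '20.0.0.5';      Port = 3389; Proto = 'TCP'; AppProto = '';      Fqdn = '' }
    @{ Label = 'outbound HTTPS to www.example.com';  Src = '10.0.2.4';     Dst = '198.51.100.20'; Port = 443;  Proto = 'TCP'; AppProto = 'Https'; Fqdn = 'www.example.com' }
    @{ Label = 'outbound HTTPS to a denied host IP'; Src = '10.0.2.4';     Dst = '203.0.113.10';  Port = 443;  Proto = 'TCP'; AppProto = 'Https'; Fqdn = 'bad.example.com' }
    @{ Label = 'outbound SSH, no matching rule';     Src = '10.0.2.4';     Dst = '198.51.100.7';  Port = 22;   Proto = 'TCP'; AppProto = '';      Fqdn = '' }
)
foreach ($f in $flows) { '{0,-40} => {1}' -f $f.Label, (Resolve-Flow -Groups $policy -Flow $f) }
```

The third flow is the one to remember for the exam: bad.example.com matches the Allow in the priority-100 application collection, but the network Deny in the priority-200 group fires first because network collections are always evaluated before application collections. The last flow shows the implicit default deny when nothing matches.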
- Deploying and configuring Azure FW
- Consideration Factors
- FW centrally create,enforce,log app/network connectivity policies across subscriptions and VNets
- FW uses static, public IP for VNet resources
- FW is fully integrated with Azure Monitor for logging and analytics
- Steps for deployment
- Create resource group
- Create VNet and subnets
- Create workload VM in subnet
- Deploy FW and Policy to VNet
- Create default outbound route
- Configure app rule
- Configure network rule
- Configure DNAT rule
- Test
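The deployment steps above as one Azure PowerShell (Az module) script. This is an added example, not the module's lab script or Microsoft's code: the resource names, the 10.0.0.0/16 address plan, the VM image, the DNS server IPs and the learn.microsoft.com target are assumptions, and Get-Credential prompts interactively for the VM admin credentials.

```powershell
# Added example (not the MS Learn lab script): Az PowerShell version of the deployment steps.
# Names, address ranges, image and the DNS/FQDN targets are assumptions.
$rg       = 'rg-fw-demo'
$location = 'eastus'

# 1. Resource group
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 2. VNet with the mandatory AzureFirewallSubnet (fixed name, /26 minimum) and a workload subnet
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.1.0/26'
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Workload-SN' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-fw-demo' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet, $wlSubnet

# 3. Workload VM with a private IP only: no public IP, so every path in or out goes via the firewall
$cred = Get-Credential -Message 'Local admin for the workload VM'
$nic  = New-AzNetworkInterface -Name 'vm-workload-nic' -ResourceGroupName $rg -Location $location `
            -SubnetId $vnet.Subnets[1].Id -PrivateIpAddress '10.0.2.4'
$vmCfg = New-AzVMConfig -VMName 'vm-workload' -VMSize 'Standard_B2s' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'vm-workload' -Credential $cred |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2022-datacenter-azure-edition' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmCfg | Out-Null

# 4. Firewall Policy plus the firewall itself (Standard SKU public IP is required)
$pip    = New-AzPublicIpAddress -Name 'pip-fw' -ResourceGroupName $rg -Location $location `
              -AllocationMethod Static -Sku Standard
$policy = New-AzFirewallPolicy -Name 'fwpol-demo' -ResourceGroupName $rg -Location $location
$fw     = New-AzFirewall -Name 'fw-demo' -ResourceGroupName $rg -Location $location `
              -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $policy.Id
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$fwPublicIp  = $pip.IpAddress

# 5. Default route: Workload-SN's Internet-bound traffic goes to the firewall's private IP
$rt = New-AzRouteTable -Name 'rt-workload' -ResourceGroupName $rg -Location $location -DisableBgpRoutePropagation
Add-AzRouteConfig -Name 'default-via-fw' -RouteTable $rt -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable | Out-Null
$vnet = Get-AzVirtualNetwork -Name 'vnet-fw-demo' -ResourceGroupName $rg   # refresh after the firewall attached
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload-SN' -AddressPrefix '10.0.2.0/24' `
    -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 6. Application rule: allow HTTPS to one FQDN from the workload subnet
$appRule = New-AzFirewallPolicyApplicationRule -Name 'allow-learn' -SourceAddress '10.0.2.0/24' `
               -Protocol 'https:443' -TargetFqdn 'learn.microsoft.com'
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name 'app-allow' -Priority 300 -Rule $appRule -ActionType Allow

# 7. Network rule: allow outbound DNS (FQDN rules need name resolution to work)
$netRule = New-AzFirewallPolicyNetworkRule -Name 'allow-dns' -SourceAddress '10.0.2.0/24' `
               -DestinationAddress '209.244.0.3', '209.244.0.4' -DestinationPort 53 -Protocol UDP
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name 'net-allow' -Priority 200 -Rule $netRule -ActionType Allow

# 8. DNAT rule: RDP to the firewall public IP lands on the workload VM
$natRule = New-AzFirewallPolicyNatRule -Name 'rdp-to-workload' -Protocol TCP -SourceAddress '*' `
               -DestinationAddress $fwPublicIp -DestinationPort 3389 -TranslatedAddress '10.0.2.4' -TranslatedPort 3389
$natColl = New-AzFirewallPolicyNatRuleCollection -Name 'dnat-rdp' -Priority 100 -Rule $natRule -ActionType Dnat

# One group may hold all three collection types; each collection still holds rules of one type only
New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-demo' -Priority 200 `
    -RuleCollection $natColl, $netColl, $appColl -FirewallPolicyObject $policy | Out-Null

# 9. Test: RDP to $fwPublicIp:3389 should reach the VM; from the VM, https://learn.microsoft.com
#    should load while any other site is blocked by the implicit default deny.
"Firewall public IP: $fwPublicIp  private IP: $fwPrivateIp"
```

Two things to check before running: the firewall subnet must be named exactly AzureFirewallSubnet and be at least a /26, and the workload VM deliberately has no public IP, so its only way to the Internet is the 0.0.0.0/0 route through the firewall; if the route table is not associated with Workload-SN, outbound traffic bypasses the firewall entirely.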