Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 8: Secure Your Networks with Azure Firewall Manager
Azure FW Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
Azure FW Manager simplifies centrally defining network- and app-level rules for traffic filtering across multiple Azure FWs. These can span different Azure regions and subscriptions in hub/spoke architectures for governance and protection.
If managing multiple FWs, it can be difficult to keep them in sync. Central IT needs a way to define base FW policies and enforce them across multiple biz units. Also, DevOps teams want to create local derived FW policies implemented across the org. Azure FW Manager can help solve these problems.
- FW Manager can provide sec mgmt for 2 network arch types
    - Secured Virtual Hub
        - Name given to any Azure Virtual WAN Hub with associated security and routing policies
        - Azure Virtual WAN Hub is an MS-managed resource to easily create hub/spoke archs
    - Hub Virtual Network
        - Name given to any standard Azure VNet with associated security policies
        - Standard VNet is a resource created and managed yourself
        - Can peer spoke VNets that contain workload servers/services
        - Also manage FWs in standalone VNets that aren't peered to a spoke
- Azure FW Manager features
    - Key Features
        - Central Azure FW deployment and config
            - Centrally deploy/configure multiple FW instances even if they span regions and subscriptions
        - Hierarchical policies (global/local)
            - Use Azure FW Manager to centrally manage FW policies across multiple secured virtual hubs
            - Central IT teams can write global FW policies to enforce org FW policy across teams
            - Locally authored FW policies allow a DevOps self-service model
        - Integrated with third-party security-as-a-service for advanced security
            - In addition to Azure FW, third-party providers can integrate to provide extra protection for VNet and branch Internet connections
            - Only available with secured virtual hub deployments
        - Centralized route management
            - Easily route traffic to the secured hub for filtering/logging without needing User Defined Routes on spoke VNets
            - Available only with secured virtual hub deployments
        - Region availability
            - Use Azure FW Policies across regions
        - DDoS protection plan
            - Associate VNets with a DDoS protection plan within FW Manager
        - Manage Web App Firewall policies
            - Centrally create/associate WAF policies for app delivery platforms including Front Door and App Gateway
- Azure Firewall Manager Policies
    - FW policy is an Azure resource that contains
        - NAT rule collections
        - Network rule collections
        - App rule collections
        - Threat Intelligence settings
    - Global resource that can be used over multiple FW instances in Secured Virtual Hubs and Hub VNets
    - New policies can be created from scratch or inherited
        - Inheritance allows DevOps to create local FW policies on top of an org-mandated base policy
    - Work across regions and subscriptions
    - Create FW Policy and associations using FW Manager
        - Can also create/manage policy using
            - REST API
            - Templates
            - Azure PowerShell
            - Azure CLI
    - Once created, can associate with a FW in a Virtual WAN Hub, making it a Secured Virtual Hub
        - And/or associate with a FW in a standard VNet, making it a Hub Virtual Network
- Deploying Azure FW Manager for Hub Virtual Networks
    - Recommended Process
        - Create FW Policy
            - Create new
            - Derive from a base policy and customize a local policy
            - Import rules from an existing FW (ensure NAT rules are removed from policies applied across multiple FWs)
        - Create hub & spoke architecture
            - Create Hub Virtual Network using FW Manager and peer spoke VNets to it
            - Or create a VNet and peer spoke VNets to it using VNet peering
        - Select security providers and associate FW Policy
            - Currently, Azure FW is the only supported provider
        - Create a Hub VNet or convert an existing VNet to a Hub Virtual Network
            - Possible to convert multiple VNets
        - Configure User Defined Routes
            - For routing traffic to the Hub VNet FW
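Added example (not code from the MS Learn notes): the policy inheritance described under Azure Firewall Manager Policies and the Hub Virtual Network association from the recommended process above, in Azure PowerShell (Az.Network). Resource group, names, address ranges and the pre-existing hub VNet/public IP are assumptions; the UDR step is not shown.

```powershell
# Added example, not code from the MS Learn notes: base + derived Firewall Policies and
# the Hub Virtual Network association, using Azure PowerShell (Az.Network module).
# Resource group, names, address ranges and the existing hub VNet/public IP are assumptions.
$rg  = 'rg-network-hub'      # assumed resource group
$loc = 'westeurope'          # assumed region

# 1. Org-mandated base policy authored by central IT; Threat Intelligence set to Deny.
$base = New-AzFirewallPolicy -Name 'fwpol-org-base' -ResourceGroupName $rg `
    -Location $loc -ThreatIntelMode Deny

# 2. One mandatory base rule: deny cleartext Telnet from any source to any destination.
#    Deliberately no NAT rules here, because this policy is shared by several firewalls.
$denyTelnet = New-AzFirewallPolicyNetworkRule -Name 'deny-tcp-23' -Protocol TCP `
    -SourceAddress '*' -DestinationAddress '*' -DestinationPort '23'
$orgColl = New-AzFirewallPolicyFilterRuleCollection -Name 'org-deny' -Priority 100 `
    -Rule $denyTelnet -ActionType Deny
New-AzFirewallPolicyRuleCollectionGroup -Name 'org-rcg' -Priority 200 `
    -RuleCollection $orgColl -FirewallPolicyObject $base

# 3. Local policy a DevOps team derives from the base (inheritance via -BasePolicy).
$local = New-AzFirewallPolicy -Name 'fwpol-team-payments' -ResourceGroupName $rg `
    -Location $loc -BasePolicy $base.Id

# 4. Local allow rule for the team's spoke (assumed 10.1.0.0/16). Inherited base
#    rules are evaluated before local ones, so this cannot override the org Telnet deny.
$allowHttps = New-AzFirewallPolicyNetworkRule -Name 'allow-https' -Protocol TCP `
    -SourceAddress '10.1.0.0/16' -DestinationAddress '*' -DestinationPort '443'
$teamColl = New-AzFirewallPolicyFilterRuleCollection -Name 'team-allow' -Priority 100 `
    -Rule $allowHttps -ActionType Allow
New-AzFirewallPolicyRuleCollectionGroup -Name 'team-rcg' -Priority 300 `
    -RuleCollection $teamColl -FirewallPolicyObject $local

# 5. Deploy Azure FW into the existing hub VNet (must contain AzureFirewallSubnet)
#    with the local policy attached; this makes the VNet a Hub Virtual Network.
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$pip  = Get-AzPublicIpAddress -Name 'pip-azfw-hub' -ResourceGroupName $rg
New-AzFirewall -Name 'azfw-hub' -ResourceGroupName $rg -Location $loc `
    -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $local.Id
```

Spoke VNets still need a UDR (0.0.0.0/0 to the firewall's private IP) before their traffic is actually filtered by this policy.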
- Deploying Azure FW Manager for Secured Virtual Hubs
    - Recommended Process
        - Create hub/spoke architecture
            - Create Secured Virtual Hub using FW Manager and add VNet connections
            - Or create a Virtual WAN Hub and add VNet connections
        - Select security providers
            - Done while creating a Secured Virtual Hub
            - Or when converting an existing Virtual WAN Hub to a Secured Virtual Hub
        - Create FW policy and associate it with the hub
            - Only applicable if using Azure FW
            - Third-party security-as-a-service policies are configured via the partner's management experience
        - Configure route settings to route traffic to the Secured Virtual Hub
            - Route to the secured hub for filtering/logging without User Defined Routes on spoke VNets, using the Secured Virtual Hub Route Settings page