Customer Presentation AZFW and AZFM NDA
Azure Firewall & Azure Firewall Manager

Azure networking services

DDoS Protection
Virtual Network
Azure WAF
Virtual WAN
Azure Firewall
ExpressRoute
Azure Firewall Manager
VPN
Network Security Groups
DNS
Service Endpoints/Private Link
CDN
Network Watcher
Front Door
ExpressRoute Monitor
Traffic Manager
Azure Monitor
Application Gateway
Virtual Network TAP
Load Balancer

©Microsoft Corporation Azure


Protection services enabling zero trust

Application protection
• DDoS protection: DDoS protection tuned to your application traffic patterns
• Web Application Firewall: centralized inbound web application protection from common exploits and vulnerabilities
• Azure Firewall: advanced network and application threat protection for Azure cloud infrastructure

Segmentation
• Network Security Groups: distributed inbound and outbound network (L3-L4) traffic filtering on VM, container or subnet
• VNET integration: restrict access to Azure service resources (PaaS) to only your virtual network using VNET injection, Private Link and Service Endpoints
Azure Firewall
Cloud native stateful Firewall as a service

• User configuration: L3-L7 connectivity policies
• Microsoft Threat Intelligence: known malicious IPs and FQDNs
• A first among public cloud providers

Central governance of all traffic flows
• Built-in high availability and auto scale
• Network and application traffic filtering
• Centralized policy across VNets and subscriptions

Complete VNET protection
• Filter outbound, inbound, spoke-to-spoke and hybrid connection traffic (VPN and ExpressRoute)
• Traffic is denied by default

Centralized logging
• Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice

Best for Azure
• DevOps integration, integration with Sentinel and ASC (Azure Security Center), FQDN Tags, Service Tags, integration with ASE (App Service Environment), Backup and other Azure services

[Diagram: hub-and-spoke topology. Azure Firewall in the central VNet applies threat intel, NAT, network and application filtering rules to inbound/outbound traffic, Spoke 1 to Spoke 2 traffic, and Azure-to-on-premises traffic; traffic is denied by default.]
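As an added example, not from the deck or from Microsoft: a Terraform configuration that wires one Azure Firewall into two of the logging destinations the slide lists, Log Analytics and an Event Hub for the SIEM (a storage-account archive is added the same way with `storage_account_id`). It assumes the azurerm provider 3.x and takes the firewall, workspace and Event Hub IDs as variables with hypothetical names. It enables the resource-specific (structured) `AZFW*` log categories rather than the legacy `AzureFirewallNetworkRule`/`AzureFirewallApplicationRule` ones, which is what gives every log row the policy, rule collection and rule name.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.70" }
  }
}
provider "azurerm" { features {} }

# Assumed inputs (hypothetical names): resources that already exist.
variable "firewall_id"                    { description = "Resource ID of the Azure Firewall" }
variable "log_analytics_workspace_id"     { description = "Workspace that Sentinel / KQL queries read" }
variable "eventhub_authorization_rule_id" { description = "Send-capable rule on the Event Hub namespace" }
variable "eventhub_name"                  { default = "azfw-logs" }

# Structured categories; each lands in its own table (AZFWNetworkRule, AZFWThreatIntel, ...)
# because the destination type below is Dedicated.
locals {
  azfw_log_categories = [
    "AZFWNetworkRule",
    "AZFWApplicationRule",
    "AZFWNatRule",
    "AZFWThreatIntel",
    "AZFWIdpsSignature",
    "AZFWDnsQuery",
    "AZFWFqdnResolveFailure",
  ]
}

# One diagnostic setting fans out to both sinks; add storage_account_id for cold archive.
resource "azurerm_monitor_diagnostic_setting" "azfw" {
  name                           = "diag-azfw-structured"
  target_resource_id             = var.firewall_id
  log_analytics_workspace_id     = var.log_analytics_workspace_id
  log_analytics_destination_type = "Dedicated" # resource-specific tables, not the shared AzureDiagnostics table
  eventhub_authorization_rule_id = var.eventhub_authorization_rule_id
  eventhub_name                  = var.eventhub_name

  dynamic "enabled_log" {
    for_each = toset(local.azfw_log_categories)
    content {
      category = enabled_log.value
    }
  }

  metric {
    category = "AllMetrics"
  }
}
```

Choose `Dedicated` before building Sentinel analytics on top: the column names differ between the shared `AzureDiagnostics` table and the resource-specific tables, so queries written for one do not run against the other.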
Azure Firewall key features

Application rules
• FQDN filtering (HTTP/S, MSSQL)
• FQDN Tags (e.g., Windows Update, Azure Backup, ASE, HDI)
• Default infrastructure rule collection

Network rules
• Fully stateful network rules
• Service Tags

NAT support
• Default Source Network Address Translation (SNAT)
• Destination Network Address Translation (DNAT)

Threat Intel
• Deny and alert on known malicious IPs and domains

Monitoring
• Azure Monitor logging
• Azure Monitor metrics
• Network Watcher

Scale and availability
• Built-in auto scale (30 Gbps) and HA
• Multiple public IPs – up to 250
• Availability Zones (99.99% SLA)

Recently released
• GA: FQDN filtering in network rules (all ports and protocols)
• GA: Custom DNS and DNS Proxy
• GA: Web Categories (based on FQDN)
• GA: Premium SKU


NDA
Standard SKU Q1/Q2 FY22 roadmap (tentative)

Fundamentals:
• Network rule name in logs
• Data path optimization to support 50,000 network rules
• Packet capture
• Logging SYN/ACK packet drops
• Logging top 10 flows
• Additional health metrics: latency

Features:
• SQL FQDN filtering – redirect mode
• Explicit proxy support
• Auto discovery of SNAT private ranges

Backlog for prioritization:
• Learning mode
• IPv6 support
• Explicit SNAT configuration
• Application awareness in rules (i.e., app ID)
Azure Firewall Premium
Cloud native next-generation firewall as a service

TLS Inspection
• Built-in TLS inspection for outbound and east-west traffic
• Inbound TLS termination is supported with Azure Application Gateway
• Customer-provided key pair via Azure Key Vault integration; the key pair is an intermediate CA certificate from which the firewall issues per-site certificates, so every client whose traffic is inspected must trust that CA

Intrusion Detection and Prevention System (IDPS)
• Detect, alert and block inbound/outbound malicious traffic
• Supported for both encrypted and plain-text protocols (encrypted traffic is inspected only where TLS inspection is enabled for it)
• Signature-based detection that is continuously updated

URL Filtering
• Restrict user access to HTTP/HTTPS web content
• Support for URL wildcards

Web Categories
• Allow or deny user access to website categories such as gambling, social media and others
• Web categories maintained and continuously updated
• URL-based category matching

Azure Firewall Standard
• Including all standard firewall capabilities

[Diagram: the same hub-and-spoke topology (Spoke 1, Spoke 2, central VNet, on-premises, Internet) with TLS inspection, IDPS, URL filtering and web categories applied in the central VNet; traffic is denied by default.]
Azure Firewall Premium threat blocked statistics

• Azure Firewall Premium has blocked millions of attempted exploits.
• Our signals show that attackers used malware, phishing and web exploit applications (July 2021).
• The protocols leveraged most often in attacks were HTTP, TCP, and DNS, as they are open to the internet.

[Chart: Top 10 network exploits (July 2021), share of blocked attempts by IDPS signature category on a 0%–45% scale. Categories shown: malware, phishing, web_specific_apps, mobile_malware, coinminer, policy, adware_pup, web_client, tor.]


Get started on Premium

• Set up a Premium SKU lab in minutes: Deploy and configure Azure Firewall Premium | Microsoft Docs
• Migrate to the Premium SKU: Migrate Azure Firewall Standard to Premium using Terraform | Microsoft Docs


NDA
Premium SKU Roadmap
Features:
IDPS exclusion list
URL Filtering based on Threat Intelligence
Packet capture
Data Loss Prevention
Backlogs for prioritization:
Bring your own threat intel
User awareness/authentication



Pricing

Fixed cost
• $1.25/standard firewall/hour
• $1.75/premium firewall/hour

Variable cost
• $0.016/GB processed by the firewall

Most customers save 30%–50% in comparison to NVAs. When comparing with NVAs, consider the full TCO including licensing, multiple VMs and two standard load balancers (traffic + rules charge).

Throughput limit 30 Gbps

Assume at least one firewall per region


Azure Firewall versus Network Virtual Appliances – cost comparison

Cost | Azure Firewall | NVAs
---|---|---
Compute | n/a | Two plus VMs to meet peak requirements
Licensing | $1.25/standard firewall/hour; $1.75/premium firewall/hour | Per NVA vendor billing model
Data processing / load balancing | $0.016/GB processed by the firewall (30%–50% cost saving) | Standard Public Load Balancer: first five rules $0.025/hour, additional rules $0.01/rule/hour, $0.005 per GB processed; Standard Internal Load Balancer: same rates
Ongoing/Maintenance | Included | Customer responsibility
Support | Included in your Azure Support plan | Per NVA vendor billing model


Growing Azure Firewall ecosystem

• Support for partner security policy management tools
• Easy integration for partners using standard Azure REST APIs

[Partner logos, each marked GA]


Feature comparison: Azure Firewall Standard, Azure Firewall Premium, AWS Firewall, NVAs

[Table: per-column support marks were images and did not survive extraction; the textual cell notes that did survive are given in brackets, with the column they belong to where that is unambiguous.]

• Application level FQDN filtering (SNI based) for HTTPS/SQL [note: HTTP/s only]
• Network level FQDN filtering – all ports and protocols
• Stateful firewall (5-tuple rules)
• Network Address Translation (SNAT+DNAT) [AWS Firewall: NAT GW]
• Threat intelligence-based filtering (known malicious IP addresses/domains)
• Web content filtering (web categories)
• DNS Proxy + Custom DNS [NVAs: vendor dependent]
• Full logging including SIEM integration
• Built-in HA with unrestricted cloud scalability (auto scale as traffic grows)
• Availability zones [note: firewall per AZ]
• Service Tags and FQDN Tags for easy policy management
• Cloud service model with integrated monitoring and management
• Easy DevOps integration using REST/PS/CLI/Templates [note: templates]
• Central management
• Inbound TLS termination (TLS reverse proxy) [Azure Firewall: using App GW] [AWS Firewall: using ALB]
• Outbound TLS termination (TLS forward proxy)
• Fully managed IDPS [note: BYO signatures]
• URL filtering (full path, incl. SSL termination)
• Application and user aware traffic filtering rules [Firewall Premium: roadmap]
• IPSEC and SSL VPN gateway [Firewall Standard: VPN Gateway] [Firewall Premium: VPN Gateway] [AWS Firewall: Transit Gateway]
• Advanced Next Generation Firewall features (e.g. DLP) [Firewall Premium: roadmap] [NVAs: vendor dependent]
Azure Firewall vs. NVAs – Value proposition summary
• Protection against sophisticated attacks like Phishing, Malware & Trojans using Azure Firewall Premium

• Deploy in minutes: Azure Firewall is auto scalable and highly available

• SaaS service with 99.99% availability: Zero maintenance - service model

• Azure specialization: Service Tags and FQDN tags

• Best for Azure: Ideal fit for DevOps integration – Support for Terraform, ARM templates, CLI, PS, REST APIs

• Significant cost saving for most customers

• Centralized management using Firewall Manager – Configure multiple Firewalls simultaneously

• Sentinel Integration for monitoring and playbook support



Azure Firewall Manager
Enterprise challenges: complex network architecture and a constantly changing threat environment

• Need complete visibility into the network: centralized management and administration
• Enforcing consistent security policies across multiple firewalls: simplify rule management across multiple firewalls
• Compliance using a zero-trust security model: networks are automatically secured and protected
• Rapidly push firewall protection policy to respond to new threats: respond to internet attacks


Azure Firewall Manager overview

Centralized firewall management and administration
• Create policy and apply across multiple firewalls
• Supports DevOps model: hierarchical policy and governance
• Works across regions, subscriptions and deployments

Supports two deployment architectures
• Hub Virtual Network: a standard Azure virtual network with security (and, in future, routing) policies
• Secured Virtual Hub: an Azure Virtual WAN hub with security and routing policies

Roadmap
• Extend support to additional cloud native network security services


Azure Firewall Manager key features

Hub Virtual Networks
• Brings centralized firewall management to VNETs
• Secure existing hub-and-spoke VNET deployments seamlessly
• Update configuration across multiple firewall instances

Secured Virtual Hub
• Centralized security for Virtual WAN hubs
• Automated routing: secures V2I, B2I, V2V and B2V (VNet/branch to Internet, VNet to VNet, branch to VNet) with just a few clicks
• Advanced security with third-party SECaaS partners

[Diagram: a global admin authors the global policy and a local admin the local policy in Azure Firewall Manager; Azure region 1 through region N each host either a Hub VNET with Azure Firewall or a Secured vHub (Virtual WAN with Azure Firewall), connected to HQ/branch, end-user devices and the datacenter over ExpressRoute/VPN.]
Hub Virtual Networks vs. Secured Virtual Hubs

 | Hub Virtual Network | Secured Virtual Hub
---|---|---
Underlying resource | Virtual network | Virtual WAN hub
Hub & spoke | Using virtual network peering | Automated using hub virtual network connection
On-prem connectivity | VPN Gateway up to 10 Gbps and 30 S2S connections; ExpressRoute | More scalable VPN Gateway up to 20 Gbps and 1000 S2S connections; ExpressRoute
Automated branch connectivity using SD-WAN | Not supported | Supported
Hubs per region | Multiple virtual networks per region | Single virtual hub per region; multiple hubs possible with multiple Virtual WANs
Azure Firewall – multiple public IP addresses | Customer provided | Auto generated
Azure Firewall Availability Zones | Supported | Not available
Advanced internet security with 3rd-party Security as a Service partners | Customer established and managed VPN connectivity to partner service of choice | Automated via Security Partner Provider flow and partner management experience
Centralized route management to attract traffic to the hub | Customer managed UDR (roadmap: UDR default route automation for spokes) | Supported using BGP
Multiple security provider support | Not supported | Supports two security providers: Azure Firewall for east-west traffic filtering and 3P for north-south internet filtering
Web Application Firewall on Application Gateway | Supported in virtual network | Roadmap; can be used in spoke
Network Virtual Appliance | Supported in virtual network | Roadmap; can be used in spoke


Central security and policy management

• Deploy and configure multiple Azure Firewall instances: span different Azure regions and subscriptions from a single pane of glass
• Enforce consistent configuration across Azure Firewall: manage Network Address Translation (NAT), network and application rule collections, as well as threat intelligence and DNS settings
• DevOps-optimized hierarchical Azure Firewall policies: global firewall policies authored by central IT, with locally derived firewall policies for DevOps self-service and better agility
• Manage Azure Firewall Policy independently of Azure Firewall: Azure Firewall Policy is a top-level resource with independent access control and activity tracking

[Diagram: a global admin authors policy in Azure Firewall Manager and local admins derive local policies; Prod hub: global policy; Staging hub: global policy; Dev hub: global policy + local policy. Each hub (secured vHub or hub VNet) fronts several VNets.]
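As an added example, not code from the deck or from Microsoft: a Terraform definition of the hierarchy this slide describes, using the rule types listed on the Azure Firewall key features slide (application rules with FQDN tags and FQDNs, network rules with a service tag, DNAT, threat intel, DNS proxy). It assumes an azurerm 3.x provider already configured, an already deployed hub with a firewall public IP passed in as a variable, and hypothetical names and ranges (`fwpol-global`, `rcg-dev-apps`, 10.0.0.0/8, 10.10.0.0/16, the 203.0.113.0/24 corporate range, the 10.10.1.4 jump box). The firewall itself is bound to the child policy by setting `firewall_policy_id` on the `azurerm_firewall` resource to `azurerm_firewall_policy.dev.id`; that resource is omitted here.

```hcl
variable "resource_group_name" { default = "rg-hub-security" } # hypothetical
variable "location"            { default = "westeurope" }
variable "firewall_public_ip"  { description = "Public IP of the dev hub firewall (assumed deployed)" }

# Global (parent) policy authored by central IT; settings and rule collection
# groups here are inherited by every child policy that references it.
resource "azurerm_firewall_policy" "global" {
  name                     = "fwpol-global"
  resource_group_name      = var.resource_group_name
  location                 = var.location
  sku                      = "Premium"
  threat_intelligence_mode = "Deny"      # default is Alert; Deny drops known-bad IPs/FQDNs before any rule runs
  dns { proxy_enabled = true }           # DNS proxy is required for FQDN filtering in network rules
  intrusion_detection { mode = "Deny" }  # Premium IDPS: Off / Alert / Deny
}

# Parent guardrails: evaluated before any child group of the same rule type,
# whatever priority the child picks, so a child Allow cannot re-open this Deny.
resource "azurerm_firewall_policy_rule_collection_group" "global" {
  name               = "rcg-global-guardrails"
  firewall_policy_id = azurerm_firewall_policy.global.id
  priority           = 100

  network_rule_collection {
    name     = "deny-smb"
    priority = 100
    action   = "Deny"
    rule {
      name                  = "no-smb-through-the-firewall"
      protocols             = ["TCP"]
      source_addresses      = ["*"]
      destination_addresses = ["*"]
      destination_ports     = ["445"]
    }
  }

  application_rule_collection {
    name     = "allow-platform-fqdn-tags"
    priority = 200
    action   = "Allow"
    rule {
      name                  = "windows-update-and-backup"
      source_addresses      = ["10.0.0.0/8"]                   # constructed: private space used in Azure
      destination_fqdn_tags = ["WindowsUpdate", "AzureBackup"] # FQDN tags need no protocols block
    }
  }
}

# Local (child) policy for the dev hub, self-serviced by the DevOps team.
resource "azurerm_firewall_policy" "dev" {
  name                = "fwpol-dev-local"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = "Premium"                          # same SKU as the parent
  base_policy_id      = azurerm_firewall_policy.global.id  # this is what makes it a child
}

resource "azurerm_firewall_policy_rule_collection_group" "dev" {
  name               = "rcg-dev-apps"
  firewall_policy_id = azurerm_firewall_policy.dev.id
  priority           = 500

  nat_rule_collection { # DNAT rules run first, then network, then application rules
    name     = "dnat-jumpbox"
    priority = 100
    action   = "Dnat"
    rule {
      name                = "ssh-from-corp-to-jumpbox"
      protocols           = ["TCP"]
      source_addresses    = ["203.0.113.0/24"] # constructed: corporate egress range, never "*"
      destination_address = var.firewall_public_ip
      destination_ports   = ["22"]
      translated_address  = "10.10.1.4"        # constructed: jump box in the dev spoke
      translated_port     = "22"
    }
  }

  network_rule_collection {
    name     = "allow-azure-monitor"
    priority = 200
    action   = "Allow"
    rule {
      name                  = "agents-to-log-analytics"
      protocols             = ["TCP"]
      source_addresses      = ["10.10.0.0/16"] # constructed: dev spoke range
      destination_addresses = ["AzureMonitor"] # service tag instead of a hand-maintained IP list
      destination_ports     = ["443"]
    }
  }

  application_rule_collection {
    name     = "allow-dev-egress"
    priority = 300
    action   = "Allow"
    rule {
      name              = "package-registries"
      source_addresses  = ["10.10.0.0/16"]
      destination_fqdns = ["pypi.org", "files.pythonhosted.org", "registry.npmjs.org"]
      protocols {
        type = "Https"
        port = 443
      }
    }
  }
}
```

Two processing facts the configuration relies on that the slides only imply: threat-intelligence filtering runs before any rule, and rule types are evaluated DNAT, then network, then application, with the parent policy's rule collection groups evaluated before the child's groups of the same type regardless of the priorities the child assigns. A child can therefore add allows for its own workloads but cannot punch a hole in a parent Deny, which is what makes the global/local split safe to delegate.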


Multi security provider support (secured hub only)

Combine best of breed security
• Azure Firewall for east-west (virtual network to virtual network, branch to virtual network) traffic filtering
• Security partner of your choice for north-south (virtual network to Internet, branch to Internet) traffic filtering

Use Azure for edge security
• Avoids routing internet traffic to on-premises
• Route internet traffic directly from Azure

Partners
• Zscaler (currently runs on ZIA cloud, roadmap to run on Azure)
• Check Point (runs on Azure)
• iboss (runs on Azure)

Simplifies connectivity and security
• Easily attract traffic to your secured virtual hub for filtering and logging without manipulating User Defined Routes

[Diagram: a secured vHub with Azure Firewall and an Azure VPN Gateway; VNet 1, VNet 2, VNet 3, Branch 1 and Branch 2 connect through Virtual WAN (VPN/ExpressRoute). Private B2V and V2V traffic goes via Azure Firewall; Internet traffic goes via the third-party SECaaS over an IPsec tunnel.]


Firewall Manager GA pricing

Azure Firewall in Secured Virtual Hubs
• Fixed fee: $1.25/firewall/hour
• Variable fee: $0.016/GB processed by the firewall

Azure Firewall Manager policies
• Fixed fee: $100/policy/region
• Policies that are associated with a single hub are free of charge

Azure Firewall Manager 3rd-party integration
• Fixed fee: $0.4/secured hub/hour
• Virtual WAN VPN GA charges apply


Azure Firewall Manager trusted security partners

Use Azure as your secured Internet edge
• Use best-in-breed third-party Security-as-a-Service (SECaaS) partners with Azure Firewall Manager
• Protect VNet-to-Internet or Branch-to-Internet user traffic
• Combine with Azure Firewall for layered security
• Break out Office 365 traffic directly at the branch; filter the rest of Internet traffic using SECaaS on Azure

[Partner logos, marked general availability or public preview]


NDA
Firewall Manager Q3/Q4 FY2022 roadmap (tentative)

Prioritized:
• Policy Analytics: flow insights, rule management over time, rule insights
• Centralized WAF management
• Centralized DDoS protection management
• Inter-hub filtering support for Virtual WAN: B2B via firewall, V2V across hubs, V2B across hubs
• Firewall Policy: change tracking in activity logs

Backlog for prioritization:
• Enable/disable rules
• Rule priority changes
• Rule scheduling
• Route advertisement using BGP
• Publishing learned routes using BGP
• Micro-segmentation: support tags, port groups, protocol groups


Thank you.

© Copyright Microsoft Corporation. All rights reserved.
