Azure Firewall is a new managed, cloud-based network security service in Azure that offers stateful, native firewall capabilities for Virtual Network resources. Because it is a managed service, its main advantage is built-in high availability and scalability.

Announcement

Documentation

Preview features

Road Map

Limitations

Pricing

Operations

[code language="powershell"]
# Register the preview features (the request is asynchronous)
Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network

# Verify: RegistrationState should read "Registered" for both features before continuing
Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
Get-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network

# After the registration is complete, re-register the resource provider:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
[/code]
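The three steps above are one procedure, and the middle one is easy to get wrong: feature registration is asynchronous, so re-registering the provider before both features report Registered does nothing useful. The script below is an added example, not code from the original post or from Microsoft; it assumes the legacy AzureRm module is loaded and a session already exists (Connect-AzureRmAccount), and the timeout and poll interval are values chosen here, not anything the post specifies.

```powershell
# Added example (not from the original post): register the two Azure Firewall
# preview features, poll until both show RegistrationState 'Registered', then
# re-register the Microsoft.Network provider so the feature becomes usable.
# Assumes the legacy AzureRm module and an existing session (Connect-AzureRmAccount).

$providerNamespace = 'Microsoft.Network'
$features = @(
    'AllowRegionalGatewayManagerForSecureGateway',
    'AllowAzureFirewall'
)

# Step 1: request registration of each preview feature (re-running is harmless).
foreach ($f in $features) {
    Register-AzureRmProviderFeature -FeatureName $f -ProviderNamespace $providerNamespace | Out-Null
}

# Step 2: registration is asynchronous, so poll instead of assuming it finished.
# $timeoutMinutes and $pollSeconds are assumed values, not documented limits.
$timeoutMinutes = 30
$pollSeconds    = 30
$deadline = (Get-Date).AddMinutes($timeoutMinutes)

do {
    $states = foreach ($f in $features) {
        Get-AzureRmProviderFeature -FeatureName $f -ProviderNamespace $providerNamespace
    }
    $pending = $states | Where-Object { $_.RegistrationState -ne 'Registered' }
    if ($pending) {
        $pending | ForEach-Object { Write-Host ("{0}: {1}" -f $_.FeatureName, $_.RegistrationState) }
        if ((Get-Date) -gt $deadline) {
            throw "Feature registration did not complete within $timeoutMinutes minutes."
        }
        Start-Sleep -Seconds $pollSeconds
    }
} while ($pending)

# Step 3: only once every feature is 'Registered' does re-registering the
# provider make the preview capability available in the subscription.
Register-AzureRmResourceProvider -ProviderNamespace $providerNamespace
```

Running this in a fresh subscription typically prints a few "Registering" lines before the loop exits; if the deadline is hit, the throw leaves the provider untouched, which is the safer failure mode than silently re-registering against a half-enabled feature set.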

My thoughts

From an HA perspective, this is a great move by Microsoft, but looking at the security features in this preview, and even the features planned for GA, it is not even close to being enterprise ready in light of the threat landscape any enterprise has to protect itself against. The Azure Firewall service offers only two security features: FQDN filtering and network traffic filtering. That's it! No deep packet inspection with IDS/IPS, no malware protection against legitimate sites, no certificate validation, no file type filtering by MIME type, extension or active content type, etc.

Microsoft recognizes this and the announcement page states the following:

Azure Firewall is a basic firewall service that can address certain customer scenarios. We expect customers to have a mix of 3rd party NVAs and Azure Firewall and are working with our partners on multiple better together opportunities.

An example of a great NVA appliance to use is the Sophos XG firewall. Also, from a scalability perspective, more detail is needed on how to work around the current single public IP address. If the firewall is limited to a single IP, how is ephemeral port exhaustion handled, especially if the recommended architecture is a central firewall for multiple vNets?
