Securing network architectures remains of fundamental importance when adopting the public cloud, and adopting a firewall solution to protect and segregate network flows becomes mandatory. Microsoft recently announced the availability of Azure Firewall Premium, its next generation firewall, with features that are useful in highly security-sensitive environments that require a high level of regulation. This article describes the characteristics of this new solution and compares it with the Network Virtual Appliances (NVAs) of third-party vendors, to evaluate the choice of an appropriate "Firewall Strategy".
New features in Azure Firewall Premium
Azure Firewall is the firewall-as-a-service solution (FWaaS) present in Microsoft's public cloud, which allows you to secure the resources present in the Azure Virtual Networks and to govern the related network flows.
Azure Firewall Premium uses Firewall Policy, a global resource that is used to centrally manage firewalls by using Azure Firewall Manager. All new features can only be configured through Firewall Policy.
The following chapters describe the new features introduced in Azure Firewall Premium.
TLS inspection
The standard security technology that allows you to establish an encrypted connection between a client and a server is Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). This standard ensures that all data passing between clients and the server remains private and encrypted. Azure Firewall Premium is able to intercept and inspect TLS connections. To do this, the network communication is fully decrypted, the necessary security checks are performed, and the traffic is re-encrypted before being sent to the destination.
The Azure Firewall Premium TLS Inspection solution is ideal for the following use cases:
- Outbound TLS termination.
- TLS termination between spoke virtual networks (east-west).
- Inbound TLS termination with Application Gateway. Azure Firewall can be deployed behind an Application Gateway. With this configuration, incoming Web traffic passes both through the WAF of the Application Gateway and through Azure Firewall. The WAF provides Web application-level security, while Azure Firewall acts as a central control and logging point to inspect traffic between the Application Gateway and the back-end servers. Azure Firewall can in fact decrypt the traffic received from the Application Gateway for further inspection and encrypt it again before forwarding it to the destination Web server. For more details on this use case, consult Microsoft's documentation.
To enable TLS Inspection in Azure Firewall Premium it is advisable to use a certificate stored in an Azure Key Vault. Azure Firewall accesses the key vault to retrieve the certificate using a managed identity. For more information about using certificates with this Azure Firewall Premium feature, see Microsoft's official documentation.
These use cases allow customers to adopt a zero trust model and implement end-to-end network segmentation.
IDPS
An Intrusion Detection and Prevention System (IDPS) allows you to monitor network activities to detect malicious activity, record information about it, report it and, optionally, attempt to block it. Azure Firewall Premium provides signature-based IDPS and detects attacks by searching for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware. IDPS signatures are automatically managed and continuously updated.
This capability works for all ports and protocols. Although some detections also work on encrypted traffic, enabling TLS Inspection is important to make the best use of the IDPS, because the signatures can then be matched against the decrypted payload.
URL filtering
URL filtering allows you to filter outbound access to specific URLs, not just to certain FQDNs. In fact, the Azure Firewall FQDN filtering capability is extended to consider an entire URL. For example, www.microsoft.com/a/b instead of just www.microsoft.com. This feature is also effective for encrypted traffic if TLS Inspection is enabled, since the path of an HTTPS request is only visible after decryption.
URL filtering can also be used in conjunction with Web categorization to extend a particular category by explicitly adding multiple URLs, or to allow/deny access to URLs within your organization's intranet.
Web categorization
Web categorization in Azure Firewall policies allows you to allow or deny users access to the Internet based on specific categories, for example, social networks, search engines, gambling, etc.
This feature can be used as a target type in the application rules of both the Standard and Premium Azure Firewall SKUs. The main difference is that the Premium SKU classifies traffic at a finer granularity, by full URL, using TLS Inspection, while the Standard SKU classifies traffic only by FQDN. This feature gives visibility and control over an organization's Internet traffic and is ideal for controlling Internet browsing for Windows Virtual Desktop clients.
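The following Bicep template is an added example, not code from the original article or from Microsoft, that ties together the features described above: it creates a Premium Firewall Policy with TLS Inspection backed by a Key Vault certificate and a user-assigned managed identity, IDPS in Alert mode, an application rule that filters by full URL, and rules that allow or deny traffic by Web category. The resource names, the address range, the Key Vault secret URL and the category choices are assumptions chosen for illustration; the template also assumes the CA certificate has already been uploaded to Key Vault and that the identity has been granted read access to it (that role assignment is not shown).

```bicep
// Added example: a Premium Firewall Policy exercising TLS Inspection, IDPS,
// URL filtering and Web categorization. All names and values below are assumed.
param location string = resourceGroup().location
param policyName string = 'fwpol-premium-example'   // assumed policy name
param identityName string = 'id-azfw-tls'            // assumed identity name
// Assumed: a CA certificate (PFX, no password) already stored as a Key Vault
// secret that the identity is allowed to read. Azure Firewall uses it to
// issue the certificates presented to clients during TLS Inspection.
param caCertSecretId string = 'https://kv-example.vault.azure.net/secrets/azfw-ca/'
param internalRanges array = [ '10.0.0.0/8' ]        // assumed client address range

// Managed identity that Azure Firewall uses to read the certificate from Key Vault.
resource fwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: identityName
  location: location
}

resource policy 'Microsoft.Network/firewallPolicies@2021-05-01' = {
  name: policyName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${fwIdentity.id}': {}
    }
  }
  properties: {
    sku: {
      tier: 'Premium'   // every feature below requires the Premium tier
    }
    threatIntelMode: 'Alert'
    // TLS Inspection: the intermediate CA used to re-sign outbound connections.
    transportSecurity: {
      certificateAuthority: {
        name: 'azfw-ca'
        keyVaultSecretId: caCertSecretId
      }
    }
    // IDPS: 'Alert' only logs signature matches, 'Deny' also drops them.
    // Starting in Alert lets you review false positives before blocking.
    intrusionDetection: {
      mode: 'Alert'
    }
  }
}

resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        // Lower priority number is evaluated first, so this deny wins over the allow below.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-by-category'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'deny-gambling'
            sourceAddresses: internalRanges
            protocols: [ { protocolType: 'Https', port: 443 }, { protocolType: 'Http', port: 80 } ]
            webCategories: [ 'Gambling' ]   // Web categorization as rule target
            terminateTLS: true              // classify HTTPS by full URL, not just FQDN
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-outbound-web'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            // URL filtering: the rule matches the path, so the firewall must
            // decrypt the session (terminateTLS) to see it.
            ruleType: 'ApplicationRule'
            name: 'allow-specific-url'
            sourceAddresses: internalRanges
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetUrls: [ 'www.microsoft.com/a/b' ]
            terminateTLS: true
          }
          {
            ruleType: 'ApplicationRule'
            name: 'allow-search-engines'
            sourceAddresses: internalRanges
            protocols: [ { protocolType: 'Https', port: 443 }, { protocolType: 'Http', port: 80 } ]
            webCategories: [ 'SearchEnginesAndPortals' ]
            terminateTLS: true
          }
        ]
      }
    ]
  }
}

output policyId string = policy.id
```

The policy is then attached to a Premium-SKU Azure Firewall through its firewallPolicy reference. Keeping the deny collection at a lower priority number than the allow collection is the detail that makes category blocking effective: if the order were reversed, the broad allow would match first. Once IDPS alerts have been reviewed in the firewall's diagnostic logs, switching intrusionDetection.mode to Deny turns detection into prevention without touching the rule collections.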
Azure Firewall Premium vs third-party Network Virtual Appliances (NVAs)
The Network Virtual Appliances (NVAs) provided by third-party vendors and available in the Azure Marketplace are numerous and can offer advanced features. Typically the configuration of these solutions is more complex, and the cost tends to be higher than that of the solutions provided by the Azure platform.
Thanks to the Premium features, the gap between Azure Firewall and third-party NVAs is now greatly reduced.
Below is a high-level comparison between Azure Firewall Premium and NVAs:
The Azure Firewall feature set is therefore suitable for most customers and provides some key benefits being a cloud-native managed service, for example:
- Integration with DevOps templates and other Azure artifacts (ex. Tags, diagnostic settings).
- High availability is built into the service; no specific configuration or additional components are required to make it effective. This clearly distinguishes it from third-party solutions, where configuring a Network Virtual Appliance (NVA) in HA typically requires additional load balancers.
- Azure Firewall allows you to scale easily to adapt to any change of network streams.
- No maintenance activity required.
- Significant TCO savings for most customers. In fact, for NVAs it is appropriate to consider:
  - Computational costs (at least two virtual machines for HA)
  - Licensing costs
  - Costs for standard load balancers (internal and external)
  - Maintenance costs
  - Support costs
However, it is appropriate to specify that for some customers, third-party solutions are more suitable as they allow for continuity in the user experience compared to solutions already active in the on-premises environment.
Conclusions
With the release of the Premium SKU, Azure Firewall becomes a next generation firewall fully integrated into the Azure fabric. It provides very interesting features, to the point of making it the ideal choice for customers with advanced control and security needs for their Azure networking.