Category Archives: Azure Firewall

Next-Generation Firewall functionality with Azure Firewall Premium

The adoption of an effective Azure environment protection strategy is essential and also requires a careful assessment of the features provided by the firewall solution you intend to use. Azure Firewall has been available for some time, Microsoft's managed and fully integrated public cloud service, that allows you to secure the resources present on the Virtual Networks of Azure. In specific business realities, particularly sensitive to security and requiring a high level of regulation, advanced features typical of a next generation firewall are required. For this reason, Microsoft has released Azure Firewall Premium, the firewall-as-a-service solution (FWaaS) which guarantees several advanced features to better protect Azure environments. This article explores the features of Azure Firewall Premium.

Azure Firewall is a network security service, managed and cloud-based, able to protect the resources attested on the Azure Virtual Networks and to centrally govern the related network flows. Furthermore, it has inherent features of high availability and scalability.

The Premium version allows you to get an additional level of protection from security threats, through features such as TLS Inspection and IDPS that guarantee greater control of network traffic in order to intercept and block the spread of malware and viruses. The features of TLS Inspection and IDPS require more performance, reason why Azure Firewall Premium, compared to the Standard tier, uses more powerful SKUs for its instances and is able to guarantee high levels of performance. Like the Standard SKU, Premium SKU can scale up to 30 Gbps and integrates with availability zones to guarantee a service level agreement (SLA) equal to 99,99 %. Azure Firewall got ICSA Labs certification, in addition, the Premium version complies with the PCI DSS security standard (Payment Card Industry Data Security Standard).

The functionality of Azure Firewall Premium

The new features of Azure Firewall Premium are configurable only through Firewall Policy. Firewall rules in "classic" mode continue to be supported and can only be used to configure the Standard version of Azure Firewall. Firewall Policies can be managed independently or with Azure Firewall Manager.

Azure Firewall Premium guarantees all the features present in the Azure Firewall Standard tier and in addition adds the following features typical of a next generation firewall.

Figure 1 - Azure Firewall Premium overview

The following chapters describe the new features introduced in Azure Firewall Premium.

TLS inspection

The standard security technology that allows you to establish an encrypted connection between a client and a server is the Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). This standard ensures that all data passing between clients and the server remains private and encrypted. Azure Firewall Premium is able to intercept and inspect TLS connections. To do this, a complete decryption of network communications is performed, the necessary security checks are performed and the traffic to be sent to the destination is re-encrypted.

The Azure Firewall Premium TLS Inspection solution is ideal for the following use cases:

  • Outbound TLS termination.

Figure 2 - Azure Firewall TLS Inspection for outbound traffic

  • TLS termination between spoke virtual networks (east-west).
  • Inbound TLS termination with Application Gateway. Azure Firewall communication flows can be deployed behind an Application Gateway. By adopting this configuration, incoming Web traffic passes both through the WAF of the Application Gateway and through the Azure Firewall. WAF provides Web application-level security, while Azure Firewall acts as a central control and logging point to inspect traffic between the Application Gateway and back-end servers. The Azure Firewall can in fact de-encrypt the traffic received from the Application Gateway for further inspection and encrypt it again before forwarding it to the destination Web server. For more details on this use case you can consult this Microsoft's document.

Figure 3 – Implementation of the Application Gateway before Azure Firewall

To enable TLS Inspection in Azure Firewall Premium it is advisable to use a certificate present in an Azure Key Vault. Azure Firewall is accessed to the key vault to retrieve certificates using a managed identity. For more information about using certificates, for this Azure Firewall Premium feature, you can see the Microsoft's official documentation.

These use cases allow customers to adopt a zero trust model and implement end-to-end network segmentation.

IDPS

An Intrusion Detection and Prevention System (IDPS) allows you to monitor network activities to detect malicious activities, record information about these activities, report them and, optionally, try to block them. Azure Firewall Premium provides signature-based IDPS and is able to enable attack detection by searching for specific patterns, as sequences of bytes in network traffic or known malicious instruction sequences used by malware. IDPS signatures are automatically managed and continuously updated.

This capability works for all ports and protocols, but despite some detections they can also run with encrypted traffic, enabling TLS Inspection is important to make the best use of the IDPS.

Figure 4 – IDPS mode

Filtering URL

URL filtering allows you to filter outbound access to specific URLs, and not just for certain FQDNs. In fact, the Azure Firewall FQDN filtering capability is extended to consider an entire URL. For example,, www.microsoft.com/a/b instead of just www.microsoft.com. This feature is also effective for encrypted traffic if TLS Inspection is enabled.

Filtering URL can also be used in conjunction with Web categorization to extend a particular category by explicitly adding multiple URLs, or to allow/deny access to URLs within your organization's intranet.

Figure 5 – URL filtering in application rules

Web categorization

Web categorization in Azure Firewall policies allows you to allow or deny users access to the Internet based on specific categories, for example, social networks, search engines, gambling, etc.

This feature can be used as a target type in the application rules in both Standard and Premium Azure Firewall SKUs. The main difference is that the Premium SKU allows you to achieve a higher level of optimization, classifying traffic by full URL, using the functionality of TLS Inspection, while the standard SKU classifies traffic only by FQDN. This function allows you to have visibility and control in the use of an organization's Internet traffic and is ideal for controlling web browsing for Azure Virtual Desktop clients.

Figure 6 – Web categorization in an access rule

The transition from version Standard to version Premium

For those who use the Azure Firewall Standard SKU and need to upgrade to the Premium SKU, they can migrate using the following steps.

  • First thing, in case they are not already in use, Azure Firewall Policy must be adopted. To do this, it is possible to transform the Azure Firewall rules (Classic) existing:

Figure 7 - Migration of classic rules to Azure Firewall Policy

  • Create a new Azure Firewall Premium by associating it with the existing Azure Firewall Policy:

Figure 8 - Creation of a new Azure Firewall Premium by associating an existing Azure Policy

Note: an important aspect to consider when migrating is maintaining the IP address or IP addresses assigned to Azure Firewall.

The cost of Azure Firewall Premium

Same as for the Standard SKU, the prices of Azure Firewall Premium are given both by the deployment, both from data processing. The cost for deployment is higher than 40% compared to Azure Firewall Standard, while the costs for data processing are the same as for Azure Firewall Standard. For more details on costs please visit the Microsoft's official page.

Conclusions

The adoption of a firewall solution to better protect and segregate network flows is now an obligatory choice to ensure effective protection and management of the network infrastructure in Azure environments. For companies with advanced control and security needs, they can use the Azure Firewall Premium SKU to expand the set of features available. Azure Firewall Premium can compete, in terms of functionality, with Network Virtual Appliances (NVAs) provided by well-known third-party vendors, for which, however, more articulated configurations are required and generally higher costs are expected.

Azure Networking: comparison between the new Azure Firewall and third-party virtual appliances

Securing network architectures is an aspect of fundamental importance even when adopting the public cloud and becoming mandatory to adopt a firewall solution to better protect and segregate network flows. The availability of Azure Firewall Premium was recently announced, Microsoft's next generation firewall with interesting features that can be useful in highly security-sensitive environments and that require a high level of regulation. This article reports the characteristics of this new solution and a comparison is made with the Network Virtual Appliances (NVAs) of third-party vendors, to evaluate the choice of an appropriate "Firewall Strategy".

New features in Azure Firewall Premium

Azure Firewall is the firewall-as-a-service solution (FWaaS) present in Microsoft's public cloud, which allows you to secure the resources present in the Azure Virtual Networks and to govern the related network flows.

Figure 1 – Azure Firewall Premium Overview

Azure Firewall Premium uses Firewall Policy, a global resource that is used to centrally manage firewalls by using Azure Firewall Manager. All new features can only be configured through Firewall Policy.

The following chapters describe the new features introduced in Azure Firewall Premium.

TLS inspection

The standard security technology that allows you to establish an encrypted connection between a client and a server is the Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). This standard ensures that all data passing between clients and the server remains private and encrypted. Azure Firewall Premium is able to intercept and inspect TLS connections. To do this, a complete decryption of network communications is performed, the necessary security checks are performed and the traffic to be sent to the destination is re-encrypted.

The Azure Firewall Premium TLS Inspection solution is ideal for the following use cases:

  • Outbound TLS termination.

Figure 2 – Azure Firewall TLS Inspection for Outbound Traffic

  • TLS termination between spoke virtual networks (east-west).
  • Inbound TLS termination with Application Gateway. Azure Firewall communication flows can be deployed behind an Application Gateway. By adopting this configuration, incoming Web traffic passes both through the WAF of the Application Gateway and through the Azure Firewall. WAF provides Web application-level security, while Azure Firewall acts as a central control and logging point to inspect traffic between the Application Gateway and back-end servers. The Azure Firewall can in fact de-encrypt the traffic received from the Application Gateway for further inspection and encrypt it again before forwarding it to the destination Web server. For more details on this use case you can consult this Microsoft's document.

Figure 3 – Implementation of the Application Gateway before Azure Firewall

To enable TLS Inspection in Azure Firewall Premium it is advisable to use a certificate present in an Azure Key Vault. Azure Firewall is accessed to the key vault to retrieve certificates using a managed identity. For more information about using certificates, for this Azure Firewall Premium feature, you can see the Microsoft's official documentation.

These use cases allow customers to adopt a zero trust model and implement end-to-end network segmentation.

IDPS

An Intrusion Detection and Prevention System (IDPS) allows you to monitor network activities to detect malicious activities, record information about these activities, report them and, optionally, try to block them. Azure Firewall Premium provides signature-based IDPS and is able to enable attack detection by searching for specific patterns, as sequences of bytes in network traffic or known malicious instruction sequences used by malware. IDPS signatures are automatically managed and continuously updated.

This capability works for all ports and protocols, but despite some detections they can also run with encrypted traffic, enabling TLS Inspection is important to make the best use of the IDPS.

Figure 4 – IDPS mode

Filtering URL

URL filtering allows you to filter outbound access to specific URLs, and not just for certain FQDNs. In fact, the Azure Firewall FQDN filtering capability is extended to consider an entire URL. For example,, www.microsoft.com/a/b instead of just www.microsoft.com. This feature is also effective for encrypted traffic if TLS Inspection is enabled.

Filtering URL can also be used in conjunction with Web categorization to extend a particular category by explicitly adding multiple URLs, or to allow/deny access to URLs within your organization's intranet.

Figure 5 – URL filtering in application rules

Web categorization

Web categorization in Azure Firewall policies allows you to allow or deny users access to the Internet based on specific categories, for example, social networks, search engines, gambling, etc.

This feature can be used as a target type in the application rules in both Standard and Premium Azure Firewall SKUs. The main difference is that the Premium SKU allows you to achieve a higher level of optimization, classifying traffic by full URL, using the functionality of TLS Inspection, while the standard SKU classifies traffic only by FQDN. This feature allows you to have visibility and control in the use of an organization's Internet traffic and is ideal for controlling Internet browsing for Windows Virtual Desktop clients.

Figure 6 – Web categorization in an access rule

Azure Firewall Premium vs Network Virtual Appliances (NVAs) of third party

The Network Virtual Appliances (NVAs) provided by third-party vendors and available in the Azure marketplace are numerous and can offer advanced features. Typically the configuration of these solutions is more articulated and the cost tends to be higher than the solutions provided by the Azure platform.

The gap between Azure Firewall features, thanks to Premium features, and the third party NVAs is now greatly reduced.

There is a high-level comparison between Azure Firewall Premium and NVAs:

Figure 7 – Azure Firewall Premium vs NVAs Feature Comparison

The Azure Firewall feature set is therefore suitable for most customers and provides some key benefits being a cloud-native managed service, for example:

  • Integration with DevOps templates and other Azure artifacts (examples. Tags, diagnostic settings).
  • High availability is integrated into the service and no specific configurations or additional components are required to make it effective. This is definitely an element that distinguishes it compared to third-party solutions that, for the configuration of Network Virtual Appliance (NVA) in HA, typically require the configuration of additional load balancers.
  • Azure Firewall allows you to scale easily to adapt to any change of network streams.
  • No maintenance activity required.
  • Significant TCO savings for most customers. In fact, for NVAs it is appropriate to consider:
    • Computational costs (at least two virtual machines for HA)
    • Licensing costs
    • Costs for standard load balancers (interior and exterior)
    • Maintenance costs
    • Support costs

However, it is appropriate to specify that for some customers, third-party solutions are more suitable as they allow for continuity in the user experience compared to solutions already active in the on-premises environment.

Conclusions

With the release of the Premium SKU Azure Firewall becomes a next generation firewall fully integrated into the Azure fabric, that provides very interesting features, to the point of making it the ideal choice for customers with advanced control and security needs of their Azure networking.