A few weeks ago, Microsoft released the Premium SKU of Azure Firewall. This new SKU adds functionality such as TLS inspection, IDPS, web categories and URL filtering:
The cost is approximately 1077€ per month, plus 0.014€/GB processed:
Pricing – Azure Firewall | Microsoft Azure
To start, we will create a new Azure Firewall with the Premium SKU in our hub VNet. You need to create a dedicated subnet named AzureFirewallSubnet:
After a few minutes, your firewall is deployed with a basic configuration:
To manage the firewall, you need to go to Firewall Manager, where you can see the virtual networks that are protected:
As you can see, I can still access many websites at this point:
I created a route table to forward all the traffic of my spoke subnet to my hub Azure Firewall. To do that, first get the private IP of your firewall:
Then add a default route (0.0.0.0/0) whose next hop is a virtual appliance, using the private IP you just retrieved:
Now I get errors when I try to access anything, because by default the Azure Firewall blocks everything:
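The route table described above, as an added Bicep example that is not part of the original post. Resource names, the spoke VNet/subnet, its address prefix and the firewall private IP are assumptions; replace the IP with the one shown on your firewall's overview page.

```bicep
// Added example (not from the original post): spoke route table that sends all
// traffic to the hub Azure Firewall. All names and addresses are assumptions.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'   // assumed: private IP of the hub firewall
param spokeVnetName string = 'vnet-spoke'      // assumed: existing spoke VNet
param spokeSubnetName string = 'snet-workload' // assumed: existing spoke subnet
param spokeSubnetPrefix string = '10.1.0.0/24' // assumed: prefix of that subnet

// Route table with a single default route to the firewall (nextHopType VirtualAppliance)
resource rt 'Microsoft.Network/routeTables@2021-05-01' = {
  name: 'rt-spoke-to-azfw'
  location: location
  properties: {
    routes: [
      {
        name: 'default-to-azfw'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Reference the existing spoke VNet and associate the route table with its subnet
resource spokeVnet 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
  name: spokeVnetName
}

resource spokeSubnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = {
  parent: spokeVnet
  name: spokeSubnetName
  properties: {
    addressPrefix: spokeSubnetPrefix
    routeTable: {
      id: rt.id
    }
  }
}
```

Once the subnet is associated, every outbound flow from that subnet (including Internet-bound traffic) passes through the firewall, which is why everything is blocked until you add allow rules. The hub-to-spoke VNet peering is assumed to already exist.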
If I want to allow a website, for example Facebook, I will create an allow rule with the web category Social Networking. All categories are listed here:
Azure Firewall web categories | Microsoft Docs
In the Rule Collections, create a new rule with the following information:
Apply it. After a few seconds, the website is working again:
If you want to allow only one social website within the Social Networking category, create a rule with a low priority number (for example 100) that allows the URL you want, and after it a rule with a higher priority number that denies the whole Social Networking category. Rules are evaluated in priority order, so the specific allow matches before the broad deny.
I can modify the rule to allow, for example, only google.com. With the Premium SKU, it is also possible to inspect the URL path after the /, for example google.com/example:
And it works:
If you go into Application Rules, you can see the rules that we created before:
This is just an example of what you can do. But with the Premium SKU you can do more, such as:
– TLS inspection, which terminates and re-encrypts the traffic so the firewall can inspect it while it stays encrypted end to end from the client's point of view
– IDPS (Intrusion Detection and Prevention System) to monitor malicious traffic, log it (in Log Analytics), report it and block it
You will find more information here: Azure Firewall Premium features | Microsoft Docs
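The rule ordering described above (a specific allow at priority 100 followed by a category-wide deny), together with the Premium-only settings just listed (URL path filtering, TLS inspection and IDPS), as one added Bicep example that is not part of the original post. The policy and rule names, the source prefix, the Key Vault secret and managed identity parameters are assumptions; the web category identifier `SocialNetworking` is assumed to be the ARM name of the "Social Networking" category shown in the portal.

```bicep
// Added example (not from the original post): Premium firewall policy with
// TLS inspection, IDPS in alert mode, and an application rule collection group
// that allows one URL path and denies the rest of the Social Networking category.
param location string = resourceGroup().location
param tlsCaKeyVaultSecretId string  // assumed: https://<kv>.vault.azure.net/secrets/<ca-cert-name>/
param managedIdentityId string      // assumed: resource id of a user-assigned identity with Key Vault access
param spokeSourcePrefix string = '10.1.0.0/24' // assumed: the spoke subnet behind the firewall

resource policy 'Microsoft.Network/firewallPolicies@2021-05-01' = {
  name: 'fwpol-hub-premium'
  location: location
  // The identity is needed so the firewall can read the CA certificate from Key Vault
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentityId}': {}
    }
  }
  properties: {
    sku: {
      tier: 'Premium'
    }
    threatIntelMode: 'Alert'
    // IDPS: 'Alert' logs signature matches; switch to 'Deny' to also block them
    intrusionDetection: {
      mode: 'Alert'
    }
    // TLS inspection: intermediate CA certificate stored in Key Vault
    transportSecurity: {
      certificateAuthority: {
        name: 'tls-inspection-ca'
        keyVaultSecretId: tlsCaKeyVaultSecretId
      }
    }
  }
}

resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        // Priority 100 is evaluated first: allow only the specific URL path
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-specific-url'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-google-example-path'
            sourceAddresses: [ spokeSourcePrefix ]
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            // Path-level filtering (Premium); for HTTPS it only works when the rule terminates TLS
            targetUrls: [ 'google.com/example' ]
            terminateTLS: true
          }
        ]
      }
      {
        // Priority 200 is evaluated after the allow: deny the whole category
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-social-networking'
        priority: 200
        action: {
          type: 'Deny'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'deny-social-networking-category'
            sourceAddresses: [ spokeSourcePrefix ]
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            webCategories: [ 'SocialNetworking' ]
          }
        ]
      }
    ]
  }
}
```

The firewall itself references this policy through its `firewallPolicy.id` property. Two points worth checking after deployment: the CA certificate used for TLS inspection must be trusted by the clients behind the firewall, otherwise every inspected HTTPS session fails with a certificate error; and the allow collection must keep a lower priority number than the deny collection, or the category deny will match first and the specific URL will never be reachable.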
If you want to protect your Azure infrastructure quickly, without deep firewall knowledge, it is a great solution. But be careful: it does not have the full functionality of a traditional firewall such as Palo Alto or Check Point. For example, a great feature would be to allow an Active Directory group to access a specific category of URLs and deny it for all others. But Azure Firewall is a young product, and I am sure that it will evolve in the near future.