Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Deploy Azure Firewall Premium to control connectivity

  • September 16, 2021
  • 6 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.


Few weeks ago, Microsoft released the Premium SKU of Azure Firewall. This new SKU provides new functionalities, like TLS inspection, IDPS, Web categories and URL filtering:

Next-generation firewall capabilities with Azure Firewall Premium | Azure Blog and Updates | Microsoft Azure

Azure Firewall

The cost is approximatively 1077€ per months, plus 0.014€/GB processed:

Pricing – Azure Firewall | Microsoft Azure

To start, we will create a new Azure Firewall, with Premium SKU, in our HUB VNet. You need to create a dedicated subnet, AzureFirewallSubnet:

Create a firewall

After few minutes, you have your firewall deployed, with a basic configuration:

Firewall deployed

To manage the Firewall, you need to go to the firewall manager. You can see virtual network that are protected:

Firewall Manager

As you can see, I can now access many websites:

Many websites

I created a route table to forward all the traffic of my spoke subnet, to my hub Azure Firewall. To do that, get the private IP of your firewall:

Firewall Overview

And forward the traffic, to the virtual appliance Azure Firewall, with the IP that you get from it:

Forward the traffic

Now I have errors when I want to access something, because by default, the Azure Firewall is blocking everything:

Errors

If I want to allow a website, for example Facebook, I will create an allow rule, with Web Category Social Networking. All categories are mentioned here:

Azure Firewall web categories | Microsoft Docs

In the Rule Collections, create a new rule, with the following information:

Rule Collections

Apply it. After few seconds, the website is working again:

The website is working again

If you want to allow only a social website in the social networking category, create a rule with a priority 100 for example, with the url that you want and an allow, and after a rule with Deny, on the social networking category.

I can modify the rule, to allow for example only google.com. With the Premium SKU, it is possible to do the inspection in the URL, after the /, for example, google.com/example:

Edit rule collection

And it works:

Site works

If you go into Application Rules, you can see rules that we created before:

Application Rules

It is just an example of what you can do. But with Premium SKU, you can do more, like:

– TLS inspection to have an end-to-end encryption

– IDPS (Intrusion Detection and Prevention System) to monitor malicious traffic, log it (in Log Analytics), report it and block it

You will find more information here: Azure Firewall Premium features | Microsoft Docs

If you want to protect rapidly, without having Firewall knowledge, your Azure infrastructure, it is a great solution. But be careful, it has not the same full functionality as a real firewall, like Palo Alto, Checkpoint, etc. For example, a great feature will be to allow an Active Directory group to access to a specific category of URL, and deny for all others. But Azure Firewall is a young product, and I am sure that it will evolve in the near future.

Hey! Found Florent’s insights useful? Looking for a cost-effective, high-performance, and easy-to-use hyperconverged platform?
Taras Shved
Taras Shved StarWind HCI Appliance Product Manager
Look no further! StarWind HCI Appliance (HCA) is a plug-and-play solution that combines compute, storage, networking, and virtualization software into a single easy-to-use hyperconverged platform. It's designed to significantly trim your IT costs and save valuable time. Interested in learning more? Book your StarWind HCA demo now to see it in action!