Azure Firewall Policy and Hub VNET

Cloud Journey
4 min read, Jan 3, 2021


Overview

  • Azure Firewall Manager

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types: a secured virtual hub (an Azure Virtual WAN Hub) or a hub virtual network (a standard Azure virtual network with an Azure Firewall in it).

This article covers the standard Azure virtual network only; it is referred to as the hub virtual network (hub VNet).

  • Azure Firewall Policy

Azure Firewall Policy is an Azure resource that contains DNAT, network, and application rule collections, plus DNS and Threat Intelligence settings. It is a global resource that can be used across multiple Azure Firewall instances in Secured Virtual Hubs (Azure Virtual WAN Hub) and Hub Virtual Networks.

  • Benefit of Azure Firewall Manager

Security administrators need to manage firewalls and ensure compliance across on-premises and cloud deployments. A key requirement is the ability to give application teams the flexibility to create firewall rules from their own CI/CD pipelines in an automated way.

Azure Firewall Policy supports this with a rule hierarchy: a central base (parent) policy is overlaid on top of a child policy owned by the application team. Rule collection groups in the base policy always take precedence over those in the child policy, regardless of the priority numbers the child policy uses, so the central team's deny rules cannot be overridden by an application team's allow rules.
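To make the precedence rule concrete, here is an added example (not code from the original post or from Microsoft) that models how a parent policy is evaluated over a child policy. It encodes the documented processing order: DNAT rules, then network rules, then application rules; within each type the parent policy's rule collection groups before the child's, whatever the child's priority numbers; first match wins; an unmatched flow is denied. The policy names, priorities, CIDRs and flows are constructed sample data, and the rule matcher is a deliberately simplified stand-in for the real engine.

```python
"""Model of Azure Firewall Policy evaluation with a parent (base) policy over a
child policy. Added illustration, not Microsoft's code. Policies, priorities
and flows below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    sources: list           # source CIDRs
    destinations: list      # destination CIDRs, "*" for any (network/DNAT rules)
    ports: set              # destination ports, empty set for any
    protocols: set          # e.g. {"TCP"}; "Any" matches everything
    fqdns: set = field(default_factory=set)  # application rules: "*.example.com"

    def matches(self, flow):
        if not any(ip_address(flow["src"]) in ip_network(c) for c in self.sources):
            return False
        if self.fqdns:  # application rule: match on the requested host name
            host = flow.get("fqdn", "")
            if not any(host.endswith(p[1:]) if p.startswith("*") else host == p
                       for p in self.fqdns):
                return False
        elif not any(c == "*" or ip_address(flow["dst"]) in ip_network(c)
                     for c in self.destinations):
            return False
        if self.ports and flow["dport"] not in self.ports:
            return False
        return "Any" in self.protocols or flow["proto"] in self.protocols


@dataclass
class RuleCollection:
    name: str
    kind: str       # "DNAT", "Network" or "Application"
    action: str     # "Allow" or "Deny"
    priority: int   # lower number is evaluated first within its group
    rules: list


@dataclass
class RuleCollectionGroup:
    name: str
    priority: int   # lower number is evaluated first within its policy
    collections: list


@dataclass
class FirewallPolicy:
    name: str
    groups: list
    parent: "FirewallPolicy | None" = None


def policy_chain(policy):
    """Root policy first, then each child down to the policy being evaluated."""
    chain = []
    while policy is not None:
        chain.insert(0, policy)
        policy = policy.parent
    return chain


def ordered_collections(policy, kind):
    """(policy, collection) pairs of one rule type in evaluation order."""
    out = []
    for pol in policy_chain(policy):
        for group in sorted(pol.groups, key=lambda g: g.priority):
            for col in sorted(group.collections, key=lambda c: c.priority):
                if col.kind == kind:
                    out.append((pol, col))
    return out


def evaluate(policy, flow):
    """First matching rule decides. Returns (action, policy, collection, rule);
    a flow that matches nothing is the implicit deny."""
    for kind in ("DNAT", "Network", "Application"):
        for pol, col in ordered_collections(policy, kind):
            for rule in col.rules:
                if rule.matches(flow):
                    return (col.action, pol.name, col.name, rule.name)
    return ("Deny", "implicit", None, None)


# Constructed sample hierarchy: central base policy and an application team policy.
BASE = FirewallPolicy("base-policy", [RuleCollectionGroup("base-rcg", 100, [
    RuleCollection("deny-ssh", "Network", "Deny", 100, [
        Rule("deny-ssh-anywhere", ["10.0.0.0/8"], ["*"], {22}, {"TCP"})]),
    RuleCollection("allow-msft", "Application", "Allow", 200, [
        Rule("msft-fqdns", ["10.0.0.0/8"], [], {80, 443}, {"TCP"},
             fqdns={"*.microsoft.com"})]),
])])
APP_TEAM = FirewallPolicy("app-team-policy", [RuleCollectionGroup("app-rcg", 50, [
    # Group priority 50 beats the base group's 100 numerically, but the parent
    # policy is still evaluated first, so the SSH allow below never wins.
    RuleCollection("app-allow", "Network", "Allow", 100, [
        Rule("allow-ssh-to-app", ["10.0.1.0/24"], ["10.0.2.0/24"], {22}, {"TCP"}),
        Rule("allow-mysql", ["10.0.1.0/24"], ["10.0.2.0/24"], {3306}, {"TCP"})]),
])], parent=BASE)

SSH = {"src": "10.0.1.5", "dst": "10.0.2.7", "dport": 22, "proto": "TCP"}
MYSQL = {"src": "10.0.1.5", "dst": "10.0.2.7", "dport": 3306, "proto": "TCP"}
UPDATES = {"src": "10.0.1.5", "dst": "13.107.4.50", "dport": 443, "proto": "TCP",
           "fqdn": "download.microsoft.com"}
OTHER = {"src": "10.0.1.5", "dst": "203.0.113.9", "dport": 443, "proto": "TCP",
         "fqdn": "example.org"}

if __name__ == "__main__":
    for flow in (SSH, MYSQL, UPDATES, OTHER):
        print(flow, "->", evaluate(APP_TEAM, flow))
```

The SSH flow is denied by the base policy even though the application team's group carries the lower (more urgent) priority number; the MySQL flow, which the base policy says nothing about, is allowed by the child; the update download falls through all network rules to the base policy's application rule; anything else hits the implicit deny. That is the behaviour the hierarchy is meant to guarantee, and the reason the base policy should be the place where organisation-wide deny rules live.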

System Diagram

In this article you will explore Azure Firewall Manager: create an IP group, create a firewall policy, and convert an existing VNet into a hub VNet.

Demonstration

1. Create a VNet with an Azure Firewall deployed into its AzureFirewallSubnet.

2. Configure the VNet's DNS setting to point to the Azure Firewall private IP. This only works together with the DNS proxy setting in step 7: if DNS proxy is disabled on the policy, the firewall will not answer the VNet's DNS queries.

3. Because this Azure Firewall is managed by Azure Firewall Manager, no rules can be configured on the firewall itself; all rules come from the associated firewall policy.

4. Under Azure Firewall Manager there are two things to manage: hub VNets and Azure Firewall policies.

5. Create a new hub VNet, or convert an existing VNet to be managed by Azure Firewall Manager. In this case we convert the existing VNet into a hub VNet.

6. The policy used here is a root policy with no parent policy. It holds DNAT, Network and Application rule collections.

7. The policy's DNS configuration: custom DNS servers and the DNS proxy setting.

8. Threat intelligence configuration for the policy (Off, Alert only, or Alert and deny).

9. The hub VNet is now associated with the Azure Firewall policy.
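The portal walkthrough above leaves two settings that are easy to get wrong in combination: a VNet whose DNS points at the firewall (step 2) while DNS proxy is disabled on the policy (step 7), and a threat intelligence mode that is switched off (step 8). The following is an added example, not code from the original post, that checks a hub VNet, its firewall and the attached policies for these conditions. It runs over constructed resource documents shaped like the ARM JSON for those resource types; the property names (dhcpOptions.dnsServers, ipConfigurations[].properties.privateIPAddress, firewallPolicy.id, basePolicy.id, dnsSettings.enableProxy, threatIntelMode) are my reading of the ARM schema, and inheritance of settings from a base policy is not modelled: only the attached policy's own settings are read.

```python
"""Posture check for a hub VNet protected by a policy-managed Azure Firewall.
Added example; the resource documents below are constructed sample data shaped
like ARM JSON, not exported from a real subscription."""
import copy

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hub-rg/providers"
POLICY_ID = f"{RG}/Microsoft.Network/firewallPolicies/app-team-policy"

SAMPLE = [
    {"id": f"{RG}/Microsoft.Network/virtualNetworks/hub-vnet", "name": "hub-vnet",
     "type": "Microsoft.Network/virtualNetworks",
     "properties": {"dhcpOptions": {"dnsServers": ["10.0.0.4"]}}},
    {"id": f"{RG}/Microsoft.Network/azureFirewalls/hub-fw", "name": "hub-fw",
     "type": "Microsoft.Network/azureFirewalls",
     "properties": {"firewallPolicy": {"id": POLICY_ID},
                    "ipConfigurations": [{"name": "fw-ipconfig",
                                          "properties": {"privateIPAddress": "10.0.0.4"}}]}},
    {"id": POLICY_ID, "name": "app-team-policy",
     "type": "Microsoft.Network/firewallPolicies",
     "properties": {"threatIntelMode": "Off",
                    "dnsSettings": {"servers": [], "enableProxy": False},
                    "basePolicy": {"id": f"{RG}/Microsoft.Network/firewallPolicies/base-policy"}}},
    {"id": f"{RG}/Microsoft.Network/firewallPolicies/base-policy", "name": "base-policy",
     "type": "Microsoft.Network/firewallPolicies",
     "properties": {"threatIntelMode": "Deny", "dnsSettings": {"enableProxy": True}}},
]


def by_type(resources, rtype):
    return [r for r in resources if r["type"].lower() == rtype.lower()]


def find(resources, rid):
    return next((r for r in resources if r["id"].lower() == rid.lower()), None)


def assess(resources):
    """Return (severity, message) findings for every Azure Firewall in the set."""
    findings = []
    for fw in by_type(resources, "Microsoft.Network/azureFirewalls"):
        props = fw["properties"]
        policy_ref = props.get("firewallPolicy", {}).get("id")
        if not policy_ref:
            findings.append(("high", f"{fw['name']}: not managed by a firewall policy (classic rules)"))
            continue
        policy = find(resources, policy_ref)
        if policy is None:
            findings.append(("high", f"{fw['name']}: attached policy {policy_ref} not found"))
            continue
        pprops = policy["properties"]
        fw_ips = {c["properties"].get("privateIPAddress") for c in props.get("ipConfigurations", [])}
        proxy_on = pprops.get("dnsSettings", {}).get("enableProxy", False)
        # Step 2 + step 7: VNet DNS aimed at the firewall needs DNS proxy enabled.
        for vnet in by_type(resources, "Microsoft.Network/virtualNetworks"):
            servers = set(vnet["properties"].get("dhcpOptions", {}).get("dnsServers", []))
            if servers & fw_ips and not proxy_on:
                findings.append(("high", f"{vnet['name']}: DNS points at {fw['name']} but policy "
                                         f"{policy['name']} has DNS proxy disabled"))
        # Step 8: threat intelligence. ARM defaults the mode to Alert when unset.
        mode = pprops.get("threatIntelMode", "Alert")
        if mode == "Off":
            findings.append(("medium", f"{policy['name']}: threat intelligence is Off"))
        elif mode == "Alert":
            findings.append(("low", f"{policy['name']}: threat intelligence is alert-only, not Deny"))
        # Hierarchy: a policy attached to an app team's firewall should inherit a base policy.
        if pprops.get("basePolicy", {}).get("id") is None:
            findings.append(("low", f"{policy['name']}: root policy with no base policy overlay"))
    return findings


def hardened(resources):
    """The same set with the two mistakes fixed, for comparison."""
    fixed = copy.deepcopy(resources)
    policy = find(fixed, POLICY_ID)
    policy["properties"]["dnsSettings"]["enableProxy"] = True
    policy["properties"]["threatIntelMode"] = "Deny"
    return fixed


if __name__ == "__main__":
    for sev, msg in assess(SAMPLE):
        print(f"[{sev}] {msg}")
    print("after fix:", assess(hardened(SAMPLE)))
```

The same checks can be pointed at real output from the Azure CLI or an ARM/Bicep export, since those carry the same property names; the sample set here is only there so the script runs offline.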

Pricing

https://azure.microsoft.com/en-us/pricing/calculator/?service=firewall-manager

Conclusion

Azure Firewall Manager helps to enforce security baseline rules across Azure Firewall instances. Before adopting it, assess how many policies are required, how many Azure Firewall instances are required, and how to keep the cost under control.


Written by Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal
