Azure Firewall Public IP Addresses

Overview

• What’s Azure firewall?

Azure Firewall is a managed cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

• Why need multiple IP addresses

When you add more public IP addresses to your firewall, more SNAT ports are available, reducing the SNAT ports utilization. Additionally, when the firewall scales out for different reasons (for example, CPU or throughput) additional SNAT ports also become available. So effectively, a given percentage of SNAT ports utilization may go down without you adding any public IP addresses, just because the service scaled out. You can directly control the number of public IP addresses available to increase the ports available on your firewall. But, you can’t directly control firewall scaling.

Based on Azure official document, the minimum Azure firewall subnet size is /26. In order to support more outbound traffic from Azure firewall, you could either allocate a bigger CIDR to allow the service to scale out, or associate more public IP to the service. For more information about Azure standard load balancer SNAT port allocation, refer to https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#preallocatedports

For this article, we will discuss more on Azure firewall multiple public IP addresses.

System Diagram

Design Options

• Individual IP
• IP from IP prefix

When you create public IP, there are two options, create each individual public IP address, or first create IP prefix, then create pip based off the prefix.

You don’t have to use IP prefix, but if you have any downstream filtering on your network, for example, route traffic to SAAS which requires source IP restriction, you need to allow all public IP addresses associated with your firewall, it will simplify operation or maintenance to utilize IP prefix.

A public IP address prefix is a reserved range of IP addresses in Azure. When you assign addresses to your resources from a public IP address prefix, firewall rule updates aren’t required. The entire range is added to the rule.

Be aware of the product limits, Azure firewall can have up to 250 pip, https://docs.microsoft.com/en-us/azure/firewall/features#multiple-public-ip-addresses

IP prefix length is /28 network or 16 IP addresses.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#networking-limits

Deployment

Example #1, use ARM template to create a brand new Azure firewall with one public IP.

Example #2, Add two more public IP addresses from IP prefix to the existing Azure firewall.

Public IP Prefix shows two consecutive IP addresses are allocated.

The two new public IP addresses are added to Azure firewall IP configuration.

Azure Monitor Metric

• Workload

In order to generate Azure firewall metrics, you need some actual workload. I setup an environment to run the workload, more detail can be found from https://cloudjourney.medium.com/azure-firewall-and-standard-load-balancer-4466272d6466

To produce more workload, I have multiple terminals to logon to an Azure vm, and run following commands.

for ((;;)); do curl -s x.x.219.91?[1-100];done
for in in {1..100000}; do curl -s x.x.219.91?[1..100]; done

Besides http traffic, also create traffic on other tcp port, this traffic goes through Azure firewall as well, so you add a network rule in Azure firewall to allow load balancer destination x.x.219.91:33893.

for ((;;)); do echo quit| telnet x.x.219.91 33893;done

• Analyze, Visualize and Alert

In metrics explorer, adding two metrics, SNAT port utilization and Firewall health state.

In dashboard, shows two metrics.

Register resource provider Microsoft.AlertsManagement if you haven’t done it. Create alert and set the condition to whenever max SNAT port utilization is over 25%.

Alert is fired as expected when the metric goes over the threshold.

• Export

Once the metrics are sent over to log analytics workspace, you will be able to query the metrics data, keep in mind, there is lag before the data is available, in my environment, it’s more than five minutes.

Here is one example query, showing the max SNATPortUtilization goes up around 50%, then goes down.

• Azure Firewall Workbook

Besides metrics explorer and Azure dashboard, workbook is another way to visualize Azure firewall metrics data.
Create a workbook to combine with multiple sets of data in an interactive report.

Workbook can be created via ARM template, or import gallery template via portal in workbook editing blade.

You may utilize the github Azure firewall workbook. This workbook allows you to filter your Firewalls and Resource Groups, provides report or chat on throughput, SNAT port utilization, application rule log statistics, network rule log statics, DNS proxy logs and ThreatIntel logs.

https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Azure%20Monitor%20Workbook

• Microsoft Azure document for metrics

https://docs.microsoft.com/en-us/azure/firewall/logs-and-metrics#metrics

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-metrics

Monitor logs using Azure Firewall Workbook

References

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#preallocatedports (explicit outbound rule or automatic allocation)