In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011
Azure Firewall pricing
Azure Firewall Standard
- Stateful firewall as a service
- Built-in high availability with unrestricted cloud scalability
- Centralized network and application level connectivity policy
- Threat intelligence-based filtering
- Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways
Azure Firewall Premium (Public Preview)
- Built-in TLS Inspection for customer’s selected encrypted applications
- Ability to detect and block malicious traffic through advanced IDPS engine
- Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
- Web Categories provide enhanced content filtering capabilities
- IDPS signatures and Web categories are fully managed and constantly updated
Initial I setup a Azure Firewall premium
Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.
As you can see there is an option standard or premium and use the Firewall policy or the Classic. In premium there is no classic any more the only option is firewall policy.
Choosing the Premium and the option firewall management is gray out.
As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .
Keep in mind that the firewall must be in the same resource group as your vnet.
Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place
# Create the firewall
$Azfw = New-AzFirewall `
-Name $FirewallName `
-ResourceGroupName $rgNamevnet `
-Location $Location `
-VirtualNetworkName $VnetName `
-PublicIpName $pip01 `
Now that The Firewall I created We can see the policy’s attached in the Firewall manager.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
Firewall Manager can provide security management for two network architecture types:
Secured virtual hub
An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.
Hub virtual network
This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.
So now that the firewall is in place and we already had an policy attached but you can change that real quick.
Go to the Firewall blade and her you can see the policy and change it directly
Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet
Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s
Looking at the firewall policys from here you can add them to a hub or a vnet
here you see an overview of the firewall policy’s
When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.
Adding the Policy to a network,
The firewall manager blade with all the rules and options
You can add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group
Also new is the application rules here you can set web category’s that are allowed or denied.
using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD
Setting up the web categories is easy selectable in the destination type. and then select one or multiple.
Remember the naming if you want to find this later in your rules, keep it clean and neat
Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that
Removing the Firewall does not mean that you will loose the policy’s or removing the policy and loose the firewall unless…
Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached
Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile