Cloud service providers make their resources available to users over the public internet. While this ensures that the services are available to everyone, the fact that the internet is accessible to anyone also exposes workflows in the cloud to attackers. Security in the cloud is, therefore, critical, and special attention is needed to make sure that it is not breached.
In this blog about cloud security, we will discuss Azure Firewall through the following topics.
What is Azure Firewall?
According to the Shared Responsibilities for Cloud Computing, while Microsoft is responsible for maintaining the security of the infrastructure on which their cloud runs, users are also responsible for the resources that they use on the cloud. Users are, thus, required to make use of services that ensure the security of the resources on the cloud.
There are measures to tackle security challenges in the cloud as well, much like the firewall on your Windows PC that you might have encountered, on multiple occasions, warning you that it has blocked an application it deemed a threat from accessing the network.
Azure Firewall is one such network security service from Microsoft Azure; it monitors network activity on the cloud and takes action against unwanted traffic.
Since Azure Firewall is a cloud-based service, it can be made highly available and scaled up as and when required. Azure Firewall is also integrated with Azure Monitor, so the latter's logging and analytics capabilities can be used to maintain strict security.
Azure Firewall gives a unified solution to create and enforce policies for secure network connection across services and subscriptions in Azure.
There is also an Azure Web Application Firewall that is specific to Application Gateway in Azure. While Azure Firewall guards the whole cloud network against exploitation, Azure Web Application Firewall works specifically to protect web apps against vulnerabilities.
Features of Azure Firewall
The features of Azure Firewall that make it stand out are:
- High availability: No extra configuration or additional services are required for Azure Firewall. It has very high uptime and is fully managed.
- Availability zones: A firewall can be made available across multiple availability zones, or it can be restricted to particular zones based on your requirements. There is no additional charge for this; however, data transfer rates can change depending on the zones.
- Scalability: The firewall can be scaled for adjusting to the varying network requirements.
- Traffic filtering rules: Rules can be specified based on IP address, ports, etc., for allowing or preventing connections. Azure Firewall can distinguish among packets from different connections and enforce the rules to allow or deny them.
- FQDN tags: Fully qualified domain name (FQDN) tags can be given to trusted sources that need to be allowed through the firewall. Rules created on the basis of these tags let traffic to the qualified domains pass through.
- Service tags: These are labels that indicate a range of IP addresses for Azure Key Vault, Container Registry, and other services. These are Microsoft-managed and cannot be changed. The firewall allows filtering rules based on these.
- Threat intelligence: Microsoft maintains a threat intelligence feed that lists sources and domains deemed malicious. Based on this feed, Azure Firewall can deny such connections or alert the users.
- Multiple public IP addresses: Multiple IP addresses, up to 250, can be added to Azure Firewall. This enables the features of DNAT and SNAT in your firewall.
- Azure Monitor logging: Azure Firewall is tightly integrated with Azure Monitor. Hence, all events are logged and these logs can be archived to storage accounts or streamed to event hubs, etc.
- Web categories: The administrators can allow or deny access to certain websites based on the category to which they belong. This can be social media websites, gaming websites, and others.
- Certifications: Payment Card Industry (PCI), Service Organization Controls (SOC), International Organization for Standardization (ISO), and ICSA Labs certifications are all available for Azure Firewall.
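As an added example (not code from the original post), here is a Bicep template for an Azure Firewall policy that turns three of the features above into configuration: threat-intelligence filtering set to deny, a DNAT rule on a public IP, and an application rule keyed on an FQDN tag. The resource names, the 10.0.0.0/16 and 10.0.1.4 addresses and the firewallPublicIp parameter are assumed values for illustration.

```bicep
param firewallPublicIp string // assumed: public IP already attached to the firewall
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fw-policy-example'
  location: resourceGroup().location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny' // deny, rather than only alert on, sources in Microsoft's threat-intelligence feed
  }
}
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection' // DNAT: publish an internal web server on the firewall's public IP, port 443 only
        name: 'dnat-web'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'inbound-https'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '443' ]
            translatedAddress: '10.0.1.4' // assumed private address of the web server
            translatedPort: '443'
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection' // application rule: the FQDN tag stands in for the full list of Windows Update hostnames
        name: 'allow-windows-update'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'windows-update'
            sourceAddresses: [ '10.0.0.0/16' ] // assumed workload subnet range
            fqdnTags: [ 'WindowsUpdate' ]
          }
        ]
      }
    ]
  }
}
```

Traffic that matches neither collection is dropped by default, so the policy only opens what is listed, and every allow or deny is visible in the Azure Monitor logs described above.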
Azure Firewall vs NSG
First of all, you need to know what an NSG is. NSG stands for network security group; it can be used in filtering network traffic in the Azure cloud. NSG contains rules based on IP addresses, ports, etc., which can allow or deny connections to and from Azure Resources.
Azure Firewall and NSG seem pretty similar; so, let us compare them side by side.
| Feature | Azure Firewall | NSG |
| --- | --- | --- |
| Rule-based filtering | Firewall supports rule-based filtering | NSG also supports rule-based filtering |
| FQDN tags | Firewall supports FQDN tags | NSG does not support FQDN tags |
| Service tags | Firewall supports service tags | NSG also supports service tags |
| Threat-intelligence-based filtering | Firewall supports threat-intelligence-based filtering | NSG does not support threat-intelligence-based filtering |
| Destination and source network address translation (DNAT and SNAT) | Firewall supports DNAT and SNAT | NSG does not support DNAT and SNAT |
| Azure Monitor integration | The firewall is well integrated with Azure Monitor | NSG also has Azure Monitor integration |
From the comparison, it can be seen that NSG lacks some features that Azure Firewall has, which makes Azure Firewall a more robust solution for cloud security.
Even though NSG lacks a few features, Azure Firewall and NSG are not mutually exclusive; they can complement each other in providing the best protection for your Azure cloud resources.
Azure Firewall Limitations
Even though Azure Firewall is a rich and robust service, it still has some limitations:
- Although it supports threat-intelligence-based filtering, Azure Firewall does not have IPS support, which many organizations require.
- Azure Firewall uses public DNS servers to look up domains, and it cannot be configured to use internal DNS servers.
- Azure Firewall can also be costly for some businesses.
Azure Firewall Pricing
Azure Firewall is available in standard and premium tiers, and the pricing can change based on the region.
In the central US, for the deployment of a firewall, Azure Firewall costs $1.25 per deployment hour for the standard tier and $0.875 per deployment hour for the premium tier. The cost for data processing is $0.016 per GB for the standard tier and $0.008 per GB for the premium tier.
In central India, for the deployment of a firewall, Azure Firewall costs ₹90.057 per deployment hour for the standard tier and ₹63.040 per deployment hour for the premium tier. The cost for data processing is ₹1.153 per GB for the standard tier and ₹0.577 per GB for the premium tier.
Conclusion
Azure Firewall provides a one-stop solution for your cloud network security needs. It has a wide range of features that make it a robust firewall for your resources in Azure.