Why Choose the Azure Firewall over a Virtual Firewall Appliance?

In this post, I will explain why you should choose Azure Firewall over third-party firewall network virtual appliances (NVAs) from the likes of Cisco, Palo Alto, Check Point, and so on.

Microsoft’s Opinion

Microsoft has a partner-friendly line on Azure Firewall versus third-parties. Microsoft says that third-party solutions offer more than Azure Firewall. If you want you can use them side-by-side.

Now that’s out of the way, let me be blunt … like I’d be anything else! 😊

The NVA Promise

At its base, a firewall blocks or allows TCP/UDP/etc. traffic and does NAT. Some firewalls offer a “security bundle” of extra features such as:

  • Malware scanning based on network patterns
  • Download scanning, including zero-days (detonation chamber)
  • Browser URL logging & filtering

But those cool things either make no sense in Azure or are just not available from the NVA vendors in their cloud appliances. So what you are left with is central logging and filtering.

Documentation

With the exception of Palo Alto (their whitepaper for Azure is very good – not perfect) and maybe Check Point, the vendors have pretty awful documentation. I’ve been reading a certain data centre mainstay’s documents this week and they are incomplete and rubbish.

Understanding of Azure

It’s quite clear that some of the vendors are clueless about The Cloud and/or Azure. Every single vendor has written docs about deploying everything into a single VNet – if you can afford NVAs then you are not putting all your VMs into a single VNet (see hub & spoke VNet peering). Some have never heard of availability zones – if you can afford NVAs then you want as high an SLA as you can get. Most do not offer scale-out (active/active clusters) – so a single VM becomes your bottleneck on VM performance (3000 Mbps in a D3_v2). Some don’t even support highly available firewall clusters – so a single VM becomes the single point of failure in your entire cloud network! And their lack of documentation or understanding of VNet peering or route tables in a large cloud deployment is laughable.

The Comparison

So, what I’m getting at is that the third-party NVAs suck. Azure Firewall isn’t perfect either, but it’s a true cloud platform service and it is improving fast – just last night Microsoft announced Threat Intelligence-Based Filtering and Service Tags Filtering (this appeared recently). I know more things are on the way too 😊

Here is my breakdown of how Azure Firewall stacks up against firewall NVAs:

| Area | Azure Firewall | NVA |
| --- | --- | --- |
| Deployment | Platform | Linux VM + Software |
| Licensing | Consumption: instance + GB | Linux VM + Software |
| Scaling | Automatic | Add VMs + Software |
| Ownership | Set & monitor | Manage VM / OS / Software |
| Layer-7 | Logging & filtering | Potentially* deep inspection |
| Networking | 1 subnet & PIP | 1+ subnets & 1 PIP |
| Complexity | Simple | Difficult |

I know: you laugh when you hear “Microsoft” and “Firewall” in the same sentence. You think of ISA Server. Azure Firewall is different. This is baked into the fabric of Azure, the strategic future of Microsoft. It is already rapidly improving, and it does more than the third parties.

Heck, what does the third party offer compared to NSGs? NSGs filter TCP/UDP, they can log to a storage account, you can centrally log using Event Hubs, and you can do advanced reporting/analysis using NSG Flow Logs with Azure Monitor Logs (Log Analytics). Azure Firewall takes that another step with a hub deployment, an understanding of HTTP/S, and it now uses machine learning for dynamic threat prevention!

My Opinion

Some people will always prefer a non-Microsoft firewall. But my counter would be, what are you getting that is superior – really? With Azure Firewall, I create a firewall, set my rules, configure my logging, and I’m done. Azure Firewall scales and it is highly available. Logging can be done to storage accounts, event hubs (SIEM), and Azure Monitor Logs. And here’s the best bit … it is SIMPLE to deploy and there is almost no cost of ownership. Compare that to some of the HACK solutions from the NVA vendors and you’d laugh.
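The central logging the post describes is only useful if you actually read the logs. As an added example (not code from the post or from Microsoft), here is a small parser for the `msg` string Azure Firewall emits per decision in its network-rule and application-rule log categories, following the message shapes Microsoft documents; the log lines themselves are constructed for the example, and the `denied_by_source` summary is one view a hub firewall gives you across every spoke routed through it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Documented message shapes (values below are constructed samples):
#   "TCP request from 10.0.0.4:52123 to 10.1.0.4:3389. Action: Allow"
#   "HTTPS request from 10.0.0.4:55640 to www.bing.com:443. Action: Allow.
#    Rule Collection: coll1. Rule: rule1"
#   "HTTPS request from 10.0.0.5:53344 to evil.example:443. Action: Deny.
#    No rule matched. Proceeding with default action"
MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
    r"(?:\. Rule Collection: (?P<coll>[^.]+)\. Rule: (?P<rule>[^.]+))?"
)


@dataclass
class FirewallEvent:
    proto: str
    src: str
    sport: int
    dst: str          # IP for network rules, FQDN for application rules
    dport: int
    action: str       # Allow / Deny
    rule: Optional[str]  # "collection/rule" when a rule matched, else None


def parse_msg(msg: str) -> Optional[FirewallEvent]:
    """Parse one firewall log message; return None for unrecognised lines."""
    m = MSG_RE.match(msg.strip())
    if not m:
        return None
    rule = f"{m['coll']}/{m['rule']}" if m['coll'] else None
    return FirewallEvent(m['proto'], m['src'], int(m['sport']),
                         m['dst'], int(m['dport']), m['action'], rule)


def denied_by_source(messages: Iterable[str]) -> dict:
    """Count Deny decisions per source IP across all spokes' traffic."""
    counts = Counter()
    for msg in messages:
        ev = parse_msg(msg)
        if ev and ev.action == "Deny":
            counts[ev.src] += 1
    return dict(counts)


SAMPLE = [  # constructed sample log messages
    "TCP request from 10.0.0.4:52123 to 10.1.0.4:3389. Action: Allow",
    "HTTPS request from 10.0.0.4:55640 to www.bing.com:443. Action: Allow. Rule Collection: coll1. Rule: rule1",
    "UDP request from 10.0.0.5:40001 to 198.51.100.7:53. Action: Deny",
    "HTTPS request from 10.0.0.5:53344 to evil.example:443. Action: Deny. No rule matched. Proceeding with default action",
]
```

Feed it the `msg_s` column exported from Log Analytics or the `msg` field from an Event Hub record and the same summary works on real data.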

The Azure Firewall was designed for The Cloud. It was designed for the way that Azure works. And it was designed for how we should use The Cloud … at scale. And that scale isn’t just about Mbps, but in terms of backend services and networks. From what I have seen so far, the same cannot be said for firewall NVAs. For me, the decision is easy: Azure Firewall. Every time.

24 thoughts on “Why Choose the Azure Firewall over a Virtual Firewall Appliance?”

  1. I like that you’re being honest and blunt (read: unbiased) in your opinions and definitely think you are right in this case. Keep writing! 🙂

  2. Very well said, keep up the good work. I definitely agree that Azure Firewall is the way to go. NVAs carry additional overhead in the cloud for nothing.

  3. Palo Alto firewalls offer way way more than MS Azure firewalls, the most important difference is that PaloAlto FWs are true application based firewall and not just layer 4 firewalls.

    1. What exactly do the Palo Alto virtual appliances in Azure offer that is more than the Azure Firewall? Do they use more than core 0 for processing – not so, according to Checkpoint. Do they offer zero maintenance? Nope. Do they offer config sync between clustered appliances – no brand does yet that I have found. And will they improve at the same speed as the Azure Firewall?

    2. Microsoft has Azure App Gateway for layer 7 application-level filtering load balancer. You don't need a firewall to do everything. App Gateway can also protect from internal attacks.

      1. Not 100% true. Yes, it has a role beside the Azure Firewall, but Azure Firewall plays a role in anything larger than a point solution, especially in hub & spoke architectures. Not everything is HTTPS, and bad guys (once in) aren’t going to limit themselves to HTTPS either.

  4. I do not understand the comment “… it is SIMPLE to deploy and there is almost no cost of ownership” My calculator puts the Azure firewall cost at $912.50/month. What am I doing wrong?

  5. Thanks Aidan, Really interesting read. I’ve been looking at some of your other posts on creating an Azure DMZ and wondering if I would be able to use Azure Firewall instead of an NVA for additional security besides NSG’s ? So far I’m impressed with what I’ve seen from Azure firewall and think it makes sense from an Azure cloud perspective. I’m thinking about implementing your design from the bottom of this post but with Azure firewall if possible ? https://www.petri.com/designing-a-dmz-for-azure-virtual-machines

    1. Yeah, you can use Azure Firewall to do that – I do. Note that NSGs still provide basic Layer-4 security and Traffic Analytics (with Log Analytics Workspace) for protected subnets/VNets. And no matter what firewall service/appliance that you use, you better get comfortable with routing first: https://aidanfinn.com/?p=21480

  6. Very confused with this statement:
    “But those cool things either make no sense in Azure or are just not available from the NVA vendors in their cloud appliances.”

    Pretty sure a Palo Alto Firewall has those functions even when deployed in Azure and why would it not make sense? In the end of the day, isn’t running IaaS VM in Azure just running VMs in another data center? With ExpressRoute connectivity to on-prem and workloads publicly exposed, I would think those similar level of protection should be applied to the entire network?
    I am really trying to understand what you mean by ‘those cool things make no sense’? What am I missing that is making Azure different from any data center?

    1. So far, I’ve seen very little beyond basic filtering being enabled in NVAs. And things like IDS, etc, I’d rather run across the entire subscription (Azure Security Center Std) than a single appliance.

      1. With a Palo Alto you get a fully functional NVA as you can use on-premises as a virtual machine. The cluster also has a sync-config (2 node appliance). However, if an appliance goes down, you have about 2 minutes of downtime until the public-ip is bound to the other NIC.

        It just depends on the security requirements of the company. I’m of the opinion that classic Layer 4 firewalls don’t bring anything nowadays. In an attack the data will be transported to the outside via e.g. the DNS port. A Layer 4 firewall allows such a connection while a full NVA detects these packets and blocks the non-DNS traffic.
        Likewise, you may not want your IaaS service (VMs) to be able to establish HTTP/HTTPS connections directly to the outside without inspection. At least this is the case with almost all enterprise customers. Also the Azure Firewall does not offer vulnerability scanning for non-Azure services (except for web applications -> Application GW). As you can see, an NVA has its right to exist. You can also connect your NVA to a SIEM solution (Sentinel).

        Both solutions have their advantages and disadvantages.

        1. For Layer-7, we use Azure WAF. That saves the precious 1 core of compute that might be available in a Palo Alto NVA (source: CheckPoint) 🙂 And Azure Firewall natively plugs into Azure Sentinel. And we don’t need to deploy ServiceBus or any other junk that needs to be maintained – we simply create a HA firewall and it automatically scales without long-term or expensive burst licensing.

          1. So what you’re saying is that you need to use additional products to make sure the network is fully protected. That the Azure firewall, on its own, isn’t good enough?

            Therefore, wouldn’t a fairer cost comparison also include the costs of the application gateway with a WAF? As that wouldn’t necessarily be required with a Palo Alto.

            The other aspect is that the documentation on using the app gateway with WAF and the Azure FW is non-existent. I’m sure it’s straightforward, but where’s the docs to show ref architecture? It doesn’t exist as far as I can tell.

            If the Azure FW was ‘cheap’ I’d give it the benefit of the doubt, but it isn’t really. It’s a great idea, but it’s not mature enough yet.

          2. I am not saying that. My argument is that if you want to run Dev/Sec/Ops, you run Azure Firewall for traditional networking and a WAF (Azure WAF) for hosted Layer-7 HTTPS services.

  7. I’m not sure I get the objections to the advanced features of firewalls like Palo Alto. How can they “…make no sense in Azure”?

    Surely, services deployed in Azure still require the advanced protection that firewalls like Palo Alto offer? I’ve nothing against Azure FW, it’s a breeze to deploy and manage. But that shouldn’t ever be the only consideration.

    Azure FW is okay, but it definitely needs other stuff working with it to meet many of the features most security guys I know would insist on.

    So features like threat protection, Drop v deny, protocol validation, URL category filtering etc are all useful features that many enterprises insist on and as far as I know not yet available in Azure FW.

    I don’t think it’s fair to just dismiss these as not required in cloud environments.

  8. Microsoft has priced Azure Firewall too high for businesses to make it a default deployment option, and that’s a shame. With blueprints, ARM templates, CAF Terraform, etc. all maturing into excellent boilerplate cloud infrastructures, AZFW should have been the de facto standard. Instead, we have a hodgepodge of NVAs, VPN Gateways, and foolish customers with no protection at all. I’m all for free markets and making a profit, but I don’t think Microsoft has struggled in that department. Hopefully, they’ll reconsider the $1K per year deployment charges soon.

  9. So, to start, obviously AndyC works for Palo… lol As for pricing, have you ever priced a Palo NVA with ALL the licensing costs for ALL those juicy PAN features and subscription services???
