Reasons To Use A Third Party Firewall In Azure

In this post, I will go through some of the reasons that one might use to choose a third-party firewall network virtualization appliance (NVA) in Azure instead of the Azure Firewall.

You can read my take on choosing the Azure Firewall here.

Management

Let’s say you use Firewall X for your on-premises network(s). You have two things:

  • A skillset
  • A management tool

Maybe you want to re-use those? Let’s talk about that reasoning.

You have developed skills over the years to manage and troubleshoot Firewall X – well done! And now you want to bring those skills to Azure. At first, that seems logical. But what if I told you that there was an alternative that had the same functionality as (if not more than) Firewall X, scaled better than Firewall X, and was so easy that I could teach you to fully use it in 15 minutes? Hmm. Those years of skills don’t really make much sense now, do they?

Centralized management – I’ll give you some credit here. Azure Firewall does not have this right now. If I have 4 Azure Firewalls spread around the globe, I do not have 1 management experience. I have identical configuration experiences, but the global configurations have to be replicated – you could script that or use JSON templates. That’s not the same as using a GUI and saying “push this rule to the following 4 firewalls”. But let me ask you this: is this one feature genuinely a business reason to choose a third-party that has an unstable design and limited performance, high availability (if it even has it) or scale-out (most don’t even have this)?

Trust

“You want me to use a MICROSOFT firewall?”. Get over yourself. You’re in Azure and you’re going to be relying on Microsoft security all over the place. Grab your Sony Walkman and return back to whatever decade you came from.

Client VPN

Now we’re talking about something I can genuinely agree with – to a point. Azure sucks at end-user VPN. Azure’s approach is that you should be changing the user experience to using HTTPS (TLS) connectivity to web apps or Citrix/RDS gateways. But time and again, I do encounter customers who want/need VPN. Windows Server mysteriously does not support any of its user connectivity in Azure. And the Azure VPN Gateway has a limited and unsatisfying user VPN experience. So if you want to use a modern “SSL” VPN client with a third-party firewall, I can understand that. BUT, I would limit that appliance to that role. I just cannot stand the mess to get HA working with some of the third party NVAs (if they bother documenting) and the near-absence of scale-out for performance. I would still use Azure Firewall for the firewall 😊

Emotion

And that’s what you have left. And that’s not a valid business reason.

Brand

I’ve done a good bit of reading. So far the only brand of third-party NVA that I would consider myself for an edge/central firewall deployment is Palo Alto – but I’d rather use Azure Firewall over it anyway! All of the third-party solutions are compromised in some way:

  • Don’t do active-active clustering (scale-out)
  • Don’t even offer HA!
  • Have hack solutions (“we’ll edit your route tables for you”) for failover that you know will do more damage than an outage
  • Their documentation pure stinks
Please follow and like us:

4 Replies to “Reasons To Use A Third Party Firewall In Azure”

  1. Performance and Redundancy are indeed very important for your production operations but from a pure security features and capabilities the Azure firewall is still a baby considering other 3rd party vendors like Check Point Software Technologies that has been building security products for the last 25 years!
    Another reason to strongly consider using 3rd party NVA’s is the multi-cloud and Hybrid cloud approach which most organizations are implementing. The Azure Firewall will probably not be able to protect my AWS, GCP, OCI, NSX, ACI deployments while a 3rd party NVA could!
    Unified management (which was mentioned by you) becomes even a stronger argument when Multi-Clouds and Hybrid Clouds are involved

    The company I work for (Check Point) has those capabilities and more

  2. Thanks Aidan for another great post!
    I’m feeling very frustrated with Azure P2P VPN options. We have a Expressroute and the Azure P2P can’t work with this due to Gateway transit restrictions allowing only one gateway on a vnet peer and p2p VPN and Expresroute won’t work on single Vnet. RRAS feature not supported in Azure so this leaves me with 3rd party NVA which I would rather not use 🙁

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.