Speaker: Yair Tor, Principal Program Manager
Azure Firewall
Cloud native stateful firewall as a service. A first among public cloud providers.
- Central governance of all traffic flows
- Built in high availability and auto scale
- Network and application traffic filtering
- Centralized policy across VNets and subscriptions
- Complete VNet protection
- Filter outbound, inbound, spoke-spoke
- Centralized logging
- Best for Azure
Key Features
- Application Rules
- Fully stateful network rules
- NAT support
- Threat Intelligence (GA this week)
- Monitoring
- Support for inbound and hybrid connections
- Network Watcher integration
Azure Firewall Updates
- Recently released
- Multiple public IPs GA – up to 100
- Availability zones now GA (99.99% SLA)
- Threat Intelligence based filtering now GA
- Azure HDInsight (HDI) FQDN tag GA
- TDS (SQL) FQDN filtering in Preview
- Sovereign Clouds
- US Gov
- China
- Coming soon: tentative ETA H2 CY 2019
- FQDN filtering for all ports and protocols
- Native forced tunnelling support
- IP groups in Azure Firewall rules – coming to NSG and UDR too.
Azure Firewall Manager – See Previous Post
Preview
- Central deployment and configuration
- Automated routing
- Advanced security with 3rd party SECaaS
Roadmap:
- Virtual network support – this is the legacy form of Azure Firewall that is not the new Azure vWAN Hub Azure Firewall.
- Split routing
Public Preview
- Extend your security edge to Azure with Secured Virtual Hubs.
- A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.
- Easily create hub-and-spoke architectures with cloud native security services for traffic governance and protection.
- Azure Firewall now integrated with Virtual WAN Hubs.
- Secured virtual hub can be used as a managed central network with no on-prem connectivity.
- There is no resource called Secured Virtual Hub – it’s more of a deployment/concept. If you did a JSON deployment, it would use legacy resources.
Getting Started with Secured Virtual Hubs
One method:
- Create your hub and spoke architecture
- Select security providers: Done by secured virtual hub creation or by converting a Virtual WAN hub to a secured virtual hub.
- Create a firewall policy and associate it with your hub: applicable only if using Azure Firewall
- Configure route settings on your secured hub to attract traffic: Easily attract traffic to the firewall from the spoke VNets – BGP!
Demo
Network rules are always processed before application rules in Azure Firewall. A child policy that inherits from a parent policy cannot allow traffic that the parent policy denies.
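The two evaluation rules noted from the demo, modelled as an added example (not Azure code or the speaker's material): a constructed, simplified evaluator that runs the whole network phase before the application phase and the parent policy's rules before the child's, with first match terminating and implicit deny otherwise. Policy names, address ranges and FQDNs are made up.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the two statements in the notes above:
# network rules run before application rules, and a parent's rules are
# evaluated before the child's, so a child cannot allow what the parent denies.

@dataclass
class NetworkRule:
    action: str      # "Allow" or "Deny"
    dest_cidr: str   # destination address range
    dest_ports: set  # destination TCP/UDP ports
    def matches(self, flow):
        return (ip_address(flow["dst_ip"]) in ip_network(self.dest_cidr)
                and flow["dst_port"] in self.dest_ports)

@dataclass
class ApplicationRule:
    action: str
    target_fqdns: set
    def matches(self, flow):
        return flow.get("fqdn") in self.target_fqdns

@dataclass
class FirewallPolicy:
    name: str
    parent: "FirewallPolicy | None" = None
    network_rules: list = field(default_factory=list)
    application_rules: list = field(default_factory=list)
    def chain(self):
        # Parent first, so the parent's decision always precedes the child's.
        return (self.parent.chain() if self.parent else []) + [self]

def evaluate(policy, flow):
    """Return (action, policy name, rule kind) of the first terminating match."""
    for kind in ("network", "application"):  # whole network phase runs first
        for p in policy.chain():
            rules = p.network_rules if kind == "network" else p.application_rules
            for rule in rules:
                if rule.matches(flow):
                    return rule.action, p.name, kind
    return "Deny", None, "implicit"

# Constructed hierarchy: base policy denies RDP into 10.0.0.0/8; the team
# policy inherits it and tries to allow RDP and HTTPS there anyway.
parent = FirewallPolicy("corp-base", network_rules=[NetworkRule("Deny", "10.0.0.0/8", {3389})])
child = FirewallPolicy("app-team", parent=parent,
                       network_rules=[NetworkRule("Allow", "10.0.0.0/8", {3389, 443})],
                       application_rules=[ApplicationRule("Allow", {"www.microsoft.com"})])
```

Evaluating `child` against an RDP flow into 10.0.0.0/8 returns the parent's Deny even though the child allows it, while HTTPS into the same range is allowed by the child's network rule without any application rule being consulted.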
Central Security and Route Policy Management
- Deploy and configure multiple Azure Firewall instances
- DevOps optimized hierarchical Azure Firewall Policies
- Centralized routing configuration
GA Pricing
- Preview has 50% discount
- Azure Firewall in secure virtual hubs will be the same price as normal Azure Firewall
- $100 per policy for policies that are associated with multiple hubs. No cost with policies associated with single hubs.
- Fixed fee for outbound VPN to SECaaS partners in addition to a VPN scale unit charge.