{"id":21486,"date":"2019-03-11T13:32:14","date_gmt":"2019-03-11T13:32:14","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=21486"},"modified":"2019-03-12T09:22:20","modified_gmt":"2019-03-12T09:22:20","slug":"reasons-to-use-a-third-party-firewall-in-azure","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=21486","title":{"rendered":"Reasons To Use A Third Party Firewall In Azure"},"content":{"rendered":"<p>In this post, I will go through some of the reasons one might give for choosing a third-party firewall network virtual appliance (NVA) in Azure instead of the Azure Firewall.<\/p>\n<p>You can read my take on choosing the Azure Firewall <a href=\"https:\/\/aidanfinn.com\/?p=21469\">here<\/a>.<\/p>\n<h2>Management<\/h2>\n<p>Let\u2019s say you use Firewall X for your on-premises network(s). You have two things:<\/p>\n<ul>\n<li>A skillset<\/li>\n<li>A management tool<\/li>\n<\/ul>\n<p>Maybe you want to re-use those? Let\u2019s talk about that reasoning.<\/p>\n<p>You have developed skills over the years to manage and troubleshoot Firewall X &#8211; well done! And now you want to bring those skills to Azure. At first, that seems logical. But what if I told you that there was an alternative that had the same functionality as (if not more than) Firewall X, scaled better than Firewall X, and was so easy that I could teach you to fully use it in 15 minutes? Hmm. Those years of skills don\u2019t really make much sense now, do they?<\/p>\n<p>Centralized management \u2013 I\u2019ll give you some credit here. Azure Firewall does not have this right now. If I have 4 Azure Firewalls spread around the globe, I do not have 1 management experience. I have identical configuration experiences, but the global configurations have to be replicated \u2013 you could script that or use JSON templates. That\u2019s not the same as using a GUI and saying \u201cpush this rule to the following 4 firewalls\u201d. 
But let me ask you this: is this one feature genuinely a business reason to choose a third-party firewall that has an unstable design and limited performance, high availability (if it even has it) or scale-out (most don\u2019t even have this)?<\/p>\n<h2>Trust<\/h2>\n<p>\u201cYou want me to use a <em>MICROSOFT firewall?<\/em>\u201d Get over yourself. You\u2019re in Azure and you\u2019re going to be relying on Microsoft security all over the place. Grab your Sony Walkman and return to whatever decade you came from.<\/p>\n<h2>Client VPN<\/h2>\n<p>Now we\u2019re talking about something I can genuinely agree with \u2013 to a point. Azure sucks at end-user VPN. Azure\u2019s approach is that you should be changing the user experience to using HTTPS (TLS) connectivity to web apps or Citrix\/RDS gateways. But time and again, I do encounter customers who want\/need VPN. Windows Server mysteriously does not support any of its user connectivity in Azure. And the Azure VPN Gateway has a limited and unsatisfying user VPN experience. So if you want to use a modern \u201cSSL\u201d VPN client with a third-party firewall, I can understand that. BUT, I would limit that appliance to that role. I just cannot stand the mess involved in getting HA working with some of the third-party NVAs (if they bother documenting it) and the near-absence of scale-out for performance. I would still use Azure Firewall for the firewall \ud83d\ude0a<\/p>\n<h2>Emotion<\/h2>\n<p>And that\u2019s what you have left. And that\u2019s not a valid business reason.<\/p>\n<h2>Brand<\/h2>\n<p>I&#8217;ve done a good bit of reading. So far the only brand of third-party NVA that I would consider myself for an edge\/central firewall deployment is Palo Alto &#8211; but I&#8217;d rather use Azure Firewall over it anyway! 
All of the third-party solutions are compromised in some way:<\/p>\n<ul>\n<li>Don&#8217;t do active-active clustering (scale-out)<\/li>\n<li>Don&#8217;t even offer HA!<\/li>\n<li>Have hack solutions (&#8220;we&#8217;ll edit your route tables for you&#8221;) for failover that you know will do more damage than an outage<\/li>\n<li>Their documentation pure stinks<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this post, I will go through some of the reasons one might give for choosing a third-party firewall network virtual appliance (NVA) in Azure instead of the Azure Firewall. You can read my take on choosing the Azure Firewall here. Management Let\u2019s say you use Firewall X for your on-premises network(s). You have &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=21486\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Reasons To Use A Third Party Firewall In Azure&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":18385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[330,170,242,305],"class_list":["post-21486","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-appliance","tag-azure","tag-firewall","tag-nva"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/matt-icons_security-low1.png","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:
\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=21486"}],"version-history":[{"count":2,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21486\/revisions"}],"predecessor-version":[{"id":21488,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21486\/revisions\/21488"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/18385"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=21486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=21486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=21486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}