Azure Firewall is Microsoft's fully managed, highly scalable, highly available firewall-as-a-service offering. In this blog post we will discuss how to deploy and configure Azure Firewall. An

Azure Firewall provides the following features:
- Stateful firewall as a service
- Built-in high availability with unrestricted cloud scalability
- Ability to centrally create, enforce, and log application and network connectivity policies
- Outbound source network address translation (SNAT) support
- Inbound destination network address translation (DNAT) support
- Full integration with Azure Monitor for logging and analytics
- Support for hybrid connectivity over ExpressRoute and VPN
Azure Firewall Pricing (list prices at the time of writing)
- Fixed fee: $1.25 per firewall per hour
- Variable fee: $0.03 per GB processed by the firewall (ingress or egress)
Azure Firewall supports the following rule types:
- Application FQDN filtering rules – limit outbound HTTP/HTTPS traffic to a specific set of FQDNs
- Network traffic filtering rules – centrally create allow/deny rules by source, destination, port and protocol
- FQDN tags – allow traffic to well-known Microsoft online services, like Windows Update, without listing each FQDN
- Outbound SNAT support – all outbound traffic is translated to the firewall's public IP
- Inbound DNAT support – traffic arriving at the firewall's public IP is translated and filtered to a private IP behind the firewall
Application and network rules are stored in a rule collection. A rule collection is a list of rules that share the same priority and the same action (Allow or Deny); you can't mix Allow and Deny rules in a single rule collection. Rules are evaluated in a fixed order: DNAT rule collections first, then network rule collections, then application rule collections. Network rule collections are therefore always processed before application rule collections, and a DNAT rule implicitly allows the translated traffic without needing a separate network rule.
The following configuration is used in this lab:
- A VNet with two subnets – one named AzureFirewallSubnet for the Azure Firewall (the name is mandatory and the subnet must be at least a /26) and another named Corp for workloads such as VMs
- A Windows Server 2016 VM connected to the Corp subnet – VM IP 172.16.1.5
- A route table associated with the Corp subnet, with a default route (0.0.0.0/0) whose next hop is the Azure Firewall's private IP
How to create an Azure Firewall
Creating an Azure Firewall is straightforward: log on to the Azure portal and search for Firewall, or go to All Services > Firewalls > Add.
In this example we also create a VNet along with the firewall; however, you can use an existing VNet as long as it has a subnet named AzureFirewallSubnet (minimum size /26).
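The same deployment done with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. The resource names (resource group fw-lab-rg, region eastus, VNet fw-lab-vnet, public IP fw-lab-pip, firewall fw-lab-fw) are assumed; the address ranges follow the lab layout above. Run Connect-AzAccount first.

```powershell
# Added example: deploy the lab VNet and Azure Firewall with Az PowerShell.
# All names below are assumptions for this example, not from the original post.
$rg       = "fw-lab-rg"
$location = "eastus"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The firewall subnet must be named exactly "AzureFirewallSubnet" and be at least a /26.
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "172.16.0.0/26"
$corpSubnet = New-AzVirtualNetworkSubnetConfig -Name "Corp" -AddressPrefix "172.16.1.0/24"

$vnet = New-AzVirtualNetwork -Name "fw-lab-vnet" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "172.16.0.0/16" -Subnet $fwSubnet, $corpSubnet

# Azure Firewall requires a Standard-SKU public IP with static allocation.
$pip = New-AzPublicIpAddress -Name "fw-lab-pip" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$fw = New-AzFirewall -Name "fw-lab-fw" -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip

# The firewall takes the first usable address of AzureFirewallSubnet (172.16.0.4 with the
# prefix above). This private IP is the next hop the Corp route table will point at, and the
# public IP is what the DNAT rule will listen on.
"Firewall private IP: " + $fw.IpConfigurations[0].PrivateIPAddress
"Firewall public IP:  " + $pip.IpAddress
```

The firewall is created with no rule collections, so once the Corp subnet is routed through it every flow is dropped until the DNAT, network and application rules below are added.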

Once the firewall is created, you will find a Public

Now we will configure a DNAT rule to allow RDP access to a VM behind the firewall (the VM has no public IP address). With this rule we connect to the firewall's public IP on port 3389 and the firewall translates the connection to the VM's private IP. Restrict the rule's source addresses to your own management IPs rather than using *; a DNAT rule publishes RDP on the firewall's public IP to every source it lists, and the translated traffic is allowed implicitly without any further network rule.
Firewall > Rules

Configure a route table with a default route (0.0.0.0/0, next hop type Virtual appliance) that forwards all traffic from the Corp subnet to the Azure Firewall's private IP, 172.16.0.4.

Once the route table is associated with the VM subnet, the firewall rules kick in and, because no rule allows anything yet, there won't be any outbound internet access.
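The DNAT rule and the route table as an added Az PowerShell example (not from the original post). It assumes the firewall fw-lab-fw, public IP fw-lab-pip and VNet fw-lab-vnet exist in resource group fw-lab-rg, and uses 203.0.113.10 as a placeholder for the administrator's public IP; the VM address 172.16.1.5 and firewall private IP 172.16.0.4 are those of the lab.

```powershell
# Added example: DNAT rule for RDP plus the default route that steers the Corp subnet
# through the firewall. Names and the admin IP are assumptions for this example.
$rg  = "fw-lab-rg"
$fw  = Get-AzFirewall        -Name "fw-lab-fw"  -ResourceGroupName $rg
$pip = Get-AzPublicIpAddress -Name "fw-lab-pip" -ResourceGroupName $rg

# DNAT: <firewall public IP>:3389 -> 172.16.1.5:3389.
# SourceAddress is pinned to one management host (assumed 203.0.113.10). Using "*" here would
# expose RDP on the VM to the entire internet through the firewall's public IP.
$rdpRule = New-AzFirewallNatRule -Name "rdp-to-vm" -Protocol "TCP" `
    -SourceAddress "203.0.113.10/32" `
    -DestinationAddress $pip.IpAddress -DestinationPort "3389" `
    -TranslatedAddress "172.16.1.5" -TranslatedPort "3389"

$natColl = New-AzFirewallNatRuleCollection -Name "inbound-rdp" -Priority 100 -Rule $rdpRule
$fw.AddNatRuleCollection($natColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Route table: default route with the firewall's private IP as next hop.
# BGP route propagation is disabled so routes learned over ExpressRoute/VPN cannot
# bypass the firewall for the Corp subnet.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress   # 172.16.0.4 in this lab
$rt = New-AzRouteTable -Name "corp-rt" -ResourceGroupName $rg -Location $fw.Location `
    -DisableBgpRoutePropagation
Add-AzRouteConfig -Name "default-via-fw" -RouteTable $rt -AddressPrefix "0.0.0.0/0" `
    -NextHopType "VirtualAppliance" -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable | Out-Null

# Associate the route table with the Corp subnet. From this point every flow leaving Corp,
# including the return path of the RDP session above, passes through the firewall.
$vnet = Get-AzVirtualNetwork -Name "fw-lab-vnet" -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Corp" `
    -AddressPrefix "172.16.1.0/24" -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

To verify, connect with mstsc to the firewall's public IP from the listed management host; from any other source the connection should time out, and the attempt shows up in the firewall's AzureFirewallNetworkRule log once diagnostics are sent to Azure Monitor.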

To allow internet access, application rules need to be configured. Application rules apply to outbound HTTP and HTTPS traffic.
In this lab the rules only allow access to the Windows Update sites (via the WindowsUpdate FQDN tag), microsoft.com, google.com and github.com; any other web destination is denied.

A network rule collection allows or denies traffic between two networks by source, destination, port and protocol, and is what you use for anything that is not HTTP/HTTPS. In this example, I have enabled the AD traffic between all the networks. In production the source and destination should be scoped to the subnets that actually host domain controllers and domain members.
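The application rules from the previous section and the Active Directory network rules from this one as a single added Az PowerShell example (not from the original post). It assumes the firewall fw-lab-fw in resource group fw-lab-rg, the Corp subnet 172.16.1.0/24 from the lab, and an assumed second network 10.0.0.0/24 where the domain controllers live; the port list is the standard set a domain member needs to reach a domain controller, including the RPC dynamic range.

```powershell
# Added example: application rule collection (FQDN filtering + FQDN tag) and a network
# rule collection for Active Directory. Names and the 10.0.0.0/24 network are assumptions.
$rg   = "fw-lab-rg"
$fw   = Get-AzFirewall -Name "fw-lab-fw" -ResourceGroupName $rg
$corp = "172.16.1.0/24"

# Application rules: HTTP/HTTPS egress from Corp is limited to these FQDNs and to the
# WindowsUpdate tag. Everything else is denied by the implicit deny at the end.
$webRule = New-AzFirewallApplicationRule -Name "allow-web" -SourceAddress $corp `
    -Protocol "http", "https" `
    -TargetFqdn "microsoft.com", "www.microsoft.com", "google.com", "www.google.com", "github.com"
$wuRule  = New-AzFirewallApplicationRule -Name "allow-windows-update" -SourceAddress $corp `
    -FqdnTag "WindowsUpdate"

$appColl = New-AzFirewallApplicationRuleCollection -Name "corp-egress" -Priority 200 `
    -ActionType Allow -Rule $webRule, $wuRule
$fw.AddApplicationRuleCollection($appColl)

# Network rules: Active Directory between Corp and the assumed DC network, both directions.
# Scoped to the two networks rather than "*" so the collection cannot be reused as a
# generic any-to-any allow.
$adNets = $corp, "10.0.0.0/24"
$adTcp = New-AzFirewallNetworkRule -Name "ad-tcp" -Protocol "TCP" `
    -SourceAddress $adNets -DestinationAddress $adNets `
    -DestinationPort "53", "88", "135", "139", "389", "445", "464", "636", "3268", "3269", "49152-65535"
$adUdp = New-AzFirewallNetworkRule -Name "ad-udp" -Protocol "UDP" `
    -SourceAddress $adNets -DestinationAddress $adNets `
    -DestinationPort "53", "88", "123", "137", "138", "389", "464"

$netColl = New-AzFirewallNetworkRuleCollection -Name "ad-traffic" -Priority 100 `
    -ActionType Allow -Rule $adTcp, $adUdp
$fw.AddNetworkRuleCollection($netColl)

# One Set-AzFirewall pushes both collections; each call replaces the whole firewall
# configuration, so always modify the object returned by Get-AzFirewall.
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

Because network rule collections are evaluated before application rule collections, the AD rules match on port and protocol first; the HTTPS flows to the listed FQDNs fall through to the application rule collection, where the firewall checks the SNI/host name rather than just the destination IP.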

Cheers!!