Azure Firewall Manager

Azure Firewall Manager is a security management service provided by Microsoft Azure that simplifies managing and configuring network security policies for Azure Firewall instances across different Azure regions and subscriptions. Azure Firewall Manager enables centralized control over network traffic and security policies, making it ideal for organizations with large or complex network environments.

Here’s a detailed guide on Azure Firewall Manager, covering concepts, features, setup, configuration, management, monitoring, and examples.

1. Overview of Azure Firewall Manager

Azure Firewall Manager provides a centralized way to manage multiple Azure Firewall instances, apply consistent policies across regions, and integrate with secure hub-and-spoke network architectures. With Firewall Manager, administrators can set up security policies and deploy them consistently across their Azure Firewalls, manage policies at scale, and leverage Azure’s Threat Intelligence for better network security.

Key Use Cases for Azure Firewall Manager:

  • Centralized security management for large organizations with multiple networks.
  • Creating, deploying, and enforcing consistent security policies across regions.
  • Integrating Azure Firewall policies with secured Virtual WAN hubs for comprehensive security.

2. Core Concepts and Features

Key Components

  • Firewall Policy: A central set of rules and settings that define how traffic should be allowed, blocked, or monitored. Policies can be shared across multiple firewalls.
  • Firewall Manager: The service within Azure that lets you create, manage, and deploy firewall policies across multiple firewalls and regions.
  • Hub and Spoke Architecture: Firewall Manager can be used with Virtual WAN hubs to implement secure hub-and-spoke networks for centralized management.
  • Secured Virtual Hub: A Virtual WAN hub with built-in security configurations, like Azure Firewall and optional third-party services.

Features of Azure Firewall Manager

  • Centralized Policy Management: Create and apply policies to multiple Azure Firewall instances across regions and subscriptions.
  • Secured Virtual Hubs: Deploy security settings in Virtual WAN hubs to enforce network segmentation and traffic control.
  • Policy Hierarchy: Use parent and child policies for fine-grained control, enabling inheritance of common rules.
  • Threat Intelligence and Filtering: Incorporate Microsoft's threat intelligence feed to alert on, or alert and deny, traffic to and from known malicious IP addresses and domains.
  • Logging and Monitoring: Integration with Azure Monitor, Log Analytics, and other tools for monitoring firewall traffic and alerts.

3. Step-by-Step Guide to Setting Up Azure Firewall Manager

Step 1: Set Up Prerequisites

Before you start, make sure you have the following:

  • An Azure subscription. Azure Firewall is a resource you deploy, not a feature you enable; you only need a subscription in which you can create Microsoft.Network resources.
  • Permissions: Contributor or Network Contributor on the resource groups that will hold the policy and the firewalls, or a custom role that grants Microsoft.Network/firewallPolicies/* and Microsoft.Network/azureFirewalls/*.

Step 2: Create a Firewall Policy

A Firewall Policy defines the rules and settings for controlling traffic. You can create policies once and apply them to multiple firewalls.

  1. Go to the Azure portal and search for Firewall Manager.
  2. Under Azure Firewall Policies, select Create Azure Firewall Policy.
  3. Enter basic information:
  • Name: Give your policy a descriptive name (e.g., CorporatePolicy).
  • Subscription and Resource Group: Select your subscription and resource group.
  • Region: Choose a region for the policy (e.g., East US). A policy can be associated with firewalls in other regions and subscriptions, so this only decides where the policy object itself lives.
  4. Configure Rules: rules are grouped into rule collections (each with one Allow, Deny or DNAT action and a priority), and rule collections into rule collection groups. Azure Firewall supports three rule types and always evaluates them in this order, stopping at the first match:
  • DNAT Rules: Translate inbound connections to the firewall's public IP to an internal address and port.
  • Network Rules: Control traffic based on IP addresses (or FQDNs, when DNS proxy is enabled), ports, and protocols.
  • Application Rules: Control HTTP and HTTPS traffic by FQDN or FQDN tag. Because network rules are evaluated first, a network rule that allows TCP/443 to any destination means the application rules never see that traffic.
  5. Add Threat Intelligence Filtering: Under Threat Intelligence, choose Alert only (log matches) or Alert and deny (log and block) for traffic to and from known malicious IP addresses and domains.
  6. Select Review + Create to finalize the policy setup.

Step 3: Deploy Azure Firewall and Associate the Policy

If you haven't deployed Azure Firewall yet, follow these steps:

  1. In the Azure portal, search for Firewall and select Create.
  2. Enter the required information:
  • Firewall Name: Choose a name for your firewall.
  • Resource Group and Region: Choose where the firewall will run. It does not have to match the policy's region, but it must be in the same region as the VNet it is deployed into.
  • Firewall Management: Choose "Use a Firewall Policy to manage this firewall" rather than classic firewall rules; only policy-managed firewalls can be managed from Firewall Manager.
  • Virtual Network: Select a VNet with a dedicated subnet named AzureFirewallSubnet of at least /26.
  • Public IP: A Standard SKU public IP address is required for the firewall.
  3. Under Firewall Policy, select the policy you created (CorporatePolicy) to associate it with this firewall.
  4. Click Review + Create to deploy the firewall with the associated policy.

Step 4: Integrate with a Secured Virtual Hub (Optional)

For organizations using Virtual WAN for a hub-and-spoke model, a Secured Virtual Hub provides central security for spoke VNets.

  1. Go to Firewall Manager and select Virtual WAN Hubs.
  2. Choose to create a new Secured Virtual Hub or secure an existing Virtual WAN hub.
  3. Associate Firewall Policy: Select the firewall policy you want to apply to the secured hub.
  4. Complete the setup by defining the settings for the hub, such as enabling firewall and routing configurations.

4. Managing and Configuring Firewall Policies

Once Azure Firewall Manager and policies are in place, you can manage them to control traffic across your Azure environment.

Editing Firewall Rules and Policies

To modify policies:

  1. In Firewall Manager, go to Azure Firewall Policies and select your policy (e.g., CorporatePolicy).
  2. Edit Rules:
  • Network Rules: Modify IP-based traffic rules to allow or block based on specific addresses, ports, and protocols.
  • Application Rules: Update application rules for FQDN filtering, such as allowing or blocking access to specific sites.
  • DNAT Rules: Adjust DNAT settings for inbound access.
  3. Save changes. The update is pushed to every firewall associated with the policy; there is no staging step, so a mistake reaches all of them within minutes. Test changes on a policy attached to a non-production firewall first.

Policy Hierarchy: Parent and Child Policies

Azure Firewall Manager supports policy inheritance, allowing you to create a "Parent" policy with base rules and then define "Child" policies with additional rules for specific requirements. This hierarchy simplifies managing complex environments where different departments or regions may need custom rules in addition to global settings. Inheritance is one level deep, and the parent's rule collection groups are always evaluated before the child's, regardless of the priorities set in the child, so a child policy cannot override a parent deny.

  • Parent Policy: Holds common rules for all firewalls (e.g., corporate-wide restrictions).
  • Child Policy: Inherits the parent's rules and can only add rules that are evaluated after them (e.g., department-specific restrictions). It is the child policy, not the parent, that you associate with a firewall.
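The rule-processing order described in Steps 2 and 3 and the parent/child precedence above are easy to get wrong in the portal, which accepts a policy whose Deny rules can never fire. The following is an added example, not code from the page or from Microsoft: it models the evaluation order of a parent and child policy from their rule collection group definitions (assumed to follow the ARM schema of Microsoft.Network/firewallPolicies/ruleCollectionGroups) and flags two classic mistakes: a broad network Allow that shadows an application Deny, and a child Allow that a parent Deny has already overruled. The policy names, rules and addresses are constructed for illustration.

```python
"""Added example, not code from the page or from Microsoft: model the order in
which Azure Firewall evaluates the rule collections of a parent policy and its
child, then flag two mistakes the portal accepts without complaint. Assumes the
ARM schema of Microsoft.Network/firewallPolicies/ruleCollectionGroups and the
documented evaluation order: DNAT, then network, then application rules; parent
before child; first match wins. The policies below are constructed samples."""
import copy

RULE_PHASES = ("NatRule", "NetworkRule", "ApplicationRule")  # evaluation order


def rule_collection(name, priority, action, rules, nat=False):
    kind = "FirewallPolicyNatRuleCollection" if nat else "FirewallPolicyFilterRuleCollection"
    return {"ruleCollectionType": kind, "name": name, "priority": priority,
            "action": {"type": action}, "rules": rules}


def rule_collection_group(policy, name, priority, collections):
    return {"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
            "apiVersion": "2023-05-01", "name": f"{policy}/{name}",
            "properties": {"priority": priority, "ruleCollections": collections}}


def phase(rc):
    """0 = DNAT, 1 = network, 2 = application; a filter collection holds one rule type."""
    if rc["ruleCollectionType"] == "FirewallPolicyNatRuleCollection":
        return 0
    kinds = {r["ruleType"] for r in rc["rules"]}
    if len(kinds) != 1:
        raise ValueError(f"{rc['name']}: mixed rule types in one collection")
    return RULE_PHASES.index(kinds.pop())


def evaluation_order(parent_groups, child_groups):
    """Rule collections in the order the firewall evaluates them: by phase, then
    every parent collection before any child one (child priorities cannot jump
    ahead of the parent), then group priority, then collection priority."""
    rows = []
    for rank, groups in enumerate((parent_groups, child_groups)):
        for g in groups:
            for rc in g["properties"]["ruleCollections"]:
                rows.append((phase(rc), rank, g["properties"]["priority"], rc["priority"],
                             "parent" if rank == 0 else "child", rc))
    rows.sort(key=lambda r: r[:4])
    return [(label, rc) for *_, label, rc in rows]


def _ports_overlap(a, b):
    a, b = {str(p) for p in a}, {str(p) for p in b}
    return "*" in a or "*" in b or bool(a & b)


def findings(order):
    """Walk the order with first-match semantics; report collections that can never act."""
    out, open_allows, parent_denied = [], [], set()
    for label, rc in order:
        action = rc["action"]["type"]
        if phase(rc) == 1 and action == "Allow":
            for r in rc["rules"]:  # network Allow to any destination: later app rules never see it
                if {"*", "0.0.0.0/0"} & set(r["destinationAddresses"]):
                    open_allows.append((f"{label}/{rc['name']}", r["destinationPorts"]))
        elif phase(rc) == 2:
            for r in rc["rules"]:
                ports = [p["port"] for p in r["protocols"]]
                shadowed = [who for who, np in open_allows if _ports_overlap(ports, np)]
                if action == "Deny":
                    for who in shadowed:
                        out.append(f"{label}/{rc['name']}: Deny for {r['targetFqdns']} is unreachable; "
                                   f"{who} already allows those ports to any destination")
                    if label == "parent":
                        parent_denied.update(r["targetFqdns"])
                elif label == "child" and not shadowed:
                    dead = parent_denied & set(r["targetFqdns"])
                    if dead:
                        out.append(f"child/{rc['name']}: Allow for {sorted(dead)} is dead; "
                                   "the parent policy denies them first")
    return out


# Constructed sample: corporate parent policy plus a marketing team's child policy.
PARENT = [rule_collection_group("CorporatePolicy", "CorporateRules", 100, [
    rule_collection("AllowOutboundHttps", 200, "Allow", [{
        "ruleType": "NetworkRule", "name": "any-https", "ipProtocols": ["TCP"],
        "sourceAddresses": ["10.0.0.0/8"], "destinationAddresses": ["*"], "destinationPorts": ["443"]}]),
    rule_collection("DenySocialMedia", 100, "Deny", [{
        "ruleType": "ApplicationRule", "name": "deny-social", "sourceAddresses": ["*"],
        "protocols": [{"protocolType": "Https", "port": 443}, {"protocolType": "Http", "port": 80}],
        "targetFqdns": ["*.facebook.com", "*.twitter.com"]}])])]
CHILD = [rule_collection_group("MarketingPolicy", "MarketingRules", 100, [
    rule_collection("AllowFacebookForMarketing", 100, "Allow", [{
        "ruleType": "ApplicationRule", "name": "allow-fb", "sourceAddresses": ["10.50.0.0/16"],
        "protocols": [{"protocolType": "Https", "port": 443}], "targetFqdns": ["*.facebook.com"]}])])]


def fixed_parent():
    """Corrected parent: the raw TCP/443 allow is narrowed to the one host that needs it,
    so ordinary web traffic falls through to the application rules."""
    p = copy.deepcopy(PARENT)
    p[0]["properties"]["ruleCollections"][0]["rules"][0]["destinationAddresses"] = ["203.0.113.10"]
    return p
```

Running findings(evaluation_order(PARENT, CHILD)) reports that DenySocialMedia is unreachable because AllowOutboundHttps lets TCP/443 to any destination through first; with fixed_parent() that finding disappears and the remaining one is the marketing team's Allow, which the parent Deny overrules no matter what priority the child gives it. The same shadowing problem applies to the social-media block in Example 1 below.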

Policy Changes and Rollbacks

Azure Firewall Policy has no built-in version history to restore from. Treat the policy as code: keep its definition (ARM or Bicep template, or Terraform) in source control, deploy changes through a pipeline, and roll back by redeploying the previous revision.

  1. Export the policy and its rule collection groups as a template (Export template on the resource in the portal, or az network firewall policy show) and commit it.
  2. To revert, redeploy the committed revision; every firewall associated with the policy picks up the restored rules.

5. Monitoring and Logging with Azure Firewall Manager

Monitoring Firewall Policies and Logs

Azure Firewall logs are emitted by each firewall resource, not by Firewall Manager or the policy. Enable them per firewall and send them to a Log Analytics workspace:

  1. Open the Azure Firewall resource, go to Diagnostic settings, and add a diagnostic setting.
  2. Select a Log Analytics Workspace as the destination (you can also archive to a storage account or stream to an event hub for a SIEM).
  3. Enable the application rule, network rule, DNS proxy and threat intelligence log categories, and choose the resource-specific destination table option so the data lands in the structured AZFW* tables (AZFWNetworkRule, AZFWApplicationRule, AZFWThreatIntel and so on) rather than the generic AzureDiagnostics table.

Setting Up Alerts for Security Incidents

You can set up alerts for various firewall events, such as threat intelligence hits or a burst of denied connections from one source.

  1. In Azure Monitor, go to Alerts > Create > Alert rule.
  2. Select the Log Analytics workspace as the scope and choose the Custom log search signal. The Activity Log only records management operations (policy edits, deployments), not traffic, so it cannot trigger on firewall events.
  3. Write a Kusto query over the firewall tables as the condition (e.g., AZFWThreatIntel records in the last 15 minutes, or sources with more than N Deny hits), set the threshold and evaluation frequency, and attach an action group for notifications.

Viewing and Analyzing Logs

  1. In the Log Analytics Workspace, run Kusto queries against the AZFW* tables to filter logs by source IP, FQDN, protocol, and action (Allow, Deny, Alert).
  2. Use the Azure Firewall Workbook, opened from the firewall resource, for dashboards of traffic patterns, top sources, and denied requests. (Traffic Analytics is a separate feature built on NSG and VNet flow logs, not on firewall logs.)

6. Working and Usage Examples

Example 1: Blocking Access to Social Media Sites Across Multiple Regions

Your organization has firewalls in three different Azure regions and wants to block access to social media sites like Facebook and Twitter across all locations.

  1. Create a Firewall Policy named GlobalSocialMediaBlock.
  2. Under Application Rules, add a Deny rule collection whose rule targets *.facebook.com and *.twitter.com for HTTP and HTTPS. A wildcard matches subdomains only, so add facebook.com and twitter.com as well if the apex domains must be blocked; without TLS inspection, HTTPS is matched on the TLS SNI.
  3. Check that no network rule in the policy already allows TCP 80/443 to any destination; if one does, the application rules are never evaluated for that traffic.
  4. Associate this policy with all three Azure Firewall instances using Firewall Manager.
  5. The policy automatically applies to all firewalls, ensuring consistent enforcement across regions.

Example 2: Allowing Internal Application Access with Secured Virtual Hubs

You have multiple VNets in different regions, each requiring access to an internal application hosted in a central VNet. Use a Secured Virtual Hub for centralized access:

  1. Create a secured Virtual Hub in Azure Firewall Manager in the central region.
  2. Associate a Firewall Policy with network rules that allow only the application's address and port from the spoke ranges; anything not explicitly allowed is denied by default.
  3. Connect the spoke VNets to the Secured Virtual Hub.
  4. In the hub's Security configuration, send private (spoke-to-spoke) traffic through the Azure Firewall. Without this, spokes on the same hub reach each other through the hub router and the policy is never enforced.
  5. Traffic from each VNet now passes through the secured hub, where the firewall enforces the policy, ensuring that only application traffic is allowed.

Example 3: Enabling Threat Intelligence for Traffic Monitoring

You want to monitor traffic to and from known malicious IPs and domains and receive alerts when it occurs.

  1. In your Firewall Policy, set Threat Intelligence to Alert only. Matches are logged (in AZFWThreatIntel with structured logs) but the connection is still passed on to the rules, so it may be allowed; move to Alert and deny once you are confident the feed will not block legitimate traffic.
  2. Set up an Azure Monitor log search alert on the threat intelligence records to notify the security team.
  3. Review the alerts in Log Analytics and act on them, for example by switching the policy to Alert and deny or adding network rules that block the destinations involved.
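The queries in section 5 and the alerting in this example both start from the structured firewall logs. What follows is an added example, not code from the page or from Microsoft, that runs the same triage offline over a batch of records exported from the workspace as JSON lines: it pulls out threat intelligence hits (and whether they were actually blocked), counts Deny hits per source, and correlates the two. It assumes the resource-specific tables AZFWNetworkRule, AZFWApplicationRule and AZFWThreatIntel are enabled and exported with a Type column; the log lines and addresses are constructed, not real traffic, and the column names should be checked against your workspace.

```python
"""Added example, not code from the page or from Microsoft: offline triage of
Azure Firewall structured logs exported from a Log Analytics workspace.
Assumes the AZFWNetworkRule, AZFWApplicationRule and AZFWThreatIntel tables
were exported as JSON lines with a Type column. All records are constructed."""
import json
from collections import Counter

# Constructed sample batch: rule hits plus one threat-intelligence match in Alert-only mode.
SAMPLE_EXPORT = """
{"Type":"AZFWNetworkRule","TimeGenerated":"2024-05-01T09:00:01Z","Protocol":"TCP","SourceIp":"10.50.1.20","DestinationIp":"203.0.113.10","DestinationPort":443,"Action":"Allow","RuleCollection":"AllowOutboundHttps","Rule":"any-https"}
{"Type":"AZFWApplicationRule","TimeGenerated":"2024-05-01T09:00:05Z","Protocol":"HTTPS","SourceIp":"10.50.1.21","Fqdn":"www.facebook.com","DestinationPort":443,"Action":"Deny","RuleCollection":"DenySocialMedia","Rule":"deny-social"}
{"Type":"AZFWApplicationRule","TimeGenerated":"2024-05-01T09:00:06Z","Protocol":"HTTPS","SourceIp":"10.50.1.21","Fqdn":"www.twitter.com","DestinationPort":443,"Action":"Deny","RuleCollection":"DenySocialMedia","Rule":"deny-social"}
{"Type":"AZFWNetworkRule","TimeGenerated":"2024-05-01T09:00:09Z","Protocol":"TCP","SourceIp":"10.50.1.21","DestinationIp":"198.51.100.7","DestinationPort":22,"Action":"Deny","RuleCollection":"","Rule":"","ActionReason":"Default Action"}
{"Type":"AZFWThreatIntel","TimeGenerated":"2024-05-01T09:01:00Z","Protocol":"TCP","SourceIp":"10.50.1.21","DestinationIp":"198.51.100.7","DestinationPort":4444,"Action":"Alert","ThreatDescription":"Known malicious command and control server"}
{"Type":"AZFWNetworkRule","TimeGenerated":"2024-05-01T09:02:00Z","Protocol":"TCP","SourceIp":"10.50.1.22","DestinationIp":"10.1.2.4","DestinationPort":443,"Action":"Allow","RuleCollection":"AllowInternalApp","Rule":"app-https"}
""".strip()

# Equivalent Kusto query for the threat-intel part, for when the data is still in the workspace.
THREAT_INTEL_KQL = """
AZFWThreatIntel
| where TimeGenerated > ago(1h)
| summarize hits = count(), targets = make_set(DestinationIp) by SourceIp, ThreatDescription, Action
"""


def parse_export(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def threat_intel_hits(records):
    """(source, destination, description, action) for every threat-intel record."""
    return [(r["SourceIp"], r["DestinationIp"], r["ThreatDescription"], r["Action"])
            for r in records if r["Type"] == "AZFWThreatIntel"]


def denies_by_source(records):
    """Explicit and default-action denies from network and application rules, per source."""
    return Counter(r["SourceIp"] for r in records
                   if r["Type"] in ("AZFWNetworkRule", "AZFWApplicationRule") and r["Action"] == "Deny")


def triage(records, deny_threshold=3):
    """Alert lines for one batch. Threat-intel matches come first: in Alert-only
    mode the firewall logs the match but does not block, so the connection was
    evaluated by the normal rules and may well have gone through."""
    alerts = []
    hits = threat_intel_hits(records)
    for src, dst, desc, action in hits:
        verdict = "BLOCKED" if action == "Deny" else "NOT BLOCKED (alert-only mode)"
        alerts.append(f"threat-intel: {src} -> {dst} ({desc}); {verdict}")
    ti_sources = {h[0] for h in hits}
    for src, n in denies_by_source(records).items():
        if n >= deny_threshold:  # a host probing several blocked paths is worth a look
            note = " (also has a threat-intel hit)" if src in ti_sources else ""
            alerts.append(f"noisy source: {src} hit Deny {n} times{note}")
    return alerts
```

On the sample, triage(parse_export(SAMPLE_EXPORT)) returns two lines: the threat intelligence match from 10.50.1.21, marked NOT BLOCKED because the policy is in Alert-only mode, and a noisy-source line for the same host, whose three Deny hits (two social-media application denies and one default-action network deny on port 22) together with the C2 match make it the one to look at first.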

7. Best Practices for Azure Firewall Manager

  • Use Centralized Policies: Simplify management by using a single policy for common rules across regions.
  • Leverage Policy Hierarchies: Define Parent and Child policies to manage global and regional rules efficiently.
  • Enable Threat Intelligence: Start in Alert only mode to see what the feed matches, then move to Alert and deny so known-bad traffic is blocked rather than only logged.
  • Monitor Regularly: Set up alerts in Azure Monitor and regularly review Log Analytics to stay updated on network activity and potential issues.
  • Apply Consistent Policies for Compliance: Use Firewall Manager’s central control to apply policies that meet your compliance requirements across different regions and environments.

Summary

Azure Firewall Manager provides an organized, centralized way to create, apply, and monitor firewall policies across Azure regions and subscriptions. It enhances network security by unifying policy management, providing advanced logging and monitoring, and integrating with Azure’s Threat Intelligence. By following the guide above, you can implement, manage, and monitor Azure Firewall policies effectively to enhance security across your organization’s Azure environment.

Author: tonyhughes