Azure Firewalls


Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

With it, you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, so outside firewalls can identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Known issues

Some of the Azure Firewall known issues:

  • Network filtering rules for non-TCP/UDP protocols don’t work for Internet-bound traffic. Non-TCP/UDP protocols are supported between spoke subnets and VNets. Azure Firewall uses the Standard Load Balancer, which doesn’t currently support SNAT for IP protocols.
  • Missing PowerShell and CLI support for ICMP. Azure PowerShell and the CLI do not accept ICMP as a valid protocol in network rules. It is still possible to use ICMP as a protocol via the portal and the REST API.
  • FQDN tags require a protocol:port to be set. Application rules with FQDN tags require a port:protocol definition; use https as the port:protocol value.
  • A firewall cannot be moved to a different resource group or subscription. Supporting this functionality is on Microsoft’s road map. To move a firewall today, first delete the current instance, then recreate it in the new resource group or subscription.
  • Threat intelligence alerts may get masked. Network rules with destination ports 80/443 for outbound filtering mask threat intelligence alerts when the firewall is configured in alert-only mode. Create outbound filtering for 80/443 using application rules instead.
Further known issues include:
  • Azure Firewall uses Azure DNS only for name resolution. Azure Firewall resolves FQDNs using Azure DNS only; a custom DNS server is not supported. There is no impact on DNS resolution on other subnets.
  • Azure Firewall DNAT doesn’t work for private IP destinations. DNAT support is limited to Internet egress/ingress, so DNAT doesn’t currently work for private IP destinations.
  • The first public IP configuration cannot be removed. Each Azure Firewall public IP address is assigned to an IP configuration. The first IP configuration is assigned during firewall deployment and typically also contains a reference to the firewall subnet. You can’t delete this IP configuration, as doing so would deallocate the firewall. You can still change or remove the public IP address associated with it, provided the firewall has at least one other public IP address available to use.
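As an added example that is not part of this tutorial or of Microsoft's tooling, the following Python script checks a firewall definition for three of the known issues above: network rules that allow 80/443 outbound to public destinations while threat intelligence is in alert-only mode (which masks the alerts), application rules that use FQDN tags without a protocol:port, and DNAT rules whose destination is a private IP address (which never match). The sample definition is constructed; its field names are assumed to follow the shape of the properties of a Microsoft.Network/azureFirewalls ARM resource, and every address and rule name is invented.

```python
import ipaddress

# Constructed sample shaped like the "properties" of a Microsoft.Network/azureFirewalls
# resource. Field names follow the ARM schema (assumption); every value is invented.
SAMPLE_FIREWALL = {
    "threatIntelMode": "Alert",
    "networkRuleCollections": [
        {"name": "allow-web-out", "properties": {"action": {"type": "Allow"}, "rules": [
            {"name": "web-out", "protocols": ["TCP"], "sourceAddresses": ["10.0.0.0/16"],
             "destinationAddresses": ["*"], "destinationPorts": ["80", "443"]},   # masks alerts
            {"name": "spoke-db", "protocols": ["TCP"], "sourceAddresses": ["10.0.0.0/16"],
             "destinationAddresses": ["10.1.0.0/24"], "destinationPorts": ["1433"]},
        ]}},
    ],
    "applicationRuleCollections": [
        {"name": "allow-updates", "properties": {"action": {"type": "Allow"}, "rules": [
            {"name": "win-update", "sourceAddresses": ["10.0.0.0/16"],
             "fqdnTags": ["WindowsUpdate"]},                                     # no protocols
            {"name": "web", "sourceAddresses": ["10.0.0.0/16"],
             "protocols": [{"protocolType": "Https", "port": 443}],
             "targetFqdns": ["www.example.com"]},
        ]}},
    ],
    "natRuleCollections": [
        {"name": "inbound", "properties": {"action": {"type": "Dnat"}, "rules": [
            {"name": "rdp-private", "protocols": ["TCP"], "sourceAddresses": ["*"],
             "destinationAddresses": ["10.0.1.4"], "destinationPorts": ["3389"],
             "translatedAddress": "10.0.2.4", "translatedPort": "3389"},          # private dest
            {"name": "web-public", "protocols": ["TCP"], "sourceAddresses": ["*"],
             "destinationAddresses": ["203.0.113.10"], "destinationPorts": ["443"],
             "translatedAddress": "10.0.2.5", "translatedPort": "443"},
        ]}},
    ],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ports(spec):
    """Expand a destinationPorts entry ('443', '80-443' or '*') into a set of ints."""
    if spec == "*":
        return set(range(1, 65536))
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def _is_private(dest):
    """True for an RFC 1918 address or CIDR; '*' and service tags count as public."""
    try:
        net = ipaddress.ip_network(dest, strict=False)
    except ValueError:  # '*' or a service tag such as 'Internet'
        return False
    return any(net.subnet_of(p) for p in RFC1918 if net.version == p.version)


def _rules(fw, collection_key):
    """Yield ('collection/rule', rule) for every rule in the given collection type."""
    for coll in fw.get(collection_key, []):
        for rule in coll.get("properties", {}).get("rules", []):
            yield f"{coll['name']}/{rule['name']}", rule


def masked_threat_intel_rules(fw):
    """Network rules allowing 80/443 to public destinations while threat intelligence
    is alert-only: traffic matching them is allowed without an alert (known issue)."""
    if fw.get("threatIntelMode") != "Alert":
        return []
    hits = []
    for name, rule in _rules(fw, "networkRuleCollections"):
        web = any(_ports(p) & {80, 443} for p in rule.get("destinationPorts", []))
        public = any(not _is_private(d) for d in rule.get("destinationAddresses", []))
        if web and public:
            hits.append(name)
    return hits


def fqdn_tag_rules_missing_protocol(fw):
    """Application rules with fqdnTags but no protocol:port (the service rejects these)."""
    return [name for name, rule in _rules(fw, "applicationRuleCollections")
            if rule.get("fqdnTags") and not rule.get("protocols")]


def dnat_rules_to_private_destination(fw):
    """DNAT rules whose destinations are all private IPs: DNAT only works for the
    firewall's public IP, so such rules never match."""
    return [name for name, rule in _rules(fw, "natRuleCollections")
            if rule.get("destinationAddresses")
            and all(_is_private(d) for d in rule["destinationAddresses"])]


def lint(fw):
    """Run every check and return the offending rule names per check."""
    return {
        "threat_intel_masked": masked_threat_intel_rules(fw),
        "fqdn_tag_no_protocol": fqdn_tag_rules_missing_protocol(fw),
        "dnat_private_destination": dnat_rules_to_private_destination(fw),
    }


if __name__ == "__main__":
    for check, names in lint(SAMPLE_FIREWALL).items():
        print(f"{check}: {names or 'ok'}")
```

Running the script against the constructed sample reports `allow-web-out/web-out` (move it to an application rule), `allow-updates/win-update` (add an https protocol entry) and `inbound/rdp-private` (point the DNAT destination at the firewall's public IP). To use it on a real deployment, export the firewall resource as an ARM template and pass its `properties` object to `lint`.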

Reference: Microsoft Documentation
