Azure Firewall Manager now supports virtual networks

We introduced Microsoft Azure Firewall Manager preview for Azure Firewall policy and route management in secured virtual hubs. This also included integration with key Security as a Service partners, Zscaler, iboss, and soon Check Point. These partners support branch to internet and virtual network to internet scenarios.

Today, we are extending Azure Firewall Manager preview to include automatic deployment and central security policy management for Azure Firewall in hub virtual networks.

Azure Firewall Manager preview is a network security management service that provides central security policy and route management for cloud-based security perimeters. It makes it easy for enterprise IT teams to centrally define network and application-level rules for traffic filtering across multiple Azure Firewall instances that spans different Azure regions and subscriptions in hub-and-spoke architectures for traffic governance and protection. In addition, it empowers DevOps for better agility with derived local firewall security policies that are implemented across organizations.

Figure one – Azure Firewall Manger Getting Started page

 

Hub virtual networks and secured virtual hubs

Azure Firewall Manager can provide security management for two network architecture types:

◉ Secured virtual hub—An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub-and-spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

◉ Hub virtual network—This is a standard Azure Virtual Network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. It is also possible to manage firewalls in standalone virtual networks that are not peered to any spoke.

Whether to use a hub virtual network or a secured virtual depends on your scenario:

◉ Hub virtual network— Hub virtual networks are probably the right choice if your network architecture is based on virtual networks only, requires multiple hubs per regions, or doesn’t use hub-and-spoke at all.

◉ Secured virtual hubs— Secured virtual hubs might address your needs better if you need to manage routing and security policies across many globally distributed secured hubs. Secure virtual hubs have high scale VPN connectivity, SDWAN support, and third-party Security as Service integration. You can use Azure to secure your Internet edge for both on-premises and cloud resources.

The following comparison table in Figure 2 can assist in making an informed decision:

	Hub virtual network	Secured virtual hub
Underlying resource	Virtual network	Virtual WAN hub
Hub-and-Spoke	Using virtual network peering	Automated using hub virtual network connection
On-prem connectivity	VPN Gateway up to 10 Gbps and 30 S2S connections; ExpressRoute	More scalable VPN Gateway up to 20 Gbps and 1000 S2S connections; ExpressRoute
Automated branch connectivity using SDWAN	Not supported	Supported
Hubs per region	Multiple virtual networks per region	Single virtual hub per region. Multiple hubs possible with multiple Virtual WANs
Azure Firewall – multiple public IP addresses	Customer provided	Auto-generated (to be available by general availability)
Azure Firewall Availability Zones	Supported	Not available in preview (to be available by general availability)
Advanced internet security with 3rd party Security as a service partners	Customer established and managed VPN connectivity to partner service of choice	Automated via Trusted Security Partner flow and partner management experience
Centralized route management to attract traffic to the hub	Customer managed UDR; Roadmap: UDR default route automation for spokes	Supported using BGP
Web Application Firewall on Application Gateway	Supported in virtual network	Roadmap: can be used in spoke
Network Virtual Appliance	Supported in virtual network	Roadmap: can be used in spoke

Figure two – Hub virtual network vs. secured virtual hub

Firewall policy

Firewall policy is an Azure resource that contains network address translation (NAT), network, and application rule collections as well as threat intelligence settings. It's a global resource that can be used across multiple Azure Firewall instances in secured virtual hubs and hub virtual networks. New policies can be created from scratch or inherited from existing policies. Inheritance allows DevOps to create local firewall policies on top of organization mandated base policy. Policies work across regions and subscriptions.

Azure Firewall Manager orchestrates Firewall policy creation and association. However, a policy can also be created and managed via REST API, templates, Azure PowerShell, and CLI.

Once a policy is created, it can be associated with a firewall in a Virtual WAN Hub (aka secured virtual hub) or a firewall in a virtual network (aka hub virtual network).

Firewall Policies are billed based on firewall associations. A policy with zero or one firewall association is free of charge. A policy with multiple firewall associations is billed at a fixed rate.

The following table compares the new firewall policies with the existing firewall rules:

	Policy	Rules
Contains	NAT, Network, Application rules, and Threat Intelligence settings	NAT, Network, and Application rules
Protects	Virtual hubs and virtual networks	Virtual networks only
Portal experience	Central management using Firewall Manager	Standalone firewall experience
Multiple firewall support	Firewall Policy is a separate resource that can be used across firewalls	Standalone firewall experience
Pricing	Billed based on firewall association	Free
Supported deployment mechanisms	Portal, REST API, templates, PowerShell, and CLI	Portal, REST API, templates, PowerShell, and CLI
Release Status	Preview	General Availability

Figure three – Firewall Policy vs. Firewall Rules

Source: microsoft.com