Microsoft Azure — Azure Firewall & Firewall Manager
Azure Firewall, firewall policies, threat intelligence, DNAT/SNAT, and Firewall Manager..
20+ years shipping production infrastructure and CI/CD at scale. Notes here come from systems that actually shipped.
- ✓Azure subscription with Contributor access, Azure CLI 2.50+, Terraform 1.5+, basic understanding of Azure networking (VNets, subnets, peering), familiarity with hub-and-spoke architecture, and experience with Infrastructure as Code concepts.
Azure Firewall & Firewall Manager is like having a specialized tool that handles firewall in the Microsoft cloud — you manage the configuration, Azure handles the infrastructure.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers azure firewall & firewall manager with production-ready configurations, best practices, and hands-on examples.
Azure Firewall vs. Network Security Groups: When to Use Which
Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It's a stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Network Security Groups (NSGs) filter traffic at the subnet or NIC level using 5-tuple rules (source, destination, port, protocol, direction). The key difference: NSGs are distributed, stateless (for inbound) or stateful (for outbound) access control lists, while Azure Firewall is a centralized, fully stateful inspection engine with application (FQDN) and network (L3-L4) filtering, threat intelligence, and DNS proxy. Use NSGs for simple east-west traffic segmentation within a VNet (e.g., blocking port 3389 between subnets). Use Azure Firewall for north-south traffic (internet ingress/egress), hybrid connections, and when you need centralized logging, threat intelligence feeds, or FQDN-based rules. In production, never rely solely on NSGs for internet-facing workloads; always place an Azure Firewall in the hub for inspection. A common failure mode is assuming NSGs provide the same logging depth—they don't. Azure Firewall logs full session details, while NSG flow logs require additional setup and lack application-level visibility.
Azure Firewall Manager: Centralized Policy Management at Scale
Azure Firewall Manager provides a single pane of glass to manage multiple Azure Firewalls across different regions and subscriptions. It introduces the concept of firewall policies—a reusable, versioned set of rule collections (network, application, NAT, and threat intelligence) that can be applied to one or more firewalls. This is a game-changer for enterprises with hub-and-spoke topologies or multiple VNets. Instead of configuring each firewall individually, you create a policy in Firewall Manager and associate it with firewalls. Policies support inheritance: a parent policy can be applied to a root management group, and child policies can override specific rule collections. This aligns with Azure's governance model. Firewall Manager also integrates with Azure Virtual WAN for secured virtual hubs, enabling automatic routing and inspection. In production, use Firewall Manager to enforce baseline rules (e.g., block all inbound RDP) across all environments, then allow per-application teams to manage their own rule collections via delegated policies. A common pitfall is not using policy analytics—Firewall Manager provides insights into rule hits and idle rules, which are critical for cleanup. Without it, rule bloat leads to performance degradation and security gaps.
Designing a Hub-and-Spoke Network with Azure Firewall
The hub-and-spoke model is the de facto standard for enterprise networking in Azure. The hub VNet contains shared services like Azure Firewall, VPN/ExpressRoute gateways, and DNS. Spoke VNets connect to the hub via VNet peering and route all traffic to the firewall for inspection. To force traffic through the firewall, you must configure User-Defined Routes (UDRs) on each spoke subnet with the next hop as the firewall's private IP. For internet-bound traffic, the firewall's public IP is used for SNAT. For on-premises traffic, the firewall inspects and forwards to the gateway. Key design considerations: (1) The firewall subnet must be named 'AzureFirewallSubnet' with a /26 or larger. (2) Use Azure Firewall Manager policies to enforce consistent rules across spokes. (3) For high availability, deploy at least two firewalls in an active-active configuration (Standard or Premium SKU). (4) Monitor firewall metrics like SNAT port utilization—exhaustion causes connection failures. In production, we learned the hard way that spoke VNets must not have a default route (0.0.0.0/0) pointing to the internet; always route through the firewall. Also, ensure the firewall's outbound SNAT ports are sized correctly: each firewall instance provides 2,496 ports per public IP. Use multiple public IPs if needed.
Application Rules: FQDN Filtering and TLS Inspection
Azure Firewall's application rules allow or deny outbound traffic based on fully qualified domain names (FQDNs), not just IP addresses. This is critical for controlling which external services your workloads can access. For example, you can allow only .microsoft.com and block everything else. Application rules support HTTP/HTTPS and TLS inspection (Premium SKU). TLS inspection decrypts outbound traffic, inspects the payload, and re-encrypts it. This enables detection of malware in encrypted traffic. However, TLS inspection introduces latency and requires certificate management—you must install the firewall's CA certificate on clients. In production, use TLS inspection selectively: for traffic to untrusted destinations, not for internal services or well-known trusted endpoints (e.g., Office 365). A common mistake is creating overly permissive application rules with wildcards (e.g., .com). This defeats the purpose. Instead, use FQDN tags for Azure services (e.g., AzureCloud, WindowsUpdate) and specific FQDNs for third parties. Monitor application rule hit counts to identify unused rules. Also, be aware that application rules are evaluated after network rules; if a network rule allows traffic to an IP, the application rule is not checked. So, to enforce FQDN filtering, ensure no network rule allows the same traffic.
Network Rules: Fine-Grained IP and Port Control
Network rules in Azure Firewall allow or deny traffic based on source/destination IP addresses, ports, and protocols (TCP, UDP, ICMP). They are stateless in definition but stateful in execution—the firewall automatically allows return traffic. Network rules are ideal for controlling traffic to on-premises networks via VPN/ExpressRoute, or to specific Azure services that don't support FQDN tags. For example, you can allow traffic from a spoke to a specific on-premises IP range on port 443. Network rules are evaluated before application rules. If a network rule matches, the traffic is allowed without application rule inspection. This is important: if you want to enforce FQDN filtering, do not create a network rule that allows the same traffic. In production, use network rules sparingly and prefer application rules for outbound internet traffic. Network rules are also used for DNAT (destination NAT) to expose internal services via the firewall's public IP. For DNAT, you create a NAT rule collection that translates the destination IP and port. A common failure mode is forgetting to add a corresponding network rule to allow the translated traffic. Also, be mindful of SNAT port exhaustion: each firewall public IP provides 2,496 ports. Monitor SNAT port usage in Azure Monitor and add more public IPs if utilization exceeds 80%.
Threat Intelligence and IDPS: Proactive Threat Detection
Azure Firewall includes threat intelligence based on Microsoft's Threat Intelligence feeds, which block traffic to/from known malicious IPs and domains. This is enabled at the policy level with three modes: Off, Alert only, and Alert and Deny. In production, always use Alert and Deny for internet-facing traffic. Additionally, the Premium SKU includes Intrusion Detection and Prevention System (IDPS) with signature-based inspection. IDPS can detect and block exploits, malware, and other attacks in real-time. It supports both inbound and outbound inspection. You can configure IDPS to alert or block traffic matching signatures. A key feature is the ability to bypass IDPS for trusted traffic (e.g., from specific IPs) to reduce false positives. In production, start with IDPS in alert mode to understand your traffic patterns, then switch to block mode after tuning. Monitor IDPS logs for signature hits—they often reveal compromised workloads. A common failure mode is not updating threat intelligence feeds; they are updated automatically by Microsoft, but you must ensure your firewall policy has threat intelligence enabled. Also, be aware that IDPS can impact performance; test in a non-production environment first.
Logging and Monitoring: Azure Firewall Diagnostics
Azure Firewall integrates with Azure Monitor for logging and metrics. You must enable diagnostic settings to send logs to Log Analytics, Storage Account, or Event Hub. Key log categories: AzureFirewallApplicationRule (application rule hits), AzureFirewallNetworkRule (network rule hits), AzureFirewallDnsProxy (DNS queries), and AzureFirewallThreatIntel (threat intelligence matches). Metrics include SNAT port utilization, throughput, and firewall health. In production, send logs to a centralized Log Analytics workspace for cross-resource analysis. Use KQL queries to detect anomalies: e.g., sudden spikes in denied traffic, or high SNAT port usage. Set up alerts for SNAT port exhaustion (>80%), firewall health degradation, and threat intel hits. A common mistake is not enabling DNS proxy logs—these are essential for troubleshooting FQDN resolution failures. Also, be aware that log ingestion costs money; estimate your log volume and set a daily cap. For long-term retention, export logs to a storage account with a lifecycle policy. In a recent incident, we traced a breach to a firewall rule that was too permissive; the logs showed the attacker's IP hitting an application rule that allowed *.com. We immediately tightened the rule and blocked the IP.
Automating Azure Firewall Deployments with Infrastructure as Code
Azure Firewall and Firewall Manager can be fully automated using Terraform, ARM templates, Bicep, or Azure CLI. Infrastructure as Code (IaC) ensures consistent deployments across environments and enables version control. Key resources to define: firewall, firewall policy, rule collection groups, and diagnostic settings. Use modules to encapsulate common patterns (e.g., hub-and-spoke with firewall). In Terraform, use the azurerm_firewall_policy resource with rule_collection_group blocks. For Firewall Manager, use azurerm_firewall_policy_rule_collection_group. Always store state files securely (e.g., Azure Storage with encryption). In production, integrate IaC with CI/CD pipelines (Azure DevOps, GitHub Actions) to deploy changes after peer review. A common pitfall is not handling rule collection group priorities correctly—they must be unique within a policy. Also, be careful with Terraform's state: if you manually add a rule via the portal, Terraform will detect drift and may overwrite it. Use lifecycle policies to prevent accidental deletion. Another tip: use policy inheritance to reduce duplication; define base rules in a parent policy and only override in child policies. This makes changes easier and reduces the risk of misconfiguration.
| File | Command / Code | Purpose |
|---|---|---|
| main.tf | resource "azurerm_firewall" "fw" { | Azure Firewall vs. Network Security Groups |
| create-policy.sh | az network firewall policy create \ | Azure Firewall Manager |
| hub-spoke.tf | resource "azurerm_virtual_network" "hub" { | Designing a Hub-and-Spoke Network with Azure Firewall |
| app-rule.sh | az network firewall policy rule-collection-group collection add-filter-collectio... | Application Rules |
| network-rule.sh | az network firewall policy rule-collection-group collection add-filter-collectio... | Network Rules |
| threat-intel.sh | az network firewall policy update \ | Threat Intelligence and IDPS |
| diagnostics.sh | az monitor diagnostic-settings create \ | Logging and Monitoring |
| firewall-policy.tf | resource "azurerm_firewall_policy" "policy" { | Automating Azure Firewall Deployments with Infrastructure as |
Key takeaways
Common mistakes to avoid
3 patternsNot planning firewall properly before deployment
Ignoring Azure best practices for firewall
Overlooking cost implications of firewall
Interview Questions on This Topic
Explain Azure Firewall & Firewall Manager and its use cases.
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Notes here come from systems that actually shipped.
That's Azure. Mark it forged?
6 min read · try the examples if you haven't