Azure Firewall: Architecture, SKUs, Deployment, Best Practices, and Operational Guidance



Azure Firewall is a cloud-native network security service that protects Azure virtual networks and hybrid environments. It provides stateful packet inspection, application-level filtering, threat intelligence integration, and centralized network security management.

Azure Firewall is commonly deployed in enterprise environments using a hub-and-spoke architecture, where the firewall resides in the hub network and inspects traffic flowing between spokes, the internet, and on-premises networks.

This article explains Azure Firewall SKUs, configuration best practices, deployment steps using the Azure Portal, Azure CLI, and Terraform, and operational recommendations for production environments.

1.) Azure Firewall Overview

Azure Firewall is a fully managed, highly available, and scalable firewall service that protects Azure workloads.

Key capabilities include:

Stateful Packet Filtering
Application-Level Filtering
FQDN Filtering
Threat Intelligence Filtering
TLS Inspection (Premium)
Intrusion Detection and Prevention System (Premium)
High Availability without additional Load Balancers

Azure Firewall integrates with:

Azure Virtual Network
Azure Monitor
Azure Policy
Azure Sentinel
Azure Route Tables

In most enterprise environments, Azure Firewall is deployed inside a dedicated subnet named:

AzureFirewallSubnet

This subnet must exist before the firewall is created.

2.) Azure Firewall SKUs

Azure Firewall is available in three SKUs designed for different security requirements.

Basic
Standard
Premium

The following Table compares the capabilities of each SKU.

Azure Firewall SKU Comparison

| Feature | Basic | Standard | Premium |
|---|---|---|---|
| Intended use | Small environments and labs | Enterprise workloads | Advanced security environments |
| Stateful packet filtering | Yes | Yes | Yes |
| Network rules | Yes | Yes | Yes |
| Application rules | Yes | Yes | Yes |
| FQDN filtering | Yes | Yes | Yes |
| Threat intelligence filtering | No | Yes | Yes |
| TLS inspection | No | No | Yes |
| Intrusion detection and prevention (IDPS) | No | No | Yes |
| URL filtering | No | Yes | Yes |
| Web categories filtering | No | No | Yes |
| High availability | Yes | Yes | Yes |
| Availability zones | No | Yes | Yes |
| Recommended usage | Dev/Test environments | Production workloads | High-security enterprise workloads |

Most enterprise deployments use either the Standard or Premium SKU.

3.) Azure Firewall Architecture

A typical enterprise firewall deployment uses a hub-and-spoke network model.

- Hub Network

- Azure Firewall
- VPN Gateway
- Shared DNS
- Monitoring Services

- Spoke Networks

- Application workloads
- Database workloads
- Development environments

Traffic Flow

- Spoke -> Hub Firewall -> Internet
- Spoke -> Hub Firewall -> Spoke
- On-premises -> VPN Gateway -> Firewall -> Spoke

User-defined routes force traffic through the firewall for inspection.

4.) Azure Firewall Best Practices

Follow these practices when designing Azure Firewall deployments:

- Use a hub network: always deploy Azure Firewall in a hub virtual network where it can inspect traffic between spokes and external networks.
- Use a dedicated firewall subnet: the subnet must be named AzureFirewallSubnet and should be at least /26.
- Implement user-defined routes: route tables should direct outbound traffic through the firewall.
- Enable diagnostic logging: enable logs for monitoring and auditing.
- Use Azure Firewall Policy: manage firewall rules centrally using firewall policies instead of configuring rules directly on the firewall.
- Separate rule types: use separate collections for network rules, application rules, and DNAT rules.
- Use availability zones: deploy firewalls across availability zones to improve resiliency.
- Use private IPs for internal traffic: ensure traffic between internal networks flows through the firewall using private addressing.
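The user-defined route that the traffic-flow section and the "implement user-defined routes" practice describe, written in Terraform as an added example (this is not code from the original article). It assumes the azurerm provider 3.x and the firewall_rg, hub_vnet and firewall resources from the Terraform section later in this article; the spoke network (10.1.0.0/16), the subnet and all resource names are constructed for the example.

```hcl
# Added example, not from the article. Assumes azurerm provider 3.x and the
# firewall_rg, hub_vnet and firewall resources from the Terraform section.

# Hypothetical spoke network; 10.1.0.0/16 is a constructed example value.
resource "azurerm_virtual_network" "spoke_vnet" {
  name                = "vnet-spoke-app"
  location            = azurerm_resource_group.firewall_rg.location
  resource_group_name = azurerm_resource_group.firewall_rg.name
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_subnet" "spoke_app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.firewall_rg.name
  virtual_network_name = azurerm_virtual_network.spoke_vnet.name
  address_prefixes     = ["10.1.1.0/24"]
}

# Peer hub and spoke in both directions. allow_forwarded_traffic is what lets
# the firewall in the hub forward packets that originated in another spoke;
# without it spoke-to-spoke traffic is dropped even though the route exists.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                         = "peer-hub-to-spoke-app"
  resource_group_name          = azurerm_resource_group.firewall_rg.name
  virtual_network_name         = azurerm_virtual_network.hub_vnet.name
  remote_virtual_network_id    = azurerm_virtual_network.spoke_vnet.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                         = "peer-spoke-app-to-hub"
  resource_group_name          = azurerm_resource_group.firewall_rg.name
  virtual_network_name         = azurerm_virtual_network.spoke_vnet.name
  remote_virtual_network_id    = azurerm_virtual_network.hub_vnet.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}

# Default route for the spoke: everything that is not local goes to the
# firewall's private IP as a virtual appliance. Disabling BGP propagation
# stops routes learned from a VPN or ExpressRoute gateway from bypassing
# the firewall.
resource "azurerm_route_table" "spoke_to_firewall" {
  name                          = "rt-spoke-app"
  location                      = azurerm_resource_group.firewall_rg.location
  resource_group_name           = azurerm_resource_group.firewall_rg.name
  disable_bgp_route_propagation = true

  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.firewall.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "spoke_app" {
  subnet_id      = azurerm_subnet.spoke_app.id
  route_table_id = azurerm_route_table.spoke_to_firewall.id
}
```

The route table is associated with the spoke workload subnets only, never with AzureFirewallSubnet itself. To have on-premises traffic inspected as in the third flow above, the hub's gateway subnet needs its own route table that points the spoke prefixes at the same firewall private IP.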

5.) Azure Firewall Deployment Using Azure Portal

Step 1: Create Virtual Network

- Navigate to the Azure Portal and create a virtual network.
- Address space example: 10.0.0.0/16
- Create the subnet AzureFirewallSubnet with address example 10.0.1.0/26

Step 2: Create Public IP Address

- Navigate to Public IP Addresses and create a new public IP.
- Name: Firewall-Public-IP
- SKU: Standard
- Assignment: Static

Step 3: Deploy Azure Firewall

- Navigate to Create a resource and search for Azure Firewall.
- Configure the following settings:
  - Firewall name: contoso-firewall
  - Region: same region as the VNet
  - SKU: Standard or Premium
  - Firewall management: Firewall Policy
- Select the previously created virtual network and AzureFirewallSubnet.
- Attach the public IP address.

Deployment will take approximately 5 to 10 minutes.

6.) Azure Firewall Rule Configuration

After deployment, configure firewall rules.

Rule types include:

Network rules: Layer 3 and Layer 4 filtering based on IP address and port.

Application rules: allow or deny outbound access based on FQDN.

DNAT rules: allow inbound access to internal services.

Example Application Rule

Allow outbound access to Microsoft Update services:

Source: 10.1.0.0/16

Protocol: HTTP/HTTPS

Destination: windowsupdate.microsoft.com
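The application rule above expressed as an Azure Firewall Policy in Terraform, as an added example that is not part of the original article. It follows the "separate rule types" practice by placing a network rule and the application rule in their own collections inside one rule collection group. It assumes the azurerm provider 3.x and the firewall_rg resource group from the Terraform section; the policy and collection names, and the DNS network rule, are constructed for the example.

```hcl
# Added example, not from the article. Assumes azurerm provider 3.x and the
# firewall_rg resource group from the Terraform section.

resource "azurerm_firewall_policy" "hub_policy" {
  name                     = "fwpol-hub"
  resource_group_name      = azurerm_resource_group.firewall_rg.name
  location                 = azurerm_resource_group.firewall_rg.location
  sku                      = "Standard"
  threat_intelligence_mode = "Deny" # block known-malicious IPs/FQDNs instead of only alerting
}

# One rule collection group with network and application rules in separate
# collections. Lower priority values are evaluated first, and Azure Firewall
# always processes network rule collections before application rule
# collections regardless of their priority values.
resource "azurerm_firewall_policy_rule_collection_group" "outbound" {
  name               = "rcg-outbound"
  firewall_policy_id = azurerm_firewall_policy.hub_policy.id
  priority           = 200

  network_rule_collection {
    name     = "allow-dns"
    priority = 100
    action   = "Allow"

    # Constructed rule: let the spoke resolve names via Azure-provided DNS.
    rule {
      name                  = "spoke-dns-to-azure-resolver"
      protocols             = ["TCP", "UDP"]
      source_addresses      = ["10.1.0.0/16"]
      destination_addresses = ["168.63.129.16"]
      destination_ports     = ["53"]
    }
  }

  application_rule_collection {
    name     = "allow-windows-update"
    priority = 200
    action   = "Allow"

    # The rule from the article: HTTP and HTTPS from the spoke to the
    # Windows Update FQDN; everything else outbound stays denied by default.
    rule {
      name = "windows-update"
      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = ["10.1.0.0/16"]
      destination_fqdns = ["windowsupdate.microsoft.com"]
    }
  }
}
```

Attach the policy to the firewall by adding firewall_policy_id = azurerm_firewall_policy.hub_policy.id to the azurerm_firewall resource; a firewall managed by a policy does not also carry classic rule collections, so all rules live in the policy and can be reused across several firewalls.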

7.) Azure Firewall Deployment Using Azure CLI

Create Resource Group

az group create \
--name rg-firewall \
--location eastus

Create Virtual Network

az network vnet create \
--name vnet-hub \
--resource-group rg-firewall \
--address-prefix 10.0.0.0/16

Create Firewall Subnet

az network vnet subnet create \
--resource-group rg-firewall \
--vnet-name vnet-hub \
--name AzureFirewallSubnet \
--address-prefix 10.0.1.0/26

Create Public IP

az network public-ip create \
--resource-group rg-firewall \
--name firewall-pip \
--sku Standard

Create Firewall

The az network firewall commands are provided by the azure-firewall CLI extension; install it once before running them:

az extension add --name azure-firewall

az network firewall create \
--name contoso-firewall \
--resource-group rg-firewall \
--location eastus

Assign Public IP

az network firewall ip-config create \
--firewall-name contoso-firewall \
--name firewall-config \
--public-ip-address firewall-pip \
--resource-group rg-firewall \
--vnet-name vnet-hub

8.) Azure Firewall Deployment Using Terraform

Provider Configuration

provider "azurerm" {
  features {}
}

Create Resource Group

resource "azurerm_resource_group" "firewall_rg" {
  name     = "rg-firewall"
  location = "East US"
}

Create Virtual Network

resource "azurerm_virtual_network" "hub_vnet" {
  name                = "vnet-hub"
  location            = azurerm_resource_group.firewall_rg.location
  resource_group_name = azurerm_resource_group.firewall_rg.name
  address_space       = ["10.0.0.0/16"]
}

Create Firewall Subnet

resource "azurerm_subnet" "firewall_subnet" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.firewall_rg.name
  virtual_network_name = azurerm_virtual_network.hub_vnet.name
  address_prefixes     = ["10.0.1.0/26"]
}

Create Public IP

resource "azurerm_public_ip" "firewall_pip" {
  name                = "firewall-pip"
  location            = azurerm_resource_group.firewall_rg.location
  resource_group_name = azurerm_resource_group.firewall_rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

Deploy Azure Firewall

resource "azurerm_firewall" "firewall" {
  name                = "contoso-firewall"
  location            = azurerm_resource_group.firewall_rg.location
  resource_group_name = azurerm_resource_group.firewall_rg.name
  # sku_name and sku_tier are required by the azurerm provider (3.x and later);
  # AZFW_VNet is the SKU for a firewall deployed into a virtual network.
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.firewall_subnet.id
    public_ip_address_id = azurerm_public_ip.firewall_pip.id
  }
}

9.) Monitoring Azure Firewall

Monitoring Tools Include:

Azure Monitor
Log Analytics
Network Watcher
Azure Sentinel

Logs include:

Application Rule Logs
Network Rule Logs
Threat Intelligence Logs

These logs help identify blocked traffic and potential security threats.
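Enabling the three log categories listed above and sending them to Log Analytics, in Terraform, as an added example that is not part of the original article. It assumes the azurerm provider 3.x and the firewall_rg and firewall resources from the Terraform section; the workspace name and retention period are constructed values.

```hcl
# Added example, not from the article. Assumes azurerm provider 3.x and the
# firewall_rg and firewall resources from the Terraform section.

resource "azurerm_log_analytics_workspace" "firewall_logs" {
  name                = "law-firewall" # constructed name
  location            = azurerm_resource_group.firewall_rg.location
  resource_group_name = azurerm_resource_group.firewall_rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 90 # constructed value; align with your audit retention requirement
}

# Diagnostic setting that ships application rule, network rule and threat
# intelligence logs plus metrics to the workspace. With no category enabled,
# denied connections leave no trace, which is why the article's "do not
# disable logging" rule matters.
resource "azurerm_monitor_diagnostic_setting" "firewall" {
  name                       = "diag-firewall"
  target_resource_id         = azurerm_firewall.firewall.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.firewall_logs.id

  enabled_log {
    category = "AzureFirewallApplicationRule"
  }

  enabled_log {
    category = "AzureFirewallNetworkRule"
  }

  enabled_log {
    category = "AzureFirewallThreatIntel"
  }

  metric {
    category = "AllMetrics"
  }
}
```

Once the setting is active, the entries appear in the workspace's AzureDiagnostics table with the category name in the Category column, where they can be queried from Log Analytics or used as a data source for Azure Sentinel analytics rules.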

 

10.) Azure Firewall Dos and Don'ts

Do

Deploy firewall in hub network
Use route tables to force traffic through firewall
Use Azure Firewall Policy for rule management
Enable diagnostics and monitoring
Use Premium SKU for advanced security requirements

Don't

Do not deploy firewall in spoke networks
Do not use small firewall subnets
Do not allow unrestricted outbound traffic
Do not manage firewall rules manually across multiple firewalls
Do not disable logging

 

Conclusion

Azure Firewall provides a powerful and scalable security solution for protecting Azure workloads and hybrid environments. By implementing Azure Firewall in a hub-and-spoke architecture, organizations can centralize network security controls and enforce consistent policies across multiple application networks.

Using infrastructure-as-code tools such as Terraform allows organizations to automate firewall deployment and maintain consistent configurations across environments. When combined with monitoring, logging, and security best practices, Azure Firewall becomes a critical component of enterprise cloud security architecture.

For readers interested in deeper technical coverage of Azure architecture, infrastructure automation, and enterprise cloud security deployment strategies, additional resources and books are available on ITCloudAcademy.net.
