Mastering Azure Firewall: A Complete Guide for Cloud Architects

Introduction
In today's cloud-first world, securing your network perimeter is no longer optional; it's critical. As workloads migrate to the cloud, the traditional security perimeter dissolves. You now need tools that offer deep visibility, intelligent filtering, and seamless integration with your hybrid and multi-cloud environments.
Azure Firewall is Microsoft's answer to this challenge: a cloud-native, intelligent, scalable firewall-as-a-service (FWaaS) that helps protect your Azure infrastructure with advanced features like TLS inspection, threat intelligence, FQDN filtering, and network traffic logging.
In this post, we'll go beyond the basics to explore how Azure Firewall works, when to use it, how to configure it securely, and common mistakes to avoid.
What is Azure Firewall?
Azure Firewall is a stateful, managed, high-availability network security service that enables you to control and log all traffic flows using policies based on:
Application rules (e.g., block access to `*.socialmedia.com`)
Network rules (e.g., allow TCP port 443 to specific IPs)
DNAT rules (e.g., forward external requests to internal apps)
Unlike Azure Network Security Groups (NSGs), which work at the VM or subnet level and only filter based on Layer 3 & 4, Azure Firewall adds:
Layer 7 (application layer) filtering
Full stateful inspection
TLS decryption
Logging and analytics
Centralized rule management across regions
Why Azure Firewall? Key Use Cases

| Use Case | Description |
|---|---|
| Perimeter Protection | Enforce rules for inbound, outbound, and inter-VNET traffic |
| Threat Intelligence | Block traffic to/from known malicious IPs/domains |
| Outbound FQDN Filtering | Allow outbound internet access only to trusted domains |
| TLS Inspection | Inspect encrypted traffic for malware or leaks (Premium SKU) |
| Network Visibility | Send logs to Sentinel for security event analysis |
| Multi-region Governance | Centralize policy enforcement using Azure Firewall Manager |
Azure Firewall vs NSG vs NVA

| Feature | NSG | NVA (3rd-party) | Azure Firewall |
|---|---|---|---|
| Layer 7 (App Rules) | No | Yes | Yes |
| TLS Inspection | No | Yes | Yes (Premium only) |
| Threat Intelligence | No | Depends | Yes |
| Auto Scaling | No | Manual | Yes |
| Central Policy Management | No | Manual | Yes (with Firewall Manager) |
| High Availability | Zonal, Manual | Needs config | Built-in |
| Cost | Low | High | Medium to High |
Azure Firewall SKUs: Standard vs Premium

| Feature | Standard | Premium |
|---|---|---|
| Stateful Firewall | Yes | Yes |
| Application/Network Rules | Yes | Yes |
| Threat Intelligence | Yes (Alert/Deny) | Yes |
| FQDN Filtering | Yes | Yes |
| TLS Inspection (SSL) | No | Yes |
| Intrusion Detection & Prevention | No | Yes |
| URL Filtering (Web Categories) | No | Yes |
| Ideal For | Most common use cases | Regulated, sensitive workloads |
Architecture Patterns
Hub-and-Spoke with Azure Firewall
The Hub-and-Spoke model is the most common architecture for Azure Firewall. Here's how it works:
Azure Firewall is deployed in the Hub VNET.
Spoke VNETs host applications or workloads.
All traffic (inbound/outbound/inter-VNET) is routed through the firewall using UDRs (User-Defined Routes).
You can optionally peer the hub with on-premises networks via VPN or ExpressRoute.
Tip: Azure Firewall requires a dedicated subnet called AzureFirewallSubnet.
Diagram Overview

```text
        +---------------+
        |  On-Premises  |
        +-------+-------+
                | VPN/ER
        +-------v-------+
        |   Hub VNET    |
        |   Azure FW    |
        +-------+-------+
     +----------+----------+
     v          v          v
  Spoke 1    Spoke 2    Spoke 3
   (App)      (DB)      (Mgmt)
```
How to Deploy Azure Firewall
Option 1: Azure Portal
Ideal for quick tests or proof of concept.
Option 2: ARM/Bicep
Best for enterprise deployments with declarative infrastructure.
Option 3: Terraform
Here's a Terraform snippet for provisioning Azure Firewall:
```hcl
resource "azurerm_firewall" "fw" {
  name                = "azure-fw"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  sku_name            = "AZFW_VNet"   # VNet-deployed firewall (AZFW_Hub is for Virtual WAN hubs)
  sku_tier            = "Premium"     # use "Standard" if TLS inspection and IDPS are not needed

  ip_configuration {
    name                 = "ipconfig"
    subnet_id            = azurerm_subnet.firewall_subnet.id # must be the subnet named AzureFirewallSubnet
    public_ip_address_id = azurerm_public_ip.fw_pip.id       # Standard SKU, static allocation
  }
}
```
How to Configure Rules
Azure Firewall allows three rule types, organized into Rule Collections.
1. Network Rules
Layer 4 filtering based on:
Protocol (TCP, UDP)
Source IP / Destination IP
Ports
2. Application Rules
Layer 7 filtering based on:
FQDNs (e.g., `*.microsoft.com`)
Protocols (HTTP, HTTPS)
TLS Inspection (Premium only)
3. NAT Rules
Used to forward external traffic to internal services (DNAT).
Example: Block Social Media Access
In a Firewall Policy, the action and priority belong to the rule collection, not to the individual rule:

```json
{
  "name": "block-social",
  "priority": 100,
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "action": { "type": "Deny" },
  "rules": [
    {
      "ruleType": "ApplicationRule",
      "name": "deny-facebook",
      "protocols": [{ "protocolType": "Https", "port": 443 }],
      "sourceAddresses": ["*"],
      "targetFqdns": ["*.facebook.com"]
    }
  ]
}
```
Monitoring & Diagnostics
Azure Firewall integrates with:
Log Analytics: track rule hits and dropped packets
Azure Monitor: visualize traffic
Microsoft Sentinel: SIEM for threat hunting
Storage/Event Hub: export logs
Enable Diagnostic Settings
Make sure to log:
Application rule logs
Network rule logs
Threat intelligence logs
Firewall health metrics
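Reviewing those logs is where the visibility comes from. As an added example (not code from the original post), the following parses a few constructed messages in the legacy Azure Firewall `msg_s` format used by the AzureFirewallApplicationRule and AzureFirewallNetworkRule categories, counts which destinations are being denied, and separates out flows that only hit the default action because no rule matched; the source and destination values are made up.

```python
import re
from collections import Counter

# Constructed sample log messages (legacy msg_s format); not real traffic.
SAMPLE_LOGS = [
    "HTTPS request from 10.1.0.4:52120 to www.facebook.com:443. Action: Deny. Rule Collection: block-social. Rule: deny-facebook",
    "HTTPS request from 10.1.0.4:52133 to login.microsoftonline.com:443. Action: Allow. Rule Collection: allow-m365. Rule: allow-aad",
    "HTTPS request from 10.2.0.7:40011 to www.facebook.com:443. Action: Deny. Rule Collection: block-social. Rule: deny-facebook",
    "HTTP request from 10.2.0.7:40020 to updates.example.com:80. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 10.1.0.4:5000 to 203.0.113.10:22. Action: Deny",
    "UDP request from 10.3.0.9:53111 to 10.0.0.4:53. Action: Allow",
]

# Application rule lines name the collection and rule; network rule lines and
# default-action lines do not, so that tail is optional.
LOG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?"
)


def parse_entry(msg):
    """Return the fields of one log message, or None if it is not a flow record."""
    m = LOG_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    fields["default_action"] = "No rule matched" in msg
    return fields


def summarize_denies(entries):
    """Count denied flows per destination and collect default-action denies.

    Default-action hits mean no explicit rule covered that flow: either a
    missing allow rule for legitimate traffic or something unexpected leaving
    the network, so they deserve a look either way.
    """
    parsed = [p for p in (parse_entry(e) for e in entries) if p]
    denied_by_dst = Counter(p["dst"] for p in parsed if p["action"] == "Deny")
    default_denied = [p for p in parsed if p["default_action"]]
    return denied_by_dst, default_denied
```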
Best Practices
Always use Firewall Manager for multi-region governance
Deploy in all availability zones for HA
Enable TLS Inspection for outbound HTTPS traffic
Log everything and review regularly
Use rule groups for better organization
Place a deny-all rule at the bottom
Combine with NSGs & ASGs for defense-in-depth
Avoid wildcard FQDNs unless necessary
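Two of these practices, the explicit deny-all at the bottom and the restraint on wildcard FQDNs, can be checked mechanically before a policy is applied. The following is an added example, not code from the original post: a small audit over rule collections in the same JSON shape as the "block-social" example above. It assumes Firewall Policy ordering (lower priority number is evaluated first, first match wins among application rule collections) and uses constructed collection names and priorities.

```python
WILDCARDS = ("*", "*.*")

# Constructed sample: three filter rule collections in the same JSON shape as
# the "block-social" example. Names, priorities and addresses are made up.
SAMPLE_COLLECTIONS = [
    {"name": "allow-m365", "priority": 100, "action": {"type": "Allow"},
     "rules": [{"ruleType": "ApplicationRule", "name": "allow-aad",
                "protocols": [{"protocolType": "Https", "port": 443}],
                "sourceAddresses": ["10.1.0.0/24"],
                "targetFqdns": ["login.microsoftonline.com"]}]},
    {"name": "allow-web", "priority": 200, "action": {"type": "Allow"},
     "rules": [{"ruleType": "ApplicationRule", "name": "allow-all-https",
                "protocols": [{"protocolType": "Https", "port": 443}],
                "sourceAddresses": ["*"], "targetFqdns": ["*"]}]},
    {"name": "block-social", "priority": 300, "action": {"type": "Deny"},
     "rules": [{"ruleType": "ApplicationRule", "name": "deny-facebook",
                "protocols": [{"protocolType": "Https", "port": 443}],
                "sourceAddresses": ["*"], "targetFqdns": ["*.facebook.com"]}]},
]


def is_catch_all(rule):
    """True when an application rule matches any source and any FQDN."""
    return "*" in rule.get("sourceAddresses", []) and any(
        f in WILDCARDS for f in rule.get("targetFqdns", []))


def audit_policy(collections):
    """Return a list of findings (an empty list means nothing was flagged)."""
    findings = []
    allow_all_priority = None  # priority of the first allow-everything collection
    # Lower priority number is evaluated first and the first match wins, so a
    # deny placed after an allow-all never fires.
    for col in sorted(collections, key=lambda c: c["priority"]):
        action = col["action"]["type"]
        for rule in col["rules"]:
            wild = [f for f in rule.get("targetFqdns", []) if f.startswith("*")]
            if action == "Allow" and is_catch_all(rule):
                findings.append(f"{col['name']}/{rule['name']}: allows any source to any FQDN")
                if allow_all_priority is None:
                    allow_all_priority = col["priority"]
            elif action == "Allow" and wild:
                findings.append(f"{col['name']}/{rule['name']}: wildcard FQDN in allow rule {wild}")
        if action == "Deny" and allow_all_priority is not None and col["priority"] > allow_all_priority:
            findings.append(f"{col['name']}: deny shadowed by allow-all at priority {allow_all_priority}")
    # The lowest-precedence collection should be an explicit deny-all.
    last = max(collections, key=lambda c: c["priority"])
    if last["action"]["type"] != "Deny" or not any(is_catch_all(r) for r in last["rules"]):
        findings.append(f"{last['name']}: no explicit deny-all collection at lowest precedence")
    return findings
```

Run against the sample, the audit reports the allow-all collection, the shadowed deny and the missing deny-all; adding a Deny collection with source `*` and FQDN `*` at the highest priority number clears the last finding.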
Common Pitfalls to Avoid

| Mistake | Impact |
|---|---|
| Missing UDRs to route traffic | Traffic bypasses the firewall |
| Forgetting to configure DNS | FQDN-based rules won't work |
| Using Standard SKU for sensitive data | No TLS inspection |
| No logging or diagnostics | No visibility into traffic patterns |
| NAT misconfiguration | Inbound access broken or exposed |
Cost Breakdown
Azure Firewall charges for:
Deployment (per hour)
Data processing (per GB)
Example Estimate

| Cost Component | Amount |
|---|---|
| Base hourly rate | ~$1.25 to $1.75/hr |
| Data processing | ~$0.016/GB |
| TLS Inspection (Premium) | Adds to hourly rate |

Use the Azure Pricing Calculator to simulate cost.
Real-World Case Study
In a global retail company, Azure Firewall Premium was deployed across 3 Azure regions. With centralized policy enforcement, the security team could:
Detect and block outbound data exfiltration attempts using TLS inspection.
Automatically update rules via CI/CD pipelines using Bicep templates.
Reduce attack surface by 35% through FQDN allow lists.
Using Log Analytics and Sentinel, over 2,000 anomalous connections were flagged and investigated in the first month.
Conclusion
Azure Firewall is more than a traditional firewall in the cloud; it's a scalable, intelligent security engine that fits seamlessly into Azure-native and hybrid architectures.
From application-layer filtering to TLS inspection and threat intelligence, it's your cloud perimeter guardian. When deployed correctly, it offers deep visibility and protection, especially in regulated industries like finance, healthcare, and government.
If you're building a zero-trust environment, Azure Firewall should be at the core of your network security strategy.
Written by Mostafa Elkattan
Multi Cloud & AI Architect with 18+ years of experience in Cloud Solution Architecture (AWS, Google, Azure), DevOps, and Disaster Recovery. At the forefront of driving cloud innovation, from architecting scalable infrastructures to optimizing them, providing solutions with a great customer experience.