Next-generation firewall capabilities with Azure Firewall Premium
This post was co-authored by Gopikrishna Kannan, Principal Program Manager, Azure Networking and Suren Jamiyanaa, Program Manager 2, Azure Networking.
Following the preview release announced in February 2021, we are announcing the general availability release of Microsoft Azure Firewall Premium.
Key features in this release include:
- TLS inspection: Azure Firewall Premium terminates outbound and east-west transport layer security (TLS) connections. Inbound TLS inspection is supported in conjunction with Azure Application Gateway allowing end-to-end encryption. Azure Firewall performs the required value-added security functions and re-encrypts the traffic which is sent to the original destination.
- IDPS: Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
- Web categories: Allows administrators to filter outbound user access to the internet based on categories (for example, social networking, search engines, gambling, and so on), reducing the time spent on managing individual fully qualified domain names (FQDNs) and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.
- URL filtering: Allow administrators to filter outbound access to specific URLs, not just FQDNs. This capability works for both plain text and encrypted traffic if TLS inspection is enabled.
Azure Firewall Premium benefits
Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, such as the payment and healthcare industries. Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium utilizes a more powerful Virtual Machine SKU. Like Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrates with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.
To simplify migration for Standard SKU customers, we used a common configuration approach using Azure Firewall Policy. This approach allows reusing existing API integration with minimal changes and continues managing Azure Firewall using Firewall Manager. Customers using firewall rules (Classic) will take an additional step for the migration to Azure Firewall Policy first. Azure Firewall Policy offers several advantages such as sharing common configuration across multiple firewalls, grouping rules using rule collection groups, and managing rules over time using policy analytics (Private Preview). For more information, see the Azure Firewall Policy documentation page.
The Azure Firewall Premium SKU is optimally priced to provide the best value for state-of-the-art cloud-native firewall service. Premium SKU, with its advanced threat protection capabilities, offers compelling reasons to migrate on-premise high-security perimeter networks to the cloud. This approach helps avoid latency incurred back-hauling internet traffic to on-premises perimeter networks.
Figure 1: Azure Firewall Premium capabilities.
Migration from Azure Firewall Standard to Premium
As part of this general availability release, we are offering two new capabilities to allow smooth migration:
- Convert the existing Azure Firewall rules (Classic) to Azure Firewall Policy.
Figure 2: Migrate classic rules to Azure Firewall Policy.
2. Create a new Azure Firewall Premium and associate it to an existing policy.
Figure 3: Create a new Azure Firewall Premium and associate an Azure Policy.
After exporting the Azure Firewall configuration and decommissioning your existing Azure Firewall Standard, you can deploy a new Azure Firewall Premium while associating to it the standard firewall configuration and maintaining its public IP.
For more details go to Migrate to Azure Firewall Premium documentation.
Azure Firewall Premium pricing
Like the Standard SKU, Azure Firewall Premium pricing includes both deployment and data processing charges.
The deployment charge is 40 percent higher than Azure Firewall Standard and the data processing charge remains the same as Azure Firewall Standard.
For more details, visit the Azure Firewall pricing page.
Next steps
For more information on everything we covered in this blog post, see the following:
- Azure Firewall documentation.
- Azure Firewall Manager documentation.
- What is Azure Firewall Premium?
- Azure Network Security technical community blog.
- Azure Network Security GitHub Repository.
- Deploy and configure Azure Firewall Premium.
- Using Application Gateway with Azure Firewall.
- Optimize security with Azure Firewall solution for Azure Sentinel.
- Use Azure Firewall for secure and cost-effective Windows Virtual Desktop protection.
Source: Azure Blog Feed