Does Azure Firewall encrypt all the network traffic sent from Azure to the Internet ?

Sweety Kothari 41 Reputation points
2022-12-25T16:28:35.63+00:00

According to https://azure.microsoft.com/en-us/products/azure-firewall/, it says:
"Azure Firewall decrypts outbound traffic, performs required security checks, and then encrypts the traffic to the destination." If it encrypts, what kind of algorithm is used internally?


Accepted answer
TP 125.1K Reputation points Volunteer Moderator
2022-12-25T18:27:59.25+00:00

Hi,

Azure Firewall decrypts outbound TLS traffic, inspects it, then encrypts it again and sends it to the destination.

For example, a user browses to a secure website such as amazon.com. Instead of the encrypted traffic going straight to amazon's server unchanged and being decrypted there, it is first decrypted by Azure Firewall, inspected for any malware etc., then re-encrypted and sent on to amazon's server. This process is transparent to the user and is facilitated by Azure Firewall generating certificates on the fly for each destination server (amazon.com in this example).

-TP


2 additional answers

  1. msrini-MSFT 9,291 Reputation points Microsoft Employee
    2022-12-26T06:14:57.577+00:00

    A2A,

    No, Azure Firewall doesn't encrypt or decrypt traffic, inbound or outbound. If you are sending traffic with HTTPS, how will the Firewall know what the destination is, as the hostname headers are encrypted? So it just decaps the packet to find the Host header and then checks that against the network and application rules and allows/denies the request.

    Regards,
    Karthik Srinivas

    2 people found this answer helpful.

  2. KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator
    2022-12-27T13:39:58.06+00:00

    Hi @Sweety Kothari ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to understand more about TLS inspection in Azure Firewall.

    The document you have shared actually points to the TLS Inspection feature of Azure Firewall.

    • Azure Firewall without TLS inspection has no visibility into the packet data.
    • This is achieved by using Azure Firewall Premium certificates.
    • With TLS inspection, the idea here is simple. We establish two separate TLS sessions.
    • One with the web server and another with the client.

    P.S.:

    • The above feature is supported only with the Premium SKU.
    • Azure Firewall supports Outbound TLS Inspection and East-West TLS Inspection.
    • For Inbound TLS Inspection, please use Application Gateway.

    Please feel free to let us know should you require further information on this.

    Cheers,
    Kapil.

