Does Azure Firewall encrypt all the network traffic sent from Azure to the Internet ?

Question

Does Azure Firewall encrypt all the network traffic sent from Azure to the Internet ?

Sweety Kothari 41

According to https://azure.microsoft.com/en-us/products/azure-firewall/ it says ,
Azure Firewall decrypts outbound traffic, performs required security checks, and then encrypts the traffic to the destination. If it encrypt what kind of an algorithm is used internally ?

Accepted answer

2 additional answers

Your answer

Answer 1

TP 125.1K Volunteer Moderator

Hi,

Azure Firewall decrypts outbound TLS traffic, inspects it, then encrypts it again and sends it to the destination.

For example, a user browses to a secure website such as amazon .com. Instead of the encrypted traffic going straight to amazon's server unchanged and being decrypted there, it is first decrypted by Azure Firewall, inspected for any malware/etc., then re-encrypted and sent on to amazon's server. This process is transparent to the user and is facilitated by Azure Firewall generating certificates on the fly for each destination server (amazon .com in this example).

-TP

Sweety Kothari 41 Reputation points

2022-12-26T05:59:54.35+00:00

Thanks for explanation .
So it means it will encrypt all traffic sent from azure to internet only . Is that right ?
All local azure resource communication can happen without encryption too.
TP 125.1K Reputation points Volunteer Moderator

2022-12-26T06:10:12.157+00:00

It is NOT going to encrypt all traffic going to the internet.

This is for traffic that would already be encrypted regardless if Azure Firewall was there or not. Traditionally, this type of outbound traffic wouldn't be able to be inspected by the firewall, since it is encrypted.

For example, if an Azure VM connects to something on the internet using an unencrypted connection, such as http on port 80, then that traffic will remain unencrypted. Please read this article, it has nice diagram that helps explain things: https://techcommunity.microsoft.com/t5/azure-network-security-blog/building-a-poc-for-tls-inspection-in-azure-firewall/ba-p/3676723

Thanks.

Answer 2

msrini-MSFT 9,291 Microsoft Employee

A2A,

No Azure Firewall doesn't encrypt or decrypt traffic inbound or outbound. If you are sending a traffic with HTTPS, how will Firewall know what is the destination as the hostname headers are encrypted. So it just decap the packet to find the Hostheader and then check that against the network and application rule and allow/deny the request.

Regards,
Karthik Srinivas

Answer 3

Hi @Sweety Kothari ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand more about TLS inspection in Azure Firewall.

The document you have shared actually points to the TLS Inspection feature of Azure Firewall

Azure Firewall without TLS inspection has no visibility into the packet data.
This is achieved by using Azure Firewall Premium certificates
With TLS inspection, the idea here is simple. We establish two separate TLS sessions.
One with the web Server and another with the client

P.S :

The above feature is supported only with premium SKU
Azure Firewall supports Outbound TLS Inspection and East-West TLS Inspection
For Inbound TLS Inspection, please use Application gateway

Please feel free to let us know should you require further information on this.

Cheers,
Kapil.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Does Azure Firewall encrypt all the network traffic sent from Azure to the Internet ?

2 additional answers

Your answer