Filtering EAST-WEST Traffic - Azure Firewall

nirmal kumar 1 Reputation point
2024-05-06T12:47:58.6266667+00:00

Does azure firewall support east-west traffic filtering or it should only be used for north-south traffic filtering.

In some doc I read for inbound http & https we need to use web application firewall.(Application gateway)

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
580 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,195 questions
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
85 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,988 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee
    2024-05-06T22:44:12.47+00:00

    @nirmal kumar

    Thank you for reaching out.

    Based on your question above.

    Does azure firewall support east-west traffic filtering or it should only be used for north-south traffic filtering.

    The answer is Yes although the recommended method is to use Network security groups for internal network segmentation and filtering, as documented here

    "However, configuring the UDRs to redirect traffic between subnets in the same VNET requires more attention. While using the VNET address range as a target prefix for the UDR is sufficient, this also routes all traffic from one machine to another machine in the same subnet through the Azure Firewall instance. To avoid this, include a route for the subnet in the UDR with a next hop type of VNET. Managing these routes might be cumbersome and prone to error. The recommended method for internal network segmentation is to use Network Security Groups, which don't require UDRs."

    In some doc I read for inbound http & https we need to use web application firewall.(Application gateway)

    This will regarding TLS inspection feature of Azure Firewall

    Azure Firewall supports Outbound TLS Inspection and if there is a requirement for Inbound TLS Inspection like to protect internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network. Application Gateway provides end-to-end encryption and should be used for Inbound TLS Inspection

    You can go through this article to understand different scaneraios where Application Gateway can be deployed with Azure Firewall.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments