Azure Well-Architected Framework perspective on Azure Firewall
Azure Firewall is a cloud-native and intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads that run in Azure. It's a fully stateful, managed firewall service that has built-in high availability and unrestricted cloud scalability. Azure Firewall provides both east-west and north-south traffic inspection.
This article assumes that as an architect, you've reviewed the virtual network security options and chosen Azure Firewall as the network security service for your workload. The guidance in this article provides architectural recommendations that are mapped to the principles of the Azure Well-Architected Framework pillars.
Important
How to use this guide
Each section has a design checklist that presents architectural areas of concern along with design strategies localized to the technology scope.
Also included are recommendations on the technology capabilities that can help materialize those strategies. The recommendations don't represent an exhaustive list of all configurations available for Azure Firewall and its dependencies. Instead, they list the key recommendations mapped to the design perspectives. Use the recommendations to build your proof-of-concept or optimize your existing environments.
Foundational architecture that demonstrates the key recommendations: Hub-spoke network topology in Azure.
Technology scope
This review focuses on the interrelated decisions for the following Azure resources:
- Azure Firewall
- Azure Firewall Manager
Reliability
The purpose of the Reliability pillar is to provide continued functionality by building enough resilience and the ability to recover fast from failures.
The Reliability design principles provide a high-level design strategy applied for individual components, system flows, and the system as a whole.
Design checklist
Start your design strategy based on the design review checklist for Reliability. Determine its relevance to your business requirements while keeping in mind the policies and the type of architecture that you use. Extend the strategy to include more approaches as needed.
Review the list of Azure Firewall known issues. Azure Firewall products maintain an updated list of known issues. This list contains important information about by-design behavior, fixes under construction, platform limitations, and possible workarounds or mitigation strategies.
Ensure that your Azure Firewall policy adheres to Azure Firewall limits and recommendations. The policy structure has limits, including the number of rules and rule collection groups, total policy size, source destinations, and target destinations. Be sure to compose your policy and stay below the documented thresholds.
Deploy Azure Firewall across multiple availability zones for a higher service-level agreement (SLA). Azure Firewall provides different SLAs depending on whether you deploy the service in a single availability zone or multiple zones. For more information, see SLAs for online services.
Deploy an Azure Firewall instance in each region in multi-region environments. For traditional hub-and-spoke architectures, see Multi-region considerations. For secured Azure Virtual WAN hubs, configure routing intent and policies to secure inter-hub and branch-to-branch communications. For failure-resistant and fault-tolerant workloads, consider instances of Azure Firewall and Azure Virtual Network as regional resources.
Monitor Azure Firewall metrics and the resource health state. Azure Firewall integrates with Azure Resource Health. Use the Resource Health check to view the health status of Azure Firewall and address service problems that might affect your Azure Firewall resource.
Deploy Azure Firewall in hub virtual networks or as part of Virtual WAN hubs.
Note
The availability of network services differs between the traditional hub-and-spoke model and the Virtual WAN-managed secured hubs model. For example, in a Virtual WAN hub, the Azure Firewall public IP can't come from a public IP prefix and can't have Azure DDoS Protection enabled. When you choose your model, consider your requirements across all five pillars of the Well-Architected Framework.
Recommendations
| Recommendation | Benefit |
|---|---|
| Deploy Azure Firewall across multiple availability zones. | Deploy Azure Firewall across multiple availability zones to maintain a specific level of resiliency. If one zone experiences an outage, another zone continues to serve traffic. |
| Monitor Azure Firewall metrics in a Log Analytics workspace. Closely monitor metrics that indicate the Azure Firewall health state, such as throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics. Use Azure Service Health to monitor Azure Firewall health. |
Monitor resource metrics and service health so you can detect when a service state degrades and take proactive measures to prevent failures. |
Security
The purpose of the Security pillar is to provide confidentiality, integrity, and availability guarantees to the workload.
The Security design principles provide a high-level design strategy for achieving those goals by applying approaches to the technical design of Azure Firewall.
Design checklist
Start your design strategy based on the design review checklist for Security. Identify vulnerabilities and controls to improve the security posture. Extend the strategy to include more approaches as needed.
Send all internet traffic from your workload through a firewall or a network virtual appliance (NVA) to detect and block threats. Configure user-defined routes (UDRs) to force traffic through Azure Firewall. For web traffic, consider using Azure Firewall as an explicit proxy.
Configure supported partner software as a service (SaaS) security providers within Firewall Manager if you want to use these providers to protect outbound connections.
Restrict the usage of public IP addresses that are directly tied to virtual machines so that traffic can't bypass the firewall. The Azure Cloud Adoption Framework model assigns a specific Azure policy to the CORP management group.
Follow the Zero Trust configuration guide for Azure Firewall and Application Gateway if your security needs require that you implement a Zero Trust approach for web applications, such as adding inspection and encryption. Follow this guide to integrate Azure Firewall and Application Gateway for both traditional hub-and-spoke and Virtual WAN scenarios.
For more information, see Apply firewalls at the edge.
Establish network perimeters as part of your workload segmentation strategy to control the blast radius, obfuscate workload resources, and block unexpected, prohibited, and unsafe access. Create rules for Azure Firewall policies based on the least-privilege access criteria.
Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in forced tunneling mode. This approach doesn't apply to Virtual WAN.
Use fully qualified domain names (FQDN) and service tags when you define network rules to simplify management.
Use detection mechanisms to diligently monitor for threats and signs of abuse. Take advantage of platform-provided detection mechanisms and measures. Enable the intrusion detection and prevention system (IDPS). Associate an Azure DDoS Protection plan with your hub virtual network.
For more information, see Detect abuse.
Recommendations
| Recommendation | Benefit |
|---|---|
| Configure Azure Firewall in forced tunneling mode if you need to route all internet-bound traffic to a designated next hop instead of directly to the internet. This recommendation doesn't apply to Virtual WAN. Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in forced tunneling mode. You can use the forced tunneling feature to add another /26 address space for the Azure Firewall Management subnet. Name the subnet AzureFirewallManagementSubnet. If you have an existing Azure Firewall instance that you can't reconfigure in forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. To maintain internet connectivity, associate the UDR with AzureFirewallSubnet. Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in forced tunneling mode. But the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks doesn't use that public IP. |
Use forced tunneling so you don't expose your Azure resources directly to the internet. This approach reduces the attack surface and minimizes the risk of external threats. To enforce corporate policies and compliance requirements more effectively, route all internet-bound traffic through an on-premises firewall or an NVA. |
| Create rules for Firewall policies in an hierarchical structure to overlay a central base policy. For more information, see Use Azure Firewall policies to process rules. Create your rules based on the least-privilege access Zero Trust principle |
Organize rules in a hierarchical structure so that granular policies can meet the requirements of specific regions. Each policy can contain different sets of Destination Network Address Translation (DNAT), network, and application rules that have specific priorities, actions, and processing orders. |
| Configure supported security partner providers within Firewall Manager to protect outbound connections. This scenario requires Virtual WAN with a S2S VPN gateway in the hub because it uses an IPsec tunnel to connect to the provider's infrastructure. Managed security service providers might charge extra license fees and limit throughput on IPsec connections. You can also use alternative solutions, such as Zscaler Cloud Connector. |
Enable security partner providers in Azure Firewall to take advantage of best-in-breed cloud security offerings, which provide advanced protection for your internet traffic. These providers offer specialized, user-aware filtering and comprehensive threat-detection capabilities that enhance your overall security posture. |
| Enable Azure Firewall DNS proxy configuration. Also configure Azure Firewall to use custom DNS for forwarding DNS queries. |
Enable this feature to point clients in the virtual networks to Azure Firewall as a DNS server. This feature protects internal DNS infrastructure that's not directly accessed and exposed. |
| Configure UDRs to force traffic through Azure Firewall in a traditional hub-and-spoke architecture for spoke-to-spoke, spoke-to-internet, and spoke-to-hybrid connectivity. In Virtual WAN, configure routing intent and policies to redirect private traffic or internet traffic through the Azure Firewall instance that's integrated into the hub. If you can't apply a UDR, and you only require web traffic redirection, use Azure Firewall as an explicit proxy on the outbound path. You can configure a proxy setting on the sending application, such as a web browser, when you configure Azure Firewall as a proxy. |
Send traffic through the firewall to inspect traffic and help identify and block malicious traffic. Use Azure Firewall as an explicit proxy for outbound traffic so that web traffic reaches the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the use of multiple firewalls without modifying existing network routes. |
| Use FQDN filtering in network rules. You must enable the Azure Firewall DNS proxy configuration to use FQDNs in your network rules. | Use FQDNs in Azure Firewall network rules so that administrators can manage domain names instead of multiple IP addresses, which simplifies management. This dynamic resolution ensures that firewall rules automatically update when domain IPs change. |
| Use Azure Firewall service tags in place of specific IP addresses to provide selective access to specific services in Azure, Microsoft Dynamics 365, and Microsoft 365. | Use service tags in network rules so you can define access controls based on service names rather than specific IP addresses, which simplifies security management. Microsoft manages and updates these tags automatically when IP addresses change. This method ensures that your firewall rules remain accurate and effective without manual intervention. |
| Use FQDN tags in application rules to provide selective access to specific Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for specific Azure services, such as Microsoft 365, Windows 365, and Microsoft Intune. |
Use FQDN tags in Azure Firewall application rules to represent a group of FQDNs that are associated with well-known Microsoft services. This method simplifies the management of network security rules. |
| Enable threat intelligence on Azure Firewall in Alert and deny mode. | Use threat intelligence to provide real-time protection against emerging threats, which reduces the risk of cyberattacks. This feature uses the Microsoft threat intelligence feed to automatically alert and block traffic from known malicious IP addresses, domains, and URLs. |
| Enable the IDPS in Alert or Alert and deny mode. Consider the performance impact of this feature. | Enable IDPS filtering in Azure Firewall provides real-time monitoring and analysis of network traffic to detect and prevent malicious activities. This feature uses signature-based detection to swiftly identify known threats and block them before they cause harm. For more information, see Detect abuse. |
| Use an internal enterprise certification authority (CA) to generate certificates when you use TLS inspection with Azure Firewall Premium. Use self-signed certificates only for testing and proof of concept (PoC) purposes. | Enable TLS inspection so that Azure Firewall Premium terminates and inspects TLS connections to detect, alert, and mitigate malicious activity in HTTPS. |
| Use Firewall Manager to create and associate an Azure DDoS Protection plan with your hub virtual network. This approach doesn't apply to Virtual WAN. | Configure an Azure DDoS Protection plan so that you can centrally manage DDoS protection alongside your firewall policies. This approach streamlines how you manage your network security and simplifies how you deploy and monitor processes. |
Cost Optimization
Cost Optimization focuses on detecting spend patterns, prioritizing investments in critical areas, and optimizing in others to meet the organization's budget while meeting business requirements.
The Cost Optimization design principles provide a high-level design strategy for achieving those goals and making tradeoffs as necessary in the technical design related to Azure Firewall and its environment.
Design checklist
Start your design strategy based on the design review checklist for Cost Optimization for investments. Fine-tune the design so that the workload is aligned with the budget that's allocated for the workload. Your design should use the right Azure capabilities, monitor investments, and find opportunities to optimize over time.
Select an Azure Firewall SKU to deploy. Choose from three Azure Firewall SKUs: Basic, Standard, and Premium. Use Azure Firewall Premium to secure highly sensitive applications, such as payment processing. Use Azure Firewall Standard if your workload needs a Layer 3 to Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. Use Azure Firewall Basic if you use SMB and require up to 250 Mbps of throughput. You can downgrade or upgrade between Standard and Premium SKUs. For more information, see Choose the right Azure Firewall SKU.
Remove unused firewall deployments and optimize underused deployments. Stop Azure Firewall deployments that don't need to continuously run. Identify and delete unused Azure Firewall deployments. To reduce operational costs, monitor and optimize firewall instances usage, Azure Firewall Manager policies configuration, and the number of public IP addresses and policies that you use.
Share the same instance of Azure Firewall. You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same Azure Firewall instance across spoke virtual networks that connect to the same hub from the same region. Ensure that you don't have unexpected cross-region traffic in a hub-and-spoke topology.
Optimize traffic through the firewall. Regularly review traffic that Azure Firewall processes. Find opportunities to reduce the amount of traffic that traverses the firewall.
Decrease the amount of log data that you store. Azure Firewall can use Azure Event Hubs to comprehensively log the traffic's metadata and send it to Log Analytics workspaces, Azure Storage, or non-Microsoft solutions. All logging solutions incur costs to process data and provide storage. Large amounts of data can incur significant costs. Consider a cost-effective approach and alternative to Log Analytics, and estimate the cost. Consider whether you need to log traffic metadata for all logging categories.
Recommendations
| Recommendation | Benefit |
|---|---|
| Stop Azure Firewall deployments that don't need to continuously run. You might have development or testing environments that you only use during business hours. For more information, see Deallocate and allocate Azure Firewall. | Shut down these deployments during off-peak hours or when idle to reduce unnecessary expenses but maintain security and performance during critical times. |
| Regularly review traffic that Azure Firewall processes, and find originating workload optimizations. The top flows log, also known as the fat flows log, shows the top connections that contribute to the highest throughput through the firewall. | Optimize workloads that generate the most traffic through the firewall to reduce the volume of traffic, which decreases the load on the firewall and minimizes data-processing and bandwidth costs. |
| Identify and delete unused Azure Firewall deployments. Analyze monitoring metrics and UDRs that are associated with subnets that point to the firewall's private IP. Also consider other validations and internal documentation about your environment and deployments. For example, analyze any classic NAT, network, and application rules for Azure Firewall. And consider your settings. For example, you might configure the DNS proxy setting to Disabled. For more information, see Monitor Azure Firewall. |
Use this approach to detect cost-effective deployments over time and eliminate unused resources, which prevents unnecessary costs. |
| Review your Firewall Manager policies, associations, and inheritance carefully to optimize cost. Policies are billed based on firewall associations. A policy with zero or one firewall association is free. A policy with multiple firewall associations is billed at a fixed rate. For more information, see Firewall Manager pricing. |
Properly use Firewall Manager and its policies to reduce operational costs, increase efficiency, and reduce management overhead. |
| Review all the public IP addresses in your configuration, and disassociate and delete the ones that you don't use. Evaluate source network address translation (SNAT) port usage before you remove any IP addresses. For more information, see Monitor Azure Firewall logs and metrics and SNAT port usage. |
Delete unused IP addresses to reduce costs. |
Operational Excellence
Operational Excellence primarily focuses on procedures for development practices, observability, and release management.
The Operational Excellence design principles provide a high-level design strategy for achieving those goals for the operational requirements of the workload.
Design checklist
Start your design strategy based on the design review checklist for Operational Excellence for defining processes for observability, testing, and deployment related to Azure Firewall.
Use Firewall Manager with traditional hub-and-spoke topologies or Virtual WAN network topologies to deploy and manage instances of Azure Firewall. Use native security services for traffic governance and protection to create hub-and-spoke and transitive architectures. For more information, see Network topology and connectivity.
Migrate Azure Firewall classic rules to Firewall Manager policies for existing deployments. Use Firewall Manager to centrally manage your firewalls and policies. For more information, see Migrate to Azure Firewall Premium.
Maintain regular backups of Azure Policy artifacts. If you use an infrastructure-as-code approach to maintain Azure Firewall and all dependencies, you should have backup and versioning of Azure Firewall policies in place. If you don't, you can deploy a companion mechanism that's based on an external logic app to provide an effective automated solution.
Monitor Azure Firewall logs and metrics. Take advantage of diagnostic logs for firewall monitoring and troubleshooting and activity logs for auditing operations.
Analyze monitoring data to assess the overall health of the system. Use the built-in Azure Firewall monitoring workbook, familiarize yourself with Kusto Query Language (KQL) queries, and use the policy analytics dashboard to identify potential problems.
Define alerts for key events so that operators can quickly respond to them.
Take advantage of platform-provided detection mechanisms in Azure to detect abuse. Integrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel if possible. Integrate with Defender for Cloud so you can visualize the status of network infrastructure and network security in one place, including Azure network security across all virtual networks and virtual hubs in different regions in Azure. Integrate with Microsoft Sentinel to provide threat-detection and prevention capabilities.
Recommendations
| Recommendation | Benefit |
|---|---|
| Enable diagnostic logs for Azure Firewall. Use firewall logs or workbooks to monitor Azure Firewall. You can also use activity logs to audit operations on Azure Firewall resources. Use the structured firewall logs format. Only use the previous diagnostic logs format if you have an existing tool that requires it. Don't enable both logging formats at the same time. |
Enable diagnostic logs to optimize your monitoring tools and strategies for Azure Firewall. Use structured firewall logs to structure log data so that it's easy to search, filter, and analyze. The latest monitoring tools are based on this type of log, so it's often a prerequisite. |
| Use the built-in Azure Firewall workbook. | Use the Azure Firewall workbook to extract valuable insights from Azure Firewall events, analyze your application and network rules, and examine statistics about firewall activities across URLs, ports, and addresses. |
| Monitor Azure Firewall logs and metrics, and create alerts for Azure Firewall capacity. Create alerts to monitor Throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics. | Set up alerts for key events to notify operators before potential problems arise, help prevent disruptions, and initiate quick capacity adjustments. |
| Regularly review the policy analytics dashboard to identify potential problems. | Use policy analytics to analyze the impact of your Azure Firewall policies. Identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance. |
| Understand KQL queries so you can use Azure Firewall logs to quickly analyze and troubleshoot problems. Azure Firewall provides sample queries. | Use KQL queries to quickly identify events inside your firewall and check to see which rule is triggered or which rule allows or blocks a request. |
Performance Efficiency
Performance Efficiency is about maintaining user experience even when there's an increase in load by managing capacity. The strategy includes scaling resources, identifying and optimizing potential bottlenecks, and optimizing for peak performance.
The Performance Efficiency design principles provide a high-level design strategy for achieving those capacity goals against the expected usage.
Design checklist
Start your design strategy based on the design review checklist for Performance Efficiency. Define a baseline that's based on key performance indicators for Azure Firewall.
Optimize your Azure Firewall configuration in accordance with the Well-Architected Framework recommendations to optimize code and infrastructure and ensure peak operation. To maintain an efficient and secure network, regularly review and optimize firewall rules. This practice helps ensure that your firewall configurations remain effective and up to date with the latest security threats.
Assess policy requirements, and find opportunities to summarize IP ranges and URL lists. Use web categories to allow or deny outbound access in bulk to streamline management and enhance security. Evaluate the performance impact of IDPS in Alert and deny mode because this configuration can affect network latency and throughput. Configure public IP addresses to support your SNAT port requirements. Follow these practices to create a robust and scalable network security infrastructure.
Don't use Azure Firewall for intra-virtual network traffic control. Use Azure Firewall to control the following types of traffic:
- Traffic across virtual networks
- Traffic between virtual networks and on-premises networks
- Outbound traffic to the internet
- Incoming non-HTTP or non-HTTPS traffic
For intra-virtual network traffic control, use network security groups.
Warm up Azure Firewall properly before performance tests. Create initial traffic that isn't part of your load tests 20 minutes before your tests. Use diagnostics settings to capture scale-up and scale-down events. You can use the Azure Load Testing service to generate the initial traffic so you can scale up Azure Firewall to the maximum number of instances.
Configure an Azure Firewall subnet with a /26 address space. You need a dedicated subnet for Azure Firewall. Azure Firewall provisions more capacity as it scales. A /26 address space ensures that the firewall has enough IP addresses available to accommodate the scaling. Azure Firewall doesn't require a subnet that's larger than /26. Name the Azure Firewall subnet AzureFirewallSubnet.
Don't enable advanced logging if you don't need it. Azure Firewall provides some advanced logging capabilities that can incur significant costs to keep active. Instead, you can use these capabilities for troubleshooting purposes only and for limited amounts of time. Disable capabilities when you don't need them. For example, top flows and flow trace logs are expensive and can cause excessive CPU and storage usage on the Azure Firewall infrastructure.
Recommendations
| Recommendation | Benefit |
|---|---|
| Use the policy analytics dashboard to identify ways to optimize Azure Firewall policies. | Use policy analytics to identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance. |
| Place frequently used rules early in a group to optimize latency for Azure Firewall policies that have large rule sets. For more information, see Use Azure Firewall policies to process rules. |
Place frequently used rules high in a rule set to optimize processing latency. Azure Firewall processes rules based on the rule type, inheritance, rule collection group priority, and rule collection priority. Azure Firewall processes high-priority rule collection groups first. Inside a rule collection group, Azure Firewall processes rule collections that have the highest priority first. |
| Use IP groups to summarize IP address ranges and avoid exceeding the limit of unique source or unique destination network rules. Azure Firewall treats the IP group as a single address when you create network rules. | This approach effectively increases the number of IP addresses that you can cover without exceeding the limit. For each rule, Azure multiplies ports by IP addresses. So, if one rule has four IP address ranges and five ports, you consume 20 network rules. |
| Use Azure Firewall web categories to allow or deny outbound access in bulk, instead of explicitly building and maintaining a long list of public internet sites. | This feature dynamically categorizes web content and permits the creation of compact application rules, which reduces operational overhead. |
| Evaluate the performance impact of IDPS in Alert and deny mode. For more information, see Azure Firewall performance. | Enable IDPS in Alert and deny mode to detect and prevent malicious network activity. This feature might introduce a performance penalty. Understand the effect on your workload so you can plan accordingly. |
| Configure Azure Firewall deployments with a minimum of five public IP addresses for deployments that are susceptible to SNAT port exhaustion. | Azure Firewall supports 2,496 ports for each public IP address that each back-end Azure Virtual Machine Scale Sets instance uses. This configuration increases the available SNAT ports by five times. By default, Azure Firewall deploys two Virtual Machine Scale Sets instances that support 4,992 ports for each flow destination IP, destination port, and TCP or UDP protocol. The firewall scales up to a maximum of 20 instances. |
Azure policies
Azure provides an extensive set of built-in policies related to Azure Firewall and its dependencies. Some of the preceding recommendations can be audited through Azure Policy. For example, you can check whether:
Network interfaces shouldn't have public IPs. This policy denies network interfaces that are configured with a public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources can communicate outbound to the internet.
All internet traffic should be routed via your deployed Azure Firewall instance. Azure Security Center identifies that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats. Use Azure Firewall or a supported next generation firewall to restrict access to your subnets.
For comprehensive governance, review the Azure Policy built-in definitions for Azure Firewall and other policies that might affect the security of the network.
Azure Advisor recommendations
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. Here are some recommendations that can help you improve the reliability, security, cost effectiveness, performance, and operational excellence of Azure Firewall.
Next steps
See the following resources that demonstrate the recommendations in this article.
Use the following reference architectures as examples of how to apply this article's guidance to a workload:
Use the following resources to improve your implementation expertise:
See other resources: