Azure Firewall Premium Becomes Generally Available
- By John K. Waters
Microsoft has announced the general availability of the Premium edition of Azure Firewall, its managed, cloud-based network security service. Redmond announced the public preview back in February.
The company debuted its first firewall-as-a-service in 2018, billing it as "a managed, cloud native network security service to protect application resources with built-in high availability and unrestricted cloud scalability." Azure Firewall is a fully stateful firewall designed to allow users to create, enforce and log application and network connectivity policies across subscriptions and virtual networks.
Azure Firewall Premium adds a number of features and capabilities to what is now the Standard edition, including:
- TLS inspection: The Premium edition terminates outbound and east-west transport layer security (TLS) connections. Inbound TLS inspection is supported in conjunction with Azure Application Gateway (Web traffic load balancer), allowing end-to-end encryption. The firewall performs the required value-added security functions and re-encrypts the traffic, which is sent to the original destination.
- IDPS: This edition provides a signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks based on specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
- Web Categories: This feature gives administrators the ability to allow or deny user access to the Internet based on web categories (e.g., social networking, search engines, gambling), reducing the time spent on managing individual fully qualified domain names (FQDNs) and URLs. (This capability is also available for Azure Firewall Standard based on FQDNs only.) Redmond has published a list of Web categories.
- URL Filtering: This capability allows users to access specific URLs for both plain text and encrypted traffic. It's typically used in conjunction with Web Categories, Microsoft says.
Azure Firewall Premium utilizes Firewall Policy, a global resource that can be used to centrally manage firewalls using the Azure Firewall Manager. Starting with this release, all new features will be configurable via Firewall Policy only, the company says, including TLS Inspection, IDPS, URL Filtering and Web Categories.
"To simplify migration for Standard SKU customers, we used a common configuration approach using Azure Firewall Policy," explained Azure team members Eliran Azulai, Gopikrishna Kannan and Suren Jamiyanaa in a blog post. This approach allows reusing existing API integration with minimal changes and continues managing Azure Firewall using Firewall Manager. Customers using firewall rules (Classic) will take an additional step for the migration to Azure Firewall Policy first.
Azure Firewall Policy offers several advantages such as sharing common configuration across multiple firewalls, grouping rules using rule collection groups, and managing rules over time using policy analytics (Private Preview). For more information, see the Azure Firewall Policy documentation page.
Microsoft is providing two ways to migrate from Azure Firewall Standard to the new Premium edition: an Azure PowerShell script that creates a new Premium policy from an existing Standard policy, and a step-by-step process using the Azure portal.
Azure has long supported a second feature for managing both inbound and outbound traffic to resources. Azure Network Security Groups (NSGs) provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription. As a stateful, centralized network firewall-as-a-service, Azure Firewall provides both network- and application-level protection across different subscriptions and virtual networks. You could say that NSGs are a basic firewall, while Azure Firewall is a more comprehensive service for regulating traffic.
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.