In a recent blog post, Microsoft announced that Azure Firewall Manager now supports virtual networks. This new capability allows organizations to centrally manage security policies and route management for cloud-based security perimeters. It is based on two network architectures: "secured virtual hub" and "hub virtual network". In addition, Azure Firewall Manager can orchestrate Azure Firewall policy creation and association.
This announcement is a follow-up from the November 2019 preview announcement, in which Microsoft announced Azure Firewall Manager support with security partners like Zscaler and iboss, and future support for Check Point.
Centrally managing firewalls is a core requirement for many organizations that are managing infrastructure in many regions and using many subscriptions. Gopikrishna Kannan, a senior product manager at Microsoft, explains how Azure Firewall Manager provides centralized firewall management:
It makes it easy for enterprise IT teams to centrally define network and application-level rules for traffic filtering across multiple Azure Firewall instances that span different Azure regions and subscriptions in hub-and-spoke architectures for traffic governance and protection. In addition, it empowers DevOps for better agility with derived local firewall security policies that are implemented across organizations.
Azure Firewall Manager supports two network architecture types:
- Secured virtual hub – by leveraging an Azure Virtual WAN Hub, which is a Microsoft-managed resource that allows administrators to create hub-and-spoke architectures. Security and routing policies can be applied to this hub, creating a secured virtual hub.
- Hub virtual network – which is a standard Azure Virtual Network that you create and manage yourself. When security policies are applied, it becomes a hub virtual network. Multiple spoke virtual networks can be peered or firewalls can be managed in standalone virtual networks.
When trying to determine which architecture to use, Kannan suggests the following:
Hub virtual networks are probably the right choice if your network architecture is based on virtual networks only, requires multiple hubs per region, or doesn't use hub-and-spoke at all.
However, if organizations have a global presence, Secured virtual hubs may be a better fit. Kannan explains:
Secured virtual hubs might address your needs better if you need to manage routing and security policies across many globally distributed secured hubs. Secured virtual hubs have high-scale VPN connectivity, SD-WAN support, and third-party Security as a Service integration. You can use Azure to secure your Internet edge for both on-premises and cloud resources.
In addition to managing virtual networks, Azure Firewall Manager also supports managing the creation of Azure Firewall policies. Azure Firewall is a service that provides network address translation (NAT), application rule collections and threat intelligence settings.
Once a firewall policy has been created, it can be associated with a firewall in a Virtual WAN Hub. This includes either a secured virtual hub or a hub virtual network. There is no charge for creating policies, but as soon as they are associated with more than one firewall, consumption charges apply.
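The create-then-associate workflow described above, shown with the Az PowerShell module as an added example (this is not code from the Microsoft blog post or from Azure Firewall Manager's documentation). It builds one firewall policy containing a single network rule collection, then deploys an Azure Firewall into a hub virtual network that references that policy, which is the "hub virtual network" architecture from the list above. All resource names, the resource group, the region, and the address ranges are assumptions chosen for illustration; the virtual network is assumed to already contain a subnet named AzureFirewallSubnet, which Azure Firewall requires.

```powershell
# Added example: create an Azure Firewall policy and associate it with a firewall
# deployed into a hub virtual network. Names, region and CIDRs below are assumptions.
$rg       = 'rg-hub-example'      # assumed resource group
$location = 'eastus'              # assumed region
$hubVnet  = 'vnet-hub-example'    # assumed hub VNet, already containing 'AzureFirewallSubnet'

# 1. Create the policy. Threat intelligence is set to Deny so traffic to/from
#    known-malicious IPs and domains is blocked rather than only alerted on.
$policy = New-AzFirewallPolicy -Name 'fwpol-hub-example' `
    -ResourceGroupName $rg -Location $location -ThreatIntelMode Deny

# 2. Define a network rule: allow spoke workloads (assumed 10.1.0.0/16) to reach
#    an assumed on-premises DNS range on UDP/TCP 53 only.
$dnsRule = New-AzFirewallPolicyNetworkRule -Name 'allow-spoke-to-onprem-dns' `
    -SourceAddress '10.1.0.0/16' -DestinationAddress '10.100.0.0/24' `
    -DestinationPort 53 -Protocol UDP, TCP

# 3. Wrap the rule in a filter rule collection (Allow) and a rule collection group.
#    Lower priority numbers are evaluated first; 100 leaves room for DENY
#    collections to be inserted ahead of it later.
$collection = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-spoke-egress' `
    -Priority 100 -Rule $dnsRule -ActionType Allow

New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-network' -Priority 200 `
    -RuleCollection $collection -FirewallPolicyObject $policy | Out-Null

# 4. Deploy the firewall into the hub VNet and associate the policy by resource ID.
#    Any further rule changes are made on the policy, not on the firewall.
$vnet = Get-AzVirtualNetwork -Name $hubVnet -ResourceGroupName $rg
$pip  = New-AzPublicIpAddress -Name 'pip-azfw-hub' -ResourceGroupName $rg `
    -Location $location -AllocationMethod Static -Sku Standard

$fw = New-AzFirewall -Name 'azfw-hub-example' -ResourceGroupName $rg `
    -Location $location -VirtualNetwork $vnet -PublicIpAddress $pip `
    -FirewallPolicyId $policy.Id

# 5. Confirm the association: the firewall's FirewallPolicy property should point
#    at the policy resource ID created in step 1.
if ($fw.FirewallPolicy.Id -eq $policy.Id) {
    Write-Output "Firewall '$($fw.Name)' is governed by policy '$($policy.Name)'."
} else {
    Write-Warning 'Policy association not reflected on the firewall resource.'
}
```

Because pricing applies once a policy is associated with more than one firewall, the same `$policy.Id` can be passed to additional `New-AzFirewall` calls in other regions or subscriptions to share one rule set across hubs; a policy with no associations costs nothing to keep as a template.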
To better understand the differences between the new firewall policies (left column) and previous firewall rules (right column), please refer to the following table.
Image source: https://azure.microsoft.com/en-us/blog/azure-firewall-manager-now-supports-virtual-networks/