Microsoft recently announced new features for Azure Firewall, the managed network security service that protects Azure Virtual Network resources.
A highly available stateful firewall, Azure Firewall now supports auto-generated self-signed certificates for the Azure Firewall Premium SKU and can be deployed without a public IP in forced tunnel mode, with existing firewalls updated to that mode using stop and start commands. Furthermore, secure virtual hubs can now span multiple availability zones for increased availability, and the service is available in three additional public regions: West 3, Jio India West, and Brazil Southeast.
Gopikrishna Kannan, principal program manager at Microsoft, explains the use case for self-signed certificates:
For non-production deployments, you can use the Azure Firewall Premium certification auto-generation mechanism, which automatically creates for you the following three resources, ties them together, and sets up transport layer security (TLS) inspection with a single click of a button: managed identity, key vault and self-signed intermediate CA certificate.
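To show what the auto-generated material is used for, the following added example (not Azure's code, and a deliberately simplified model) builds a self-signed root plus an intermediate CA, mints a per-site leaf certificate from the intermediate the way an inspecting firewall does, and checks the one condition that decides whether inspection works: the client must trust the root. All names, serials and lifetimes are constructed lab values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues tmpl signed by parent/parentKey; with parent == nil it is self-signed.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caTemplate is a minimal CA template (constructed lab values).
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildChain models the generated material: a self-signed root (distributed to
// clients) and the intermediate CA the firewall signs intercepted sites with.
func BuildChain() (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	root, rootKey := mkCert(caTemplate("Lab Root CA", 1), nil, nil)
	inter, interKey := mkCert(caTemplate("Lab Firewall Intermediate CA", 2), root, rootKey)
	return root, inter, interKey
}

// Inspect mints a leaf for host from the intermediate, as an inspecting firewall does
// per site, and reports whether a client whose only trust anchor is trusted accepts it.
func Inspect(host string, inter *x509.Certificate, interKey *ecdsa.PrivateKey, trusted *x509.Certificate) bool {
	leaf, _ := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	inters.AddCert(inter) // the intermediate is sent in the handshake, not pre-trusted
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}

func main() {
	root, inter, interKey := BuildChain()
	other, _ := mkCert(caTemplate("Unrelated Root CA", 9), nil, nil)
	fmt.Println(Inspect("example.com", inter, interKey, root))  // true: client has the root
	fmt.Println(Inspect("example.com", inter, interKey, other)) // false: root never deployed
}
```

The second call is the failure mode operators see in practice: leaf certificates minted by the intermediate are rejected by every client that did not receive the root CA.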
Joe Carlyle, Microsoft MVP and Azure practice lead at Evros Technology Group, tweets:
Some nice updates announced for Azure Firewall, especially like AV zones, and reconfigure to forced tunnel mode with a stop/start
As reported on InfoQ, last February Microsoft announced the preview of Azure Firewall Premium, a version with additional functionalities to target highly sensitive and regulated environments. Microsoft announced in July the general availability of the premium version and the support of TLS inspection, intrusion detection and prevention system and URL filtering.
Aidan Finn, principal consultant at Innofactor Norge, recently wrote an article on testing Azure Firewall IDPS, including test exploits, and explained why he prefers Azure Firewall over a virtual firewall appliance to create network and application-level rules:
Azure Firewall scales and it is highly available. (...) It was designed for how we should use the cloud, at scale. And that scale isn’t just about Mbps, but in terms of backend services and networks. From what I have seen so far, the same cannot be said for firewall NVAs.
Eliran Azulai, principal product manager in the Azure networking security team, recorded a presentation on how to utilize the new capabilities of Azure Firewall Premium to better protect cloud network resources.
Microsoft’s platform also includes Azure Web Application Firewall, which provides centralized protection against common exploits and vulnerabilities for web applications. Azure is not the only cloud provider offering a managed network firewall: Google has Google Cloud firewalls, and Amazon offers AWS Network Firewall, a managed service to deploy network protections for VPCs.
The pricing of Azure Firewall is determined by two components: a data processing fee that depends on the amount of data processed by the firewall, and a fixed hourly fee that is charged for any firewall deployment and differs between the Standard and Premium versions.