
Microsoft Azure

Firewall

Azure Firewall is a fully managed, highly available and scalable cloud-based network security service that protects your Azure virtual network resources. It lets you create and enforce inbound and outbound network traffic policies across multiple Azure subscriptions and virtual networks. You can define rules that allow or deny traffic by source IP address, destination IP address, port and protocol. It supports stateful network traffic filtering and network address translation (NAT) for outgoing traffic.
Terraform name: azurerm_firewall

Attributes:

The following arguments are supported:

  • name - (Required) Specifies the name of the Firewall. Changing this forces a new resource to be created.
  • resource_group_name - (Required) The name of the resource group in which to create the resource. Changing this forces a new resource to be created.
  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
  • sku_name - (Required) SKU name of the Firewall. Possible values are AZFW_Hub and AZFW_VNet. Changing this forces a new resource to be created.
  • sku_tier - (Required) SKU tier of the Firewall. Possible values are Premium, Standard and Basic.
  • firewall_policy_id - (Optional) The ID of the Firewall Policy applied to this Firewall.
  • ip_configuration - (Optional) An ip_configuration block as documented below.
  • dns_servers - (Optional) A list of DNS servers that the Azure Firewall will direct DNS traffic to for name resolution.
  • private_ip_ranges - (Optional) A list of SNAT private CIDR IP ranges, or the special string IANAPrivateRanges, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918.
  • management_ip_configuration - (Optional) A management_ip_configuration block as documented below, which allows force-tunnelling of traffic to be performed by the firewall. Adding or removing this block, or changing the subnet_id in an existing block, forces a new resource to be created.
  • threat_intel_mode - (Optional) The operation mode for threat intelligence-based filtering. Possible values are: Off, Alert and Deny. Defaults to Alert.
  • virtual_hub - (Optional) A virtual_hub block as documented below.
  • zones - (Optional) Specifies a list of Availability Zones in which this Azure Firewall should be located. Changing this forces a new Azure Firewall to be created.

Please Note:

Availability Zones are only supported in several regions at this time.

  • tags - (Optional) A mapping of tags to assign to the resource.

An ip_configuration block supports the following:

  • name - (Required) Specifies the name of the IP Configuration.
  • subnet_id - (Optional) Reference to the subnet associated with the IP Configuration. Changing this forces a new resource to be created.

NOTE

The Subnet used for the Firewall must have the name AzureFirewallSubnet and the subnet mask must be at least a /26.

NOTE

At least one and only one ip_configuration block may contain a subnet_id.

  • public_ip_address_id - (Required) The ID of the Public IP Address associated with the firewall.

NOTE

When multiple ip_configuration blocks with public_ip_address_id are configured, terraform apply will raise an error when one or more of these ip_configuration blocks are removed: the public_ip_address_id is still in use by the firewall resource until the firewall is updated, and by default the destruction of the azurerm_public_ip happens before the firewall update, so destroying the azurerm_public_ip causes the error. The workaround is to set create_before_destroy = true in the lifecycle block of the azurerm_public_ip resource. See more detail: destroying.md#create-before-destroy

NOTE

The Public IP must have a Static allocation and Standard SKU.

A management_ip_configuration block supports the following:

  • name - (Required) Specifies the name of the IP Configuration.
  • subnet_id - (Required) Reference to the subnet associated with the IP Configuration. Changing this forces a new resource to be created.

NOTE

The Management Subnet used for the Firewall must have the name AzureFirewallManagementSubnet and the subnet mask must be at least a /26.

  • public_ip_address_id - (Required) The ID of the Public IP Address associated with the firewall.

NOTE

The Public IP must have a Static allocation and Standard SKU.

A virtual_hub block supports the following:

  • virtual_hub_id - (Required) Specifies the ID of the Virtual Hub where the Firewall resides in.
  • public_ip_count - (Optional) Specifies the number of public IPs to assign to the Firewall. Defaults to 1.

Create Firewall via Terraform:

The following HCL manages an Azure Firewall:

resource "azurerm_resource_group" "example" {
 name     = "example-resources"
 location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
 name                = "testvnet"
 address_space       = ["10.0.0.0/16"]
 location            = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
 name                 = "AzureFirewallSubnet"
 resource_group_name  = azurerm_resource_group.example.name
 virtual_network_name = azurerm_virtual_network.example.name
 address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_public_ip" "example" {
 name                = "testpip"
 location            = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
 allocation_method   = "Static"
 sku                 = "Standard"
}

resource "azurerm_firewall" "example" {
 name                = "testfirewall"
 location            = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
 sku_name            = "AZFW_VNet"
 sku_tier            = "Standard"

 ip_configuration {
   name                 = "configuration"
   subnet_id            = azurerm_subnet.example.id
   public_ip_address_id = azurerm_public_ip.example.id
 }
}
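The notes in the argument list above are easy to violate silently: a data-plane subnet that is not named AzureFirewallSubnet or is smaller than /26, a public IP that is not Static and Standard, more than one ip_configuration carrying a subnet_id, a second public IP without the create_before_destroy workaround, or threat_intel_mode set to Off. The following Python script is an added example, not code from the page or from the Terraform provider: it models those resources as plain dicts keyed by a Terraform label (the labels, addresses and resource names are constructed), checks a firewall definition against the constraints stated above, and renders a public IP as Terraform JSON syntax carrying the lifecycle block from the workaround. Calling it a policy check is the design intent; it does not talk to Azure or run Terraform.

```python
import ipaddress
import json

# Constructed sample resources (not taken from the page): a simplified view of
# the azurerm_subnet, azurerm_public_ip and azurerm_firewall arguments, keyed
# by Terraform label so that subnet_id / public_ip_address_id can be resolved.
SUBNETS = {
    "fw":   {"name": "AzureFirewallSubnet", "address_prefixes": ["10.0.1.0/26"]},
    "mgmt": {"name": "AzureFirewallManagementSubnet", "address_prefixes": ["10.0.2.0/26"]},
    "bad":  {"name": "FirewallSubnet", "address_prefixes": ["10.0.3.0/27"]},
}
PUBLIC_IPS = {
    "pip1":     {"allocation_method": "Static", "sku": "Standard",
                 "lifecycle": {"create_before_destroy": True}},
    "pip2":     {"allocation_method": "Static", "sku": "Standard",
                 "lifecycle": {"create_before_destroy": True}},
    "pip_mgmt": {"allocation_method": "Static", "sku": "Standard"},
    "pip_dyn":  {"allocation_method": "Dynamic", "sku": "Basic"},
}


def _subnet_findings(subnet, expected_name, label):
    """Name and mask checks shared by the data-plane and management subnets."""
    out = []
    if subnet["name"] != expected_name:
        out.append(f"{label}: subnet must be named {expected_name}, got {subnet['name']}")
    for prefix in subnet["address_prefixes"]:
        # "at least a /26" means a prefix length of 26 or shorter
        if ipaddress.ip_network(prefix, strict=False).prefixlen > 26:
            out.append(f"{label}: subnet {prefix} is smaller than /26")
    return out


def _pip_findings(pip, label):
    """The public IP attached to any ip_configuration must be Static and Standard."""
    if pip["allocation_method"] != "Static" or pip["sku"] != "Standard":
        return [f"{label}: public IP must use Static allocation and Standard SKU"]
    return []


def check_firewall(firewall, subnets=SUBNETS, public_ips=PUBLIC_IPS):
    """Return a list of findings; an empty list means every constraint holds."""
    findings = []
    ip_confs = firewall.get("ip_configuration", [])

    with_subnet = [c for c in ip_confs if c.get("subnet_id")]
    if len(with_subnet) != 1:
        findings.append(f"exactly one ip_configuration may carry subnet_id, found {len(with_subnet)}")
    for conf in with_subnet:
        findings += _subnet_findings(subnets[conf["subnet_id"]], "AzureFirewallSubnet", conf["name"])

    for conf in ip_confs:
        pip = public_ips[conf["public_ip_address_id"]]
        findings += _pip_findings(pip, conf["name"])
        # With several public IPs, removing one block later fails unless the
        # public IP is created before it is destroyed (the documented workaround).
        if len(ip_confs) > 1 and not pip.get("lifecycle", {}).get("create_before_destroy", False):
            findings.append(f"{conf['name']}: public IP lacks lifecycle create_before_destroy")

    mgmt = firewall.get("management_ip_configuration")
    if mgmt:
        findings += _subnet_findings(subnets[mgmt["subnet_id"]], "AzureFirewallManagementSubnet", mgmt["name"])
        findings += _pip_findings(public_ips[mgmt["public_ip_address_id"]], mgmt["name"])

    # Off disables threat-intelligence filtering entirely; the default is Alert.
    if firewall.get("threat_intel_mode", "Alert") == "Off":
        findings.append("threat_intel_mode is Off; use Alert (default) or Deny")
    return findings


def public_ip_tf_json(label, pip, resource_group_name, location):
    """Render one azurerm_public_ip in Terraform JSON syntax (a .tf.json file),
    including the lifecycle block that implements the create_before_destroy workaround."""
    body = {"name": label, "resource_group_name": resource_group_name, "location": location,
            "allocation_method": pip["allocation_method"], "sku": pip["sku"]}
    if "lifecycle" in pip:
        body["lifecycle"] = pip["lifecycle"]
    return json.dumps({"resource": {"azurerm_public_ip": {label: body}}}, indent=2)


# Constructed firewall definitions: one that satisfies every note, one that breaks several.
HARDENED = {
    "name": "testfirewall", "sku_name": "AZFW_VNet", "sku_tier": "Standard",
    "threat_intel_mode": "Deny",
    "ip_configuration": [
        {"name": "primary", "subnet_id": "fw", "public_ip_address_id": "pip1"},
        {"name": "secondary", "public_ip_address_id": "pip2"},
    ],
    "management_ip_configuration": {"name": "mgmt", "subnet_id": "mgmt", "public_ip_address_id": "pip_mgmt"},
}
WEAK = {
    "name": "weakfirewall", "sku_name": "AZFW_VNet", "sku_tier": "Standard",
    "threat_intel_mode": "Off",
    "ip_configuration": [
        {"name": "primary", "subnet_id": "bad", "public_ip_address_id": "pip_dyn"},
        {"name": "secondary", "subnet_id": "fw", "public_ip_address_id": "pip2"},
    ],
}

if __name__ == "__main__":
    for name, fw in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_firewall(fw) or "no findings")
    print(public_ip_tf_json("pip1", PUBLIC_IPS["pip1"], "example-resources", "West Europe"))
```

The hardened definition produces no findings; the weak one reports six (two subnet_id blocks, wrong subnet name, a /27 mask, a Dynamic/Basic public IP, a second public IP without create_before_destroy, and threat intelligence switched off). The same checks can be run against the output of terraform show -json once the references are resolved to the same label-keyed shape.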

Create Firewall via CLI:

Parameters:

az network firewall create --name
                          --resource-group
                          [--allow-active-ftp {0, 1, f, false, n, no, t, true, y, yes}]
                          [--conf-name]
                          [--count]
                          [--dns-servers]
                          [--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
                          [--enable-fat-flow-logging {0, 1, f, false, n, no, t, true, y, yes}]
                          [--enable-udp-log-optimization {0, 1, f, false, n, no, t, true, y, yes}]
                          [--firewall-policy]
                          [--location]
                          [--m-conf-name]
                          [--m-public-ip]
                          [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                          [--private-ranges]
                          [--public-ip]
                          [--route-server-id]
                          [--sku {AZFW_Hub, AZFW_VNet}]
                          [--tags]
                          [--threat-intel-mode {Alert, Deny, Off}]
                          [--tier {Basic, Premium, Standard}]
                          [--vhub]
                          [--vnet-name]
                          [--zones]

Example:

az network firewall create -g MyResourceGroup -n MyFirewall --private-ranges 10.0.0.0 10.0.0.0/16 IANAPrivateRanges
