Azure Firewall Manager

  • Author: Ronald Fung

  • Creation Date: 17 May 2023

  • Next Modified Date: 17 May 2024

A. Introduction

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

  • Secured virtual hub

    An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

  • Hub virtual network

    This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.

For a detailed comparison of secured virtual hub and hub virtual network architectures, see What are the Azure Firewall Manager architecture options?.

firewall manager

B. How is it used at Seagen

As a biopharma research company using Microsoft Azure, you can use Azure Firewall Manager to centrally manage and configure Azure Firewall instances across multiple Azure regions and subscriptions. Here are some ways you can use Azure Firewall Manager:

  1. Centralize firewall management: Azure Firewall Manager allows you to centralize the management of Azure Firewall instances across multiple Azure regions and subscriptions. You can use the Azure portal or APIs to create and manage firewall policies and apply them to multiple Azure Firewall instances.

  2. Simplify firewall deployment: Azure Firewall Manager allows you to simplify the deployment of Azure Firewall instances by providing templates and automation tools. You can use Azure Firewall Manager to deploy and configure Azure Firewall instances based on predefined templates and policies.

  3. Monitor firewall activity: Azure Firewall Manager provides monitoring and reporting capabilities to help you track firewall activity and identify security threats. You can use Azure Monitor or Azure Security Center to monitor firewall activity and configure alerts for any suspicious activity.

  4. Scale your security: Azure Firewall Manager allows you to scale your security based on your workload. You can use Azure Firewall Manager to manage and configure Azure Firewall instances across multiple Azure regions and subscriptions and provide advanced security features such as intrusion detection and prevention.

  5. Integrate with other Azure services: Azure Firewall Manager can be integrated with other Azure services such as Azure Virtual Network, Azure Application Gateway, and Azure Load Balancer. This allows you to secure your network and applications across different Azure services and applications.

C. Features

Azure Firewall Manager offers the following features:

Central Azure Firewall deployment and configuration

You can centrally deploy and configure multiple Azure Firewall instances that span different Azure regions and subscriptions.

Hierarchical policies (global and local)

You can use Azure Firewall Manager to centrally manage Azure Firewall policies across multiple secured virtual hubs. Your central IT teams can author global firewall policies to enforce organization wide firewall policy across teams. Locally authored firewall policies allow a DevOps self-service model for better agility.

Integrated with third-party security-as-a-service for advanced security

In addition to Azure Firewall, you can integrate third-party security as a service (SECaaS) providers to provide additional network protection for your VNet and branch Internet connections.

This feature is available only with secured virtual hub deployments.

  • VNet to Internet (V2I) traffic filtering

    Filter outbound virtual network traffic with your preferred third-party security provider. Leverage advanced user-aware Internet protection for your cloud workloads running on Azure.

  • Branch to Internet (B2I) traffic filtering

    Leverage your Azure connectivity and global distribution to easily add third-party filtering for branch to Internet scenarios.

For more information about security partner providers, see What are Azure Firewall Manager security partner providers?

Centralized route management

Easily route traffic to your secured hub for filtering and logging without the need to manually set up User Defined Routes (UDR) on spoke virtual networks.

This feature is available only with secured virtual hub deployments.

You can use third-party providers for Branch to Internet (B2I) traffic filtering, side by side with Azure Firewall for Branch to VNet (B2V), VNet to VNet (V2V) and VNet to Internet (V2I).

DDoS protection plan

You can associate your virtual networks with a DDoS protection plan within Azure Firewall Manager. For more information, see Configure an Azure DDoS Protection Plan using Azure Firewall Manager.

Manage Web Application Firewall policies

You can centrally create and associate Web Application Firewall (WAF) policies for your application delivery platforms, including Azure Front Door and Azure Application Gateway. For more information, see Manage Web Application Firewall policies.

Region availability

Azure Firewall Policies can be used across regions. For example, you can create a policy in West US, and use it in East US.

D. Where Implemented

LeanIX

E. How it is tested

Testing Azure Firewall Manager involves ensuring that the service is functioning correctly and securely, and meeting the needs of all stakeholders involved in the project. Here are some steps to follow to test Azure Firewall Manager:

  1. Define the scope and requirements: Define the scope of the project and the requirements of all stakeholders involved in the project. This will help ensure that Azure Firewall Manager is designed to meet the needs of all stakeholders.

  2. Develop test cases: Develop test cases that cover all aspects of Azure Firewall Manager functionality, including creating and managing policies, monitoring network traffic, and setting up logging and analytics. The test cases should be designed to meet the needs of the organization, including scalability and resilience.

  3. Conduct unit testing: Test the individual components of Azure Firewall Manager to ensure that they are functioning correctly. This may involve using tools like PowerShell or Azure CLI for automated testing.

  4. Conduct integration testing: Test Azure Firewall Manager in an integrated environment to ensure that it works correctly with other systems and applications. This may involve testing Azure Firewall Manager with different operating systems, browsers, and devices.

  5. Conduct user acceptance testing: Test Azure Firewall Manager with end-users to ensure that it meets their needs and is easy to use. This may involve conducting surveys, interviews, or focus groups to gather feedback from users.

  6. Automate testing: Automate testing of Azure Firewall Manager to ensure that it is functioning correctly and meeting the needs of all stakeholders. This may involve using tools like Azure DevOps Pipelines to set up automated testing pipelines.

  7. Monitor performance: Monitor the performance of Azure Firewall Manager in production to ensure that it is meeting the needs of all stakeholders. This may involve setting up monitoring tools, such as Azure Monitor, to track usage and identify performance issues.

  8. Address issues: Address any issues that are identified during testing and make necessary changes to ensure that Azure Firewall Manager is functioning correctly and meeting the needs of all stakeholders.

By following these steps, you can ensure that Azure Firewall Manager is tested thoroughly and meets the needs of all stakeholders involved in the project. This can help improve the quality of Azure Firewall Manager and ensure that it functions correctly in a production environment.

F. 2023 Roadmap

????

G. 2024 Roadmap

Public peering is no longer available on new ExpressRoute circuits and is scheduled for retirement on March 31, 2024.

H. Known Issues

There are several known issues that can impact Azure Firewall Manager. Here are some of the most common issues to be aware of:

  1. Performance issues: Performance issues can arise when Azure Firewall Manager is under heavy load, leading to issues with network traffic and latency. It is important to monitor performance and address any issues that arise.

  2. Configuration issues: Configuration issues can arise when configuring Azure Firewall Manager, leading to issues with network traffic and connectivity. It is important to ensure that the service is properly configured to avoid these issues.

  3. Compatibility issues: Azure Firewall Manager may not be compatible with all platforms, devices, or languages. It is important to ensure that Azure Firewall Manager is compatible with the organization’s existing infrastructure before implementation.

  4. Security issues: Security is a critical concern when it comes to Azure Firewall Manager. It is important to ensure that Azure Firewall Manager is secured and that access to the solution is restricted to authorized personnel.

  5. Deployment issues: Deployment issues can arise when deploying Azure Firewall Manager in a complex environment. It is important to ensure that the deployment process is thoroughly tested and that all dependencies are accounted for.

  6. Logging and Analytics issues: Issues with logging and analytics can impact the effectiveness of Azure Firewall Manager. It is important to ensure that logging and analytics are properly configured and that the data is being properly analyzed.

  7. Licensing issues: Licensing issues can arise when using Azure Firewall Manager. It is important to ensure that the appropriate licensing is in place to avoid any legal issues.

Overall, Azure Firewall Manager requires careful planning and management to ensure that it is functioning correctly and meeting the needs of all stakeholders involved in the project. By being aware of these known issues and taking steps to address them, you can improve the quality of Azure Firewall Manager and ensure the success of your project.

[x] Reviewed by Enterprise Architecture

[x] Reviewed by Application Development

[x] Reviewed by Data Architecture