Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.
Azure Firewall includes the following features:
Built-in high availability
High availability is built in, so no additional load balancers are required and there is nothing you need to configure.
Unrestricted cloud scalability
Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don’t need to budget for your peak traffic.
Application FQDN filtering rules
You can limit outbound HTTPS traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature does not require SSL termination.
Network traffic filtering rules
You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
FQDN tags
FQDN tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.
Outbound SNAT support
All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations.
Inbound DNAT support
Inbound network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
Azure Monitor logging
All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics.
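As an added example (not code from this page or from Microsoft), the following Python parser reads the msg field of the firewall's application-rule and network-rule diagnostic records and summarises denied flows per source, which is the raw material for tuning FQDN and network rules. It assumes the message shape shown in Microsoft's documentation samples; the log lines below are constructed, not captured traffic.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# "msg" field shape of AzureFirewallApplicationRule / AzureFirewallNetworkRule
# diagnostic records, assumed from Microsoft's documented samples (not from the page).
_MSG = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:\s]+):\d+ "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<coll>[^.]+)\. Rule: (?P<rule>.+?))?"
    r"(?:\. No rule matched\. Proceeding with default action)?\.?$"
)

class FlowEvent(NamedTuple):
    proto: str            # HTTPS/HTTP (application rule) or TCP/UDP (network rule)
    src: str
    dst: str              # FQDN for application rules, IP address for network rules
    dport: int
    action: str           # "Allow" or "Deny"
    rule: Optional[str]   # "collection/rule", or None when no named rule matched

def parse_msg(msg: str) -> Optional[FlowEvent]:
    """Parse one msg string; None for lines that do not fit the expected shape."""
    m = _MSG.match(msg)
    if not m:
        return None
    rule = f"{m['coll']}/{m['rule']}" if m["coll"] else None
    return FlowEvent(m["proto"], m["src"], m["dst"], int(m["dport"]), m["action"], rule)

def denied_by_source(msgs: List[str]) -> Dict[str, Counter]:
    """Per source IP, count of denies per (dst, dport): input for rule tuning."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for ev in filter(None, map(parse_msg, msgs)):
        if ev.action == "Deny":
            out[ev.src][(ev.dst, ev.dport)] += 1
    return dict(out)

def default_action_denies(msgs: List[str]) -> List[FlowEvent]:
    """Denies produced by the implicit default action (no named rule); review first."""
    return [ev for ev in filter(None, map(parse_msg, msgs))
            if ev.action == "Deny" and ev.rule is None]

SAMPLE_MSGS = [  # constructed sample records in the documented msg format
    "HTTPS request from 10.1.0.4:55932 to www.microsoft.com:443. Action: Allow. "
    "Rule Collection: allow-updates. Rule: windows-update",
    "HTTPS request from 10.1.0.4:52730 to files.example.net:443. Action: Deny. "
    "No rule matched. Proceeding with default action",
    "TCP request from 10.1.0.5:54886 to 104.210.48.191:443. Action: Allow",
    "UDP request from 10.1.0.5:60001 to 8.8.8.8:53. Action: Deny",
]
```

Feed it the msg values exported from Log Analytics or the storage-account archive; lines in any other shape are skipped rather than mis-parsed.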
Outbound traffic from Azure environments can be routed to a particular next hop rather than the Internet to allow additional security inspection by perimeter-based solutions.
Tagging and Categorization
Traffic can be tagged and categorized to help with the development of firewall rules and traffic filtering.