
Optimize Azure Firewalls

Azure Firewall is a fundamental security service for protecting your cloud workloads in Azure. By adhering to the following recommendations based on the Azure Well-Architected Framework, you can ensure that your Azure Firewall implementation is robust, secure, cost-effective, and operationally efficient.

This guide provides a comprehensive set of recommendations across different pillars of the Well-Architected Framework, covering reliability, security, cost optimization, performance efficiency, and operational excellence.


Cost Optimization Recommendations

Delete unused Azure Firewall deployments

Impact: High

Audit your environment and remove unused Azure Firewall deployments to eliminate unnecessary costs.

Establish an audit process to identify firewalls with zero or minimal traffic and validate with stakeholders before deletion.

Deallocate idle Azure Firewalls

Impact: Medium

Deallocate Azure Firewall deployments for development, testing, or other non-production environments during off-peak hours or idle periods to save costs. A deallocated firewall keeps its configuration and policy association but is removed from the subnet, so the hourly deployment charge stops; the public IP address resources still exist and continue to be billed.

Regularly assess non-production workloads to determine idle periods. Automate the stop and start as a deallocate and allocate of the existing firewall (Azure PowerShell exposes Deallocate() and Allocate() on the firewall object) rather than deleting and recreating it, so that rules, IP groups and route references survive. While the firewall is deallocated, spokes whose routes point at its private IP have no working next hop, so schedule the window accordingly.

Review Azure Firewall traffic

Impact: Low

Analyze traffic patterns and identify opportunities to optimize workloads that generate the most traffic through the firewall, potentially reducing bandwidth and data processing costs.

Use monitoring tools to identify high-traffic sources and evaluate workload optimizations to minimize unnecessary traffic.

Optimize Firewall Manager policies

Impact: Low

Efficiently manage Firewall Manager policies and associations to reduce costs. A firewall policy associated with a single firewall is not charged; a policy associated with more than one firewall is billed per policy.

Consolidate policies where possible to reduce the number of billed associations, and review parent/child inheritance so that a child policy only adds rules the parent does not already provide.

Disassociate unused public IPs

Impact: Low

Review and delete unused public IP addresses to minimize costs. Evaluate SNAT port usage before removing an address, because each public IP attached to the firewall contributes SNAT ports and removing one can trigger port exhaustion.

Track public IP usage and implement a process for reviewing configurations periodically.

Performance Recommendations

Use the policy analytics dashboard

Impact: Low

Use the policy analytics dashboard to identify areas for policy optimization, leading to improved security posture and rule-processing performance.

Analyze metrics and adjust rules based on usage patterns to improve firewall efficiency.

Prioritize frequently used rules

Impact: Low

Place frequently used rules early in a group to optimize latency for Azure Firewall policies that have large rule sets.

Organize rules logically and monitor their impact on latency to optimize performance.

Use IP groups for rule management

Impact: Low

Leverage IP groups to manage large numbers of IP addresses efficiently and prevent exceeding rule limits.

Consolidate IP ranges using IP groups to simplify management and enhance scalability.

Implement web categories

Impact: Low

Simplify management by using web categories to control outbound access to broad categories of websites (for example, gambling or social networking) rather than managing individual URLs.

Regularly review which categories are allowed so they stay aligned with business needs and security policies.

Note: Web categories are available in both SKUs. The Standard SKU classifies traffic by FQDN only; the Premium SKU classifies the full URL, which for HTTPS requires TLS inspection to be enabled.

Evaluate IDPS performance impact

Impact: Medium

IDPS is a Premium SKU feature. Enabling it in "Alert and deny" mode enhances security, but it may impact network latency and throughput, and a noisy signature can drop legitimate traffic. Assess both effects before enabling it. IDPS inspects encrypted traffic only when TLS inspection is also enabled.

Conduct performance testing in a staging environment, start in "Alert" mode, review the signature hits, and apply signature overrides or bypass lists for known-good traffic before switching to "Alert and deny" in production.

Address SNAT port exhaustion

Impact: Low

Configure Azure Firewall deployments with a minimum of five public IP addresses for deployments that are susceptible to SNAT port exhaustion, since the available SNAT port pool scales with the number of attached public IPs. Alternatively, associate an Azure NAT Gateway with the AzureFirewallSubnet to provide SNAT ports for outbound traffic independently of the firewall's own public IPs.

Monitor SNAT port utilization and adjust the number of public IPs (or add a NAT Gateway) before utilization approaches its limit.

Reliability Recommendations

Deploy across multiple availability zones

Impact: Low

Deploying Azure Firewall across multiple availability zones raises the service-level agreement (SLA) from 99.95% to 99.99% and ensures higher resilience.

Configure zone-redundant firewalls (select all zones the region offers) to protect against zone-level outages.

Ensure multi-region availability

Impact: Low

Deploy an Azure Firewall instance in each region in multi-region environments to ensure traffic security and high availability across regions.

Evaluate regional traffic patterns and distribute instances accordingly.

Monitor health metrics

Impact: Low

Closely monitor key metrics to ensure Azure Firewall health.

Set up alerts to proactively address potential issues.

Key metrics to ensure Azure Firewall health are:

  • Throughput
  • Firewall health state
  • SNAT port utilization
  • AZFW latency probe metrics

Use Azure Service Health

Impact: Low

Utilize Azure Service Health to monitor the health status of your Azure Firewall resources and take proactive measures to address any service issues.

Subscribe to health alerts to stay informed about outages or maintenance.

Security Recommendations

Configure forced tunneling

Impact: High

Forced tunneling routes all internet-bound traffic from Azure Firewall to a designated next hop, typically an on-premises firewall or NVA, so that egress is inspected by the same controls as the rest of the estate. It requires a dedicated AzureFirewallManagementSubnet with its own public IP for the firewall's management traffic, and a route table on AzureFirewallSubnet whose 0.0.0.0/0 route points at the on-premises gateway or NVA; the management subnet must keep a direct internet route.

Implement forced tunneling to centralize traffic inspection and enforce policies, and confirm that the on-premises device actually forwards the return traffic before cutting over production.

Deploy a fully private data plane

Impact: High

Setting the public IP address to "None" in forced tunneling mode creates a fully private data plane: the firewall has no data-plane public IP, which removes it from the internet-facing attack surface and minimizes exposure to external threats.

Validate the configuration and ensure the management plane retains access for administration. Note that the management subnet still requires a public IP address for management purposes; only the data plane is private.

Structure firewall rules hierarchically

Impact: Medium

Organize your firewall rules in a hierarchical structure, starting with a central base policy that holds the organization-wide baseline (for example, the deny rules and the Microsoft service allow rules every workload must have) and adding child policies for specific regions or workloads. Child policies inherit the parent's rule collection groups, which are evaluated first and cannot be overridden by the child, so the baseline stays enforced while each workload adds only the access it needs, in line with the principle of least privilege.

Avoid "Any to Any" / Allow All Rules

Impact: High

An "Any to Any" or Allow All rule (source *, destination *, any port, any protocol, action Allow) matches every packet, so the firewall forwards everything and none of the later rules, threat intelligence denies, or the implicit deny ever apply.

Avoid creating such overly permissive rules. Instead, define specific source, destination, port, and protocol criteria (using IP groups where the lists are long) so that only necessary traffic is allowed. Regularly review and refine rules to adhere to the principle of least privilege; a catch-all rule is acceptable only as a final Deny.

Use Application Rules for HTTPS Traffic

Impact: Medium

Using Network Rules for HTTPS traffic logs only IP addresses instead of domain names, making it harder to analyze traffic patterns or to tell which site a client actually contacted behind a shared IP.

Use Application Rules instead of Network Rules for HTTPS traffic, particularly for web traffic or website filtering. Application Rules match the destination name from the TLS Server Name Indication (and the Host header for HTTP), so the logs show the FQDN or URL, improving diagnostics and traffic management.
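The two recommendations above can be checked mechanically against an exported policy. The following Python script is an added example (not part of the original page or of any Microsoft tooling): it walks a rule collection group in the shape of the ARM resource Microsoft.Network/firewallPolicies/ruleCollectionGroups, flags Allow rules that match any source, destination, port and protocol, and flags network rules that allow TCP/443 to any destination as candidates for conversion to application rules. The sample export is constructed for the example; the property names follow the ARM schema, and the severity labels are the script's own.

```python
"""Audit an exported Azure Firewall rule collection group for permissive rules.

Added example; the JSON below is a constructed sample, not a real export.
"""
import json

# Constructed sample: one Any-to-Any allow, one HTTPS network rule, one
# harmless UDP rule and a final catch-all deny (which is fine).
POLICY_RCG = json.loads(r'''
{
  "name": "DefaultNetworkRuleCollectionGroup",
  "properties": {
    "priority": 200,
    "ruleCollections": [
      {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
       "name": "allow-everything", "priority": 100, "action": {"type": "Allow"},
       "rules": [
         {"ruleType": "NetworkRule", "name": "any-any", "ipProtocols": ["Any"],
          "sourceAddresses": ["*"], "destinationAddresses": ["*"],
          "destinationPorts": ["*"]}]},
      {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
       "name": "web-out", "priority": 200, "action": {"type": "Allow"},
       "rules": [
         {"ruleType": "NetworkRule", "name": "https-out", "ipProtocols": ["TCP"],
          "sourceAddresses": ["10.1.0.0/16"], "destinationAddresses": ["*"],
          "destinationPorts": ["443"]},
         {"ruleType": "NetworkRule", "name": "ntp", "ipProtocols": ["UDP"],
          "sourceAddresses": ["10.1.0.0/16"], "destinationAddresses": ["*"],
          "destinationPorts": ["123"]}]},
      {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
       "name": "deny-all-other", "priority": 65000, "action": {"type": "Deny"},
       "rules": [
         {"ruleType": "NetworkRule", "name": "catch-all", "ipProtocols": ["Any"],
          "sourceAddresses": ["*"], "destinationAddresses": ["*"],
          "destinationPorts": ["*"]}]}
    ]
  }
}
''')


def _is_wildcard(values):
    """True when a match list is missing, empty, or contains '*' / 'Any'."""
    return not values or "*" in values or "Any" in values


def audit_rule_collection_group(rcg):
    """Return findings as (severity, collection, rule, message) tuples."""
    findings = []
    for rc in rcg["properties"]["ruleCollections"]:
        # NAT rule collections have a different shape and are out of scope here.
        if rc.get("ruleCollectionType") != "FirewallPolicyFilterRuleCollection":
            continue
        action = rc["action"]["type"]
        for rule in rc["rules"]:
            if rule["ruleType"] != "NetworkRule":
                continue
            src_any = (_is_wildcard(rule.get("sourceAddresses"))
                       and not rule.get("sourceIpGroups"))
            dst_any = (_is_wildcard(rule.get("destinationAddresses"))
                       and not rule.get("destinationIpGroups")
                       and not rule.get("destinationFqdns"))
            port_any = _is_wildcard(rule.get("destinationPorts"))
            proto_any = _is_wildcard(rule.get("ipProtocols"))
            if action == "Allow" and src_any and dst_any and port_any and proto_any:
                findings.append(("HIGH", rc["name"], rule["name"],
                                 "Any-to-Any allow rule; every later rule and the "
                                 "implicit deny are unreachable"))
            elif action == "Allow" and dst_any and "443" in rule.get("destinationPorts", []):
                findings.append(("MEDIUM", rc["name"], rule["name"],
                                 "HTTPS allowed by a network rule to any destination; "
                                 "convert to an application rule so the FQDN is logged"))
    return findings


if __name__ == "__main__":
    for sev, coll, rule, msg in audit_rule_collection_group(POLICY_RCG):
        print(f"{sev:6} {coll}/{rule}: {msg}")
```

Run it against the JSON produced by the policy export of your own subscription; a Deny catch-all is deliberately left alone, because that is the rule the page recommends keeping at the end of the evaluation order.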

Supported Security Partner Providers

Impact: Medium

Without a partner integration, internet-bound traffic from a secured virtual hub relies on Azure Firewall alone, which limits the security capabilities available for web traffic.

Integrate a supported security partner provider (Firewall Manager supports Zscaler, Check Point, and iboss) into your deployment via Firewall Manager. This is available only for Virtual WAN secured virtual hubs, where the partner's service is reached through the hub's Site-to-Site (S2S) VPN gateway; the partner then handles internet traffic while Azure Firewall handles private traffic.

Enable DNS Proxy Configuration

Impact: Low

Routing DNS traffic directly to external DNS servers bypasses the firewall, exposing your network to DNS-based threats and leaving the firewall unable to resolve FQDNs consistently with the clients.

Enable the Azure Firewall DNS proxy and point the virtual networks' DNS setting at the firewall's private IP, so DNS queries are logged and forwarded through the firewall. The proxy is also what makes FQDN filtering in network rules work, because the firewall and the clients then see the same resolved addresses.

UDRs in a Hub-and-Spoke Architecture

Impact: Low

Traffic bypassing the firewall reduces centralized visibility and control, leading to potential security risks.

Configure User Defined Routes (UDRs) to ensure all traffic (spoke-to-spoke, spoke-to-internet, and spoke-to-hybrid) passes through Azure Firewall in a hub-and-spoke architecture.
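A route table that looks right in the portal can still leak traffic around the firewall through a more specific route or through propagated gateway routes. The following Python script is an added example (not from the original page) that checks spoke route tables offline, in the shape of the ARM resource Microsoft.Network/routeTables: the default route must be a VirtualAppliance hop to the firewall's private IP, no route may steer a protected prefix (another spoke or on-premises) elsewhere, and gateway route propagation must be disabled so that BGP-learned on-premises prefixes do not bypass the firewall for spoke-to-hybrid traffic. The firewall IP, the protected prefixes and the two route tables are constructed assumptions.

```python
"""Validate spoke route tables for a hub-and-spoke Azure Firewall design.

Added example; the firewall IP, prefixes and route tables are constructed.
"""
import ipaddress

FIREWALL_PRIVATE_IP = "10.0.1.4"  # assumed: first usable IP of AzureFirewallSubnet
# Prefixes whose traffic must transit the firewall: the spokes and on-premises.
PROTECTED_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16", "192.168.0.0/16"]

# Constructed sample: rt-spoke1 is correct, rt-spoke2 has three leaks.
ROUTE_TABLES = [
    {"name": "rt-spoke1", "properties": {
        "disableBgpRoutePropagation": True,
        "routes": [
            {"name": "default", "properties": {
                "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": FIREWALL_PRIVATE_IP}}]}},
    {"name": "rt-spoke2", "properties": {
        "disableBgpRoutePropagation": False,
        "routes": [
            {"name": "default", "properties": {
                "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}},
            {"name": "to-spoke1-direct", "properties": {
                "addressPrefix": "10.1.0.0/16", "nextHopType": "VnetLocal"}}]}},
]


def _via_firewall(route, fw_ip):
    """True when the route's next hop is the firewall appliance."""
    return (route["nextHopType"] == "VirtualAppliance"
            and route.get("nextHopIpAddress") == fw_ip)


def check_route_table(rt, fw_ip=FIREWALL_PRIVATE_IP, protected=PROTECTED_PREFIXES):
    """Return a list of problems found in one route table (empty = OK)."""
    problems = []
    props = rt["properties"]
    routes = [r["properties"] for r in props["routes"]]

    # 1. Internet-bound traffic must go to the firewall.
    default = next((r for r in routes if r["addressPrefix"] == "0.0.0.0/0"), None)
    if default is None:
        problems.append("no 0.0.0.0/0 route; internet traffic follows the system route")
    elif not _via_firewall(default, fw_ip):
        hop = default.get("nextHopIpAddress") or default["nextHopType"]
        problems.append(f"0.0.0.0/0 next hop is {hop}, not the firewall at {fw_ip}")

    # 2. Longest-prefix match wins, so any more specific route that overlaps a
    #    protected prefix and does not point at the firewall is a bypass.
    protected_nets = [ipaddress.ip_network(p) for p in protected]
    for r in routes:
        if r["addressPrefix"] == "0.0.0.0/0" or _via_firewall(r, fw_ip):
            continue
        net = ipaddress.ip_network(r["addressPrefix"])
        for p in protected_nets:
            if net.overlaps(p):
                problems.append(f"{net} routed via {r['nextHopType']} bypasses the "
                                f"firewall for {p}")

    # 3. Propagated gateway routes are more specific than 0.0.0.0/0 too.
    if not props.get("disableBgpRoutePropagation", False):
        problems.append("gateway route propagation enabled; on-premises prefixes "
                        "learned from the VPN/ExpressRoute gateway bypass the firewall")
    return problems


def check_all(route_tables=ROUTE_TABLES):
    """Map each route table name to its list of problems."""
    return {rt["name"]: check_route_table(rt) for rt in route_tables}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

Feed it the output of an ARM or Bicep what-if, or the route tables as returned by the management API, and run it in CI so a spoke cannot be onboarded with a route that skips the firewall. The script checks the route tables only; effective routes on a NIC can still differ when a NSG or peering setting changes, so keep the effective-routes view as the final verification.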

Use Routing Intent in Virtual WAN

Impact: Low

Incorrect routing in Virtual WAN can lead to unintended traffic bypassing the firewall.

For Virtual WAN, configure routing intent and policies to direct both private and internet traffic through the Azure Firewall instance integrated into the hub.

Use Azure Firewall as an Explicit Proxy

Impact: Low

Without UDRs, some traffic may bypass the firewall, limiting security coverage.

Configure Azure Firewall as an explicit proxy for outbound web traffic when UDRs cannot be applied. This can be done by setting the proxy configuration in the sending application.

Use FQDN Filtering in Network Rules

Impact: Low

Hardcoding IP addresses in rules can lead to broken configurations when the addresses behind a service change.

Use Fully Qualified Domain Names (FQDNs) in network rules so the firewall resolves the name and matches the resolved addresses for protocols that application rules do not cover. This requires the Azure Firewall DNS proxy to be enabled, and clients must resolve through the firewall as well, otherwise the client and the firewall may receive different answers and traffic is denied intermittently.

Use Azure Firewall Service Tags

Impact: Low

Managing individual IP addresses for Azure services is time-consuming and prone to errors, because Microsoft changes the address ranges behind its services.

Replace specific IP addresses with service tags (for example, Storage or AzureMonitor, optionally scoped to a region) in network rules to simplify rule management and keep access to Azure services up to date automatically.

Use FQDN Tags in Application Rules

Impact: Low

Hardcoding domains for Microsoft services can lead to configuration drift and errors.

Use FQDN tags in application rules to selectively allow traffic to Microsoft services like Microsoft 365, Windows 365, and Intune.

Threat Intelligence "Alert and Deny"

Impact: Low

Without threat intelligence, the firewall cannot automatically block known malicious sources.

Enable threat intelligence in "Alert and deny" mode to leverage Microsoft's threat intelligence feed, providing real-time protection against malicious IPs, domains, and URLs.

IDPS "Alert" or "Alert and Deny"

Impact: Medium

Using IDPS may affect network performance, but it provides enhanced security against intrusions.

Enable the Intrusion Detection and Prevention System (IDPS) in "Alert" or "Alert and deny" mode to monitor and block malicious traffic. Test performance impact in your environment before widespread deployment.

Enterprise CA TLS Inspection Certificates

Impact: Medium

Azure Firewall Premium performs TLS inspection by generating a certificate for each inspected site, signed by the intermediate CA certificate stored in Key Vault and referenced from the firewall policy. If that CA is self-signed, every client must be made to trust it separately, and a leak of its private key lets an attacker impersonate any HTTPS site to those clients.

Issue the intermediate CA certificate from your internal enterprise Certificate Authority (CA) so that domain-joined clients already trust the chain, give it a limited lifetime and restrict access to the Key Vault that holds its private key. Limit self-signed certificates to testing purposes only.

DDoS Protection with Hub VNETs

Impact: Low

Hub VNETs without DDoS protection are vulnerable to volumetric attacks.

Use Firewall Manager to create and associate an Azure DDoS Protection plan with your hub virtual network.

Note: This is not applicable to Virtual WAN.

Operational Excellence Recommendations

Enable Diagnostic Logs

Impact: Medium

Without diagnostic logs, you lack visibility into which rule allowed or denied a connection, which threats were blocked, and what the firewall resolved, so troubleshooting and incident response are guesswork.

Enable diagnostic settings to send the firewall log categories (network rule, application rule, NAT rule, threat intelligence, IDPS, DNS proxy, and flow trace) and metrics to a Log Analytics workspace. Use these logs in conjunction with Azure Monitor workbooks for detailed insights.

Use Structured Firewall Logs Format

Impact: Low

Unstructured logs are harder to analyze and filter, leading to inefficient troubleshooting.

Adopt the structured firewall logs format for easier searching, filtering, and analysis using modern monitoring tools.

Use the Built-in Azure Firewall Workbook

Impact: Low

Manually analyzing firewall data is time-consuming and prone to oversight.

Leverage the Azure Firewall workbook to analyze application and network rules, view statistics, and gain insights from firewall events.

Create Alerts for Firewall Capacity

Impact: Medium

Unmonitored firewalls may reach capacity, causing disruptions in network traffic.

Set up alerts for key metrics like throughput, SNAT port utilization, and health state to proactively manage Azure Firewall capacity and avoid bottlenecks.

Review the Policy Analytics Dashboard

Impact: Low

Outdated or inefficient policies can lead to security risks and suboptimal performance.

Use the policy analytics dashboard to identify issues in your firewall policies, such as rule conflicts or excessive resource usage.
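The policy analytics dashboard answers two questions the page raises elsewhere as well: which rules are matched most often (the ones to place early in a collection, as the performance section recommends) and which are never matched (candidates for removal). The following Python script is an added example, not part of the original page or of the dashboard, that derives the same answers from structured firewall logs exported as JSON lines. The column names (TimeGenerated, SourceIp, DestinationIp, DestinationPort, Action, RuleCollection, Rule) are assumed to follow the AZFWNetworkRule structured log table; the log lines and the policy rule list are constructed.

```python
"""Rule hit analysis over structured Azure Firewall network rule logs.

Added example; the log lines and rule list below are constructed.
"""
import json
from collections import Counter

# Constructed sample: one JSON record per line, as delivered to a storage
# account or Event Hub. Deny records without a Rule hit the implicit deny.
SAMPLE_LOG = r'''
{"TimeGenerated":"2024-05-01T10:00:01Z","Protocol":"TCP","SourceIp":"10.1.0.5","DestinationIp":"10.2.0.8","DestinationPort":1433,"Action":"Allow","RuleCollection":"app-to-db","Rule":"sql"}
{"TimeGenerated":"2024-05-01T10:00:02Z","Protocol":"TCP","SourceIp":"10.1.0.6","DestinationIp":"10.2.0.8","DestinationPort":1433,"Action":"Allow","RuleCollection":"app-to-db","Rule":"sql"}
{"TimeGenerated":"2024-05-01T10:00:03Z","Protocol":"TCP","SourceIp":"10.1.0.5","DestinationIp":"10.2.0.8","DestinationPort":1433,"Action":"Allow","RuleCollection":"app-to-db","Rule":"sql"}
{"TimeGenerated":"2024-05-01T10:00:04Z","Protocol":"UDP","SourceIp":"10.1.0.5","DestinationIp":"10.0.0.4","DestinationPort":123,"Action":"Allow","RuleCollection":"infra","Rule":"ntp"}
{"TimeGenerated":"2024-05-01T10:00:05Z","Protocol":"TCP","SourceIp":"10.3.0.9","DestinationIp":"10.2.0.8","DestinationPort":3389,"Action":"Deny","RuleCollection":"","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:06Z","Protocol":"TCP","SourceIp":"10.3.0.9","DestinationIp":"10.2.0.8","DestinationPort":22,"Action":"Deny","RuleCollection":"","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:07Z","Protocol":"UDP","SourceIp":"10.1.0.6","DestinationIp":"10.0.0.4","DestinationPort":53,"Action":"Allow","RuleCollection":"infra","Rule":"dns"}
{"TimeGenerated":"2024-05-01T10:00:08Z","Protocol":"UDP","SourceIp":"10.1.0.7","DestinationIp":"8.8.8.8","DestinationPort":53,"Action":"Deny","RuleCollection":"","Rule":""}
'''

# Rules present in the policy (constructed); "legacy-ftp" is never hit.
POLICY_RULES = ["sql", "ntp", "legacy-ftp", "dns"]


def parse_records(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_hits(records, policy_rules):
    """Return (rules ordered by hit count descending, rules with zero hits).

    The descending order is the order in which to arrange the rules inside a
    collection so the hot rules are evaluated first.
    """
    hits = Counter(r["Rule"] for r in records if r.get("Rule"))
    ordered = [(rule, hits.get(rule, 0)) for rule in policy_rules]
    ordered.sort(key=lambda item: -item[1])  # stable: ties keep policy order
    unused = [rule for rule, n in ordered if n == 0]
    return ordered, unused


def top_denied_sources(records, n=3):
    """Sources most often denied; usually a misconfigured workload or a scanner."""
    denied = Counter(r["SourceIp"] for r in records if r["Action"] == "Deny")
    return denied.most_common(n)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    ordered, unused = rule_hits(recs, POLICY_RULES)
    print("rule hits:", ordered)
    print("unused rules:", unused)
    print("top denied sources:", top_denied_sources(recs))
```

Collect the records over a period that covers the full business cycle (month-end jobs, backups) before treating a rule as unused, and validate with the rule's owner before deleting it, as the cost section recommends for whole firewalls.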

Understand KQL for Log Analysis

Impact: Low

Without KQL knowledge, analyzing logs for troubleshooting becomes inefficient.

Learn Kusto Query Language (KQL) to analyze Azure Firewall logs effectively for debugging and optimizing firewall rules.

Utilize Azure Policies for Compliance

Impact: Low

Inconsistent configurations across environments increase the risk of security gaps.

Use Azure Policies to enforce compliance and best practices for Azure Firewall and related network security configurations.