{"id":492,"date":"2026-04-14T06:08:13","date_gmt":"2026-04-14T06:08:13","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-firewall-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking\/"},"modified":"2026-04-14T06:08:13","modified_gmt":"2026-04-14T06:08:13","slug":"azure-firewall-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-firewall-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking\/","title":{"rendered":"Azure Firewall Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Networking<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Azure Firewall is Microsoft Azure\u2019s managed, cloud-native, stateful network firewall service used to control and inspect traffic flowing between your Azure virtual networks (VNets), the internet, on-premises networks, and other Azure services. It provides centralized traffic filtering, logging, and policy management without requiring you to deploy and maintain your own firewall virtual machines.<\/p>\n\n\n\n

In simple terms: Azure Firewall sits in the middle of your network paths and enforces \u201callow\/deny\u201d rules<\/strong> (plus advanced inspection features in higher tiers) so workloads can only talk to what they\u2019re supposed to talk to. It is commonly used for egress control<\/strong> (restricting outbound internet access), ingress publishing<\/strong> (DNAT), and east\u2013west inspection<\/strong> (traffic between subnets\/VNets).<\/p>\n\n\n\n

Technically, Azure Firewall is a managed stateful firewall-as-a-service<\/strong> that you deploy into a dedicated subnet (for VNet deployments) or into an Azure Virtual WAN Secure Hub (for hub-based deployments). Traffic is routed to the firewall using User Defined Routes (UDRs)<\/strong> or Virtual WAN routing so the firewall can apply network rules<\/strong>, application (FQDN) rules<\/strong>, and NAT rules<\/strong>, and emit detailed logs to Azure Monitor \/ Log Analytics \/ Microsoft Sentinel.<\/p>\n\n\n\n

Azure Firewall solves the problem of consistent, auditable, scalable network security enforcement<\/strong> across Azure environments\u2014especially when many applications, teams, and networks share the same platform and you need centralized control, visibility, and change governance.<\/p>\n\n\n\n

2. What is Azure Firewall?<\/h2>\n\n\n\n

Official purpose (what it\u2019s for)<\/strong>\nAzure Firewall is a managed network security service that provides stateful traffic filtering<\/strong> and threat protection<\/strong> for Azure VNets and hybrid connectivity. It is designed to enforce centralized network and application connectivity policies and provide visibility through logging and metrics.<\/p>\n\n\n\n

Core capabilities (what it can do)<\/strong>\nAt a high level, Azure Firewall provides:<\/p>\n\n\n\n

    \n
  • Stateful L3\u2013L4 filtering<\/strong> (IP addresses, ports, protocols) via Network rules<\/em><\/li>\n
  • Stateful L7 filtering for HTTP\/S<\/strong> and some application scenarios via Application rules<\/em> (FQDN-based)<\/li>\n
  • Inbound and outbound NAT<\/strong> (commonly DNAT publishing) via NAT rules<\/em><\/li>\n
  • Threat intelligence-based filtering<\/strong> (known malicious IPs\/domains, depending on configuration)<\/li>\n
  • Centralized logging and metrics<\/strong> through Azure Monitor diagnostic logs<\/li>\n
  • Policy-based management<\/strong> with Azure Firewall Policy and Azure Firewall Manager<\/li>\n
  • Premium tier capabilities<\/strong> such as TLS inspection and IDPS (verify exact feature availability by tier in official docs)<\/li>\n<\/ul>\n\n\n\n

    Major components (how it\u2019s packaged and managed)<\/strong><\/p>\n\n\n\n

      \n
    • Azure Firewall resource<\/strong>: The firewall instance deployed into a VNet (or into a Secure Hub in Virtual WAN).<\/li>\n
    • Azure Firewall Policy<\/strong>: The recommended, modern configuration model that stores rules and settings separately from the firewall instance. Policies can be reused across multiple firewalls.<\/li>\n
    • Rule Collection Groups<\/strong> within a policy: Logical containers for rule collections (Application \/ Network \/ NAT) with priorities.<\/li>\n
    • Firewall Subnet<\/strong>: A dedicated subnet named AzureFirewallSubnet<\/code><\/strong> required for VNet deployments.<\/li>\n
    • Public IP address(es)<\/strong>: Used for inbound publishing and\/or outbound SNAT (depending on design).<\/li>\n
    • Routing<\/strong>: UDRs (route tables) or Virtual WAN routing that forces traffic through the firewall.<\/li>\n
    • Logging destinations<\/strong>: Log Analytics workspace, Event Hubs, or Storage (via diagnostic settings).<\/li>\n<\/ul>\n\n\n\n

      Service type<\/strong>\nManaged PaaS<\/strong> firewall service (not a VM you manage). Microsoft operates the underlying compute, scaling, and availability.<\/p>\n\n\n\n

      Regional \/ global \/ scope<\/strong>\nAzure Firewall is primarily a regional<\/strong> resource. You deploy it into a specific Azure region (and optionally across Availability Zones<\/strong> where supported). It is created inside a subscription\/resource group and attached to a VNet (VNet deployment) or Secure Hub (Virtual WAN deployment). Policies can be centrally managed and associated across multiple instances.<\/p>\n\n\n\n

      How it fits into the Azure ecosystem<\/strong>\nAzure Firewall is part of Azure\u2019s Networking and Security toolchain and commonly integrates with:<\/p>\n\n\n\n

        \n
      • VNets, subnets, peering<\/strong><\/li>\n
      • Azure Virtual WAN<\/strong> (Secure Hub)<\/li>\n
      • Azure Firewall Manager<\/strong> (central management and secured virtual hubs)<\/li>\n
      • Azure Monitor + Log Analytics<\/strong>, Microsoft Sentinel<\/strong><\/li>\n
      • Azure Bastion<\/strong>, VPN Gateway<\/strong>, ExpressRoute<\/strong><\/li>\n
      • Azure Policy<\/strong> (governance), RBAC<\/strong> (access control)<\/li>\n
      • Application Gateway \/ Front Door<\/strong> (for L7 inbound publishing patterns\u2014these are complementary, not replacements)<\/li>\n<\/ul>\n\n\n\n
        \n

        Service naming status: \u201cAzure Firewall\u201d is the current, active product name<\/strong>. It includes multiple tiers (commonly referred to as Basic\/Standard\/Premium). Always verify current tier names and capabilities in official documentation because feature matrices evolve.<\/p>\n<\/blockquote>\n\n\n\n

        Official docs landing page: https:\/\/learn.microsoft.com\/azure\/firewall\/<\/p>\n\n\n\n

        3. Why use Azure Firewall?<\/h2>\n\n\n\n

        Business reasons<\/h3>\n\n\n\n
          \n
        • Centralized control<\/strong>: One set of policies can govern many applications and subnets, reducing inconsistent ad-hoc rules.<\/li>\n
        • Faster security approvals<\/strong>: Standardized policy objects and logging help satisfy audit and compliance needs.<\/li>\n
        • Reduced operational overhead<\/strong>: You avoid patching and maintaining firewall VM appliances.<\/li>\n<\/ul>\n\n\n\n

          Technical reasons<\/h3>\n\n\n\n
            \n
          • Stateful inspection<\/strong>: Return traffic is automatically allowed for permitted flows.<\/li>\n
          • Network + application filtering<\/strong>: Combine IP\/port rules with FQDN-based rules for outbound HTTP\/S.<\/li>\n
          • Hybrid-ready<\/strong>: Works in hub-and-spoke and hybrid designs with VPN\/ExpressRoute.<\/li>\n
          • Integration-friendly<\/strong>: Built for Azure routing, monitoring, and policy-based management.<\/li>\n<\/ul>\n\n\n\n

            Operational reasons<\/h3>\n\n\n\n
              \n
            • Built-in high availability<\/strong>: No manual clustering for typical deployments.<\/li>\n
            • Auto scaling<\/strong>: Designed to scale with traffic patterns (architecture-dependent; verify throughput guidance in official docs).<\/li>\n
            • Central logging<\/strong>: Diagnostic logs integrate directly with Azure Monitor tooling.<\/li>\n<\/ul>\n\n\n\n

              Security\/compliance reasons<\/h3>\n\n\n\n
                \n
              • Consistent enforcement point<\/strong>: Helps implement network segmentation, egress control, and controlled inbound publishing.<\/li>\n
              • Threat intelligence<\/strong>: Can alert\/deny traffic to\/from known malicious endpoints (depending on configuration).<\/li>\n
              • Auditability<\/strong>: Structured logs can support investigations and compliance reporting.<\/li>\n<\/ul>\n\n\n\n

                Scalability\/performance reasons<\/h3>\n\n\n\n
                  \n
                • Managed scaling model<\/strong>: Better fit than self-managed NVAs when teams don\u2019t want to size\/scale VMs.<\/li>\n
                • Zonal deployment options<\/strong>: Where supported, can improve resiliency with zone redundancy.<\/li>\n<\/ul>\n\n\n\n

                  When teams should choose Azure Firewall<\/h3>\n\n\n\n

                  Choose Azure Firewall when you need:<\/p>\n\n\n\n

                    \n
                  • Centralized egress filtering<\/strong> from multiple subnets\/VNets<\/li>\n
                  • A consistent, managed firewall control plane with logging<\/strong><\/li>\n
                  • A hub-and-spoke security boundary in Azure<\/li>\n
                  • A straightforward way to publish inbound services via DNAT (when appropriate)<\/li>\n<\/ul>\n\n\n\n

                    When teams should not choose Azure Firewall<\/h3>\n\n\n\n

                    Avoid or reconsider Azure Firewall if:<\/p>\n\n\n\n

                      \n
                    • You only need basic subnet-level filtering<\/strong>: Network Security Groups (NSGs) may be enough.<\/li>\n
                    • You need a dedicated web application firewall (WAF)<\/strong> for HTTP inbound protection: Use Application Gateway WAF or Azure Front Door WAF.<\/li>\n
                    • You need very vendor-specific NGFW features<\/strong> not available in Azure Firewall tiers: consider third-party NVAs (Palo Alto, Fortinet, Check Point) in Azure Marketplace.<\/li>\n
                    • You cannot route traffic through a centralized point due to latency, asymmetric routing, or application constraints (you may need distributed controls plus NSGs).<\/li>\n<\/ul>\n\n\n\n

                      4. Where is Azure Firewall used?<\/h2>\n\n\n\n

                      Industries<\/h3>\n\n\n\n
                        \n
                      • Finance and insurance (regulated environments, strong egress control)<\/li>\n
                      • Healthcare (auditability and controlled outbound access)<\/li>\n
                      • Retail and e-commerce (segmentation between tiers and partner systems)<\/li>\n
                      • Manufacturing\/IoT (hybrid connectivity, controlled internet access)<\/li>\n
                      • Government (policy enforcement and monitoring)<\/li>\n<\/ul>\n\n\n\n

                        Team types<\/h3>\n\n\n\n
                          \n
                        • Platform engineering \/ cloud center of excellence (CCoE)<\/li>\n
                        • Network engineering teams migrating hub-and-spoke to Azure<\/li>\n
                        • Security engineering teams implementing central egress controls<\/li>\n
                        • SRE\/operations teams needing consistent logging and incident response<\/li>\n<\/ul>\n\n\n\n

                          Workloads<\/h3>\n\n\n\n
                            \n
                          • VM-based enterprise applications (Windows\/Linux)<\/li>\n
                          • AKS clusters (commonly for egress control; design carefully)<\/li>\n
                          • PaaS workloads accessed privately (via private endpoints and routing patterns)<\/li>\n
                          • Shared services (jump boxes, patch servers, update repositories)<\/li>\n<\/ul>\n\n\n\n

                            Architectures<\/h3>\n\n\n\n
                              \n
                            • Hub-and-spoke VNets with centralized firewall in the hub<\/li>\n
                            • Virtual WAN Secure Hub with centrally managed security<\/li>\n
                            • Multi-subscription landing zones with shared policy<\/li>\n
                            • Hybrid networks with on-premises + Azure interconnect<\/li>\n<\/ul>\n\n\n\n

                              Real-world deployment contexts<\/h3>\n\n\n\n
                                \n
                              • Production<\/strong>: Most common\u2014central egress\/ingress control, auditing, and standardized governance.<\/li>\n
                              • Dev\/test<\/strong>: Often used to mirror production security boundaries or to avoid developers having unrestricted internet egress.<\/li>\n<\/ul>\n\n\n\n

                                5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                Below are realistic, commonly implemented Azure Firewall scenarios.<\/p>\n\n\n\n

                                1) Centralized outbound internet access control (egress filtering)<\/h3>\n\n\n\n
                                  \n
                                • Problem<\/strong>: Workloads in multiple subnets have unrestricted internet access.<\/li>\n
                                • Why Azure Firewall fits<\/strong>: Application and network rules can restrict outbound destinations; logs provide visibility.<\/li>\n
                                • Example<\/strong>: Allow only Microsoft update endpoints and a few SaaS domains; block everything else.<\/li>\n<\/ul>\n\n\n\n

                                  2) Hub-and-spoke shared firewall for multiple VNets<\/h3>\n\n\n\n
                                    \n
                                  • Problem<\/strong>: Teams run apps in different spokes and need consistent security.<\/li>\n
                                  • Why it fits<\/strong>: A hub firewall plus UDRs\/peering provides a common inspection point.<\/li>\n
                                  • Example<\/strong>: Finance, HR, and Engineering VNets route outbound via the hub firewall; each team gets its own policy\/rule group.<\/li>\n<\/ul>\n\n\n\n

                                    3) Publish an internal service to the internet using DNAT<\/h3>\n\n\n\n
                                      \n
                                    • Problem<\/strong>: You need inbound access to a VM-based app, but want centralized control and logging.<\/li>\n
                                    • Why it fits<\/strong>: NAT rules can map a firewall public IP\/port to a private IP\/port.<\/li>\n
                                    • Example<\/strong>: DNAT TCP\/443 from firewall public IP to an internal reverse proxy VM.<\/li>\n<\/ul>\n\n\n\n

                                      4) Control traffic to partner networks via VPN\/ExpressRoute<\/h3>\n\n\n\n
                                        \n
                                      • Problem<\/strong>: You connect to partner networks and must restrict which subnets can communicate.<\/li>\n
                                      • Why it fits<\/strong>: Network rules and forced routing can enforce segmentation.<\/li>\n
                                      • Example<\/strong>: Only the integration subnet can reach partner CIDRs over the VPN.<\/li>\n<\/ul>\n\n\n\n

                                        5) Segmentation between application tiers (east\u2013west inspection)<\/h3>\n\n\n\n
                                          \n
                                        • Problem<\/strong>: You need consistent controls between tiers\/subnets beyond NSGs.<\/li>\n
                                        • Why it fits<\/strong>: A centralized firewall can enforce \u201conly app tier talks to DB tier on port X\u201d across VNets\/subnets.<\/li>\n
                                        • Example<\/strong>: Web subnet can reach app subnet on 8443; app subnet can reach DB subnet on 1433.<\/li>\n<\/ul>\n\n\n\n

                                          6) Threat intelligence-based blocking<\/h3>\n\n\n\n
                                            \n
                                          • Problem<\/strong>: You want a managed way to reduce exposure to known malicious endpoints.<\/li>\n
                                          • Why it fits<\/strong>: Threat intelligence mode can alert\/deny.<\/li>\n
                                          • Example<\/strong>: Deny traffic to known botnet destinations while logging events to Sentinel.<\/li>\n<\/ul>\n\n\n\n

                                            7) Central DNS proxy pattern for controlled name resolution (design-dependent)<\/h3>\n\n\n\n
                                              \n
                                            • Problem<\/strong>: You want consistent DNS behavior and improved filtering alignment for FQDN-based controls.<\/li>\n
                                            • Why it fits<\/strong>: Azure Firewall offers DNS proxy capabilities (verify configuration guidance in official docs).<\/li>\n
                                            • Example<\/strong>: Spokes use the firewall as DNS proxy, with forwarding to an internal resolver.<\/li>\n<\/ul>\n\n\n\n

                                              8) Policy standardization across environments (dev\/test\/prod)<\/h3>\n\n\n\n
                                                \n
                                              • Problem<\/strong>: Security rules drift between environments.<\/li>\n
                                              • Why it fits<\/strong>: Azure Firewall Policy can be reused; changes can be managed via IaC and CI\/CD.<\/li>\n
                                              • Example<\/strong>: A baseline policy is shared across dev\/prod with environment-specific rule collection groups.<\/li>\n<\/ul>\n\n\n\n

                                                9) Secure Azure Virtual WAN hub for distributed branches<\/h3>\n\n\n\n
                                                  \n
                                                • Problem<\/strong>: Many branches connect through Virtual WAN and need central security inspection.<\/li>\n
                                                • Why it fits<\/strong>: Azure Firewall can be deployed in Secure Hub and managed centrally.<\/li>\n
                                                • Example<\/strong>: Branch-to-Azure traffic is inspected; specific SaaS endpoints are allowed.<\/li>\n<\/ul>\n\n\n\n

                                                  10) Logging and incident response for network flows<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem<\/strong>: You need to answer \u201cwho talked to what\u201d during an incident.<\/li>\n
                                                  • Why it fits<\/strong>: Firewall logs (application\/network\/NAT\/threat intel) provide a central data source.<\/li>\n
                                                  • Example<\/strong>: Sentinel alerts on unusual outbound destinations, analysts pivot via firewall logs.<\/li>\n<\/ul>\n\n\n\n

                                                    11) Restrict admin access paths (jump-host alternatives)<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem<\/strong>: Admins need access to servers, but inbound rules are messy and risky.<\/li>\n
                                                    • Why it fits<\/strong>: Combine firewall DNAT (or private access paths) with logging and strict rules; often used with Bastion\/VPN.<\/li>\n
                                                    • Example<\/strong>: Only a management subnet can reach RDP\/SSH targets; all access is logged.<\/li>\n<\/ul>\n\n\n\n

                                                      12) Controlled outbound for build agents and CI\/CD runners<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem<\/strong>: Build agents can exfiltrate data or pull from untrusted sources.<\/li>\n
                                                      • Why it fits<\/strong>: Restrict outbound to approved artifact repos and package registries.<\/li>\n
                                                      • Example<\/strong>: Allow access only to Azure DevOps, GitHub Enterprise, and approved package mirrors.<\/li>\n<\/ul>\n\n\n\n

                                                        6. Core Features<\/h2>\n\n\n\n

                                                        Feature availability can depend on SKU\/tier (Basic\/Standard\/Premium) and deployment model (VNet vs Virtual WAN). Always verify the current feature matrix in official docs.<\/p>\n\n\n\n

                                                        6.1 Stateful firewalling (L3\/L4)<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does<\/strong>: Filters traffic by source\/destination IP, port, and protocol; tracks connection state.<\/li>\n
                                                        • Why it matters<\/strong>: Simplifies rules (return traffic allowed automatically) and reduces misconfiguration risk.<\/li>\n
                                                        • Practical benefit<\/strong>: Replace many distributed \u201callow return\u201d rules in NSGs with centralized stateful inspection.<\/li>\n
                                                        • Caveats<\/strong>: Requires correct routing so traffic actually passes through the firewall.<\/li>\n<\/ul>\n\n\n\n

                                                          6.2 Application rules (L7 \/ FQDN filtering for HTTP\/S)<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does<\/strong>: Allows\/denies outbound access based on FQDN for HTTP and HTTPS (and some additional protocol handling depending on tier\/features).<\/li>\n
                                                          • Why it matters<\/strong>: IP-based allowlists for SaaS are brittle; FQDN rules are more maintainable.<\/li>\n
                                                          • Practical benefit<\/strong>: Allow *.microsoft.com<\/code> (example) while blocking the rest of the internet.<\/li>\n
                                                          • Caveats<\/strong>: Enforcing FQDN rules depends on protocol behavior (HTTP Host header \/ TLS SNI). Non-HTTP\/S scenarios may require different approaches.<\/li>\n<\/ul>\n\n\n\n

                                                            6.3 NAT rules (DNAT\/SNAT behavior)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does<\/strong>: Publishes internal services via DNAT and provides outbound SNAT using firewall public IP(s).<\/li>\n
                                                            • Why it matters<\/strong>: Enables controlled inbound publishing and consistent outbound public IP identity.<\/li>\n
                                                            • Practical benefit<\/strong>: A partner allowlists your outbound IPs; you provide firewall public IPs.<\/li>\n
                                                            • Caveats<\/strong>: Inbound publishing for web apps often fits better with Application Gateway or Front Door plus WAF; use DNAT thoughtfully.<\/li>\n<\/ul>\n\n\n\n

                                                              6.4 Threat intelligence-based filtering<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does<\/strong>: Uses Microsoft threat intelligence to alert and\/or deny traffic involving known malicious IPs\/domains (based on mode).<\/li>\n
                                                              • Why it matters<\/strong>: Adds a managed security layer without maintaining your own blocklists.<\/li>\n
                                                              • Practical benefit<\/strong>: Reduce exposure to common malicious destinations.<\/li>\n
                                                              • Caveats<\/strong>: Not a replacement for endpoint protection, EDR, or comprehensive threat hunting.<\/li>\n<\/ul>\n\n\n\n

                                                                6.5 Azure Firewall Policy (recommended management model)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does<\/strong>: Separates rules\/configuration from the firewall instance; supports reuse and central governance.<\/li>\n
                                                                • Why it matters<\/strong>: Improves change control, consistency, and multi-firewall management.<\/li>\n
                                                                • Practical benefit<\/strong>: Apply one baseline policy to multiple firewalls across subscriptions (with the right RBAC).<\/li>\n
                                                                • Caveats<\/strong>: Ensure you understand rule priorities and policy inheritance (if using parent\/child policies\u2014verify in docs).<\/li>\n<\/ul>\n\n\n\n

                                                                  6.6 Azure Firewall Manager (centralized management at scale)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does<\/strong>: Provides centralized management for Azure Firewall instances and secured virtual hubs.<\/li>\n
                                                                  • Why it matters<\/strong>: Needed for larger estates using hub-and-spoke and Virtual WAN patterns.<\/li>\n
                                                                  • Practical benefit<\/strong>: Central deployment, routing intent (Virtual WAN), and policy association.<\/li>\n
                                                                  • Caveats<\/strong>: Introduces additional design choices; confirm requirements for Virtual WAN secured hubs.<\/li>\n<\/ul>\n\n\n\n

                                                                    6.7 Diagnostics: logs and metrics (Azure Monitor)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does<\/strong>: Emits structured logs for application\/network\/NAT\/threat intel events and exposes metrics.<\/li>\n
                                                                    • Why it matters<\/strong>: Operational visibility, auditing, troubleshooting, and incident response.<\/li>\n
                                                                    • Practical benefit<\/strong>: Query \u201cwhat was blocked and why\u201d in Log Analytics; alert on patterns.<\/li>\n
                                                                    • Caveats<\/strong>: Logs cost money (Log Analytics ingestion\/retention). Plan retention and sampling.<\/li>\n<\/ul>\n\n\n\n

                                                                      6.8 Availability and resiliency options<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does<\/strong>: Provides a managed HA service; can be deployed with zone redundancy in supported regions.<\/li>\n
                                                                      • Why it matters<\/strong>: Firewalls are critical path; downtime affects many workloads.<\/li>\n
                                                                      • Practical benefit<\/strong>: Avoid building your own active\/active cluster with NVAs.<\/li>\n
                                                                      • Caveats<\/strong>: Zone support varies by region\/SKU\u2014verify in official docs.<\/li>\n<\/ul>\n\n\n\n

                                                                        6.9 DNS proxy capability (scenario-dependent)<\/h3>\n\n\n\n
                                                                          \n
                                                                        • What it does<\/strong>: Allows clients to use the firewall as a DNS proxy (forwarding queries onward).<\/li>\n
                                                                        • Why it matters<\/strong>: Can simplify DNS pathing for some inspection and resolution designs.<\/li>\n
                                                                        • Practical benefit<\/strong>: Centralize DNS forwarding behavior in certain hub designs.<\/li>\n
                                                                        • Caveats<\/strong>: DNS design is easy to break; validate resolution paths, conditional forwarders, and private DNS requirements.<\/li>\n<\/ul>\n\n\n\n

                                                                          6.10 Premium features (examples: TLS inspection, IDPS)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • What it does<\/strong>: Premium tier adds deeper inspection such as TLS inspection and intrusion detection and prevention (feature set evolves).<\/li>\n
                                                                          • Why it matters<\/strong>: Supports stricter security requirements where L7 visibility and signatures are required.<\/li>\n
                                                                          • Practical benefit<\/strong>: Detect\/stop known exploit patterns, inspect encrypted outbound traffic (where lawful\/appropriate).<\/li>\n
                                                                          • Caveats<\/strong>: TLS inspection requires certificate\/key management and has privacy\/compliance implications. Performance and troubleshooting complexity increase.<\/li>\n<\/ul>\n\n\n\n

                                                                            Official overview and features: https:\/\/learn.microsoft.com\/azure\/firewall\/overview<\/p>\n\n\n\n

                                                                            7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                            7.1 High-level architecture<\/h3>\n\n\n\n

                                                                            Azure Firewall is typically deployed in one of two ways:<\/p>\n\n\n\n

                                                                              \n
                                                                            1. \n

                                                                              VNet deployment (hub firewall)<\/strong>\n – Azure Firewall lives in a hub VNet in a dedicated subnet (AzureFirewallSubnet<\/code>).\n – Spoke VNets peer to the hub.\n – Spoke subnets use UDRs to force traffic (0.0.0.0\/0, RFC1918, or specific prefixes) to the firewall private IP.<\/p>\n<\/li>\n

                                                                            2. \n

                                                                              Virtual WAN Secure Hub deployment<\/strong>\n – Azure Firewall is deployed into a Virtual WAN hub as a secured hub.\n – Routing and security policy are managed through Azure Firewall Manager and Virtual WAN constructs.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                                                              This tutorial focuses on the VNet deployment<\/strong> because it\u2019s easiest to learn and validate in a small lab.<\/p>\n\n\n\n

                                                                              7.2 Data flow (request path)<\/h3>\n\n\n\n

                                                                              A typical egress flow looks like:<\/p>\n\n\n\n

                                                                                \n
                                                                              1. A workload (VM\/AKS node\/app) sends traffic to an internet destination.<\/li>\n
                                                                              2. A UDR<\/strong> on the workload subnet sends 0.0.0.0\/0 to Next hop: Virtual appliance<\/strong> = Azure Firewall private IP.<\/li>\n
                                                                              3. Azure Firewall evaluates rules:\n – Application rules for HTTP\/S by FQDN\n – Network rules for IP\/port\/protocol\n – Threat intelligence filtering (if enabled)<\/li>\n
                                                                              4. If allowed, Azure Firewall performs SNAT (as needed) using its public IP and forwards traffic to the destination.<\/li>\n
                                                                              5. Logs are written to Azure Monitor via diagnostic settings.<\/li>\n<\/ol>\n\n\n\n

                                                                                7.3 Control plane vs data plane<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Control plane<\/strong>: Azure Resource Manager (ARM), Firewall Policy, RBAC, Firewall Manager. This is how you configure the firewall.<\/li>\n
                                                                                • Data plane<\/strong>: The actual packet\/flow processing, NAT, inspection, and logging.<\/li>\n<\/ul>\n\n\n\n

                                                                                  7.4 Integrations and dependencies<\/h3>\n\n\n\n

                                                                                  Common dependencies and integrations:<\/p>\n\n\n\n

                                                                                    \n
                                                                                  • Route tables (UDRs)<\/strong>: Required to steer traffic.<\/li>\n
                                                                                  • Public IP<\/strong>: Required for outbound SNAT and inbound DNAT patterns.<\/li>\n
                                                                                  • Log Analytics \/ Azure Monitor<\/strong>: For logs, metrics, alerts.<\/li>\n
                                                                                  • Microsoft Sentinel<\/strong>: For SIEM\/SOAR and detection rules.<\/li>\n
                                                                                  • Key Vault<\/strong> (often used in Premium TLS inspection scenarios): For certificate lifecycle (verify recommended patterns in docs).<\/li>\n
                                                                                  • Virtual WAN<\/strong>: Alternative deployment model.<\/li>\n<\/ul>\n\n\n\n

                                                                                    7.5 Security\/authentication model<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Access to configure Azure Firewall is controlled by Azure RBAC<\/strong> at subscription\/resource group\/resource scope.<\/li>\n
                                                                                    • Policy management can be delegated (for example, security team owns policies; platform team owns firewall instances).<\/li>\n
                                                                                    • Logs and workspaces also have RBAC and may be subject to data access governance.<\/li>\n<\/ul>\n\n\n\n

                                                                                      7.6 Networking model considerations<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Azure Firewall is placed in a dedicated subnet with strict naming requirements (AzureFirewallSubnet<\/code>).<\/li>\n
                                                                                      • Correct routing is essential:<\/li>\n
                                                                                      • If traffic is not routed through the firewall, rules do nothing.<\/li>\n
                                                                                      • Avoid asymmetric routing (return path must also traverse expected route).<\/li>\n<\/ul>\n\n\n\n

                                                                                        7.7 Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Enable Diagnostic settings<\/strong> on Azure Firewall to send logs to Log Analytics.<\/li>\n
                                                                                        • Decide retention based on compliance and cost.<\/li>\n
                                                                                        • Use Azure Policy to enforce diagnostics and tagging.<\/li>\n
                                                                                        • Build alert rules around:<\/li>\n
                                                                                        • Denied traffic spikes<\/li>\n
                                                                                        • Threat intel hits<\/li>\n
                                                                                        • Unexpected outbound destinations<\/li>\n
                                                                                        • DNAT attempts from unknown source IPs<\/li>\n<\/ul>\n\n\n\n

                                                                                          7.8 Architecture diagrams<\/h3>\n\n\n\n

                                                                                          Simple learning architecture (single VNet)<\/h4>\n\n\n\n
                                                                                          flowchart LR\n  VM[Workload VM\\n(WorkloadSubnet)] -->|UDR 0.0.0.0\/0| AFW[Azure Firewall\\n(AzureFirewallSubnet)]\n  AFW -->|SNAT via Public IP| Internet[(Internet)]\n  AFW --> Logs[Azure Monitor Logs\\n(Log Analytics)]\n<\/code><\/pre>\n\n\n\n
                                                                                          Production-style hub-and-spoke architecture<\/h4>\n\n\n\n
                                                                                          flowchart TB\n  subgraph Spokes[Spoke VNets]\n    S1[Spoke VNet A\\nApp Subnets]\n    S2[Spoke VNet B\\nData Subnets]\n    S3[Spoke VNet C\\nShared Services]\n  end\n\n  subgraph Hub[Hub VNet]\n    AFW2[Azure Firewall\\nAzureFirewallSubnet]\n    MGMT[Management Subnet\\n(Bastion\/Jump\/Tools)]\n    GW[VPN\/ExpressRoute Gateway]\n  end\n\n  OnPrem[(On-Prem Network)]\n  Internet2[(Internet)]\n  Monitor[Azure Monitor \/ Log Analytics]\n  Sentinel[Microsoft Sentinel]\n\n  S1 -->|UDR to Firewall| AFW2\n  S2 -->|UDR to Firewall| AFW2\n  S3 -->|UDR to Firewall| AFW2\n\n  AFW2 -->|Egress SNAT| Internet2\n  AFW2 -->|Hybrid routes| GW --> OnPrem\n\n  AFW2 --> Monitor --> Sentinel\n\n  S1 -.VNet Peering.- Hub\n  S2 -.VNet Peering.- Hub\n  S3 -.VNet Peering.- Hub\n<\/code><\/pre>\n\n\n\n
                                                                                          8. Prerequisites<\/h2>\n\n\n\n
                                                                                          Azure account and subscription<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • An active Azure subscription<\/strong> with permission to create:<\/li>\n
                                                                                          • Resource groups<\/li>\n
                                                                                          • VNets\/subnets, route tables, public IPs<\/li>\n
                                                                                          • Azure Firewall and Firewall Policy<\/li>\n
                                                                                          • Virtual machines (for validation)<\/li>\n
                                                                                          • Log Analytics workspace (optional but recommended)<\/li>\n<\/ul>\n\n\n\n
                                                                                            Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                            At minimum (depending on how your org scopes roles), you typically need:<\/p>\n\n\n\n
                                                                                              \n
                                                                                            • Contributor<\/strong> on the resource group (or higher) to deploy resources<\/li>\n
                                                                                            • Network Contributor<\/strong> for networking resources<\/li>\n
                                                                                            • Log Analytics Contributor<\/strong> (or appropriate workspace permissions) if enabling diagnostics to Log Analytics<\/li>\n<\/ul>\n\n\n\n
                                                                                              In regulated environments, security teams may own firewall policies; coordinate RBAC accordingly.<\/p>\n\n\n\n
                                                                                              Billing requirements<\/h3>\n\n\n\n
                                                                                              Azure Firewall is a paid service. Ensure:\n– Your subscription has billing enabled.\n– You understand that Azure Firewall costs accrue while it exists, plus data processing and logging charges.<\/p>\n\n\n\n
                                                                                              Tools<\/h3>\n\n\n\n
                                                                                              Choose one:\n– Azure Portal (browser)\n– Azure CLI (optional but useful): https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli\n– Azure Cloud Shell (no install): https:\/\/learn.microsoft.com\/azure\/cloud-shell\/overview<\/p>\n\n\n\n
                                                                                              This tutorial uses Azure Cloud Shell + Azure Portal<\/strong> for clarity and reliability.<\/p>\n\n\n\n
                                                                                              Region availability<\/h3>\n\n\n\n
                                                                                              Azure Firewall is available in many Azure regions, but features and zone support vary<\/strong>. Verify:\n– Azure Firewall availability: https:\/\/azure.microsoft.com\/products\/azure-firewall\/ (then cross-check docs)\n– Zone support and SKU availability: verify in official docs for your chosen region.<\/p>\n\n\n\n
                                                                                              Quotas\/limits<\/h3>\n\n\n\n
                                                                                              Azure Firewall has documented limits (rules, IP configurations, etc.). Before production design, review:\n– Azure Firewall limits: https:\/\/learn.microsoft.com\/azure\/firewall\/firewall-limits<\/p>\n\n\n\n
                                                                                              Prerequisite services (for this lab)<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Virtual Network with:<\/li>\n
                                                                                              • AzureFirewallSubnet<\/code><\/li>\n
                                                                                              • A workload subnet<\/li>\n
                                                                                              • Public IP (for the firewall)<\/li>\n
                                                                                              • A VM for traffic generation\/validation (Ubuntu)<\/li>\n
                                                                                              • Route table (UDR)<\/li>\n
                                                                                              • (Recommended) Log Analytics workspace for diagnostics<\/li>\n<\/ul>\n\n\n\n
                                                                                                9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                                Azure Firewall pricing is usage-based<\/strong> and varies by:<\/p>\n\n\n\n
                                                                                                  \n
                                                                                                • SKU\/tier<\/strong> (commonly Basic\/Standard\/Premium)<\/li>\n
                                                                                                • Region<\/strong><\/li>\n
                                                                                                • Deployment model<\/strong> (VNet vs Virtual WAN)<\/li>\n
                                                                                                • Data processed<\/strong> volume<\/li>\n<\/ul>\n\n\n\n
                                                                                                  You should always confirm current pricing on the official pricing page and calculator:<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                  • Official pricing page: https:\/\/azure.microsoft.com\/pricing\/details\/azure-firewall\/<\/li>\n
                                                                                                  • Azure Pricing Calculator: https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/li>\n<\/ul>\n\n\n\n
                                                                                                    9.1 Pricing dimensions (how you\u2019re charged)<\/h3>\n\n\n\n
                                                                                                    Common pricing components include:<\/p>\n\n\n\n
                                                                                                      \n
                                                                                                    1. \n
                                                                                                      Firewall instance charge (per hour)<\/strong>\n   You pay for the firewall resource while it is provisioned.<\/p>\n<\/li>\n
                                                                                                    2. \n
                                                                                                      Data processed (per GB)<\/strong>\n   Traffic processed through the firewall incurs a per-GB charge.<\/p>\n<\/li>\n
                                                                                                    3. \n
                                                                                                      Premium add-ons (if applicable)<\/strong>\n   Premium tier typically costs more per hour and\/or per GB due to deeper inspection features.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                      \n
                                                                                                      Exact rates vary by region and tier\u2014do not hardcode numbers. Use the official pricing page for your region.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                      9.2 Free tier<\/h3>\n\n\n\n
                                                                                                      Azure Firewall generally does not have a free tier<\/strong>. Some related services (like Azure Monitor free allocations) may have limited free quotas, but Azure Firewall itself is a paid service.<\/p>\n\n\n\n
                                                                                                      9.3 Key cost drivers<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Hours provisioned<\/strong>: Leaving a firewall running 24\/7 is a steady baseline cost.<\/li>\n
                                                                                                      • Data processed<\/strong>: High-traffic environments can pay significant per-GB charges.<\/li>\n
                                                                                                      • Number of firewalls<\/strong>: Multiple regions or segmented environments increase hourly costs.<\/li>\n
                                                                                                      • Logging volume<\/strong>: Sending verbose logs to Log Analytics increases ingestion and retention costs.<\/li>\n
                                                                                                      • Public IPs<\/strong>: Public IP resources can incur cost (depending on SKU and region).<\/li>\n
                                                                                                      • Egress data transfer<\/strong>: Internet egress bandwidth charges still apply (Azure bandwidth pricing), independent of the firewall.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        9.4 Hidden or indirect costs to plan for<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Log Analytics ingestion & retention<\/strong>: Firewall logs can be high volume.<\/li>\n
                                                                                                        • Microsoft Sentinel<\/strong>: If enabled, SIEM costs can be significant.<\/li>\n
                                                                                                        • Operational overhead<\/strong>: Rule management, change reviews, testing pipelines.<\/li>\n
                                                                                                        • Architecture costs<\/strong>: Hub-and-spoke may add VNet peering costs; Virtual WAN has its own pricing model.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          9.5 Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Egress bandwidth charges<\/strong> apply for data leaving Azure regions to the internet.<\/li>\n
                                                                                                          • Inter-region traffic<\/strong> and some peering patterns can incur charges\u2014review Azure bandwidth pricing.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            9.6 How to optimize cost (practical guidance)<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Right-size tier<\/strong>: Use Standard unless Premium features are required (e.g., TLS inspection\/IDPS). Basic may fit small environments\u2014verify constraints.<\/li>\n
                                                                                                            • Control log volume<\/strong>:<\/li>\n
                                                                                                            • Enable only needed categories initially.<\/li>\n
                                                                                                            • Use reasonable retention.<\/li>\n
                                                                                                            • Consider Event Hub forwarding to cheaper storage\/processing patterns (architecture-dependent).<\/li>\n
                                                                                                            • Reduce processed data<\/strong>:<\/li>\n
                                                                                                            • Don\u2019t hairpin traffic unnecessarily.<\/li>\n
                                                                                                            • Route only required subnets\/prefixes through the firewall.<\/li>\n
                                                                                                            • Design for scale<\/strong>: Avoid unnecessary multi-firewall sprawl; use policy reuse and centralized design where appropriate.<\/li>\n<\/ul>\n\n\n\n
                                                                                                              9.7 Example low-cost starter estimate (how to think about it)<\/h3>\n\n\n\n
                                                                                                              For a small lab:\n– 1 Azure Firewall instance running for a few hours\n– Minimal traffic (a few MB\/GB)\n– Short-lived Log Analytics workspace (optional)<\/p>\n\n\n\n
                                                                                                              Use the Pricing Calculator with:\n– Your region\n– Tier (Standard)\n– Estimated hours (e.g., 4\u20138 hours)\n– Estimated data processed (e.g., < 1 GB)\n– Log Analytics ingestion estimate (small for a lab)<\/p>\n\n\n\n
                                                                                                              9.8 Example production cost considerations<\/h3>\n\n\n\n
                                                                                                              In production, model:\n– 24\/7 hourly cost per region\n– Peak\/average data processed per day\/month\n– Expected logging volume (blocked traffic can generate lots of logs)\n– Retention requirements (30\/90\/180\/365 days)\n– Sentinel enablement and analytics rules\n– Additional hubs\/regions for DR<\/p>\n\n\n\n
                                                                                                              10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                              This lab creates a small Azure environment where a VM\u2019s outbound internet access is forced through Azure Firewall. You\u2019ll configure an allow-only<\/strong> application rule (allow Microsoft\u2019s website) and verify that other sites are blocked by default.<\/p>\n\n\n\n
                                                                                                              Objective<\/h3>\n\n\n\n
                                                                                                              Deploy Azure Firewall (Standard)<\/strong> with an Azure Firewall Policy<\/strong>, route a workload subnet through it, and enforce FQDN-based outbound control<\/strong> with logging.<\/p>\n\n\n\n
                                                                                                              Lab Overview<\/h3>\n\n\n\n
                                                                                                              You will build:<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                              • Resource group: rg-afw-lab<\/code><\/li>\n
                                                                                                              • VNet: vnet-afw-lab<\/code> (10.10.0.0\/16<\/code>)<\/li>\n
                                                                                                              • Subnet AzureFirewallSubnet<\/code> (10.10.0.0\/26<\/code>)<\/li>\n
                                                                                                              • Subnet WorkloadSubnet<\/code> (10.10.1.0\/24<\/code>)<\/li>\n
                                                                                                              • Azure Firewall + Public IP<\/li>\n
                                                                                                              • Firewall Policy with an application rule: Allow www.microsoft.com<\/code><\/strong><\/li>\n
                                                                                                              • Route table forcing WorkloadSubnet<\/code> egress to firewall<\/li>\n
                                                                                                              • Ubuntu VM with no public IP<\/strong><\/li>\n
                                                                                                              • Validation using Run Command<\/strong> (no bastion needed)<\/li>\n
                                                                                                              • Optional: Log Analytics workspace + diagnostics<\/li>\n<\/ul>\n\n\n\n
                                                                                                                \n
                                                                                                                Cost note: Azure Firewall is not \u201cmicro-cost.\u201d Do this lab in a non-production subscription and clean up<\/strong> afterward.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                Step 1: Create a resource group and choose a region<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                1. Open Azure Cloud Shell<\/strong> (Bash): https:\/\/learn.microsoft.com\/azure\/cloud-shell\/overview<\/li>\n
                                                                                                                2. Set variables (choose a region that supports Azure Firewall in your subscription):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                  RG=\"rg-afw-lab\"\nLOC=\"eastus\"   # change if needed\n<\/code><\/pre>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Create the resource group:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                    az group create --name \"$RG\" --location \"$LOC\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Resource group rg-afw-lab<\/code> exists.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 2: Create the VNet and subnets (including AzureFirewallSubnet)<\/h3>\n\n\n\n
                                                                                                                    Create the VNet and subnets:<\/p>\n\n\n\n
                                                                                                                    VNET=\"vnet-afw-lab\"\n\naz network vnet create \\\n  --resource-group \"$RG\" \\\n  --name \"$VNET\" \\\n  --address-prefixes 10.10.0.0\/16 \\\n  --subnet-name WorkloadSubnet \\\n  --subnet-prefixes 10.10.1.0\/24\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Now create the required firewall subnet with the exact name<\/strong> AzureFirewallSubnet<\/code>:<\/p>\n\n\n\n
                                                                                                                    az network vnet subnet create \\\n  --resource-group \"$RG\" \\\n  --vnet-name \"$VNET\" \\\n  --name AzureFirewallSubnet \\\n  --address-prefixes 10.10.0.0\/26\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> VNet has two subnets: WorkloadSubnet<\/code> and AzureFirewallSubnet<\/code>.<\/p>\n\n\n\n
                                                                                                                    Verification:<\/strong><\/p>\n\n\n\n
                                                                                                                    az network vnet subnet list --resource-group \"$RG\" --vnet-name \"$VNET\" -o table\n<\/code><\/pre>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 3: Create a public IP for Azure Firewall<\/h3>\n\n\n\n
                                                                                                                    Create a Standard public IP (zone settings can vary; keep it simple for labs):<\/p>\n\n\n\n
                                                                                                                    PIP=\"pip-afw-lab\"\n\naz network public-ip create \\\n  --resource-group \"$RG\" \\\n  --name \"$PIP\" \\\n  --sku Standard \\\n  --allocation-method Static\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> A static Standard public IP is created.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 4: Create an Azure Firewall Policy<\/h3>\n\n\n\n
                                                                                                                    Create a firewall policy:<\/p>\n\n\n\n
                                                                                                                    POLICY=\"afwpol-lab\"\n\naz network firewall policy create \\\n  --resource-group \"$RG\" \\\n  --name \"$POLICY\" \\\n  --location \"$LOC\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> An Azure Firewall Policy exists and is ready to receive rule collection groups.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 5: Deploy Azure Firewall into the VNet and attach the policy<\/h3>\n\n\n\n
                                                                                                                    Create the Azure Firewall instance:<\/p>\n\n\n\n
                                                                                                                    AFW=\"afw-lab\"\n\naz network firewall create \\\n  --resource-group \"$RG\" \\\n  --name \"$AFW\" \\\n  --location \"$LOC\" \\\n  --sku AZFW_VNet \\\n  --tier Standard \\\n  --firewall-policy \"$POLICY\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Attach an IP configuration (bind firewall to VNet and public IP). This step can take time:<\/p>\n\n\n\n
                                                                                                                    az network firewall ip-config create \\\n  --resource-group \"$RG\" \\\n  --firewall-name \"$AFW\" \\\n  --name \"ipconfig1\" \\\n  --public-ip-address \"$PIP\" \\\n  --vnet-name \"$VNET\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Get the firewall private IP:<\/p>\n\n\n\n
                                                                                                                    FW_PRIVATE_IP=$(az network firewall show \\\n  --resource-group \"$RG\" \\\n  --name \"$AFW\" \\\n  --query \"ipConfigurations[0].privateIPAddress\" -o tsv)\n\necho \"Firewall private IP: $FW_PRIVATE_IP\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Azure Firewall is deployed and has a private IP in AzureFirewallSubnet<\/code>.<\/p>\n\n\n\n
                                                                                                                    Common issue:<\/strong> If firewall deployment fails, confirm:\n– Subnet name is exactly AzureFirewallSubnet<\/code>\n– Address space is large enough for the firewall subnet\n– The region supports the selected tier\nIf unsure, verify in official docs: https:\/\/learn.microsoft.com\/azure\/firewall\/<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 6: Create a rule collection group to allow only www.microsoft.com<\/code> (outbound)<\/h3>\n\n\n\n
                                                                                                                    Azure Firewall Policy uses rule collection groups<\/strong>. Create one with an application rule collection<\/strong>.<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                    Note: Azure Firewall\u2019s default behavior is deny if there\u2019s no matching allow rule (given typical rule design). You will explicitly allow www.microsoft.com<\/code> and then test that other sites are blocked.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                    Create the rule collection group:<\/p>\n\n\n\n
                                                                                                                    RCG=\"rcg-app-egress\"\nPRIORITY=100\n\naz network firewall policy rule-collection-group create \\\n  --resource-group \"$RG\" \\\n  --policy-name \"$POLICY\" \\\n  --name \"$RCG\" \\\n  --priority \"$PRIORITY\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Add an application rule collection with a single allow rule for HTTPS to www.microsoft.com<\/code>:<\/p>\n\n\n\n
                                                                                                                    az network firewall policy rule-collection-group collection add-filter-collection \\\n  --resource-group \"$RG\" \\\n  --policy-name \"$POLICY\" \\\n  --rule-collection-group-name \"$RCG\" \\\n  --name \"app-allow-microsoft\" \\\n  --collection-priority 100 \\\n  --action Allow \\\n  --rule-name \"allow-msft-web\" \\\n  --rule-type ApplicationRule \\\n  --protocols Https=443 \\\n  --source-addresses 10.10.1.0\/24 \\\n  --target-fqdns \"www.microsoft.com\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Policy has an application rule allowing HTTPS from WorkloadSubnet<\/code> to www.microsoft.com<\/code>.<\/p>\n\n\n\n
                                                                                                                    Verification idea (optional):<\/strong><\/p>\n\n\n\n
                                                                                                                    az network firewall policy rule-collection-group show \\\n  --resource-group \"$RG\" \\\n  --policy-name \"$POLICY\" \\\n  --name \"$RCG\" \\\n  --query \"ruleCollections[].name\" -o tsv\n<\/code><\/pre>\n\n\n\n
                                                                                                                    If CLI syntax differs due to version changes, use Azure Portal<\/strong>:\n– Firewall Policy \u2192 Rule collection groups \u2192 Add application rule collection \u2192 Add rule\n(And verify in official docs<\/strong> for current portal steps.)<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 7: Create a route table to force outbound traffic through the firewall<\/h3>\n\n\n\n
                                                                                                                    Create a route table:<\/p>\n\n\n\n
                                                                                                                    RT=\"rt-workload-egress\"\n\naz network route-table create \\\n  --resource-group \"$RG\" \\\n  --name \"$RT\" \\\n  --location \"$LOC\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Add a default route (0.0.0.0\/0) to the firewall private IP:<\/p>\n\n\n\n
                                                                                                                    az network route-table route create \\\n  --resource-group \"$RG\" \\\n  --route-table-name \"$RT\" \\\n  --name \"default-to-firewall\" \\\n  --address-prefix 0.0.0.0\/0 \\\n  --next-hop-type VirtualAppliance \\\n  --next-hop-ip-address \"$FW_PRIVATE_IP\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Associate the route table to WorkloadSubnet<\/code>:<\/p>\n\n\n\n
                                                                                                                    az network vnet subnet update \\\n  --resource-group \"$RG\" \\\n  --vnet-name \"$VNET\" \\\n  --name WorkloadSubnet \\\n  --route-table \"$RT\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Any VM in WorkloadSubnet<\/code> sends internet-bound traffic to Azure Firewall.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 8: Deploy a test VM with no public IP<\/h3>\n\n\n\n
                                                                                                                    Create an Ubuntu VM in the workload subnet without a public IP. Use SSH keys (Cloud Shell can generate them).<\/p>\n\n\n\n
                                                                                                                    VM=\"vm-workload-01\"\n\naz vm create \\\n  --resource-group \"$RG\" \\\n  --name \"$VM\" \\\n  --image Ubuntu2204 \\\n  --vnet-name \"$VNET\" \\\n  --subnet WorkloadSubnet \\\n  --public-ip-address \"\" \\\n  --admin-username azureuser \\\n  --generate-ssh-keys\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> VM is created, but it is not directly reachable from the internet.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 9: Validate outbound access (allowed vs blocked) using Run Command<\/h3>\n\n\n\n
                                                                                                                    Use Run Command to execute curl from inside the VM.<\/p>\n\n\n\n
                                                                                                                    1) Test the allowed destination:<\/p>\n\n\n\n
                                                                                                                    az vm run-command invoke \\\n  --resource-group \"$RG\" \\\n  --name \"$VM\" \\\n  --command-id RunShellScript \\\n  --scripts \"set -e; echo 'Testing allowed site...'; curl -I https:\/\/www.microsoft.com | head -n 5\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> You should see an HTTP response header (e.g., HTTP\/2 200<\/code> or a redirect like 301\/302<\/code>).<\/p>\n\n\n\n
                                                                                                                    2) Test a blocked destination (not in your allowlist), e.g. Google:<\/p>\n\n\n\n
                                                                                                                    az vm run-command invoke \\\n  --resource-group \"$RG\" \\\n  --name \"$VM\" \\\n  --command-id RunShellScript \\\n  --scripts \"echo 'Testing blocked site...'; timeout 10 curl -I https:\/\/www.google.com || echo 'Blocked (expected)'\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> The request should fail (timeout\/connection error) and print Blocked (expected)<\/code>.<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                    If Google still works, your traffic may not be traversing the firewall (routing issue) or you may have other allow rules. Re-check the route table association and firewall policy.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 10 (Recommended): Enable diagnostics to Log Analytics and query denies<\/h3>\n\n\n\n
                                                                                                                    Create a Log Analytics workspace:<\/p>\n\n\n\n
                                                                                                                    LAW=\"law-afw-lab\"\n\naz monitor log-analytics workspace create \\\n  --resource-group \"$RG\" \\\n  --workspace-name \"$LAW\" \\\n  --location \"$LOC\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Get workspace resource ID:<\/p>\n\n\n\n
                                                                                                                    LAW_ID=$(az monitor log-analytics workspace show \\\n  --resource-group \"$RG\" \\\n  --workspace-name \"$LAW\" \\\n  --query id -o tsv)\n\necho \"$LAW_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Enable diagnostics on Azure Firewall (log categories can change; verify in docs if needed):<\/p>\n\n\n\n
                                                                                                                    AFW_ID=$(az network firewall show --resource-group \"$RG\" --name \"$AFW\" --query id -o tsv)\n\naz monitor diagnostic-settings create \\\n  --name \"diag-afw-to-law\" \\\n  --resource \"$AFW_ID\" \\\n  --workspace \"$LAW_ID\" \\\n  --logs '[\n    {\"category\":\"AzureFirewallApplicationRule\",\"enabled\":true},\n    {\"category\":\"AzureFirewallNetworkRule\",\"enabled\":true},\n    {\"category\":\"AzureFirewallDnsProxy\",\"enabled\":true}\n  ]' \\\n  --metrics '[{\"category\":\"AllMetrics\",\"enabled\":true}]'\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Firewall logs start flowing to Log Analytics (may take several minutes).<\/p>\n\n\n\n
                                                                                                                    Query example (in Log Analytics workspace \u2192 Logs):<\/strong>\n– Look for application rule denies\/allows (table names may differ by schema updates). A common table is AzureDiagnostics<\/code> for classic schemas; newer resources may use resource-specific tables. If you\u2019re unsure, start by listing tables and searching for \u201cAzureFirewall\u201d.<\/p>\n\n\n\n
                                                                                                                    Example KQL starting point (verify table names in your workspace):<\/p>\n\n\n\n
                                                                                                                    AzureDiagnostics\n| where ResourceType has \"AZUREFIREWALLS\"\n| where Category has \"AzureFirewallApplicationRule\"\n| sort by TimeGenerated desc\n| take 50\n<\/code><\/pre>\n\n\n\n
                                                                                                                    If your workspace uses a different table schema, verify in official docs<\/strong>:\nhttps:\/\/learn.microsoft.com\/azure\/firewall\/firewall-logs-and-metrics<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Validation<\/h3>\n\n\n\n
                                                                                                                    You have successfully completed the lab if:<\/p>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • WorkloadSubnet<\/code> has a route table with 0.0.0.0\/0<\/code> next hop to the firewall private IP.<\/li>\n
                                                                                                                    • From the VM:<\/li>\n
                                                                                                                    • https:\/\/www.microsoft.com<\/code> succeeds<\/li>\n
                                                                                                                    • https:\/\/www.google.com<\/code> fails (blocked)<\/li>\n
                                                                                                                    • (Optional) Firewall logs show allowed and denied attempts.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Troubleshooting<\/h3>\n\n\n\n
                                                                                                                      Common problems and practical fixes:<\/p>\n\n\n\n
                                                                                                                      1) Traffic bypasses Azure Firewall<\/strong>\n– Confirm the route table is associated with WorkloadSubnet<\/code>.\n– Confirm the route next hop IP is the firewall private IP<\/strong>.\n– Confirm there is no conflicting route overriding your UDR.<\/p>\n\n\n\n
                                                                                                                      2) Azure Firewall deployment fails<\/strong>\n– Subnet name must be exactly AzureFirewallSubnet<\/code>.\n– Subnet size must meet requirements (check official docs).\n– Verify region\/SKU availability.<\/p>\n\n\n\n
                                                                                                                      3) Allowed site is blocked<\/strong>\n– Ensure the application rule targets the correct FQDN (www.microsoft.com<\/code> vs microsoft.com<\/code>).\n– Some sites redirect across multiple hostnames. If your goal is \u201callow the full site,\u201d you may need to allow additional FQDNs used in redirects\/CDNs. Use logs to identify blocked FQDNs, then add them intentionally.<\/p>\n\n\n\n
                                                                                                                      4) No logs in Log Analytics<\/strong>\n– Wait 5\u201315 minutes after enabling diagnostics.\n– Confirm diagnostic settings are attached to the firewall resource.\n– Confirm workspace permissions and that categories are valid for your resource\/API version.<\/p>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Cleanup<\/h3>\n\n\n\n
                                                                                                                      To avoid ongoing Azure Firewall hourly charges, delete the resource group:<\/p>\n\n\n\n
                                                                                                                      az group delete --name \"$RG\" --yes --no-wait\n<\/code><\/pre>\n\n\n\n
                                                                                                                      Expected outcome:<\/strong> All lab resources are removed. Confirm in the Azure Portal that the resource group is gone.<\/p>\n\n\n\n
                                                                                                                      11. Best Practices<\/h2>\n\n\n\n
                                                                                                                      Architecture best practices<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Use hub-and-spoke<\/strong> for centralized inspection in multi-VNet environments.<\/li>\n
                                                                                                                      • Minimize hairpinning<\/strong>: Route only necessary prefixes through the firewall to reduce latency and cost.<\/li>\n
                                                                                                                      • Plan for hybrid<\/strong>: If using VPN\/ExpressRoute, ensure routes are symmetric and documented.<\/li>\n
                                                                                                                      • Prefer Azure Firewall Policy<\/strong> over legacy per-firewall \u201cclassic rules\u201d for consistency and reuse.<\/li>\n
                                                                                                                      • Separate inbound publishing vs outbound control<\/strong>: Use Application Gateway\/Front Door for many web ingress patterns and Azure Firewall primarily for network control and egress.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Use least privilege RBAC<\/strong>:<\/li>\n
                                                                                                                        • Security team: manage firewall policies\/rules<\/li>\n
                                                                                                                        • Network\/platform team: manage routing and firewall instances<\/li>\n
                                                                                                                        • Operations: read-only + log access<\/li>\n
                                                                                                                        • Use Privileged Identity Management (PIM)<\/strong> for just-in-time elevation in production.<\/li>\n
                                                                                                                        • Protect policy changes with change control<\/strong> and approvals (GitOps\/IaC).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Cost best practices<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Use the lowest tier<\/strong> that satisfies requirements.<\/li>\n
                                                                                                                          • Avoid routing large internal east\u2013west traffic through the firewall unless required.<\/li>\n
                                                                                                                          • Right-size diagnostics:<\/li>\n
                                                                                                                          • Send only required logs<\/li>\n
                                                                                                                          • Set retention deliberately<\/li>\n
                                                                                                                          • Consider archive strategies for long-term compliance<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Performance best practices<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Keep rule sets clean and well-structured:<\/li>\n
                                                                                                                            • Use meaningful priorities and naming<\/li>\n
                                                                                                                            • Avoid overly broad rules that cause security drift<\/li>\n
                                                                                                                            • Consider how application rule matching works (FQDN\/SNI\/Host header behavior).<\/li>\n
                                                                                                                            • Validate throughput and scaling guidance in official docs for high-volume designs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Use Availability Zones<\/strong> where supported if the firewall is business-critical.<\/li>\n
                                                                                                                              • Consider multi-region strategies for DR (separate firewalls per region).<\/li>\n
                                                                                                                              • Ensure routing is resilient (UDRs + consistent propagation patterns).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Operations best practices<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Enable diagnostics and build dashboards\/workbooks for:<\/li>\n
                                                                                                                                • Top allowed\/denied destinations<\/li>\n
                                                                                                                                • Threat intel hits<\/li>\n
                                                                                                                                • DNAT attempts<\/li>\n
                                                                                                                                • Create runbooks for:<\/li>\n
                                                                                                                                • \u201cNew outbound domain request\u201d (how to evaluate and add safely)<\/li>\n
                                                                                                                                • Incident response (log queries, isolation steps)<\/li>\n
                                                                                                                                • Use tagging for ownership and chargeback:<\/li>\n
                                                                                                                                • env<\/code>, app<\/code>, costCenter<\/code>, owner<\/code>, dataClassification<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Use consistent names (example pattern):<\/li>\n
                                                                                                                                  • afw-{env}-{region}-hub01<\/code><\/li>\n
                                                                                                                                  • afwpol-{env}-baseline<\/code><\/li>\n
                                                                                                                                  • rcg-egress-web-allow<\/code><\/li>\n
                                                                                                                                  • Enforce:<\/li>\n
                                                                                                                                  • Required tags<\/li>\n
                                                                                                                                  • Diagnostics enabled<\/li>\n
                                                                                                                                  • Approved regions and SKUs\nvia Azure Policy<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                    Identity and access model<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Azure Firewall is configured via ARM and controlled by Azure RBAC<\/strong>.<\/li>\n
                                                                                                                                    • Use separate roles\/scopes for:<\/li>\n
                                                                                                                                    • Policy authors<\/li>\n
                                                                                                                                    • Policy approvers<\/li>\n
                                                                                                                                    • Firewall operators<\/li>\n
                                                                                                                                    • Log readers (SOC)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Encryption<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Data plane encryption depends on protocols:<\/li>\n
                                                                                                                                      • HTTPS is encrypted end-to-end unless you implement TLS inspection<\/strong> (Premium).<\/li>\n
                                                                                                                                      • Logs in Azure Monitor and Log Analytics are stored encrypted at rest by Azure (verify your compliance needs in official docs).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Network exposure<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Public IPs on Azure Firewall can accept inbound traffic if you configure DNAT rules.<\/li>\n
                                                                                                                                        • Restrict inbound with:<\/li>\n
                                                                                                                                        • Tight DNAT source restrictions (where possible)<\/li>\n
                                                                                                                                        • Upstream DDoS protections\/design (Azure DDoS Protection is separate)<\/li>\n
                                                                                                                                        • Prefer WAF services for HTTP ingress when appropriate<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Secrets handling<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • If using TLS inspection (Premium), certificate\/private key handling is sensitive:<\/li>\n
                                                                                                                                          • Store certificates securely (often in Key Vault depending on recommended patterns\u2014verify in official docs).<\/li>\n
                                                                                                                                          • Restrict access and audit retrieval\/rotation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Enable diagnostic logs and retain them based on compliance requirements.<\/li>\n
                                                                                                                                            • Forward relevant logs to a SIEM (Microsoft Sentinel or another system).<\/li>\n
                                                                                                                                            • Monitor changes to policies and route tables (Azure Activity Log + alerts).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • TLS inspection can create privacy, regulatory, and legal obligations.<\/li>\n
                                                                                                                                              • Ensure appropriate consent and policy for decrypting traffic.<\/li>\n
                                                                                                                                              • Maintain auditable change history for firewall rules.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Forgetting routing<\/strong>: Assuming rules apply when traffic never hits the firewall.<\/li>\n
                                                                                                                                                • Over-broad allow rules<\/strong>: \u201cAllow Any Any\u201d defeats the purpose.<\/li>\n
                                                                                                                                                • Not logging<\/strong>: No diagnostics = no audit trail.<\/li>\n
                                                                                                                                                • Not accounting for redirects\/CDNs<\/strong>: Allowing one FQDN may not allow the full app; teams then \u201ctemporarily allow all,\u201d and it sticks.<\/li>\n
                                                                                                                                                • Publishing web apps with DNAT<\/strong> without WAF considerations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Start from deny-by-default<\/strong> outbound with explicit allowlists.<\/li>\n
                                                                                                                                                  • Use baseline policies and environment overrides.<\/li>\n
                                                                                                                                                  • Automate rule deployment through IaC with peer review.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                    Azure Firewall is widely used, but there are practical constraints to plan for.<\/p>\n\n\n\n
                                                                                                                                                    Known limitations \/ constraints (review before production)<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Rule and object limits<\/strong> exist (numbers can change). Review: https:\/\/learn.microsoft.com\/azure\/firewall\/firewall-limits<\/li>\n
                                                                                                                                                    • Feature availability differs by tier<\/strong> (Basic vs Standard vs Premium).<\/li>\n
                                                                                                                                                    • Regional feature differences<\/strong>: Availability Zones and some features vary by region.<\/li>\n
                                                                                                                                                    • Traffic must be routed through the firewall<\/strong> (UDRs \/ Virtual WAN routing). Misrouting is the #1 cause of \u201cit doesn\u2019t work.\u201d<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • FQDN allowlisting is not always \u201cone domain\u201d<\/strong>: modern apps use multiple domains for auth, CDNs, telemetry.<\/li>\n
                                                                                                                                                      • Asymmetric routing breaks stateful inspection<\/strong>: ensure return traffic follows the same path.<\/li>\n
                                                                                                                                                      • Logging costs can surprise you<\/strong>: blocked traffic storms can generate a lot of logs.<\/li>\n
                                                                                                                                                      • DNAT is not a WAF<\/strong>: it won\u2019t provide the same protections as a dedicated WAF service.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Compatibility nuances<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Some protocols and applications don\u2019t behave cleanly with centralized inspection or require additional design (proxy behavior, DNS considerations, etc.). Validate with a pilot.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Migrating from NVA appliances requires mapping:<\/li>\n
                                                                                                                                                          • NAT rules<\/li>\n
                                                                                                                                                          • App rules vs network rules<\/li>\n
                                                                                                                                                          • Logging differences<\/li>\n
                                                                                                                                                          • Routing and HA design\nExpect iterative testing.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                            Azure Firewall is one part of Azure\u2019s networking security toolbox. Here\u2019s how it compares to common alternatives.<\/p>\n\n\n\n
                                                                                                                                                            \n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                            Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                            Azure Firewall<\/strong><\/td>\nCentralized stateful filtering, egress control, hub security<\/td>\nManaged scaling\/HA, policy-based management, strong Azure integration, centralized logging<\/td>\nCosts can be significant; requires routing; not a full WAF replacement<\/td>\nYou need centralized inspection across VNets\/hybrid with strong logging<\/td>\n<\/tr>\n
                                                                                                                                                            Network Security Groups (NSGs)<\/strong><\/td>\nSubnet\/NIC-level L3\/L4 filtering<\/td>\nFree\/low cost, simple, distributed, very common<\/td>\nNo centralized L7\/FQDN egress control; limited centralized visibility<\/td>\nYou need basic segmentation inside a VNet\/subnet<\/td>\n<\/tr>\n
                                                                                                                                                            Azure Application Gateway (WAF)<\/strong><\/td>\nHTTP\/S inbound app publishing<\/td>\nL7 load balancer + WAF protections<\/td>\nNot a general outbound firewall; not meant for broad L3\/L4 filtering<\/td>\nYou need inbound web protection and routing<\/td>\n<\/tr>\n
                                                                                                                                                            Azure Front Door (WAF)<\/strong><\/td>\nGlobal HTTP\/S entry point<\/td>\nGlobal edge, WAF, acceleration<\/td>\nNot for private network egress control<\/td>\nYou need global web entry and WAF at the edge<\/td>\n<\/tr>\n
                                                                                                                                                            Third-party NVAs (Marketplace)<\/strong><\/td>\nAdvanced NGFW features or vendor standardization<\/td>\nFamiliar enterprise feature sets, vendor ecosystems<\/td>\nOperational overhead, scaling\/HA design, licensing<\/td>\nYou need specific NGFW features or already standardize on a vendor<\/td>\n<\/tr>\n
                                                                                                                                                            AWS Network Firewall<\/strong> (other cloud)<\/td>\nSimilar managed firewalling in AWS<\/td>\nManaged stateful filtering in AWS<\/td>\nNot Azure-native; different integrations<\/td>\nMulti-cloud comparison\u2014choose based on cloud location<\/td>\n<\/tr>\n
                                                                                                                                                            GCP Cloud NGFW \/ firewall controls<\/strong> (other cloud)<\/td>\nSimilar capabilities in GCP<\/td>\nManaged controls in GCP<\/td>\nNot Azure-native<\/td>\nChoose based on cloud platform<\/td>\n<\/tr>\n
                                                                                                                                                            Self-managed firewall VMs (pfSense, iptables, etc.)<\/strong><\/td>\nSmall environments or special cases<\/td>\nFull control, potentially lower base cost<\/td>\nPatching, scaling, HA complexity, operational risk<\/td>\nOnly if you accept ops overhead and have a strong reason<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                            15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                            Enterprise example (regulated hub-and-spoke)<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Problem<\/strong>: A financial services company has 40+ spoke VNets across multiple subscriptions. Auditors require proof that outbound internet access is restricted and logged. Security team wants centralized enforcement with approvals.<\/li>\n
                                                                                                                                                            • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                                                            • Hub VNet per region with Azure Firewall (zone-redundant where supported)<\/li>\n
                                                                                                                                                            • Azure Firewall Policy baseline (deny-by-default)<\/li>\n
                                                                                                                                                            • Rule collection groups per business unit and environment (dev\/test\/prod)<\/li>\n
                                                                                                                                                            • UDRs on spoke subnets forcing 0.0.0.0\/0 to the hub firewall<\/li>\n
                                                                                                                                                            • Diagnostic logs to Log Analytics + Microsoft Sentinel<\/li>\n
                                                                                                                                                            • Why Azure Firewall was chosen<\/strong>:<\/li>\n
                                                                                                                                                            • Managed HA and scaling reduces operational risk vs NVA clusters<\/li>\n
                                                                                                                                                            • Policy-based model supports central security governance<\/li>\n
                                                                                                                                                            • Native logging pipeline supports audit and IR<\/li>\n
                                                                                                                                                            • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                                                            • Consistent egress control with measurable compliance evidence<\/li>\n
                                                                                                                                                            • Faster incident investigations with centralized logs<\/li>\n
                                                                                                                                                            • Reduced drift vs distributed NSG-only approach<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Startup\/small-team example (simple egress allowlist)<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Problem<\/strong>: A startup runs workloads in Azure and suffered a supply-chain incident where build agents downloaded unauthorized tooling. They want strict outbound controls for CI runners.<\/li>\n
                                                                                                                                                              • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                                                              • Single VNet with Azure Firewall Standard<\/li>\n
                                                                                                                                                              • Allow outbound only to approved domains (artifact repos, source control, package registries)<\/li>\n
                                                                                                                                                              • Logs retained for a short period for troubleshooting<\/li>\n
                                                                                                                                                              • Why Azure Firewall was chosen<\/strong>:<\/li>\n
                                                                                                                                                              • Quick to deploy, managed service, strong logging<\/li>\n
                                                                                                                                                              • Central enforcement without touching every workload\u2019s NSGs<\/li>\n
                                                                                                                                                              • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                                                              • Reduced exfiltration risk from build agents<\/li>\n
                                                                                                                                                              • Better visibility into attempted outbound traffic<\/li>\n
                                                                                                                                                              • A repeatable security boundary as the company grows<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                1) Is Azure Firewall a WAF?<\/strong>\nNo. Azure Firewall is a network firewall (L3\u2013L7 depending on features) mainly for network\/app connectivity control. For web attack protection (OWASP, bot protection, etc.), use a WAF service such as Application Gateway WAF or Front Door WAF.<\/p>\n\n\n\n
                                                                                                                                                                2) Do I need Azure Firewall if I already use NSGs?<\/strong>\nOften yes for centralized egress control, FQDN filtering, NAT publishing, and centralized logging. NSGs are still important for local segmentation and least privilege inside subnets.<\/p>\n\n\n\n
                                                                                                                                                                3) Where do I deploy Azure Firewall in a hub-and-spoke design?<\/strong>\nTypically in the hub VNet<\/strong> in a dedicated subnet named AzureFirewallSubnet<\/code>, with spokes peered to the hub and UDRs forcing traffic to the firewall.<\/p>\n\n\n\n
                                                                                                                                                                4) How do I make sure traffic actually goes through Azure Firewall?<\/strong>\nUse UDRs<\/strong> (route tables) on spoke\/workload subnets and validate effective routes. Without routing, firewall rules won\u2019t apply.<\/p>\n\n\n\n
                                                                                                                                                                5) Can Azure Firewall restrict outbound traffic by domain name?<\/strong>\nYes, via Application rules<\/strong> (FQDN-based) primarily for HTTP\/S. Validate how your application resolves and connects (redirects, multiple domains).<\/p>\n\n\n\n
                                                                                                                                                                6) Why does \u201callow example.com<\/code>\u201d still break the application?<\/strong>\nModern apps often use multiple hostnames (CDNs, authentication providers). Use firewall logs to identify additional required FQDNs and allow them intentionally.<\/p>\n\n\n\n
                                                                                                                                                                7) Is Azure Firewall regional or global?<\/strong>\nAzure Firewall is primarily regional<\/strong>, though you can deploy per region and centralize management with policies\/manager.<\/p>\n\n\n\n
                                                                                                                                                                8) Does Azure Firewall support Availability Zones?<\/strong>\nIn many regions yes, but support varies. Verify zone support in official documentation for your region and chosen tier.<\/p>\n\n\n\n
                                                                                                                                                                9) Can Azure Firewall inspect east\u2013west traffic between spokes?<\/strong>\nYes, if you route that traffic through the firewall (for example, UDRs for RFC1918 prefixes). Be mindful of latency and cost.<\/p>\n\n\n\n
                                                                                                                                                                10) How does Azure Firewall logging work?<\/strong>\nYou enable diagnostic settings<\/strong> to send logs\/metrics to Log Analytics, Event Hub, or Storage. Then query\/alert with Azure Monitor and Sentinel.<\/p>\n\n\n\n
                                                                                                                                                                11) What are the biggest cost drivers?<\/strong>\nHourly firewall cost + data processed charges + logging (Log Analytics ingestion\/retention) + bandwidth egress.<\/p>\n\n\n\n
                                                                                                                                                                12) Can I use Azure Firewall with Azure Kubernetes Service (AKS)?<\/strong>\nYes, commonly for egress control, but you must design routing carefully (UDRs, SNAT, and cluster networking considerations). Pilot and validate.<\/p>\n\n\n\n
                                                                                                                                                                13) What\u2019s the difference between Azure Firewall and a third-party NVA?<\/strong>\nAzure Firewall is managed and Azure-integrated. NVAs can offer vendor-specific NGFW features but require more operational work and licensing management.<\/p>\n\n\n\n
                                                                                                                                                                14) Does Azure Firewall support DNAT for inbound publishing?<\/strong>\nYes, NAT rules can map a firewall public IP\/port to private IP\/port. For web apps, consider WAF services as a more appropriate edge layer.<\/p>\n\n\n\n
                                                                                                                                                                15) How do I organize rules at scale?<\/strong>\nUse Azure Firewall Policy<\/strong> with rule collection groups (by environment, app, team), consistent naming, priorities, and IaC-driven changes with approvals.<\/p>\n\n\n\n
                                                                                                                                                                16) Can I centralize management across multiple firewalls?<\/strong>\nYes\u2014use Azure Firewall Policy reuse and Azure Firewall Manager for centralized management patterns (especially with Virtual WAN secured hubs).<\/p>\n\n\n\n
                                                                                                                                                                17) What\u2019s the most common reason Azure Firewall \u201cdoes nothing\u201d?<\/strong>\nTraffic is not routed through it. Validate UDRs, effective routes, and return path symmetry.<\/p>\n\n\n\n
                                                                                                                                                                17. Top Online Resources to Learn Azure Firewall<\/h2>\n\n\n\n
                                                                                                                                                                \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                Official documentation<\/td>\nAzure Firewall documentation<\/td>\nCanonical setup, concepts, configuration, and troubleshooting: https:\/\/learn.microsoft.com\/azure\/firewall\/<\/td>\n<\/tr>\n
                                                                                                                                                                Official overview<\/td>\nAzure Firewall overview<\/td>\nClear explanation of what it is and key concepts: https:\/\/learn.microsoft.com\/azure\/firewall\/overview<\/td>\n<\/tr>\n
                                                                                                                                                                Official pricing<\/td>\nAzure Firewall pricing<\/td>\nCurrent SKU\/tier pricing model: https:\/\/azure.microsoft.com\/pricing\/details\/azure-firewall\/<\/td>\n<\/tr>\n
                                                                                                                                                                Pricing tool<\/td>\nAzure Pricing Calculator<\/td>\nBuild region- and usage-specific estimates: https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\n<\/tr>\n
                                                                                                                                                                Logs & metrics<\/td>\nAzure Firewall logs and metrics<\/td>\nHow to enable diagnostics and interpret logs: https:\/\/learn.microsoft.com\/azure\/firewall\/firewall-logs-and-metrics<\/td>\n<\/tr>\n
                                                                                                                                                                Limits<\/td>\nAzure Firewall limits<\/td>\nRule\/object constraints to plan designs: https:\/\/learn.microsoft.com\/azure\/firewall\/firewall-limits<\/td>\n<\/tr>\n
                                                                                                                                                                Architecture center<\/td>\nAzure Architecture Center<\/td>\nReference patterns for hub-spoke and security (search within): https:\/\/learn.microsoft.com\/azure\/architecture\/<\/td>\n<\/tr>\n
                                                                                                                                                                Virtual WAN secured hub<\/td>\nVirtual WAN + secured hub docs<\/td>\nFor Virtual WAN deployment patterns (verify current pages): https:\/\/learn.microsoft.com\/azure\/virtual-wan\/<\/td>\n<\/tr>\n
                                                                                                                                                                Azure Firewall Manager<\/td>\nFirewall Manager documentation<\/td>\nCentralized management patterns: https:\/\/learn.microsoft.com\/azure\/firewall-manager\/<\/td>\n<\/tr>\n
                                                                                                                                                                Video learning<\/td>\nMicrosoft Azure YouTube channel<\/td>\nOfficial talks and demos (search \u201cAzure Firewall\u201d): https:\/\/www.youtube.com\/@MicrosoftAzure<\/td>\n<\/tr>\n
                                                                                                                                                                Community (reputable)<\/td>\nMicrosoft Tech Community (Azure Networking)<\/td>\nReal-world troubleshooting and announcements (validate with docs): https:\/\/techcommunity.microsoft.com\/t5\/azure-networking\/bd-p\/AzureNetworking<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                1. \n
                                                                                                                                                                  DevOpsSchool.com<\/strong>\n   – Suitable audience<\/strong>: DevOps engineers, SREs, cloud engineers, platform teams\n   – Likely learning focus<\/strong>: Azure infrastructure, DevOps practices, CI\/CD, cloud operations (verify specific Azure Firewall coverage on site)\n   – Mode<\/strong>: Check website\n   – Website<\/strong>: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                2. \n
                                                                                                                                                                  ScmGalaxy.com<\/strong>\n   – Suitable audience<\/strong>: DevOps and SCM learners, build\/release engineers\n   – Likely learning focus<\/strong>: Source control, CI\/CD tooling, DevOps foundations (verify Azure networking offerings on site)\n   – Mode<\/strong>: Check website\n   – Website<\/strong>: https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n
                                                                                                                                                                3. \n
                                                                                                                                                                  CLoudOpsNow.in<\/strong>\n   – Suitable audience<\/strong>: Cloud operations and platform operations teams\n   – Likely learning focus<\/strong>: Cloud operations practices, monitoring, reliability (verify Azure Firewall content on site)\n   – Mode<\/strong>: Check website\n   – Website<\/strong>: https:\/\/www.cloudopsnow.in\/<\/p>\n<\/li>\n
                                                                                                                                                                4. \n
                                                                                                                                                                  SreSchool.com<\/strong>\n   – Suitable audience<\/strong>: SREs, operations engineers, reliability-focused teams\n   – Likely learning focus<\/strong>: SRE practices, observability, incident response (verify Azure networking modules on site)\n   – Mode<\/strong>: Check website\n   – Website<\/strong>: https:\/\/www.sreschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                5. \n
                                                                                                                                                                  AiOpsSchool.com<\/strong>\n   – Suitable audience<\/strong>: Operations teams adopting AIOps, monitoring engineers\n   – Likely learning focus<\/strong>: AIOps concepts, automation, monitoring analytics (verify Azure integration content on site)\n   – Mode<\/strong>: Check website\n   – Website<\/strong>: https:\/\/www.aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                  19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  1. \n
                                                                                                                                                                    RajeshKumar.xyz<\/strong>\n   – Likely specialization<\/strong>: DevOps\/cloud training content (verify specific Azure Firewall materials on site)\n   – Suitable audience<\/strong>: Beginners to intermediate engineers\n   – Website<\/strong>: https:\/\/rajeshkumar.xyz\/<\/p>\n<\/li>\n
                                                                                                                                                                  2. \n
                                                                                                                                                                    devopstrainer.in<\/strong>\n   – Likely specialization<\/strong>: DevOps training and coaching (verify Azure networking coverage)\n   – Suitable audience<\/strong>: DevOps engineers and students\n   – Website<\/strong>: https:\/\/www.devopstrainer.in\/<\/p>\n<\/li>\n
                                                                                                                                                                  3. \n
                                                                                                                                                                    devopsfreelancer.com<\/strong>\n   – Likely specialization<\/strong>: Freelance DevOps services and training resources (verify Azure content)\n   – Suitable audience<\/strong>: Teams seeking practical DevOps guidance\n   – Website<\/strong>: https:\/\/www.devopsfreelancer.com\/<\/p>\n<\/li>\n
                                                                                                                                                                  4. \n
                                                                                                                                                                    devopssupport.in<\/strong>\n   – Likely specialization<\/strong>: DevOps support and enablement resources (verify Azure Firewall coverage)\n   – Suitable audience<\/strong>: Working professionals needing hands-on support\n   – Website<\/strong>: https:\/\/www.devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                    20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    1. \n
                                                                                                                                                                      cotocus.com<\/strong>\n   – Likely service area<\/strong>: Cloud and DevOps consulting (verify service catalog)\n   – Where they may help<\/strong>: Landing zones, networking architecture, security implementations, operations\n   – Consulting use case examples<\/strong>:<\/p>\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Hub-and-spoke Azure networking with Azure Firewall<\/li>\n
                                                                                                                                                                      • Logging\/SIEM integration for firewall events<\/li>\n
                                                                                                                                                                      • Migration from NVA appliances to managed services<\/li>\n
                                                                                                                                                                      • Website<\/strong>: https:\/\/cotocus.com\/<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                      • \n
                                                                                                                                                                        DevOpsSchool.com<\/strong>\n   – Likely service area<\/strong>: DevOps and cloud consulting\/training (verify offerings)\n   – Where they may help<\/strong>: DevOps enablement, cloud operations, automation, IaC\n   – Consulting use case examples<\/strong>:<\/p>\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Azure Firewall Policy deployment with IaC pipelines<\/li>\n
                                                                                                                                                                        • Operational runbooks and monitoring dashboards<\/li>\n
                                                                                                                                                                        • Cost governance for centralized egress and logging<\/li>\n
                                                                                                                                                                        • Website<\/strong>: https:\/\/www.devopsschool.com\/<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                        • \n
                                                                                                                                                                          DEVOPSCONSULTING.IN<\/strong>\n   – Likely service area<\/strong>: DevOps consulting and implementation services (verify offerings)\n   – Where they may help<\/strong>: CI\/CD, cloud adoption, infrastructure automation\n   – Consulting use case examples<\/strong>:<\/p>\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Secure egress design for build agents<\/li>\n
                                                                                                                                                                          • Route table\/segmentation design and validation<\/li>\n
                                                                                                                                                                          • Logging pipeline to Azure Monitor\/Sentinel<\/li>\n
                                                                                                                                                                          • Website<\/strong>: https:\/\/www.devopsconsulting.in\/<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                            21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                            What to learn before Azure Firewall<\/h3>\n\n\n\n
                                                                                                                                                                            To be effective with Azure Firewall, you should be comfortable with:<\/p>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • IP addressing and subnetting<\/strong> (CIDR, RFC1918)<\/li>\n
                                                                                                                                                                            • Routing fundamentals<\/strong> (default routes, longest prefix match, asymmetric routing)<\/li>\n
                                                                                                                                                                            • Azure VNets and subnets<\/strong><\/li>\n
                                                                                                                                                                            • Network Security Groups (NSGs)<\/strong> and how they differ from firewalls<\/li>\n
                                                                                                                                                                            • Azure RBAC<\/strong> and resource organization (subscriptions, resource groups)<\/li>\n
                                                                                                                                                                            • Azure Monitor basics<\/strong> (logs, metrics, diagnostic settings)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              What to learn after Azure Firewall<\/h3>\n\n\n\n
                                                                                                                                                                              Once you understand Azure Firewall, expand into:<\/p>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • Hub-and-spoke landing zones<\/strong> and governance (Azure Policy)<\/li>\n
                                                                                                                                                                              • Azure Firewall Manager<\/strong> and Virtual WAN secured hubs<\/strong><\/li>\n
                                                                                                                                                                              • Microsoft Sentinel<\/strong> detections and incident workflows using firewall logs<\/li>\n
                                                                                                                                                                              • Private endpoints\/Private Link<\/strong> and private DNS designs<\/li>\n
                                                                                                                                                                              • WAF services<\/strong> (Application Gateway WAF, Front Door WAF)<\/li>\n
                                                                                                                                                                              • Zero Trust networking patterns<\/strong> and segmentation strategies<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                Job roles that use Azure Firewall<\/h3>\n\n\n\n
                                                                                                                                                                                  \n
                                                                                                                                                                                • Cloud Network Engineer<\/li>\n
                                                                                                                                                                                • Cloud Security Engineer<\/li>\n
                                                                                                                                                                                • Platform Engineer<\/li>\n
                                                                                                                                                                                • SRE \/ Cloud Operations Engineer<\/li>\n
                                                                                                                                                                                • Solutions Architect<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                  Certification path (Azure)<\/h3>\n\n\n\n
                                                                                                                                                                                  Microsoft certifications change over time, so verify current certification names in official Microsoft Learn<\/strong>. Commonly relevant tracks include:\n– Azure Fundamentals (AZ-900)\n– Azure Administrator (AZ-104)\n– Azure Security Engineer (AZ-500)\n– Azure Network Engineer Associate (check current code\/name in Microsoft Learn)<\/p>\n\n\n\n
                                                                                                                                                                                  Microsoft Learn certifications: https:\/\/learn.microsoft.com\/credentials\/<\/p>\n\n\n\n
                                                                                                                                                                                  Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  • Build a hub-and-spoke lab with:<\/li>\n
                                                                                                                                                                                  • Shared firewall policy baseline<\/li>\n
                                                                                                                                                                                  • Separate dev\/prod spokes<\/li>\n
                                                                                                                                                                                  • Egress allowlist + logging queries<\/li>\n
                                                                                                                                                                                  • Add DNAT publishing for a private VM and compare with Application Gateway for web publishing.<\/li>\n
                                                                                                                                                                                  • Create alerting:<\/li>\n
                                                                                                                                                                                  • Spike in denied outbound traffic<\/li>\n
                                                                                                                                                                                  • Threat intel hits<\/li>\n
                                                                                                                                                                                  • Build IaC (Bicep\/Terraform) to deploy:<\/li>\n
                                                                                                                                                                                  • Firewall + policy<\/li>\n
                                                                                                                                                                                  • Route tables<\/li>\n
                                                                                                                                                                                  • Diagnostics and retention<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    • Azure Firewall<\/strong>: Managed, stateful network firewall service in Azure.<\/li>\n
                                                                                                                                                                                    • Azure Firewall Policy<\/strong>: Central policy object containing firewall rules\/settings, attachable to one or more firewalls.<\/li>\n
                                                                                                                                                                                    • Rule Collection Group<\/strong>: A container in a firewall policy that holds rule collections and sets evaluation priority.<\/li>\n
                                                                                                                                                                                    • Application Rule<\/strong>: L7 rule that allows\/denies traffic based on FQDN for supported protocols (commonly HTTP\/S).<\/li>\n
                                                                                                                                                                                    • Network Rule<\/strong>: L3\/L4 rule based on IPs, ports, and protocols.<\/li>\n
                                                                                                                                                                                    • NAT Rule<\/strong>: Rule defining address\/port translation (often DNAT for inbound publishing).<\/li>\n
                                                                                                                                                                                    • UDR (User Defined Route)<\/strong>: Custom route in an Azure route table to steer traffic (e.g., to a firewall).<\/li>\n
                                                                                                                                                                                    • SNAT<\/strong>: Source NAT\u2014outbound translation often to a firewall public IP.<\/li>\n
                                                                                                                                                                                    • DNAT<\/strong>: Destination NAT\u2014inbound translation from public IP\/port to private IP\/port.<\/li>\n
                                                                                                                                                                                    • Hub-and-spoke<\/strong>: Network topology where spokes connect to a central hub for shared services and security.<\/li>\n
                                                                                                                                                                                    • Virtual WAN Secure Hub<\/strong>: Virtual WAN hub with integrated security services such as Azure Firewall.<\/li>\n
                                                                                                                                                                                    • Azure Monitor Diagnostic Settings<\/strong>: Configuration that sends resource logs\/metrics to Log Analytics\/Event Hub\/Storage.<\/li>\n
                                                                                                                                                                                    • Log Analytics<\/strong>: Azure Monitor log store queried with KQL.<\/li>\n
                                                                                                                                                                                    • KQL<\/strong>: Kusto Query Language, used to query Azure Monitor logs.<\/li>\n
                                                                                                                                                                                    • Threat intelligence filtering<\/strong>: Blocking\/alerting based on known malicious indicators provided by Microsoft.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                      23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                      Azure Firewall is Azure\u2019s managed, stateful firewall service in the Networking<\/strong> category, designed to provide centralized traffic control, threat intelligence filtering, NAT capabilities, and deep operational visibility through Azure Monitor. It fits best as a hub security control for egress filtering<\/strong>, segmentation<\/strong>, and hybrid network enforcement<\/strong>, especially when you want consistent governance across many subnets and VNets.<\/p>\n\n\n\n
                                                                                                                                                                                      Cost-wise, plan for hourly firewall charges<\/strong>, data processed charges<\/strong>, and potentially significant logging costs<\/strong> (Log Analytics\/Sentinel). Security-wise, success depends on correct routing (UDRs\/Virtual WAN), least-privilege policy management, and intentional allowlisting (especially for modern apps that use many FQDNs).<\/p>\n\n\n\n
                                                                                                                                                                                      Use Azure Firewall when you need a centralized, auditable enforcement point that integrates cleanly with Azure\u2019s routing and monitoring ecosystem. Next, deepen your skills by implementing a hub-and-spoke or Virtual WAN secured hub design, enabling diagnostics, and building operational playbooks and alerts around firewall events.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                      Networking<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,50,10],"tags":[],"class_list":["post-492","post","type-post","status-publish","format-standard","hentry","category-azure","category-networking","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=492"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/492\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}