{"id":502,"date":"2026-04-14T07:17:43","date_gmt":"2026-04-14T07:17:43","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-firewall-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking\/"},"modified":"2026-04-14T07:17:43","modified_gmt":"2026-04-14T07:17:43","slug":"azure-firewall-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-firewall-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking\/","title":{"rendered":"Azure Firewall Manager Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Networking<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Azure Firewall Manager is Azure\u2019s centralized management layer for deploying, configuring, and governing Azure Firewall<\/strong> at scale\u2014especially in hub-and-spoke<\/strong> networks and Azure Virtual WAN secured hubs<\/strong>. It helps platform and security teams consistently apply firewall policies across many networks, regions, and subscriptions without duplicating rule sets and operational processes.<\/p>\n\n\n\n

In simple terms: Azure Firewall Manager is where you define firewall policy once and apply it consistently to many firewalls and hubs<\/strong>.<\/p>\n\n\n\n

Technically, Azure Firewall Manager provides a control-plane experience (primarily in the Azure portal and ARM) for creating and managing Azure Firewall Policies<\/strong> (including hierarchical policies), associating them to Azure Firewalls<\/strong> (VNet-based) and secured virtual hubs<\/strong>, and optionally integrating with supported third-party security providers in Virtual WAN (verify supported partners in official docs). It does not<\/strong> replace Azure Firewall; it manages and orchestrates it.<\/p>\n\n\n\n

The problem it solves is common in enterprise Networking and security operations: as environments grow, teams end up with inconsistent firewall rules, duplicated configuration, brittle change processes, and difficult auditing across subscriptions and regions. Azure Firewall Manager addresses this with centralized governance, policy reuse, and more predictable operations.<\/p>\n\n\n\n

\n

Service name check: Azure Firewall Manager<\/strong> is the current, active service name in Azure documentation at the time of writing. If Azure renames portal experiences (for example, consolidating blades), the underlying resource types and concepts remain centered around Azure Firewall Policy<\/strong> and policy associations. Always verify the latest UX in official docs.<\/p>\n<\/blockquote>\n\n\n\n

2. What is Azure Firewall Manager?<\/h2>\n\n\n\n

Azure Firewall Manager is an Azure Networking<\/strong> security management service designed to centrally deploy and manage firewall security policies for Azure Firewall<\/strong> and secured virtual hubs<\/strong> in Azure Virtual WAN<\/strong>.<\/p>\n\n\n\n

Official purpose (what it\u2019s for)<\/h3>\n\n\n\n
    \n
  • Centralize security policy management for Azure Firewall across multiple environments.<\/li>\n
  • Provide consistent enforcement in hub-and-spoke and Virtual WAN architectures.<\/li>\n
  • Simplify policy rollout, change control, and governance for firewall rules.<\/li>\n<\/ul>\n\n\n\n

    Core capabilities (what it can do)<\/h3>\n\n\n\n
      \n
    • Create and manage Azure Firewall Policies<\/strong>.<\/li>\n
    • Use hierarchical policies<\/strong> (parent\/child) for shared baseline controls plus app\/team-specific overrides.<\/li>\n
    • Associate policies to:<\/li>\n
    • VNet-based Azure Firewall<\/strong> deployments (hub VNets)<\/li>\n
    • Secured virtual hubs<\/strong> (Virtual WAN hubs with managed security)<\/li>\n
    • Support scalable architectures like hub-and-spoke<\/strong> and Azure Virtual WAN<\/strong>.<\/li>\n
    • Centralize monitoring and governance patterns (through integration with Azure Monitor\/Log Analytics, Microsoft Sentinel, etc., via Azure Firewall logs).<\/li>\n<\/ul>\n\n\n\n

      Major components<\/h3>\n\n\n\n

      Azure Firewall Manager is best understood as a management umbrella around these key components:<\/p>\n\n\n\n

        \n
      • Azure Firewall<\/strong>: The stateful network firewall (data plane) that processes traffic.<\/li>\n
      • Azure Firewall Policy<\/strong>: The policy object containing rule collection groups, rules (network, application, NAT), threat intelligence settings, TLS inspection settings (Premium capability), IDPS settings (Premium capability), and more (capabilities depend on Firewall SKU\u2014verify).<\/li>\n
      • Policy association<\/strong>: The binding of a policy to an Azure Firewall instance or secured virtual hub.<\/li>\n
      • (Optional) Virtual WAN secured hub<\/strong>: A Virtual WAN hub with security provider (Azure Firewall or supported partner) enabled.<\/li>\n<\/ul>\n\n\n\n

        Service type<\/h3>\n\n\n\n
          \n
        • Primarily a management\/control-plane<\/strong> service for Azure Firewall deployments.<\/li>\n
        • It does not process traffic itself; Azure Firewall<\/strong> (and\/or the Virtual WAN security provider) processes traffic.<\/li>\n<\/ul>\n\n\n\n

          Scope: regional\/global and Azure resource scope<\/h3>\n\n\n\n
            \n
          • Azure Firewall Policy<\/strong> is an Azure resource created in a specific resource group<\/strong> and region<\/strong> (location), but can often be used across environments depending on Azure Firewall architecture. The exact constraints can vary by scenario; verify in official docs for your topology.<\/li>\n
          • Azure Firewall Manager provides centralized management across subscriptions and regions<\/strong> (subject to RBAC permissions and supported capabilities).<\/li>\n<\/ul>\n\n\n\n

            How it fits into the Azure ecosystem<\/h3>\n\n\n\n

            Azure Firewall Manager sits at the intersection of:\n– Networking<\/strong>: VNets, peering, route tables (UDR), Virtual WAN, VPN\/ExpressRoute gateways\n– Security<\/strong>: centralized policy, enforcement controls, logging and SIEM integration\n– Operations<\/strong>: change management, governance, consistent rollout, auditing and troubleshooting<\/p>\n\n\n\n

            It complements (not replaces) other Azure Networking and security services like:\n– Network Security Groups (NSGs) for subnet\/NIC-level filtering\n– Azure Application Gateway \/ WAF for HTTP(S) application layer protection\n– DDoS Protection for volumetric attack mitigation\n– Microsoft Defender for Cloud for posture management (recommendations)<\/p>\n\n\n\n

            3. Why use Azure Firewall Manager?<\/h2>\n\n\n\n

            Business reasons<\/h3>\n\n\n\n
              \n
            • Consistency and standardization<\/strong>: Apply a baseline firewall posture across business units and environments.<\/li>\n
            • Reduced operational cost<\/strong>: Central policy management reduces duplicated effort and configuration drift.<\/li>\n
            • Faster onboarding<\/strong>: New spokes, subscriptions, or environments can inherit security posture with less manual work.<\/li>\n
            • Audit readiness<\/strong>: Easier to demonstrate standardized controls and rule governance.<\/li>\n<\/ul>\n\n\n\n

              Technical reasons<\/h3>\n\n\n\n
                \n
              • Policy reuse at scale<\/strong>: Use centralized policies rather than recreating rules per firewall.<\/li>\n
              • Hierarchical policies<\/strong>: Separate global baseline rules (parent) from workload rules (child).<\/li>\n
              • Works with hub-and-spoke and Virtual WAN<\/strong>: Two of the most common Azure enterprise network patterns.<\/li>\n<\/ul>\n\n\n\n

                Operational reasons<\/h3>\n\n\n\n
                  \n
                • Central change workflow<\/strong>: Fewer places to edit rules, fewer \u201csnowflake\u201d firewalls.<\/li>\n
                • Separation of duties<\/strong>: Central team owns baseline; app teams can own child policies (with appropriate RBAC).<\/li>\n
                • Repeatable rollout<\/strong>: Standardized association patterns for new hubs and spokes.<\/li>\n<\/ul>\n\n\n\n

                  Security\/compliance reasons<\/h3>\n\n\n\n
                    \n
                  • Central governance<\/strong>: Helps enforce consistent outbound filtering and segmentation.<\/li>\n
                  • Improved visibility<\/strong>: With Azure Firewall logs routed centrally, security teams can monitor policy outcomes.<\/li>\n
                  • Supports regulated environments<\/strong>: Central rule management and auditing are useful for ISO 27001, SOC 2, PCI DSS, HIPAA-aligned programs (compliance depends on your controls\u2014Azure Firewall Manager is an enabler, not a certification).<\/li>\n<\/ul>\n\n\n\n

                    Scalability\/performance reasons<\/h3>\n\n\n\n
                      \n
                    • Better scalability of operations (people\/process) rather than raw packet throughput.<\/li>\n
                    • Azure Firewall scaling\/performance is primarily determined by the Azure Firewall SKU and architecture; Firewall Manager helps you manage it.<\/li>\n<\/ul>\n\n\n\n

                      When teams should choose Azure Firewall Manager<\/h3>\n\n\n\n
                        \n
                      • You have multiple VNets\/subscriptions<\/strong> and want centralized policy management.<\/li>\n
                      • You\u2019re implementing hub-and-spoke<\/strong> or Virtual WAN<\/strong> and want consistent inspection.<\/li>\n
                      • You want baseline security rules<\/strong> plus team\/application-specific rules<\/strong> using hierarchical policies.<\/li>\n
                      • You need a structured way to apply firewall governance at enterprise scale.<\/li>\n<\/ul>\n\n\n\n

                        When teams should not choose it<\/h3>\n\n\n\n
                          \n
                        • You have a small environment with a single VNet and no need for centralized policy governance (managing Azure Firewall directly may be sufficient).<\/li>\n
                        • You only need simple segmentation that NSGs can handle (note: NSGs are not a full firewall replacement; they\u2019re L3\/L4 and don\u2019t provide the same centralized inspection\/logging capabilities).<\/li>\n
                        • You require a non-Azure firewall vendor feature set not supported by Azure Firewall (consider partner security providers or third-party appliances; validate support and architecture implications).<\/li>\n<\/ul>\n\n\n\n

                          4. Where is Azure Firewall Manager used?<\/h2>\n\n\n\n

                          Industries<\/h3>\n\n\n\n
                            \n
                          • Financial services: centralized egress control, segmentation, auditing<\/li>\n
                          • Healthcare: controlled outbound access, monitoring, compliance reporting<\/li>\n
                          • Retail\/e-commerce: environment separation (prod vs non-prod), controlled outbound dependencies<\/li>\n
                          • Government\/public sector: strict egress control and centralized governance<\/li>\n
                          • SaaS and tech: multi-subscription landing zones with standardized controls<\/li>\n
                          • Manufacturing\/IoT: hub inspection for hybrid connectivity and device telemetry paths<\/li>\n<\/ul>\n\n\n\n

                            Team types<\/h3>\n\n\n\n
                              \n
                            • Platform engineering: standardize connectivity and security across landing zones<\/li>\n
                            • Networking teams: hub-and-spoke routing, centralized security appliances<\/li>\n
                            • Security engineering: egress filtering, threat intelligence controls, SIEM integration<\/li>\n
                            • DevOps\/SRE: operational runbooks, change control, incident response workflows<\/li>\n<\/ul>\n\n\n\n

                              Workloads<\/h3>\n\n\n\n
                                \n
                              • Internet-facing web apps (paired with WAF) needing controlled outbound<\/li>\n
                              • Internal APIs and microservices needing segmentation and egress policies<\/li>\n
                              • Hybrid workloads with VPN\/ExpressRoute where hub inspection is required<\/li>\n
                              • Data platforms (Synapse, Databricks, Kubernetes) where outbound dependencies must be controlled<\/li>\n<\/ul>\n\n\n\n

                                Architectures<\/h3>\n\n\n\n
                                  \n
                                • Hub-and-spoke VNets with centralized Azure Firewall<\/li>\n
                                • Azure Virtual WAN with secured hubs for centralized security<\/li>\n
                                • Multi-region networks with consistent policy definitions<\/li>\n
                                • Shared services hubs for DNS, identity, monitoring, and security inspection<\/li>\n<\/ul>\n\n\n\n

                                  Real-world deployment contexts<\/h3>\n\n\n\n
                                    \n
                                  • Production: strict change control, centralized logging, high availability patterns<\/li>\n
                                  • Dev\/test: enforce \u201cno-open-egress\u201d policies, reduce risk of accidental exposure, lower operational overhead with reusable policies<\/li>\n<\/ul>\n\n\n\n

                                    5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                    Below are realistic Azure Networking scenarios where Azure Firewall Manager is a strong fit.<\/p>\n\n\n\n

                                    1) Centralized outbound internet control (egress filtering)<\/h3>\n\n\n\n
                                      \n
                                    • Problem<\/strong>: Spoke VNets and workloads can reach any internet destination, increasing exfiltration and compliance risk.<\/li>\n
                                    • Why Azure Firewall Manager fits<\/strong>: Central policy defines allowed FQDNs\/IPs and is applied to hub firewall(s).<\/li>\n
                                    • Example<\/strong>: Only allow outbound HTTPS to *.microsoft.com<\/code>, OS update endpoints, and approved SaaS; deny everything else.<\/li>\n<\/ul>\n\n\n\n

                                      2) Standard baseline policy across many subscriptions (landing zone governance)<\/h3>\n\n\n\n
                                        \n
                                      • Problem<\/strong>: Different teams deploy their own firewall rules, leading to drift and audit pain.<\/li>\n
                                      • Why it fits<\/strong>: Hierarchical policies allow a parent baseline<\/strong> with mandatory rules, plus child policies<\/strong> for teams.<\/li>\n
                                      • Example<\/strong>: Parent policy enforces deny-to-known-malicious + required internal services; child policy adds app-specific allow rules.<\/li>\n<\/ul>\n\n\n\n

                                        3) Hub-and-spoke segmentation between environments (prod\/non-prod)<\/h3>\n\n\n\n
                                          \n
                                        • Problem<\/strong>: East-west traffic between environments is accidentally permitted via peering and routes.<\/li>\n
                                        • Why it fits<\/strong>: Central policy defines inter-spoke rules and is enforced at the hub.<\/li>\n
                                        • Example<\/strong>: Block non-prod from reaching prod databases; allow only specific management ports from jump hosts.<\/li>\n<\/ul>\n\n\n\n

                                          4) Standardized firewall rollouts in multi-region architectures<\/h3>\n\n\n\n
                                            \n
                                          • Problem<\/strong>: Each region deploys its own firewall rules; rule parity becomes difficult.<\/li>\n
                                          • Why it fits<\/strong>: Use a consistent policy approach and associate to region-specific Azure Firewalls.<\/li>\n
                                          • Example<\/strong>: Global policy reused in two regions; only region-specific endpoints differ via child policies.<\/li>\n<\/ul>\n\n\n\n

                                            5) Controlled access to platform services (PaaS) with central inspection<\/h3>\n\n\n\n
                                              \n
                                            • Problem<\/strong>: Workloads need outbound access to PaaS endpoints; governance wants visibility and restriction.<\/li>\n
                                            • Why it fits<\/strong>: Central outbound rules and logging provide governance.<\/li>\n
                                            • Example<\/strong>: Allow outbound to Azure Container Registry, Azure Storage, Key Vault endpoints (as appropriate) while denying unknown destinations.<\/li>\n<\/ul>\n\n\n\n

                                              6) M&A \/ multi-tenant consolidation<\/h3>\n\n\n\n
                                                \n
                                              • Problem<\/strong>: Newly acquired business units must be brought under a centralized security posture quickly.<\/li>\n
                                              • Why it fits<\/strong>: Central policy + association pattern accelerates standardization.<\/li>\n
                                              • Example<\/strong>: Add new spokes into shared hub, inherit baseline policy, and use a child policy for BU-specific apps.<\/li>\n<\/ul>\n\n\n\n

                                                7) Virtual WAN secured hub security standardization<\/h3>\n\n\n\n
                                                  \n
                                                • Problem<\/strong>: Large global WAN needs consistent security enforcement at hubs.<\/li>\n
                                                • Why it fits<\/strong>: Firewall Manager is designed to manage security in secured virtual hubs<\/strong>.<\/li>\n
                                                • Example<\/strong>: Global Virtual WAN with hubs in key regions; consistent security policy applied per hub.<\/li>\n<\/ul>\n\n\n\n

                                                  8) Central logging and SIEM integration readiness<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem<\/strong>: Firewall logs are inconsistent, scattered, or not collected.<\/li>\n
                                                  • Why it fits<\/strong>: Central deployments can standardize diagnostics settings patterns (implementation still requires Azure Monitor configuration).<\/li>\n
                                                  • Example<\/strong>: All Azure Firewalls forward logs to central Log Analytics workspace and Microsoft Sentinel.<\/li>\n<\/ul>\n\n\n\n

                                                    9) Shared services hub for outbound dependencies (DNS\/NTP\/updates)<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem<\/strong>: Workloads require a small set of essential outbound dependencies; everything else should be denied.<\/li>\n
                                                    • Why it fits<\/strong>: Central policy codifies essential services and simplifies expansion as needed.<\/li>\n
                                                    • Example<\/strong>: Allow DNS to internal resolvers, allow OS updates and time sync; deny everything else.<\/li>\n<\/ul>\n\n\n\n

                                                      10) Incident response: fast global block rule rollout<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem<\/strong>: A newly discovered malicious domain\/IP must be blocked everywhere quickly.<\/li>\n
                                                      • Why it fits<\/strong>: Central policy update applies across many firewalls (depending on your association strategy).<\/li>\n
                                                      • Example<\/strong>: Add \u201cdeny known IOC list\u201d rule collection group at high priority in parent policy.<\/li>\n<\/ul>\n\n\n\n

                                                        6. Core Features<\/h2>\n\n\n\n

                                                        Azure Firewall Manager\u2019s value is mainly in centralized policy and deployment workflows. Key features include:<\/p>\n\n\n\n

                                                        1) Centralized Azure Firewall Policy management<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does<\/strong>: Lets you create and manage Azure Firewall Policies centrally (often via the Firewall Manager portal experience).<\/li>\n
                                                        • Why it matters<\/strong>: Standardizes rules and reduces configuration drift across multiple environments.<\/li>\n
                                                        • Practical benefit<\/strong>: Faster change implementation and consistent enforcement.<\/li>\n
                                                        • Caveats<\/strong>: Policy changes affect associated firewalls; apply change control and testing.<\/li>\n<\/ul>\n\n\n\n

                                                          2) Policy association to multiple Azure Firewalls<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does<\/strong>: Enables associating a single policy to one or more Azure Firewall instances.<\/li>\n
                                                          • Why it matters<\/strong>: Promotes reuse and consistency across regions and hubs.<\/li>\n
                                                          • Practical benefit<\/strong>: One policy update can roll out to many enforcement points.<\/li>\n
                                                          • Caveats<\/strong>: Validate impact\u2014shared policies can create unintended blast radius if not designed properly.<\/li>\n<\/ul>\n\n\n\n

                                                            3) Hierarchical firewall policies (parent\/child)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does<\/strong>: Supports a base (parent) policy inherited by child policies, allowing overrides\/extension where supported.<\/li>\n
                                                            • Why it matters<\/strong>: Enables enterprise governance patterns: central security baseline + workload flexibility.<\/li>\n
                                                            • Practical benefit<\/strong>: Security team controls non-negotiable rules; app teams add necessary exceptions.<\/li>\n
                                                            • Caveats<\/strong>: Hierarchical behavior has specific rules about evaluation and what can be overridden; verify in official docs and test.<\/li>\n<\/ul>\n\n\n\n

                                                              4) Support for secured virtual hubs (Azure Virtual WAN)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does<\/strong>: Helps configure security providers (Azure Firewall or supported partners) for Virtual WAN hubs and apply policy.<\/li>\n
                                                              • Why it matters<\/strong>: Virtual WAN is common in global enterprise networking; security must be consistent at hubs.<\/li>\n
                                                              • Practical benefit<\/strong>: Standard hub security posture with centralized management.<\/li>\n
                                                              • Caveats<\/strong>: Virtual WAN and secured hubs add additional cost and have specific constraints; verify topology requirements.<\/li>\n<\/ul>\n\n\n\n

                                                                5) Central governance for hub-and-spoke inspection architectures<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does<\/strong>: Aligns with hub-and-spoke designs where traffic is routed through a central firewall.<\/li>\n
                                                                • Why it matters<\/strong>: Hub-and-spoke is a foundational Azure Networking model.<\/li>\n
                                                                • Practical benefit<\/strong>: Repeatable designs across subscriptions and business units.<\/li>\n
                                                                • Caveats<\/strong>: Requires correct routing (UDRs), DNS planning, and careful segmentation design.<\/li>\n<\/ul>\n\n\n\n

                                                                  6) Integration with Azure role-based access control (RBAC)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does<\/strong>: Uses Azure RBAC to control who can create policies, modify rules, and associate policies.<\/li>\n
                                                                  • Why it matters<\/strong>: Supports separation of duties and least privilege.<\/li>\n
                                                                  • Practical benefit<\/strong>: Delegated management\u2014platform team manages infrastructure, security team manages policy.<\/li>\n
                                                                  • Caveats<\/strong>: Mis-scoped roles can lead to accidental broad permissions; use resource group scoping and PIM where possible.<\/li>\n<\/ul>\n\n\n\n

                                                                    7) Works with Azure Firewall logging and diagnostics<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does<\/strong>: While logging is configured on Azure Firewall resources, Firewall Manager architectures typically standardize log pipelines.<\/li>\n
                                                                    • Why it matters<\/strong>: Without logs, firewall enforcement becomes hard to audit and troubleshoot.<\/li>\n
                                                                    • Practical benefit<\/strong>: Central visibility for allow\/deny, threat intel hits, and operational troubleshooting.<\/li>\n
                                                                    • Caveats<\/strong>: Logging costs can be significant (Log Analytics ingestion\/retention).<\/li>\n<\/ul>\n\n\n\n

                                                                      8) Supports standardized deployments and lifecycle operations<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does<\/strong>: Helps you deploy new firewalls or secured hubs in a repeatable, centrally managed way (commonly via portal, IaC, or both).<\/li>\n
                                                                      • Why it matters<\/strong>: Enterprises need consistency across environments.<\/li>\n
                                                                      • Practical benefit<\/strong>: Reduced time-to-deploy and reduced configuration drift.<\/li>\n
                                                                      • Caveats<\/strong>: Your IaC approach (Bicep\/Terraform) should codify policies and associations for repeatability; portal-only workflows are harder to audit.<\/li>\n<\/ul>\n\n\n\n

                                                                        7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                        High-level architecture<\/h3>\n\n\n\n

                                                                        Azure Firewall Manager sits in the control plane and manages Azure Firewall Policies<\/strong> and their association to Azure Firewall<\/strong> and\/or Virtual WAN secured hubs<\/strong>. The actual traffic inspection occurs in Azure Firewall data plane.<\/p>\n\n\n\n

                                                                        Key concepts:\n– Control plane<\/strong>: Create\/modify policy, associate policy, configure hub security.\n– Data plane<\/strong>: Azure Firewall processes traffic, applies policy rules, produces logs.<\/p>\n\n\n\n

                                                                        Request\/data flow vs control flow<\/h3>\n\n\n\n
                                                                          \n
                                                                        • \n

                                                                          Control flow<\/strong> (administrative):\n 1. Admin defines rules in Azure Firewall Policy (often via Firewall Manager experience).\n 2. Policy is associated to an Azure Firewall or secured virtual hub.\n 3. Azure Firewall enforces rules and emits logs\/metrics.<\/p>\n<\/li>\n

                                                                        • \n

                                                                          Data flow<\/strong> (network traffic):\n 1. Workload in a spoke subnet sends traffic.\n 2. Route table (UDR) sends 0.0.0.0\/0 or specific prefixes to Azure Firewall private IP (hub).\n 3. Azure Firewall evaluates rules (network\/application\/NAT).\n 4. Traffic is allowed\/denied; logs written to configured destinations.<\/p>\n<\/li>\n<\/ul>\n\n\n\n

                                                                          Integrations with related services<\/h3>\n\n\n\n

                                                                          Common integrations in Azure Networking and security architectures:\n– Virtual Network peering<\/strong>: connect spokes to hub VNet.\n– Route tables (UDR)<\/strong>: force traffic through Azure Firewall.\n– Azure Monitor + Log Analytics<\/strong>: collect firewall logs and metrics.\n– Microsoft Sentinel<\/strong>: SIEM\/SOAR on top of Log Analytics.\n– Azure Policy<\/strong>: govern resource configurations (for example, enforce diagnostics settings or tagging). Exact built-in policies vary; verify.\n– Private DNS \/ DNS Resolver<\/strong>: ensure consistent DNS resolution for FQDN-based rules and private endpoints.\n– ExpressRoute\/VPN Gateway<\/strong>: hybrid connectivity; hub inspection patterns often apply.<\/p>\n\n\n\n

                                                                          Dependency services<\/h3>\n\n\n\n

                                                                          Azure Firewall Manager deployments typically depend on:\n– Azure Firewall (Standard or Premium; Basic has different capabilities\u2014verify applicability)\n– VNets\/subnets (AzureFirewallSubnet required for VNet-based firewall)\n– Public IP addresses (for outbound SNAT and inbound DNAT scenarios)\n– Route tables (UDRs) for traffic steering\n– Log Analytics workspace (if enabling logs)<\/p>\n\n\n\n

                                                                          Security\/authentication model<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Uses Azure RBAC<\/strong> for management actions.<\/li>\n
                                                                          • Supports governance via management groups, subscriptions, resource groups.<\/li>\n
                                                                          • For policy changes, use least privilege<\/strong>, PIM<\/strong>, and change control.<\/li>\n<\/ul>\n\n\n\n

                                                                            Networking model<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Hub-and-spoke:<\/li>\n
                                                                            • Hub VNet contains Azure Firewall and shared services.<\/li>\n
                                                                            • Spoke VNets peer to hub.<\/li>\n
                                                                            • \n

                                                                              UDRs force spoke subnets through firewall.<\/p>\n<\/li>\n

                                                                            • \n

                                                                              Virtual WAN:<\/p>\n<\/li>\n

                                                                            • Virtual hubs connect VNets and on-prem via hub.<\/li>\n
                                                                            • Secured hub deploys security provider in hub.<\/li>\n<\/ul>\n\n\n\n

                                                                              Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                \n
                                                                              • Enable Azure Firewall diagnostic logs:<\/li>\n
                                                                              • Application rule logs<\/li>\n
                                                                              • Network rule logs<\/li>\n
                                                                              • NAT rule logs<\/li>\n
                                                                              • Threat intelligence logs (if enabled)<\/li>\n
                                                                              • IDPS\/TLS inspection logs for Premium features (verify)<\/li>\n
                                                                              • Send logs to:<\/li>\n
                                                                              • Log Analytics (common)<\/li>\n
                                                                              • Storage account (archival)<\/li>\n
                                                                              • Event Hub (streaming to SIEM)<\/li>\n<\/ul>\n\n\n\n

                                                                                Simple architecture diagram (Mermaid)<\/h4>\n\n\n\n
                                                                                flowchart LR\n  Admin[Admin \/ SecOps] -->|Define policy| AFM[Azure Firewall Manager]\n  AFM -->|Creates\/updates| AFP[Azure Firewall Policy]\n  AFP -->|Associated to| AF[Azure Firewall in Hub VNet]\n  Spoke[Spoke Workload Subnet] -->|UDR to firewall| AF\n  AF -->|Allow\/Deny| Internet[(Internet)]\n  AF --> Logs[Azure Monitor \/ Log Analytics]\n<\/code><\/pre>\n\n\n\n
                                                                                Production-style architecture diagram (Mermaid)<\/h4>\n\n\n\n
                                                                                flowchart TB\n  subgraph MG[Management Group \/ Governance]\n    RBAC[Azure RBAC + PIM]\n    AzPolicy[Azure Policy (governance)]\n  end\n\n  subgraph Sec[Security Operations]\n    AFM[Azure Firewall Manager]\n    Parent[Parent Firewall Policy (baseline)]\n    ChildA[Child Policy - App A]\n    ChildB[Child Policy - App B]\n    LA[Log Analytics Workspace]\n    Sentinel[Microsoft Sentinel]\n  end\n\n  subgraph Region1[Region 1]\n    subgraph Hub1[Hub VNet]\n      AF1[Azure Firewall]\n      DNS1[DNS \/ Resolver (optional)]\n    end\n    subgraph Spokes1[Spoke VNets]\n      AppA1[App A Subnet]\n      AppB1[App B Subnet]\n    end\n  end\n\n  subgraph Region2[Region 2]\n    subgraph Hub2[Hub VNet]\n      AF2[Azure Firewall]\n    end\n    subgraph Spokes2[Spoke VNets]\n      AppA2[App A Subnet]\n    end\n  end\n\n  Internet[(Internet)]\n  OnPrem[(On-prem via VPN\/ER)]\n\n  RBAC --> AFM\n  AzPolicy --> AF1\n  AzPolicy --> AF2\n\n  AFM --> Parent\n  Parent --> ChildA\n  Parent --> ChildB\n  ChildA --> AF1\n  ChildB --> AF1\n  Parent --> AF2\n\n  AppA1 -->|UDR| AF1\n  AppB1 -->|UDR| AF1\n  AppA2 -->|UDR| AF2\n\n  AF1 --> Internet\n  AF2 --> Internet\n\n  OnPrem --> AF1\n  OnPrem --> AF2\n\n  AF1 --> LA\n  AF2 --> LA\n  LA --> Sentinel\n<\/code><\/pre>\n\n\n\n
                                                                                8. Prerequisites<\/h2>\n\n\n\n
                                                                                Before starting with Azure Firewall Manager in a hands-on lab or production:<\/p>\n\n\n\n
                                                                                Account\/subscription requirements<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • An active Azure subscription<\/strong> with billing enabled.<\/li>\n
                                                                                • Ability to create resource groups, VNets, Azure Firewall, route tables, and VMs.<\/li>\n<\/ul>\n\n\n\n
                                                                                  Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                  You need Azure RBAC permissions such as:\n– For lab simplicity: Owner<\/strong> or Contributor<\/strong> on the subscription or target resource group.\n– For least-privilege setups (recommended in real environments):\n  – Permissions to manage Azure Firewall Policy<\/strong>\n  – Permissions to manage Azure Firewall<\/strong>\n  – Permissions to manage Networking<\/strong> (VNets, subnets, route tables, peering)\n  – Permissions to configure diagnostic settings<\/strong> (Microsoft.Insights)<\/p>\n\n\n\n
                                                                                  Role names and exact permissions vary; verify in official docs and your organization\u2019s RBAC model.<\/p>\n\n\n\n
                                                                                  Billing requirements<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Azure Firewall is a paid service (hourly + data processing). Logs may add cost.<\/li>\n
                                                                                  • VM for validation is paid (compute + disk).<\/li>\n
                                                                                  • Public IP resources incur cost.<\/li>\n<\/ul>\n\n\n\n
                                                                                    Tools (CLI\/SDK\/portal)<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Azure portal (recommended for Firewall Manager experience).<\/li>\n
                                                                                    • Azure CLI (optional but useful): https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/li>\n
                                                                                    • SSH client (if using Linux VM) or RDP client (if using Windows VM).<\/li>\n<\/ul>\n\n\n\n
                                                                                      Region availability<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Azure Firewall and Azure Firewall Policy availability varies by region.<\/li>\n
                                                                                      • Firewall Manager experience is generally available where Azure Firewall is available, but always verify region support<\/strong> in official docs for your target region(s), especially for Virtual WAN secured hubs and partner providers.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Quotas\/limits<\/h3>\n\n\n\n
                                                                                        Common limits come from Azure Firewall and policy objects, not specifically Firewall Manager:\n– Rule collection group limits\n– Number of rules\n– IP group limits\n– Public IP limitations\n– Virtual WAN hub constraints (if using secured hub)\nThese limits evolve; verify in official docs<\/strong> before large-scale designs.<\/p>\n\n\n\n
                                                                                        Prerequisite services<\/h3>\n\n\n\n
                                                                                        For the lab (VNet-based hub-and-spoke):\n– Resource group\n– Hub VNet + AzureFirewallSubnet\n– Spoke VNet + workload subnet\n– Azure Firewall (Standard\/Premium; choose based on needs)\n– Route table (UDR) to force traffic through the firewall\n– Test VM in the spoke subnet<\/p>\n\n\n\n
                                                                                        9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                        Azure Firewall Manager is primarily a management experience; the main costs come from the resources it manages and the telemetry you enable.<\/p>\n\n\n\n
                                                                                        Pricing dimensions (what you pay for)<\/h3>\n\n\n\n
                                                                                        You should model costs across these dimensions:<\/p>\n\n\n\n
                                                                                          \n
                                                                                        1. \n
                                                                                          Azure Firewall<\/strong>\n   – Billed per deployment\/SKU (for example Standard vs Premium) with:<\/p>\n
                                                                                            \n
                                                                                          • Hourly<\/strong> charge (running instance time)<\/li>\n
                                                                                          • Data processing<\/strong> charge (GB processed)<\/li>\n
                                                                                          • Source: Azure Firewall pricing page: https:\/\/azure.microsoft.com\/pricing\/details\/azure-firewall\/<\/li>\n<\/ul>\n<\/li>\n
                                                                                          • \n
                                                                                            Azure Virtual WAN \/ secured virtual hub<\/strong> (only if you use Virtual WAN)\n   – Virtual WAN and hubs have their own pricing components.\n   – Source: Virtual WAN pricing: https:\/\/azure.microsoft.com\/pricing\/details\/virtual-wan\/<\/p>\n<\/li>\n
                                                                                          • \n
                                                                                            Public IP addresses<\/strong>\n   – Standard public IP resources incur charges.\n   – Pricing varies by SKU and region; verify on Azure pricing.<\/p>\n<\/li>\n
                                                                                          • \n
                                                                                            Logging and monitoring<\/strong>\n   – Log Analytics ingestion and retention can become a major cost driver.\n   – Microsoft Sentinel adds additional cost on top of Log Analytics (if used).<\/p>\n<\/li>\n
                                                                                          • \n
                                                                                            Network egress<\/strong>\n   – Outbound data transfer to the internet is typically chargeable.\n   – Inter-region traffic may incur costs depending on routing patterns.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                            Free tier<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Azure Firewall Manager itself is commonly presented as having no separate line-item cost, but this can change. Verify in official docs\/pricing<\/strong>.<\/li>\n
                                                                                            • There is no meaningful \u201cfree tier\u201d for Azure Firewall usage; running a firewall incurs cost.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Cost drivers (what increases your bill)<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Firewall SKU<\/strong>: Premium typically costs more than Standard.<\/li>\n
                                                                                              • Traffic volume<\/strong>: Data processed charges scale with throughput.<\/li>\n
                                                                                              • Log volume<\/strong>: Deny-heavy rulesets and verbose diagnostics increase log ingestion.<\/li>\n
                                                                                              • Architecture choices<\/strong>:<\/li>\n
                                                                                              • Virtual WAN secured hubs add hub-related costs.<\/li>\n
                                                                                              • Multi-region deployments multiply fixed hourly components.<\/li>\n
                                                                                              • Always-on resources<\/strong>: Firewalls are typically always-on for production.<\/li>\n<\/ul>\n\n\n\n
                                                                                                Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Log Analytics retention<\/strong>: longer retention increases cost.<\/li>\n
                                                                                                • Sentinel<\/strong>: additional SIEM cost (if enabled).<\/li>\n
                                                                                                • Operational overhead<\/strong>: not a cloud bill item, but change management and troubleshooting time is real; centralized management can reduce it.<\/li>\n
                                                                                                • Data transfer<\/strong>:<\/li>\n
                                                                                                • Forced tunneling patterns can increase egress and routing complexity.<\/li>\n
                                                                                                • Inter-region inspection can cause unexpected bandwidth charges and latency (avoid unless required).<\/li>\n<\/ul>\n\n\n\n
                                                                                                  How to optimize cost (without weakening security)<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Start with Standard SKU<\/strong> unless you need Premium-only features (TLS inspection\/IDPS, etc.\u2014verify feature requirements).<\/li>\n
                                                                                                  • Keep firewall policies clean:<\/li>\n
                                                                                                  • Avoid overly broad logging in steady state; use targeted diagnostics for investigations.<\/li>\n
                                                                                                  • Use rule ordering to reduce unnecessary rule evaluations and deny noise.<\/li>\n
                                                                                                  • Centralize logging smartly:<\/li>\n
                                                                                                  • Tune Log Analytics retention.<\/li>\n
                                                                                                  • Consider archiving to Storage for long-term retention and using LA for shorter hot retention.<\/li>\n
                                                                                                  • For dev\/test:<\/li>\n
                                                                                                  • Use strict cleanup discipline; firewalls are expensive if left running.<\/li>\n
                                                                                                  • Consider whether NSGs or smaller patterns are sufficient for non-production (risk-based decision).<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n
                                                                                                    A minimal lab will typically include:\n– 1 Azure Firewall (Standard) running for a short time\n– 1 small Linux VM for testing\n– 1 public IP for the firewall\n– Log Analytics workspace (optional)\nYour cost will be dominated by Azure Firewall hourly + data processing<\/strong>. Run the lab briefly, validate, then delete resources<\/strong>.<\/p>\n\n\n\n
                                                                                                    Because prices vary by region and change over time, do not use static numbers here. Use:\n– Pricing: https:\/\/azure.microsoft.com\/pricing\/details\/azure-firewall\/\n– Calculator: https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/p>\n\n\n\n
                                                                                                    Example production cost considerations<\/h3>\n\n\n\n
                                                                                                    In production, consider:\n– One firewall per region (or per hub) for latency and resiliency.\n– Log Analytics ingestion at scale (can be significant).\n– Virtual WAN hub costs if you standardize on secured hubs.\n– Additional services: DDoS Protection, Sentinel, third-party security providers.<\/p>\n\n\n\n
                                                                                                    10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                    This lab uses VNet hub-and-spoke<\/strong> with an Azure Firewall<\/strong> in the hub VNet. You will create and manage the firewall policy via the Azure Firewall Manager<\/strong> experience, associate it to the firewall, route spoke egress through the hub, and validate that traffic is allowed\/blocked as expected.<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                    Cost warning: Azure Firewall is not a low-cost service. Do this lab in a non-production subscription, keep the runtime short, and complete cleanup.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                    Objective<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Deploy a hub-and-spoke network.<\/li>\n
                                                                                                    • Deploy Azure Firewall in the hub.<\/li>\n
                                                                                                    • Create an Azure Firewall Policy<\/strong> using Azure Firewall Manager<\/strong>.<\/li>\n
                                                                                                    • Associate the policy to the firewall.<\/li>\n
                                                                                                    • Force spoke VM outbound traffic through the firewall using a route table.<\/li>\n
                                                                                                    • Validate an allow rule and a deny rule.<\/li>\n
                                                                                                    • Clean up all resources.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Lab Overview<\/h3>\n\n\n\n
                                                                                                      You will build:<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                      • Hub VNet<\/strong>: 10.0.0.0\/16<\/code><\/li>\n
                                                                                                      • AzureFirewallSubnet<\/code>: 10.0.0.0\/24<\/code> (required name)<\/li>\n
                                                                                                      • HubSharedSubnet<\/code> (optional): 10.0.1.0\/24<\/code> (not required)<\/li>\n
                                                                                                      • Spoke VNet<\/strong>: 10.1.0.0\/16<\/code><\/li>\n
                                                                                                      • WorkloadSubnet<\/code>: 10.1.1.0\/24<\/code><\/li>\n
                                                                                                      • Azure Firewall<\/strong> in hub with a public IP<\/li>\n
                                                                                                      • Firewall Policy<\/strong> (via Azure Firewall Manager)<\/li>\n
                                                                                                      • Application rule: allow ifconfig.me<\/code> over HTTP\/HTTPS (or another test endpoint)<\/li>\n
                                                                                                      • Network rule: optionally allow DNS to a resolver if needed<\/li>\n
                                                                                                      • Default deny (implicit)<\/li>\n
                                                                                                      • Route table<\/strong> on spoke workload subnet:<\/li>\n
                                                                                                      • 0.0.0.0\/0<\/code> next hop = Virtual appliance (Azure Firewall private IP)<\/li>\n
                                                                                                      • Linux VM<\/strong> in spoke to test connectivity<\/li>\n<\/ul>\n\n\n\n
                                                                                                        \n
                                                                                                        Note on test endpoints: Choose a stable public endpoint you control or a well-known endpoint. Some sites block cloud IPs or change behavior. You can substitute another domain and adjust rules accordingly.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                        Step 1: Create the resource group and networks (Azure CLI)<\/h3>\n\n\n\n
                                                                                                        1) Open Cloud Shell (Bash) in the Azure portal or use local Azure CLI.<\/p>\n\n\n\n
                                                                                                        2) Set variables (adjust region as needed):<\/p>\n\n\n\n
                                                                                                        RG=\"rg-afm-lab\"\nLOC=\"eastus\"\n\nHUB_VNET=\"vnet-hub-afm\"\nSPOKE_VNET=\"vnet-spoke-afm\"\n\nHUB_CIDR=\"10.0.0.0\/16\"\nAF_SUBNET_CIDR=\"10.0.0.0\/24\"\nSPOKE_CIDR=\"10.1.0.0\/16\"\nWORKLOAD_SUBNET_CIDR=\"10.1.1.0\/24\"\n\naz group create -n \"$RG\" -l \"$LOC\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Resource group created.<\/p>\n\n\n\n
                                                                                                        3) Create hub VNet with AzureFirewallSubnet:<\/p>\n\n\n\n
                                                                                                        az network vnet create \\\n  -g \"$RG\" -n \"$HUB_VNET\" -l \"$LOC\" \\\n  --address-prefixes \"$HUB_CIDR\" \\\n  --subnet-name \"AzureFirewallSubnet\" \\\n  --subnet-prefixes \"$AF_SUBNET_CIDR\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Hub VNet with AzureFirewallSubnet<\/code> exists.<\/p>\n\n\n\n
                                                                                                        4) Create spoke VNet:<\/p>\n\n\n\n
                                                                                                        az network vnet create \\\n  -g \"$RG\" -n \"$SPOKE_VNET\" -l \"$LOC\" \\\n  --address-prefixes \"$SPOKE_CIDR\" \\\n  --subnet-name \"WorkloadSubnet\" \\\n  --subnet-prefixes \"$WORKLOAD_SUBNET_CIDR\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Spoke VNet with WorkloadSubnet<\/code> exists.<\/p>\n\n\n\n
                                                                                                        5) Peer hub and spoke:<\/p>\n\n\n\n
                                                                                                        HUB_ID=$(az network vnet show -g \"$RG\" -n \"$HUB_VNET\" --query id -o tsv)\nSPOKE_ID=$(az network vnet show -g \"$RG\" -n \"$SPOKE_VNET\" --query id -o tsv)\n\naz network vnet peering create -g \"$RG\" --vnet-name \"$HUB_VNET\" \\\n  -n \"peer-hub-to-spoke\" --remote-vnet \"$SPOKE_ID\" --allow-vnet-access\n\naz network vnet peering create -g \"$RG\" --vnet-name \"$SPOKE_VNET\" \\\n  -n \"peer-spoke-to-hub\" --remote-vnet \"$HUB_ID\" --allow-vnet-access\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: VNet peering established both ways.<\/p>\n\n\n\n
                                                                                                        Step 2: Deploy Azure Firewall in the hub<\/h3>\n\n\n\n
                                                                                                        1) Create a public IP for the firewall:<\/p>\n\n\n\n
                                                                                                        PIP_NAME=\"pip-afm-fw\"\n\naz network public-ip create \\\n  -g \"$RG\" -n \"$PIP_NAME\" -l \"$LOC\" \\\n  --sku \"Standard\" \\\n  --allocation-method \"Static\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Standard static public IP created.<\/p>\n\n\n\n
                                                                                                        2) Create the Azure Firewall:<\/p>\n\n\n\n
                                                                                                        FW_NAME=\"afw-hub-afm\"\n\naz network firewall create -g \"$RG\" -n \"$FW_NAME\" -l \"$LOC\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Azure Firewall resource created (may take a few minutes).<\/p>\n\n\n\n
                                                                                                        3) Configure the firewall IP configuration:<\/p>\n\n\n\n
                                                                                                        az network firewall ip-config create \\\n  -g \"$RG\" -f \"$FW_NAME\" -n \"fw-ipconfig\" \\\n  --public-ip-address \"$PIP_NAME\" \\\n  --vnet-name \"$HUB_VNET\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Firewall has a public IP and is attached to the hub VNet.<\/p>\n\n\n\n
                                                                                                        4) Capture the firewall private IP (you\u2019ll need it for routing):<\/p>\n\n\n\n
                                                                                                        FW_PRIVATE_IP=$(az network firewall show -g \"$RG\" -n \"$FW_NAME\" \\\n  --query \"ipConfigurations[0].privateIPAddress\" -o tsv)\n\necho \"Firewall private IP: $FW_PRIVATE_IP\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: You have the firewall private IP address.<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                        If privateIPAddress<\/code> is empty, wait a few minutes and retry. Provisioning can take time.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                        Step 3: Create a Firewall Policy using Azure Firewall Manager (Portal)<\/h3>\n\n\n\n
                                                                                                        Azure Firewall Policy can be created via CLI, Bicep, Terraform, or portal. To explicitly use Azure Firewall Manager<\/strong>, do it through the portal experience.<\/p>\n\n\n\n
                                                                                                        1) In the Azure portal, search for Firewall Manager<\/strong> and open it.<\/p>\n\n\n\n
                                                                                                        2) Go to:\n– Azure Firewall policies<\/strong> \u2192 Create Azure Firewall policy<\/strong><\/p>\n\n\n\n
                                                                                                        3) Configure:\n– Subscription: your lab subscription\n– Resource group: rg-afm-lab<\/code>\n– Policy name: afwp-afm-lab<\/code>\n– Region: same as your firewall (for simplicity)\n– SKU: match your firewall needs (Standard is enough for this lab; Premium adds features\u2014verify)<\/p>\n\n\n\n
                                                                                                        Create the policy.<\/p>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: An Azure Firewall Policy resource exists.<\/p>\n\n\n\n
                                                                                                        Step 4: Add firewall rules to the policy (allow one site, deny everything else)<\/h3>\n\n\n\n
                                                                                                        You\u2019ll create an application rule<\/strong> allowing a specific FQDN, and rely on the default deny behavior for other outbound web requests.<\/p>\n\n\n\n
                                                                                                        1) In Firewall Manager<\/strong> \u2192 Azure Firewall policies<\/strong> \u2192 select afwp-afm-lab<\/code>.<\/p>\n\n\n\n
                                                                                                        2) Add a Rule collection group<\/strong> (example):\n– Name: rcg-lab-egress<\/code>\n– Priority: 100<\/code><\/p>\n\n\n\n
                                                                                                        3) Inside the rule collection group, add an Application rule collection<\/strong>:\n– Name: arc-allow-test<\/code>\n– Priority: 100<\/code>\n– Action: Allow<\/code><\/p>\n\n\n\n
                                                                                                        Add an application rule:\n– Name: allow-ifconfig<\/code>\n– Source type: IP address\n– Source: 10.1.1.0\/24<\/code> (workload subnet)\n– Protocols: http:80<\/code>, https:443<\/code>\n– Target FQDNs: ifconfig.me<\/code> (or your chosen test domain)<\/p>\n\n\n\n
                                                                                                        4) Save changes.<\/p>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Policy contains a rule that allows outbound web access only to the chosen domain (plus any other default allowances you add).<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                        DNS note: Application rules depend on DNS resolution. If your VM uses Azure-provided DNS, it should work, but in locked-down environments you may need explicit DNS rules and\/or a DNS resolver design. For this lab, keep DNS simple.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                        Step 5: Associate the policy to the Azure Firewall (using Firewall Manager)<\/h3>\n\n\n\n
                                                                                                        1) In Firewall Manager<\/strong>, find your firewall and associate the policy:\n– Go to Azure Firewalls<\/strong> (or equivalent blade that lists managed firewalls; UX can change\u2014verify)\n– Select afw-hub-afm<\/code>\n– Set Firewall policy<\/strong> = afwp-afm-lab<\/code>\n– Save<\/p>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: The Azure Firewall is now governed by the policy you created.<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                        Alternative method: You can set the policy directly on the Azure Firewall resource (outside Firewall Manager). For this tutorial, use Firewall Manager to reinforce the workflow.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                        Step 6: Create route table to force spoke egress through the firewall<\/h3>\n\n\n\n
                                                                                                        1) Create a route table:<\/p>\n\n\n\n
                                                                                                        RT_NAME=\"rt-spoke-egress\"\n\naz network route-table create -g \"$RG\" -n \"$RT_NAME\" -l \"$LOC\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        2) Create a default route (0.0.0.0\/0) to the firewall private IP:<\/p>\n\n\n\n
                                                                                                        az network route-table route create \\\n  -g \"$RG\" --route-table-name \"$RT_NAME\" \\\n  -n \"default-to-firewall\" \\\n  --address-prefix \"0.0.0.0\/0\" \\\n  --next-hop-type \"VirtualAppliance\" \\\n  --next-hop-ip-address \"$FW_PRIVATE_IP\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        3) Associate route table to the spoke workload subnet:<\/p>\n\n\n\n
                                                                                                        az network vnet subnet update \\\n  -g \"$RG\" --vnet-name \"$SPOKE_VNET\" -n \"WorkloadSubnet\" \\\n  --route-table \"$RT_NAME\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: Any outbound traffic from the workload subnet is routed through Azure Firewall.<\/p>\n\n\n\n
                                                                                                        Step 7: Create a test VM in the spoke<\/h3>\n\n\n\n
                                                                                                        Create a small Ubuntu VM (choose a small size to reduce cost). This VM does not need a public IP if you use Azure Bastion, a jumpbox, or Cloud Shell + run-command. For simplicity, this lab uses a public IP with SSH; secure it with a strong SSH key and restrict source IP where possible.<\/p>\n\n\n\n
                                                                                                        1) Create an NSG rule set (optional but recommended) and VM:<\/p>\n\n\n\n
                                                                                                        VM_NAME=\"vm-spoke-test\"\nADMIN_USER=\"azureuser\"\n\naz network nsg create -g \"$RG\" -n \"nsg-spoke-vm\" -l \"$LOC\"\n\n# Restrict SSH to your IP if possible (replace YOUR_PUBLIC_IP\/32)\n# If you cannot, you can temporarily open and then tighten.\naz network nsg rule create -g \"$RG\" --nsg-name \"nsg-spoke-vm\" \\\n  -n \"Allow-SSH\" --priority 1000 \\\n  --access Allow --protocol Tcp --direction Inbound \\\n  --source-address-prefixes \"YOUR_PUBLIC_IP\/32\" \\\n  --source-port-ranges \"*\" \\\n  --destination-address-prefixes \"*\" --destination-port-ranges 22\n\naz vm create -g \"$RG\" -n \"$VM_NAME\" -l \"$LOC\" \\\n  --image \"Ubuntu2204\" \\\n  --vnet-name \"$SPOKE_VNET\" --subnet \"WorkloadSubnet\" \\\n  --nsg \"nsg-spoke-vm\" \\\n  --admin-username \"$ADMIN_USER\" \\\n  --generate-ssh-keys\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: A Linux VM is created in the spoke subnet.<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                        If you cannot restrict SSH to a fixed IP, use Azure Bastion instead. Bastion adds cost but avoids exposing SSH to the internet.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                        Validation<\/h3>\n\n\n\n
                                                                                                        You will validate that:\n1) The allowed domain is reachable (HTTP\/HTTPS).\n2) A disallowed domain is blocked.<\/p>\n\n\n\n
                                                                                                        1) SSH to the VM:<\/p>\n\n\n\n
                                                                                                        VM_PIP=$(az vm show -g \"$RG\" -n \"$VM_NAME\" -d --query publicIps -o tsv)\nssh \"${ADMIN_USER}@${VM_PIP}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        2) From the VM, test the allowed domain:<\/p>\n\n\n\n
                                                                                                        curl -I https:\/\/ifconfig.me\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: You should receive an HTTP response (for example 200 OK<\/code> or a redirect). If it times out or fails, check troubleshooting.<\/p>\n\n\n\n
                                                                                                        3) Test a disallowed domain (example):<\/p>\n\n\n\n
                                                                                                        curl -I https:\/\/example.com\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: This should fail (timeout\/connection reset) because the policy only allows ifconfig.me<\/code> for HTTP\/HTTPS.<\/p>\n\n\n\n
                                                                                                        4) Confirm logs (recommended):\n– In Azure portal, go to the Azure Firewall resource \u2192 Logs<\/strong> (or Log Analytics if configured).\n– If you configured diagnostic settings to Log Analytics, query firewall logs to confirm allow\/deny events.<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                        Log query details vary by diagnostic configuration and table names; verify the current Azure Firewall logging schema in official docs.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                        Troubleshooting<\/h3>\n\n\n\n
                                                                                                        Common issues in Azure Firewall Manager \/ Azure Firewall labs:<\/p>\n\n\n\n
                                                                                                        1) Firewall private IP is empty<\/strong>\n– Cause: Firewall not fully provisioned.\n– Fix: Wait 5\u201315 minutes and re-run the query.<\/p>\n\n\n\n
                                                                                                        2) Traffic bypasses the firewall<\/strong>\n– Cause: Route table not associated to subnet, wrong next hop IP, or VM in different subnet.\n– Fix:\n  – Confirm the route table is attached to WorkloadSubnet<\/code>.\n  – Confirm 0.0.0.0\/0<\/code> route points to firewall private IP.\n  – Check effective routes on the VM NIC in the portal.<\/p>\n\n\n\n
                                                                                                        3) DNS resolution issues break FQDN rules<\/strong>\n– Cause: Application rules require DNS; if DNS is blocked or misrouted, FQDN-based allow rules won\u2019t match.\n– Fix:\n  – Ensure the VM can resolve DNS (try nslookup ifconfig.me<\/code>).\n  – Verify your DNS architecture (Azure-provided DNS vs custom resolver).\n  – In more advanced setups, explicitly allow DNS traffic to your resolver and ensure that traffic also routes appropriately.<\/p>\n\n\n\n
                                                                                                        4) SSH NSG rule blocks you<\/strong>\n– Cause: Wrong source IP in NSG rule.\n– Fix: Update NSG inbound rule to your current public IP, or use Bastion.<\/p>\n\n\n\n
                                                                                                        5) Policy association not applied<\/strong>\n– Cause: Policy not associated, or applied to different firewall, or propagation delay.\n– Fix:\n  – Verify Azure Firewall resource shows the policy attached.\n  – Wait a few minutes for propagation.\n  – Confirm you edited the correct policy\/rule collection group.<\/p>\n\n\n\n
                                                                                                        Cleanup<\/h3>\n\n\n\n
                                                                                                        Delete the resource group to remove everything created:<\/p>\n\n\n\n
                                                                                                        az group delete -n \"$RG\" --yes --no-wait\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome<\/strong>: All lab resources (firewall, policy, VNets, VM, public IPs, route tables) are deleted. Monitor deletion to ensure no billable resources remain.<\/p>\n\n\n\n
                                                                                                        11. Best Practices<\/h2>\n\n\n\n
                                                                                                        Architecture best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Use hub-and-spoke or Virtual WAN intentionally<\/strong>:<\/li>\n
                                                                                                        • Hub-and-spoke is straightforward and common for many orgs.<\/li>\n
                                                                                                        • Virtual WAN is ideal for large-scale global connectivity and standardized hubs.<\/li>\n
                                                                                                        • Avoid cross-region inspection unless required<\/strong>: It increases latency and may increase bandwidth charges.<\/li>\n
                                                                                                        • Design for blast radius<\/strong>:<\/li>\n
                                                                                                        • Use separate policies or child policies per environment\/team to reduce the risk of one change impacting all.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Separate duties<\/strong>:<\/li>\n
                                                                                                          • Platform team: networking resources, firewall deployment, routing<\/li>\n
                                                                                                          • Security team: firewall policy rules and change approval<\/li>\n
                                                                                                          • Use least privilege<\/strong>:<\/li>\n
                                                                                                          • Scope RBAC to the resource group containing firewall policies.<\/li>\n
                                                                                                          • Use Azure AD Privileged Identity Management (PIM) for elevated roles.<\/li>\n
                                                                                                          • Tagging and ownership<\/strong>:<\/li>\n
                                                                                                          • Tag policies and firewalls with owner, environment, cost center, and change group.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Cost best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Right-size your footprint<\/strong>: Avoid deploying firewalls in regions you don\u2019t need.<\/li>\n
                                                                                                            • Manage logs intentionally<\/strong>:<\/li>\n
                                                                                                            • Send to Log Analytics with tuned retention.<\/li>\n
                                                                                                            • Archive long-term logs to Storage when appropriate.<\/li>\n
                                                                                                            • Dev\/test discipline<\/strong>: Tear down lab\/test firewalls promptly.<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Performance best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Keep rule sets maintainable<\/strong>:<\/li>\n
                                                                                                              • Use structured rule collection groups and priorities.<\/li>\n
                                                                                                              • Keep high-frequency allow rules early where appropriate (validate behavior with docs).<\/li>\n
                                                                                                              • Minimize overly broad application rules<\/strong>:<\/li>\n
                                                                                                              • Prefer specific FQDNs and destination constraints.<\/li>\n
                                                                                                              • Plan DNS<\/strong>:<\/li>\n
                                                                                                              • FQDN-based rules require reliable DNS resolution; treat DNS as a critical dependency.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Reliability best practices<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Plan for regional failures<\/strong>:<\/li>\n
                                                                                                                • For mission-critical systems, design multi-region patterns and failover strategies.<\/li>\n
                                                                                                                • Avoid single points of operational failure<\/strong>:<\/li>\n
                                                                                                                • Use IaC to recreate configuration consistently.<\/li>\n
                                                                                                                • Use controlled change rollout (staged environments).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Operations best practices<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Centralize monitoring<\/strong>:<\/li>\n
                                                                                                                  • Standardize diagnostics settings for all Azure Firewalls.<\/li>\n
                                                                                                                  • Use alerts on key signals (threat intel hits, unusual deny spikes, health signals).<\/li>\n
                                                                                                                  • Runbooks<\/strong>:<\/li>\n
                                                                                                                  • Document how to add rules, validate changes, and roll back.<\/li>\n
                                                                                                                  • Change control<\/strong>:<\/li>\n
                                                                                                                  • Use pull requests and IaC for policy\/rule changes where possible.<\/li>\n
                                                                                                                  • If using portal changes, maintain audit trails and approvals.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Naming examples:<\/li>\n
                                                                                                                    • Policies: afwp-{org}-{env}-{region}-{purpose}<\/code><\/li>\n
                                                                                                                    • Firewalls: afw-{org}-{env}-{region}-hub<\/code><\/li>\n
                                                                                                                    • Route tables: rt-{env}-{spoke}-egress<\/code><\/li>\n
                                                                                                                    • Tag baseline:<\/li>\n
                                                                                                                    • Environment<\/code>, Owner<\/code>, CostCenter<\/code>, DataClassification<\/code>, ChangeGroup<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                      12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                      Identity and access model<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Azure RBAC<\/strong> controls who can:<\/li>\n
                                                                                                                      • Create\/modify firewall policies<\/li>\n
                                                                                                                      • Associate policies to firewalls\/hubs<\/li>\n
                                                                                                                      • Configure diagnostics and routing<\/li>\n
                                                                                                                      • Recommendations:<\/li>\n
                                                                                                                      • Use management groups<\/strong> and consistent RBAC assignments.<\/li>\n
                                                                                                                      • Use PIM<\/strong> for privileged roles.<\/li>\n
                                                                                                                      • Use separate resource groups for:
                                                                                                                          \n
                                                                                                                        • Networking infrastructure<\/li>\n
                                                                                                                        • Security policies<\/li>\n
                                                                                                                        • Workloads (spokes)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Encryption<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Control plane operations use Azure\u2019s standard secure management plane.<\/li>\n
                                                                                                                          • Data plane encryption depends on your workloads (TLS, IPsec, etc.).<\/li>\n
                                                                                                                          • If using Azure Firewall Premium TLS inspection, certificate and key handling becomes critical\u2014verify Premium requirements and harden key management<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Network exposure<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Avoid exposing management endpoints unnecessarily.<\/li>\n
                                                                                                                            • Use secure administrative access patterns:<\/li>\n
                                                                                                                            • Bastion for VM access<\/li>\n
                                                                                                                            • Restrictive NSGs<\/li>\n
                                                                                                                            • No public IPs on workloads when not needed<\/li>\n
                                                                                                                            • For inbound publishing:<\/li>\n
                                                                                                                            • Prefer Application Gateway\/WAF for HTTP(S) front doors.<\/li>\n
                                                                                                                            • Use Azure Firewall DNAT where it fits, but ensure strict destination constraints.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Secrets handling<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Firewall policies themselves generally do not require secrets.<\/li>\n
                                                                                                                              • If TLS inspection is used (Premium), certificate management becomes a secret-handling concern. Use Key Vault and strict access controls where supported; verify current integration guidance.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Enable diagnostic logs for Azure Firewall and route to central logging.<\/li>\n
                                                                                                                                • Integrate with Microsoft Sentinel for detection and response if desired.<\/li>\n
                                                                                                                                • Regularly review:<\/li>\n
                                                                                                                                • Rule change history (via Azure Activity Log)<\/li>\n
                                                                                                                                • Firewall deny spikes (could indicate misconfig or malicious activity)<\/li>\n
                                                                                                                                • Threat intelligence events (if enabled)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                  Azure Firewall Manager supports compliance goals by enabling centralized policy and auditing, but compliance depends on:\n– Your control implementation (rules, logging, retention, incident response)\n– Proper identity governance\n– Network segmentation design<\/p>\n\n\n\n
                                                                                                                                  Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Overly permissive \u201callow all outbound\u201d rules for convenience.<\/li>\n
                                                                                                                                  • Not forcing routes through firewall (traffic bypass).<\/li>\n
                                                                                                                                  • No logging or short retention.<\/li>\n
                                                                                                                                  • Too broad policy reuse causing large blast radius.<\/li>\n
                                                                                                                                  • Weak admin access to test VMs (public SSH from anywhere).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Start with a deny-by-default<\/strong> egress posture and add explicit allows.<\/li>\n
                                                                                                                                    • Use hierarchical policies<\/strong>:<\/li>\n
                                                                                                                                    • Parent baseline: threat intel, deny lists, core enterprise allow list<\/li>\n
                                                                                                                                    • Child policies: workload-specific exceptions<\/li>\n
                                                                                                                                    • Ensure routing enforcement<\/strong> and validate effective routes.<\/li>\n
                                                                                                                                    • Centralize logs, and protect the logging pipeline.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                      Azure Firewall Manager inherits most practical constraints from Azure Firewall, Azure Firewall Policy, and (optionally) Virtual WAN. Common gotchas include:<\/p>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Firewall Manager is not the firewall<\/strong>: It manages policies and associations; Azure Firewall is the enforcement point.<\/li>\n
                                                                                                                                      • Routing is required<\/strong>: Without UDRs (or correct Virtual WAN routing), traffic will bypass inspection.<\/li>\n
                                                                                                                                      • DNS dependency for FQDN rules<\/strong>: Application rules require correct DNS resolution; broken DNS looks like \u201cfirewall issue\u201d but isn\u2019t.<\/li>\n
                                                                                                                                      • Policy blast radius<\/strong>: Shared policies across many firewalls can cause widespread outage if changed incorrectly.<\/li>\n
                                                                                                                                      • Propagation delays<\/strong>: Policy updates and associations can take time to apply.<\/li>\n
                                                                                                                                      • SKU\/feature mismatch<\/strong>: Some policy settings require Azure Firewall Premium (TLS inspection\/IDPS, etc.). Verify capabilities per SKU.<\/li>\n
                                                                                                                                      • Logging cost surprises<\/strong>: High-volume environments can generate large Log Analytics ingestion charges.<\/li>\n
                                                                                                                                      • Virtual WAN complexity\/cost<\/strong>: Secured hub architectures are powerful but introduce additional moving parts and cost centers.<\/li>\n
                                                                                                                                      • Regional availability differences<\/strong>: Not all features (especially partner integrations) are available in all regions; verify.<\/li>\n
                                                                                                                                      • Third-party security providers<\/strong>: Supported partners and capabilities change; validate current list and constraints in official docs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                        Azure Firewall Manager is best compared as a centralized management layer for firewalls and hub security, not as a firewall itself.<\/p>\n\n\n\n
                                                                                                                                        Comparison table<\/h3>\n\n\n\n
                                                                                                                                        \n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                        Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                        Azure Firewall Manager<\/strong><\/td>\nCentral management of Azure Firewall Policies across hubs\/firewalls<\/td>\nCentralized policy, hierarchical policies, scalable governance, Virtual WAN secured hub alignment<\/td>\nStill requires Azure Firewall; routing\/DNS complexity; cost is mainly in underlying firewall\/logging<\/td>\nYou need consistent firewall policy management across many VNets\/subscriptions\/regions<\/td>\n<\/tr>\n
                                                                                                                                        Azure Firewall (directly managed)<\/strong><\/td>\nSingle or few firewalls with simple governance<\/td>\nDirect control, fewer layers<\/td>\nHarder to standardize at scale; more manual duplication<\/td>\nSmall environments or early-stage deployments<\/td>\n<\/tr>\n
                                                                                                                                        Network Security Groups (NSGs)<\/strong><\/td>\nBasic subnet\/NIC L3\/L4 filtering<\/td>\nLow cost, simple, distributed control<\/td>\nNot a centralized stateful firewall; limited L7 features; limited central logging\/inspection<\/td>\nSimple segmentation, micro-segmentation, or complementing firewall (not replacing it)<\/td>\n<\/tr>\n
                                                                                                                                        Azure Application Gateway WAF<\/strong><\/td>\nHTTP\/HTTPS inbound app protection<\/td>\nStrong L7 WAF features, app routing<\/td>\nNot a general egress firewall; not for non-HTTP protocols<\/td>\nYou need inbound web protection (often paired with Azure Firewall)<\/td>\n<\/tr>\n
                                                                                                                                        Azure Front Door WAF<\/strong><\/td>\nGlobal edge + web protection<\/td>\nGlobal routing, edge WAF<\/td>\nNot for internal east-west or general egress control<\/td>\nGlobal web apps requiring edge routing and WAF<\/td>\n<\/tr>\n
                                                                                                                                        AWS Network Firewall + Firewall Manager (AWS)<\/strong><\/td>\nSimilar concept in AWS<\/td>\nManaged firewall + centralized policies (AWS ecosystem)<\/td>\nDifferent cloud; migration complexity<\/td>\nAWS-native environments (not Azure)<\/td>\n<\/tr>\n
                                                                                                                                        GCP Cloud Firewall Policies \/ Cloud Armor<\/strong><\/td>\nSimilar concepts in GCP<\/td>\nGCP-native controls<\/td>\nDifferent cloud; not Azure Firewall equivalent<\/td>\nGCP-native environments (not Azure)<\/td>\n<\/tr>\n
                                                                                                                                        Self-managed firewall appliances (e.g., NVA)<\/strong><\/td>\nHighly customized firewall needs<\/td>\nFull vendor feature set, deep customization<\/td>\nOps burden, scaling\/HA complexity, patching, licensing<\/td>\nWhen Azure Firewall features don\u2019t meet requirements and you can operate NVAs reliably<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                        15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                        Enterprise example: multi-subscription landing zone with centralized egress control<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Problem<\/strong>: A large enterprise has 30+ subscriptions across multiple teams. Each team deploys workloads in spokes. Security needs consistent outbound restrictions, logging, and incident response capability.<\/li>\n
                                                                                                                                        • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                                        • Hub-and-spoke per region (or Virtual WAN hubs for global WAN).<\/li>\n
                                                                                                                                        • Azure Firewall per hub.<\/li>\n
                                                                                                                                        • Azure Firewall Manager-managed parent policy<\/strong>:
                                                                                                                                            \n
                                                                                                                                          • Deny known malicious indicators (threat intel)<\/li>\n
                                                                                                                                          • Allow required enterprise services (identity endpoints, update services, approved SaaS)<\/li>\n
                                                                                                                                          • Standard logging and alerting requirements<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                          • Child policies<\/strong> per business unit\/application to allow specific external dependencies.<\/li>\n
                                                                                                                                          • Central Log Analytics + Sentinel for correlation.<\/li>\n
                                                                                                                                          • Why Azure Firewall Manager was chosen<\/strong>:<\/li>\n
                                                                                                                                          • Central governance with hierarchical policies.<\/li>\n
                                                                                                                                          • Reduced duplication and more predictable auditing and change control.<\/li>\n
                                                                                                                                          • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                                          • Faster onboarding of new spokes\/subscriptions with inherited baseline.<\/li>\n
                                                                                                                                          • Reduced policy drift and fewer security exceptions.<\/li>\n
                                                                                                                                          • Improved visibility for incident response.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Startup\/small-team example: standard hub firewall for a few environments<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Problem<\/strong>: A startup runs staging and production in separate VNets and wants to prevent accidental open egress while maintaining a small ops footprint.<\/li>\n
                                                                                                                                            • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                                            • Single hub VNet with Azure Firewall.<\/li>\n
                                                                                                                                            • Two spokes (staging\/prod).<\/li>\n
                                                                                                                                            • Azure Firewall Manager used to maintain:
                                                                                                                                                \n
                                                                                                                                              • A baseline policy shared by both environments<\/li>\n
                                                                                                                                              • Separate child policies per environment (prod tighter, staging slightly more permissive)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                              • Log Analytics workspace with short retention for cost control.<\/li>\n
                                                                                                                                              • Why Azure Firewall Manager was chosen<\/strong>:<\/li>\n
                                                                                                                                              • Even with only a few environments, policy reuse and separation reduces mistakes.<\/li>\n
                                                                                                                                              • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                                              • Less risk of accidental exposure.<\/li>\n
                                                                                                                                              • Easier troubleshooting and visibility into outbound dependencies.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                1) Is Azure Firewall Manager a firewall?<\/strong>\nNo. Azure Firewall Manager is primarily a management layer for defining and associating Azure Firewall Policies<\/strong>. Azure Firewall<\/strong> is the service that actually inspects and allows\/denies traffic.<\/p>\n\n\n\n
                                                                                                                                                2) Do I need Azure Firewall Manager to use Azure Firewall Policy?<\/strong>\nNot strictly. You can create and attach firewall policies directly on Azure Firewall resources. Azure Firewall Manager provides a centralized experience and governance model, especially useful at scale.<\/p>\n\n\n\n
                                                                                                                                                3) Can one policy be applied to multiple Azure Firewalls?<\/strong>\nYes, that\u2019s a common pattern. Design carefully to manage blast radius.<\/p>\n\n\n\n
                                                                                                                                                4) What is a hierarchical firewall policy?<\/strong>\nA parent\/child policy model where a child policy inherits baseline controls from a parent policy and extends it. Exact inheritance and override behavior should be verified in official docs.<\/p>\n\n\n\n
                                                                                                                                                5) Does Azure Firewall Manager support Azure Virtual WAN?<\/strong>\nYes, it is commonly used with secured virtual hubs<\/strong> in Virtual WAN. Verify specific region and feature support.<\/p>\n\n\n\n
                                                                                                                                                6) Does Azure Firewall Manager add extra cost?<\/strong>\nTypically, the major costs are Azure Firewall, Virtual WAN (if used), logging, and data transfer. Azure Firewall Manager is mainly a management layer. Always verify current pricing guidance in official sources.<\/p>\n\n\n\n
                                                                                                                                                7) How do I force traffic through Azure Firewall?<\/strong>\nIn hub-and-spoke VNets, you typically use User Defined Routes (UDRs)<\/strong> on spoke subnets pointing 0.0.0.0\/0<\/code> (or specific prefixes) to the firewall private IP.<\/p>\n\n\n\n
                                                                                                                                                8) Why are my FQDN application rules not working?<\/strong>\nMost commonly due to DNS resolution issues, routing that bypasses the firewall, or rule misconfiguration. Validate DNS and effective routes.<\/p>\n\n\n\n
                                                                                                                                                9) Can Azure Firewall Manager manage third-party firewalls?<\/strong>\nIn Virtual WAN secured hubs, Azure supports certain third-party security providers. Firewall Manager can help configure hub security providers. Verify current supported partners in official docs.<\/p>\n\n\n\n
                                                                                                                                                10) Should I replace NSGs with Azure Firewall Manager?<\/strong>\nNo. NSGs and Azure Firewall serve different purposes and often complement each other. NSGs are good for local segmentation; Azure Firewall provides centralized, stateful inspection and L7 controls.<\/p>\n\n\n\n
                                                                                                                                                11) How do I audit who changed firewall rules?<\/strong>\nUse the Azure Activity Log<\/strong> for management operations and maintain IaC and pull request workflows when possible.<\/p>\n\n\n\n
                                                                                                                                                12) What\u2019s the best way to roll out policy changes safely?<\/strong>\nUse staged rollout:\n– Test in dev\/test\n– Use child policies for controlled scope\n– Validate logs and traffic behavior\n– Apply to production with change windows and rollback plans<\/p>\n\n\n\n
                                                                                                                                                13) Can I use Azure Firewall Manager across multiple subscriptions?<\/strong>\nYes, as long as RBAC permissions allow it. Centralized governance often uses management groups.<\/p>\n\n\n\n
                                                                                                                                                14) How do I monitor Azure Firewall?<\/strong>\nEnable diagnostics and metrics to Azure Monitor\/Log Analytics and consider Sentinel for detection. Create alerts for threat intel hits, deny spikes, and health signals.<\/p>\n\n\n\n
                                                                                                                                                15) What\u2019s the most common design mistake?<\/strong>\nDeploying the firewall but failing to enforce routing through it, resulting in traffic bypass and a false sense of security.<\/p>\n\n\n\n
                                                                                                                                                17. Top Online Resources to Learn Azure Firewall Manager<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                Official documentation<\/td>\nAzure Firewall Manager documentation: https:\/\/learn.microsoft.com\/azure\/firewall-manager\/<\/td>\nPrimary reference for concepts, supported scenarios, and configuration workflows<\/td>\n<\/tr>\n
                                                                                                                                                Official documentation<\/td>\nAzure Firewall documentation: https:\/\/learn.microsoft.com\/azure\/firewall\/<\/td>\nRequired to understand the enforcement plane, SKUs, rules, and deployment patterns<\/td>\n<\/tr>\n
                                                                                                                                                Official documentation<\/td>\nAzure Firewall Policy documentation: https:\/\/learn.microsoft.com\/azure\/firewall-manager\/policy-overview (verify exact page paths)<\/td>\nExplains policy structure, rule collection groups, and hierarchy concepts<\/td>\n<\/tr>\n
                                                                                                                                                Official pricing page<\/td>\nAzure Firewall pricing: https:\/\/azure.microsoft.com\/pricing\/details\/azure-firewall\/<\/td>\nAuthoritative pricing model for firewall runtime and data processing<\/td>\n<\/tr>\n
                                                                                                                                                Official pricing page<\/td>\nAzure Virtual WAN pricing: https:\/\/azure.microsoft.com\/pricing\/details\/virtual-wan\/<\/td>\nNeeded if you use secured virtual hubs<\/td>\n<\/tr>\n
                                                                                                                                                Official pricing tools<\/td>\nAzure Pricing Calculator: https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\nBuild region-specific estimates based on your architecture<\/td>\n<\/tr>\n
                                                                                                                                                Architecture guidance<\/td>\nAzure Architecture Center: https:\/\/learn.microsoft.com\/azure\/architecture\/<\/td>\nReference architectures for hub-spoke, Virtual WAN, and network security patterns<\/td>\n<\/tr>\n
                                                                                                                                                Monitoring guidance<\/td>\nAzure Monitor documentation: https:\/\/learn.microsoft.com\/azure\/azure-monitor\/<\/td>\nLearn how to route logs\/metrics and build alerts<\/td>\n<\/tr>\n
                                                                                                                                                SIEM guidance<\/td>\nMicrosoft Sentinel documentation: https:\/\/learn.microsoft.com\/azure\/sentinel\/<\/td>\nIf you want SIEM\/SOAR on firewall logs<\/td>\n<\/tr>\n
                                                                                                                                                CLI reference<\/td>\nAzure CLI network commands: https:\/\/learn.microsoft.com\/cli\/azure\/network<\/td>\nPractical command reference for VNets, route tables, firewall resources<\/td>\n<\/tr>\n
                                                                                                                                                Product updates<\/td>\nAzure updates: https:\/\/azure.microsoft.com\/updates\/<\/td>\nTrack changes in Azure Firewall\/Firewall Manager and Networking services<\/td>\n<\/tr>\n
                                                                                                                                                Community learning (reputable)<\/td>\nMicrosoft Tech Community (Azure Networking): https:\/\/techcommunity.microsoft.com\/category\/azure-networking\/blog\/azurenetworkingblog<\/td>\nPractical posts and announcements from Azure Networking teams (validate against docs)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n\n
                                                                                                                                                Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                DevOpsSchool.com<\/td>\nDevOps engineers, SREs, platform teams<\/td>\nAzure fundamentals, cloud operations, DevOps practices (verify course catalog)<\/td>\ncheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                ScmGalaxy.com<\/td>\nBeginners to intermediate engineers<\/td>\nDevOps\/SCM and cloud-adjacent training (verify specifics)<\/td>\ncheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                CLoudOpsNow.in<\/td>\nCloud ops practitioners<\/td>\nCloud operations and automation topics (verify specifics)<\/td>\ncheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                SreSchool.com<\/td>\nSREs, operations teams<\/td>\nReliability engineering practices and operations (verify specifics)<\/td>\ncheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                AiOpsSchool.com<\/td>\nOps + monitoring practitioners<\/td>\nAIOps concepts, monitoring\/observability (verify specifics)<\/td>\ncheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n
                                                                                                                                                Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                RajeshKumar.xyz<\/td>\nDevOps\/cloud training content (verify focus)<\/td>\nStudents, engineers seeking guided learning<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                devopstrainer.in<\/td>\nDevOps training and mentoring (verify focus)<\/td>\nBeginners to intermediate DevOps engineers<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                devopsfreelancer.com<\/td>\nFreelance DevOps guidance\/services (verify specifics)<\/td>\nTeams seeking practical help and learning<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                devopssupport.in<\/td>\nDevOps support and training resources (verify specifics)<\/td>\nOps\/DevOps teams needing hands-on support<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n
                                                                                                                                                Company Name<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                cotocus.com<\/td>\nCloud\/DevOps consulting (verify exact offerings)<\/td>\nArchitecture, implementation, operationalization<\/td>\nHub-and-spoke rollout, IaC enablement, monitoring\/logging setup<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                DevOpsSchool.com<\/td>\nDevOps and cloud services (verify exact offerings)<\/td>\nTraining + consulting engagements<\/td>\nAzure landing zone practices, CI\/CD integration, ops readiness<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify exact offerings)<\/td>\nAdvisory and implementation support<\/td>\nStandardized deployments, automation, operational best practices<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                What to learn before Azure Firewall Manager<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Azure Networking fundamentals:<\/li>\n
                                                                                                                                                • VNets, subnets, peering<\/li>\n
                                                                                                                                                • Route tables (UDR), effective routes<\/li>\n
                                                                                                                                                • DNS basics in Azure (Azure-provided DNS vs custom DNS)<\/li>\n
                                                                                                                                                • Security fundamentals:<\/li>\n
                                                                                                                                                • Least privilege and RBAC<\/li>\n
                                                                                                                                                • Network segmentation patterns<\/li>\n
                                                                                                                                                • Azure basics:<\/li>\n
                                                                                                                                                • Resource groups, subscriptions, regions<\/li>\n
                                                                                                                                                • Azure Monitor and Activity Log<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  What to learn after Azure Firewall Manager<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Advanced Azure Firewall capabilities:<\/li>\n
                                                                                                                                                  • Firewall Premium features (TLS inspection, IDPS) if relevant (verify)<\/li>\n
                                                                                                                                                  • Threat intelligence tuning and incident workflows<\/li>\n
                                                                                                                                                  • Azure Virtual WAN secured hubs (for global WAN architectures)<\/li>\n
                                                                                                                                                  • Microsoft Sentinel:<\/li>\n
                                                                                                                                                  • Detection rules, hunting queries, incident automation<\/li>\n
                                                                                                                                                  • Infrastructure as Code:<\/li>\n
                                                                                                                                                  • Bicep\/ARM or Terraform for repeatable firewall policy deployment<\/li>\n
                                                                                                                                                  • Governance:<\/li>\n
                                                                                                                                                  • Azure Policy initiatives for diagnostics\/tagging compliance<\/li>\n
                                                                                                                                                  • Management group design and centralized RBAC models<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Cloud network engineer<\/li>\n
                                                                                                                                                    • Cloud security engineer<\/li>\n
                                                                                                                                                    • Solutions architect (Networking\/security focus)<\/li>\n
                                                                                                                                                    • Platform engineer<\/li>\n
                                                                                                                                                    • SRE\/operations engineer (for monitoring and incident response)<\/li>\n
                                                                                                                                                    • Security operations analyst (consuming firewall logs in SIEM)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Certification path (Azure)<\/h3>\n\n\n\n
                                                                                                                                                      Azure certifications evolve; choose based on role:\n– Networking-heavy: Azure network-focused exams (verify current exam codes)\n– Security-heavy: Azure security engineer track\n– Architecture: Azure solutions architect track\nAlways verify the latest certification paths on Microsoft Learn: https:\/\/learn.microsoft.com\/credentials\/<\/p>\n\n\n\n
                                                                                                                                                      Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Build a hub-and-spoke with:<\/li>\n
                                                                                                                                                      • Parent\/child firewall policies<\/li>\n
                                                                                                                                                      • Separate policies for prod vs non-prod<\/li>\n
                                                                                                                                                      • Central logging + alerting for deny spikes<\/li>\n
                                                                                                                                                      • Implement \u201cegress allow list\u201d for a container platform (AKS) and validate required endpoints.<\/li>\n
                                                                                                                                                      • Build an incident response playbook:<\/li>\n
                                                                                                                                                      • Add IOC block rules centrally<\/li>\n
                                                                                                                                                      • Validate propagation<\/li>\n
                                                                                                                                                      • Verify logs and rollback<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Azure Firewall Manager<\/strong>: Central management service\/experience for Azure Firewall Policies and security configurations (especially hubs and Virtual WAN).<\/li>\n
                                                                                                                                                        • Azure Firewall<\/strong>: Managed, stateful network firewall that inspects and controls traffic.<\/li>\n
                                                                                                                                                        • Azure Firewall Policy<\/strong>: Resource that defines firewall rules and settings to be enforced by Azure Firewall.<\/li>\n
                                                                                                                                                        • Hierarchical policy<\/strong>: Parent\/child policy model for baseline + workload-specific rules.<\/li>\n
                                                                                                                                                        • Hub-and-spoke<\/strong>: Network topology where a central hub VNet connects to multiple spoke VNets.<\/li>\n
                                                                                                                                                        • UDR (User Defined Route)<\/strong>: Custom route in an Azure route table used to steer traffic (for example, to a firewall).<\/li>\n
                                                                                                                                                        • NAT (Network Address Translation)<\/strong>: Translating addresses\/ports, commonly used for inbound publishing (DNAT) or outbound SNAT.<\/li>\n
                                                                                                                                                        • Application rule<\/strong>: Layer 7-ish rule based on FQDNs and protocols (HTTP\/HTTPS), enforced by Azure Firewall.<\/li>\n
                                                                                                                                                        • Network rule<\/strong>: Layer 3\/4 rule based on IPs, ports, and protocols.<\/li>\n
                                                                                                                                                        • Secured virtual hub<\/strong>: An Azure Virtual WAN hub with a security provider enabled for traffic inspection.<\/li>\n
                                                                                                                                                        • Log Analytics<\/strong>: Azure service for log ingestion, query (KQL), and retention.<\/li>\n
                                                                                                                                                        • Microsoft Sentinel<\/strong>: Cloud-native SIEM\/SOAR built on Log Analytics.<\/li>\n
                                                                                                                                                        • RBAC<\/strong>: Role-based access control in Azure.<\/li>\n
                                                                                                                                                        • PIM<\/strong>: Privileged Identity Management for just-in-time privileged access.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          23. Summary<\/h2>\n\n\n\n
                                                                                                                                                          Azure Firewall Manager (Azure) is a Networking<\/strong> security management service that centralizes Azure Firewall Policy<\/strong> creation and policy association across Azure Firewall deployments and (optionally) Virtual WAN secured hubs. It matters because it helps organizations apply consistent firewall rules, reduce configuration drift, and operate at scale with clearer governance and auditing.<\/p>\n\n\n\n
                                                                                                                                                          Cost-wise, Firewall Manager is mainly a control-plane layer; your bill is driven by Azure Firewall runtime + data processing<\/strong>, Virtual WAN<\/strong> (if used), logging<\/strong>, and data transfer<\/strong>. Security-wise, treat policy changes as high impact, enforce least privilege with RBAC\/PIM, and design routing and DNS carefully to avoid traffic bypass and rule mismatch.<\/p>\n\n\n\n
                                                                                                                                                          Use Azure Firewall Manager when you need centralized, reusable, governable firewall policy<\/strong> across multiple VNets, hubs, subscriptions, or regions. Next, deepen your skills by learning Azure Firewall Policy design, logging with Azure Monitor\/Log Analytics, and\u2014if needed\u2014Virtual WAN secured hub architectures on Microsoft Learn: https:\/\/learn.microsoft.com\/azure\/firewall-manager\/.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                          Networking<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,50,10],"tags":[],"class_list":["post-502","post","type-post","status-publish","format-standard","hentry","category-azure","category-networking","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=502"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/502\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}