First Look at Azure Firewall

Some of the most common networking-related questions Codify receives during Cloudlift assessments are:

  • How do I control traffic from Azure to the internet?
  • How do I manage traffic entering and exiting Azure through ExpressRoute and Site-to-Site VPNs?

While this has been possible, the only options have been a convoluted mix of a pair of Network Virtual Appliances (NVAs), Network Security Groups (NSGs) and Route Tables, which leads to complicated network routing patterns and, depending on your NVA vendor, can involve convoluted failover processes.

The recently released Azure Firewall attempts to overcome some of these issues by providing network security as a PaaS offering. While its features are currently limited in Public Preview, it still covers most workloads that Codify has implemented previously. In conjunction with NSGs and Log Analytics it comes out of the gate with a strong start.


The good:

  • Highly available by default
  • Simple to understand and use in the portal
  • Integration with Log Analytics & OMS

The bad:

  • Limited functionality when compared to full products such as Palo Alto, Fortigate, ASA etc.
  • Requires the use of User Defined Routes, increasing complexity
  • Outbound traffic only; requires the use of a WAF for inbound traffic
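The User Defined Route dependency noted above, as an added example that is not from the original post or from Codify: Az PowerShell deploys an outbound-only Azure Firewall with a single allow rule, then adds the default route that forces a workload subnet through it. Resource group, region, address ranges and the allowed FQDN are assumed values.

```powershell
# Added example (not from the original post). Requires the Az module and an
# authenticated session (Connect-AzAccount). All names and ranges are assumed.
$rg       = "rg-fw-demo"      # assumed resource group (must already exist)
$location = "australiaeast"   # assumed region

# Azure Firewall must be placed in a subnet named exactly "AzureFirewallSubnet".
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.1.0/26"
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name "workload" -AddressPrefix "10.0.2.0/24"
$vnet = New-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet, $wlSubnet

# The firewall needs a static Standard-SKU public IP for outbound SNAT.
$pip = New-AzPublicIpAddress -Name "pip-fw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$fw = New-AzFirewall -Name "fw-hub" -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip

# Application rule: allow only HTTPS to an assumed FQDN from the workload subnet.
# Everything not matched by an allow rule is denied by the firewall's default action.
$rule = New-AzFirewallApplicationRule -Name "allow-updates" -SourceAddress "10.0.2.0/24" `
    -Protocol "https:443" -TargetFqdn "*.ubuntu.com"
$coll = New-AzFirewallApplicationRuleCollection -Name "egress-allow" -Priority 200 `
    -Rule $rule -ActionType Allow
$fw.ApplicationRuleCollections.Add($coll)
Set-AzFirewall -AzureFirewall $fw

# User Defined Route: point the workload subnet's default route at the firewall's
# private IP. Without this UDR traffic leaves via Azure's default internet route
# and the firewall never sees it, so the rule above would never be evaluated.
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress
$rt = New-AzRouteTable -Name "rt-workload" -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -RouteTable $rt -Name "default-via-fw" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Set-AzRouteTable

# Associate the route table with the workload subnet so the UDR takes effect.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "workload" `
    -AddressPrefix "10.0.2.0/24" -RouteTable $rt | Set-AzVirtualNetwork
```

Once deployed, denied and allowed flows can be checked in the AzureFirewallApplicationRule logs sent to Log Analytics, which is how the UDR can be verified to actually be steering traffic.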

Conclusion:
A great first step for a SaaS networking solution from Azure. The features released in the public preview cover over 80% of the use cases that Codify has come across. Given that it is in public preview, caution is advised, as changes to the product may occur that impact your production environment.
