Azure Networking Fundamentals

Azure Firewall

In this segment you learn about a new firewall service in Azure, Azure Firewall. Like Network Security Groups, it allows or denies inbound and outbound network traffic, but it also differs from them considerably.

Keywords

  • Azure firewall
  • security
  • network security
  • firewall as a service

About this video

Author(s)
Peter De Tender
First online
11 November 2019
DOI
https://doi.org/10.1007/978-1-4842-5566-7_4
Online ISBN
978-1-4842-5566-7
Publisher
Apress
Copyright information
© Peter De Tender 2019

Video Transcript

Welcome to this segment of Azure Firewall, which is an alternative and sometimes even an additional service to the default network security groups or NSGs you might already know. Azure firewall went live only a few months ago so definitely worth watching this video if you never really heard about it.

Now most of you understand the concept of NSGs as software-based firewalls. I often compare it with the built-in Windows Firewall. It’s there. It does what it needs to do. But it’s not always easy to manage in a larger or more complex network setup. Or, like discussed earlier, you might look into deploying a network virtual appliance reusing any of the well-known firewall vendors.

And obviously, where this is a good choice, given the familiarity with a firewall product you already have, it also comes with a downside, mainly being the virtual machine dependency where you need to manage the system. You need to patch it. You need to build it in a highly available topology. And that’s where Azure Firewall could be a good alternative.

Just like most other firewalls, Azure Firewall allows you to control network flow based on port and IP settings, allowing or denying traffic. The main advantage compared to deploying a network virtual appliance is that it runs as a service. So there’s no virtual machines to patch, no virtual machines to manage.

And besides this as-a-service aspect of Azure Firewall, it also comes with additional logging capabilities, where the logs are getting archived to an Azure storage account. They can be sent along to Azure central storage. And integrating with, for example, event hubs, it would also be possible to stream logging information to a custom SIEM solution that you already have on-prem.

So besides NSGs and Azure firewall, a third option is network virtual appliances. You could use the familiar network security brands you already know by deploying NVAs on Azure to tackle issues like application delivery controllers, optimization of WAN, and security through firewall and encryption. These virtual machine images allow you to bring the network, the security, and all other features and functionalities of your favorite provider to Azure using a familiar experience. They’re getting deployed from the Azure marketplace. And the licensing is a pay-as-you-go model. Or sometimes, depending on what you run on-prem, they also support bring-your-own-device licenses.

Now each deployment of a network virtual appliance is a little bit specific. But what I want to do in this next demo is showing you an overall approach on how to deploy a network virtual appliance giving you at least some idea how this works from the Azure marketplace. So let me show you how you create a network virtual appliance using the Azure Marketplace.

So, first of all, if you go through the full category Networking, you can already see a couple of options where Check Point is only one of them. So if I extend this list, then this is basically the list of approved Azure Marketplace images from different vendors. So Check Point is in there. Sophos Firewall is in there. Riverbed packet here like a network optimizer, Kemp Load Balancers are in there, so quite a lot of options. And then seeing more, you can basically extend it with other brands as well.

So let’s say we want to deploy like a Fortinet Firewall using a single virtual machine. So it provides you a description, what it delivers, like what is the functionality you get. What are the admin ports that you need to enable? And what is the protection coming with the product? So from here, we’re going to create it. And the base solution is nothing really different than deploying any other Azure virtual machine where here it’s asking me some specific settings for the firewall appliance.

So this could be the Apress demo 40, specifying the resource group, and my region. So sometimes, depending on the template, it’s not allowing me to create a resource in an existing one, so we can easily create a new one. Next, it’s going to ask me for specific subnets so accepting all the defaults here and then also selecting the virtual machine under the hood. Some specific IP addresses that I’m going to use, so this could be the Fortinet public IP address. So for the ones who aren’t familiar with the overall Azure configurations of deployment of resources, a lot of it looks really similar.

I’m not going to complete the deployment but mainly wanted to show you why and how that deployment is similar to deploying any other Azure virtual machine, where in between, it’s going to ask you already some specific appliance settings where maybe one of the most important ones if I go back– sorry– is what license I want to use here. So I’m going for the pay-as-you-go model where I’m basically paying a monthly fee for using the appliance on top of the virtual machine running cost.

Or if I have a compatible Fortigate on-prem that I’m not using anymore once I’m starting to migrate workloads to Azure, I could reuse part of my license in that bring-your-own-license model. But you need to check your firewall vendor for the characteristics and specifics for that one. From here, you would complete the deployment, logging on to the web interface or the management portal. And the management of the Fortigate Firewall in this scenario would be identical to the counterpart in a physical appliance running in my own on-prem data center.

And this completes my demo on deploying a virtual appliance in Azure. And this brings me to the end of this video in which I only covered Azure firewall, positioning Azure firewall as a service, but also talking a little bit about how you can deploy your more familiar or traditional vendor appliance as a firewall and load balancing solution if you want in an Azure virtual machine concept.