Aug 29 2023 03:51 PM - edited Sep 26 2023 05:31 PM
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.
*************************************************************
Please join us in this Ask Me Anything session with the Azure Network Security CxE PM team. During this session, the Azure Network Security SMEs (Subject Matter Experts) will answer your questions on Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure DDoS. This will be a great forum for our Public Community members to learn, interact and have their feedback listened to by the Azure Network Security team.
Feel free to post your questions about Azure Network Security solution areas anytime in the comments before the event starts. The team will be answering questions during the live session, with priority given to the pre-submitted questions from the comments below. If you are new to Microsoft Tech-Community, please follow the sign-in instructions.
To register for the upcoming live AMA Sep 26, 2023, visit aka.ms/SecurityCommunity.
Sep 12 2023 08:22 AM
@Valon_Kolica Since Azure Firewall is a highly available solution, I assume that the underlying mechanism for this resource employs some sort of VM/app cluster. Could you give us a bit more insight into how HA is achieved at the backend level? Also, could you let us know if such HA mode is done via either an active-passive (where only one firewall device takes care of the entire traffic load) or active-active (where two or more firewall devices handle the traffic) modes? Finally, how is traffic flow consistency, especially in regard to stateful connections, achieved if HA is done following an active-active model? Thank you
Sep 14 2023 02:30 PM
It might seem obvious but I have not got a consensus (or even a strong trend) on whether it is recommended to have a Firewall in front of the WAF, since we know that this has disadvantages like the visibility and tuning of WAF policies. I would like to hear the architecture recommendation for WAF and FW in a typical hub and spoke customer scenario. If I use WAF in the Hub I could have limitations on distributing Billing per subscription. If I put the WAF with PIP on the spokes I think it goes against the practice of not allowing connectivity from the Internet to an application in an internal zone. I would like to hear clear recommendations on this.
Sep 24 2023 10:56 PM
I would like to know how Azure Firewall IDPS can be configured in the following scenario: website traffic/incoming requests for the site from Internet -> Application Gateway (SKU1) -> Azure Firewall Premium -> Azure App Service.
In the above scenario, how do we configure the IDPS (Firewall) certificate? Can we use the website's third-party certificate (intermediate) while configuring TLS/IDPS, or do we need to generate a Firewall certificate? Also, in Application Gateway, do I need to configure Azure Firewall as the backend and also upload the firewall certificate on Azure Application Gateway?
Sep 26 2023 08:20 AM
Is it possible to use the Azure WAF to create an allow list of IP ranges and block traffic from all other sources?
Sep 26 2023 12:11 PM
@RodrigoFerraz, Azure Firewall is a cloud-native resource. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It is based on Virtual Machine Scale Sets, and by default there are two active VMSS instances. Azure Firewall gradually scales out when the average throughput or CPU consumption is at 60%, and it takes 5 to 7 minutes. The scale-in also happens gradually when the average throughput or CPU consumption is below 20%. Note: The scaling doesn't apply to the Basic SKU, as it has a fixed scale unit to run the service on two virtual machine backend instances.
Azure Firewall doesn't share connection state between the instances. So, in case of scale-in, a VM instance is put in drain mode for 90 seconds before being recycled. It may also happen when there's planned maintenance of the Firewall.
For reliability, we recommend deploying Azure Firewall with Availability Zones.
Sep 26 2023 12:21 PM
@Rahulggupta25, please find my comments below:
1. How can we back up our rules in the firewall? Answer: Take a look at the following blog post describing the steps to back up your Azure Firewall.
2. What's the best practice for north-south and east-west traffic? Answer: Could you elaborate more? You can use the same Azure Firewall deployment to protect both north-south and east-west traffic. Check the recommendations in this Well-Architected Framework document for Azure Firewall.
3. Do we need to have an ELB in front of the firewall? Answer: No, you don't need to create an ELB in front of Azure Firewall. Azure Firewall is highly available by design.
Sep 26 2023 12:33 PM
@joshuabales, yes you can create a custom rule on Azure Web Application Firewall using RemoteAddr (IP address) as your match variable as described here. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF and hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow, block, or log). If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated. Custom rules can be enabled/disabled on demand.
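The allow-list rule described in this answer, written out as a Bicep deployment of an Application Gateway WAF policy. This is an added example, not code from the thread or from Microsoft; the policy name, location and the RFC 5737 documentation ranges used as the allow list are constructed placeholders.

```bicep
// Added example: custom rule that blocks any request whose source IP is NOT in the allow list.
// Policy name, location and the allowed ranges below are constructed placeholders.
param location string = resourceGroup().location
param policyName string = 'wafpolicy-allowlist'
param allowedSourceRanges array = [
  '203.0.113.0/24'   // constructed example range
  '198.51.100.10/32' // constructed example host
]

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // Detection mode would only log the match instead of blocking
    }
    customRules: [
      {
        name: 'BlockNonAllowlistedSources'
        priority: 10 // custom rules run before managed rules; lower number is evaluated first
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              {
                variableName: 'RemoteAddr' // source IP of the connecting client
              }
            ]
            operator: 'IPMatch'
            negationConditon: true // negated: matches when RemoteAddr is outside the list (API property is spelled this way)
            matchValues: allowedSourceRanges
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP' // requests from allowed sources still pass through the managed rules
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}
```

Because the block action stops evaluation, only requests from the listed ranges reach the managed rule set. RemoteAddr is the address that connects to the gateway, so if another proxy or CDN sits in front of it the match would need to use the forwarded client address instead.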
Sep 26 2023 01:34 PM
@Tomáš Bohuněk, please submit your feedback via https://aka.ms/azurenetsecfeedback. I would also recommend joining the Private Community, where you can make a difference in helping us shape our products together by reviewing our product roadmaps, participating in co-design and feature previews, and staying up to date on announcements.