Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Azure Firewall Premium now in General Availability
Published Aug 10 2021 02:52 PM 7,386 Views
Microsoft

Azure Firewall premium is now generally available for most Azure regions. Thank you to community members who participated in both the private and public previews. This SKU is compatible in a Virtual WAN Hub (Secure Virtual Hub), and Hub Virtual Network scenarios.

The Azure Firewall Premium SKU utilizes a more powerful compute engine for advanced content filtering and threat protection through IDPS. The Premium SKU can seamlessly scale up to 30 Gbps and integrates with availability zones to support the service level agreement (SLA) of 99.99 percent. 

It provides Threat intelligence-based filtering for both encrypted and non-encrypted traffic and Intrusion detection and prevention for all ports and protocols as a managed service to our customers, with support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways.

 

All new features of the Firewall premium SKU will be configurable via Firewall Policy only. Azure firewall infrastructure features ported from Azure Firewall Standard and Classic rules such as Threat Intelligence and Custom DNS, including new features such as TLS inspection and Web categories etc. can all be managed via Azure Firewall premium policy SKU.

The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs and is ICSA labs certified.

 

tobiotolorin_0-1628620276262.png

 

  1. Transport Layer Security (TLS) Inspection: Azure Firewall Premium decrypts outbound East-West TLS connections, performs the required value-added security functions and re-encrypts the traffic which is sent to the original destination.
  2. Intrusion Detection and Prevention System (IDPS): Azure Firewall Premium provides signature based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.
  3. Web Categories: Allows administrators to allow or deny user access to the Internet based on categories (e.g., social networking, search engines, gambling), reducing the time spent on managing individual FQDNs and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.
  4. URL Filtering: TLS inspection enables filtering beyond the FQDN root domain and allow users to access specific URLs for both plain text and encrypted traffic, typically being used in conjunction with web categories.

 

By using Firewall Policy, you can achieve central management of your firewalls using Azure Firewall Manager. Firewall Rules (Classic) continues to be supported and can be used for configuring existing features of Standard Firewall. Firewall Policy can be managed independently or by using Azure Firewall manager.

tobiotolorin_0-1628621692989.png

Migrating to the new Firewall Premium SKU
To migrate your existing Azure firewall standard policy to Premium policy, you connect to your Azure account, retrieve the existing policy and modify the parameters by adding the features required for a premium firewall policy to the existing firewall policy image. The existing firewall instance is then deleted as you create a new one with the premium features.  The new instance is compute intensive due to the TLS inspection and IDPS actions, hence the Azure firewall premium SKU is deployed with a more powerful compute engine.

 

 

$NewPolicyParameters = @{ 

  Name =(GetPolicyNewName -Policy $Policy) 
  ResourceGroupName = $Policy.ResourceGroupName 
  Location = $Policy.Location 
  ThreatIntelMode = $Policy.ThreatIntelMode 
  BasePolicy = $Policy.BasePolicy 
  DnsSetting = $Policy.DnsSettings 
  Tag = $Policy.Tag 
  SkuTier = "Premium"
}

 

 

You can follow the detailed step by step guide in Azure firewall Premium migration. Once deployed, you can test and validate the different Premium features.

 

 

Some helpful use case scenarios and reference architectures for Azure Firewall Premium :

* How to use Azure Firewall Premium with WVD

* Certificate Management for Azure Firewall Premium TLS Inspection

* Deep dive video on Azure Firewall Standard and Premium SKU

* Azure Firewall Monitor Workbook with Premium feature logs.

* Getting started with Azure Firewall Manager

* Content Inspection Using TLS Termination with Azure Firewall Premium

 

For more information, see the Azure Firewall Premium documentation

 

3 Comments
Co-Authors
Version history
Last update:
‎Aug 18 2021 08:12 AM
Updated by: