Getting Started with Azure Firewall REST API: A Step-by-Step Guide – Part I
This blog is written in collaboration with andrewmathu. The REST API is essential for managing resources in Azure, providing a structured way to perform create, read, update, and delete (CRUD) operations. By using HTTP methods such as GET, POST, PUT, and DELETE, the REST API makes it straightforward for administrators to interact with Azure resources. It supports various data formats, including JSON and XML, ensuring flexibility in data exchange. This capability is particularly useful for automating workflows, streamlining deployments, and integrating with continuous deployment and integration processes. Azure Firewall is a cloud-native, intelligent network firewall security service that provides top tier threat protection for your cloud workloads running in Azure. It is a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. The Azure Firewall REST API allows users to automate firewall configurations, retrieve policy details, and manage rules programmatically. This blog provides step-by-step guidance on interacting with the Azure Firewall REST API and serves as Part I of our series. In this part, we will focus on the prerequisites, initial setup, and specific tasks such as creating an Azure Firewall instance, creating a firewall policy, associating policies, updating threat intelligence settings, and defining network and application rules. Getting Started In this blog, we will use Bruno, a lightweight, offline and user-friendly API testing tool, to send REST API requests to Azure Resource Manager for managing Azure Firewall configurations. While other API testing tools such as Postman, PowerShell, Azure CLI, and Swagger can also be used to interact with Azure REST APIs, the fundamental principles remain the same, with only the interface differing. Before diving into the API requests, we will first cover the prerequisites and initial setup. Then, we will demonstrate how to use Bruno to perform essential Azure Firewall operations such as creating a firewall instance, configuring policies, associating policies, updating threat intelligence settings, and defining firewall rules Prerequisites: Link to download Bruno: Bruno API Client | Downloads. Bruno documentation: What is Bruno? – Bruno Docs Link to blog that covers how to prepare your identities: Azure REST APIs with Postman (2021) | Jon Gallant. Note: While this blog focuses on using Postman to send REST API commands, the steps can be adapted for other API testing tools, such as Bruno, which we are using in this blog. Using the steps outlined in the blog, we can configure a collection for Bruno with the variables defined as below: Bruno supports pre-request scripts for modifying requests, but unlike Postman, it lacks built-in request chaining for authentication. While it's possible to use fetch() to obtain an access token, Bruno does not ensure the request waits for the token before execution. Other tools such as PowerShell or Insomnia can automate token retrieval, but in our case, we manually fetch the token via a POST request and use it in the Authorization header for subsequent API calls. Since tokens expire after about 60 minutes, this process will need to be repeated periodically. The access token that we obtain from our POST request is used in the collection to authenticate API requests to Azure Resource Manager. It is included in the Authorization header of each request to ensure that the API calls have the necessary permissions to interact with Azure Firewall. Azure Firewall Configurations via REST API With our prerequisites complete, we now proceed with some Azure Firewall configurations through REST API: Creating a new Azure Firewall instance. Creating a new Azure Firewall policy. Associating an Azure Firewall policy to an Azure Firewall instance. Updating Azure Firewall Threat Intelligence mode. Creating Rule Collections for Network and Application Rules. Listing our created resources. Azure Firewall REST API offers a wide range of configuration and management capabilities beyond these tasks. The steps covered in this section represent just a subset of the available operations that can be performed programmatically, enabling automation and streamlined management of firewall resources. To get us started, we need to have a resource group, a virtual network and a public IP address for the firewall to be created. The resource group has been created with the help of API, as shown below: To create the Virtual Network and the Firewall public IP address, we have utilized the portal as shown below: Creating a new Azure Firewall instance: The following are the parameters required for Azure Firewall instance via REST API: By using the PUT command and request body, we can create a firewall instance as shown below: Method URL PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls/{azureFirewallName}?api-version=2024-05-01 As we can confirm on the portal, that the firewall has now been created Creating a new Azure Firewall policy: The following are the parameters required for Azure Firewall Policy creation via REST API By using the PUT command and request body, we can create a firewall policy as shown below: HTTP Method URL PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}?api-version=2024-05-01 Associating an Azure Firewall policy to an Azure Firewall instance: To associate a Firewall Policy with an Azure Firewall instance, use the following parameters. HTTP Method URL PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls/{{azureFirewallName}}?api-version=2024-05-01 As we can see below, the firewall policy has now been associated with the firewall AZFW-RestAPI Updating Azure Firewall Threat Intelligence Mode: Updating the threat intelligence mode for your Azure Firewall instance can be done similarly by using the parameters below Method URL PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/RestAPI-FirewallPolicy-Standard?api-version=2024-05-01 Creating Rule Collections for Network and Application Rules: To create rule collection groups for network and application rules, use the following parameters. By using the below Put Command we will be able to create Network and Application rule collection groups as shown below: Method URL PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}/ruleCollectionGroups/{ruleCollectionGroupName}? api-version=2024-05-01 Listing Created Resources: To list the resources you've created, you can use the following GET command. When sending a GET request, we no longer require the request body, only the URI parameters to pull the information for the resource we want. HTTP Method URL GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}/ruleCollectionGroups?api-version=2024-05-01 As we can see from the above screenshot, we are able to list the rule collections that we created using the GET command. Similarly, we can use the GET command to list or get details of any created resources using the respective URL. Conclusion: By utilizing the Azure REST API, you can efficiently create, update, and configure Azure Firewall and Firewall Policies, streamlining deployment and management processes. This guide has shown how to set up and manage firewall instances, create policies, rule collection groups, and view resources, ultimately automating and securing your cloud environment with Azure Firewall. References: Azure Firewalls - Create Or Update - REST API (Azure Firewall) | Microsoft Learn Firewall Policies - REST API (Azure Virtual Networks) | Microsoft Learn Getting Started with Azure WAF REST API for Application Gateway: A Step-by-Step Guide | Microsoft Community Hub Getting Started with Azure WAF REST API for Azure Front Door: A Step-by-Step Guide | Microsoft Community Hub Getting Started with Azure DDoS Protection REST API: A Step-by-Step Guide | Microsoft Community HubProtecting the Public IPs of Secured Virtual Hub Azure Firewalls against DDoS Attacks
As discussed previously in the blog post “Fortify Your Azure Firewall: Custom Public IP Configuration on Secured Virtual Hub Deployments”, in the current cloud-focused environment, the management of network security has become increasingly important. Azure Firewall has long been an effective solution for securing virtual networks and virtual hubs, but recent updates have further enhanced its capabilities. The ability to specify your own Azure public IP to be used by your Azure Firewall within an Azure Virtual WAN Secured Virtual Hub, rather than relying on Azure to automatically assign one is a great feature that provides enhanced control over your network's public-facing IPs, enabling alignment with organizational security policies and compliance standards. In this blog, we'll discuss enhancing your secured virtual hub Azure firewall security by configuring Azure DDoS IP Protection for a comprehensive solution. Recap of the key benefits of using specific Public IPs for your Secured Virtual Hub Azure Firewalls Full Control: Gain complete ownership and management over the lifecycle of your firewall's public IP address. This means you can assign, reassign, and retire IP addresses as needed, ensuring that your network infrastructure remains agile and responsive to changing demands. By having full control, you can also implement custom configurations and policies that align with your specific security and operational requirements. Enhanced Security: Strengthen your network's defenses by enabling Distributed Denial of Service (DDoS) mitigation. This advanced security feature helps protect your infrastructure from malicious attacks that aim to overwhelm your network with excessive traffic. By proactively identifying and neutralizing potential threats, DDoS mitigation ensures that your services remain available and secure, providing peace of mind and uninterrupted access for your users. IP Address Flexibility: Enjoy the flexibility of allocating public IP addresses from a predefined IP prefix pool. This allows you to efficiently manage your IP resources, ensuring that you have the right number of addresses available for your current and future needs. With this flexibility, you can easily scale your network, accommodate new devices, and optimize IP address usage, all while maintaining a streamlined and organized IP address management system. How-to enable Azure DDoS IP Protection In this section we’ll configure Azure DDoS Protection to prevent DDoS attacks against the deployment. This is a key benefit that comes with the ability to configure your own public IPs on the Azure Firewall with Secured Virtual Hub. Select any of the public IPs you have associated with the firewall, this should bring you to the Overview blade of that resource. From the Overview blade, select the Protect button under Get Started. This will be how we enable the protection level for the public IP today, since the SKU that can be used for the protection will be Azure DDoS IP Protection, not Azure DDoS Network Protection. Since the virtual network used for the Virtual Hub is a managed virtual network, we cannot use the DDoS Network Protection SKU. You do have the option to enable this level of protection via Azure PowerShell or Azure CLI. From this view, we can see the various ways to configure DDoS protection for a public IP in Azure. As mentioned before, public IPs associated with an Azure Firewall in Secured Virtual Hub must use IP protection. In case you already have a DDoS Protection Plan, you will have the option to link it to the DDoS IP SKU when enabling the IP protection. When a DDoS IP SKU is linked to a plan, you will only be charged by your DDoS Protection Plan, instead of being charged for both. Once DDoS IP Protection is enabled, you can check the following 3 metrics, under the public IP resource, to validate the threshold levels applied to the public IP. Inbound SYN packet to trigger DDoS mitigation Inbound UDP packets to trigger DDoS mitigation Inbound TCP packet to trigger DDoS mitigation This indicates that the Azure DDoS IP Protection is on and protecting the workload behind the public endpoint. Conclusion Configuring specific public IP addresses for your Azure Firewall within a secured virtual hub represents a major leap forward in network security management. This feature not only offers enhanced control over your firewall's public-facing IPs but also significantly bolsters your security posture by incorporating Azure DDoS IP Protection. By utilizing this capability, you can safeguard your firewall against potential DDoS attacks, ensuring a more resilient and secure environment for your applications and services.Fortify Your Azure Firewall: Custom Public IP Configuration on Secured Virtual Hub Deployments
Written in collaboration with davidfrazee and gusmodena. In today's cloud-centric world, managing network security is more critical than ever. Azure Firewall has always been a robust solution for protecting your virtual networks, but recent updates have made it even more powerful. One of the latest enhancements allows you to configure which public IP addresses are used on your Azure Firewall in an Azure Virtual WAN Secured Virtual Hub, rather than having Azure automatically assign one for you. This new feature provides greater control over your network's public-facing IPs, enabling you to align them with your organization's security policies and compliance requirements. Moreover, this capability opens the door to leveraging Azure DDoS IP Protection. By selecting specific public IPs for your firewall, you can ensure that these addresses are shielded from distributed denial-of-service (DDoS) attacks, enhancing the overall security posture of your Azure environment. This integration not only fortifies your defenses but also simplifies the management of your network security infrastructure. In this blog, we will discuss our newly announced feature for Azure Firewall, detailing how to configure public IP addresses from your own subscription and highlighting the benefits of this enhancement. Key Benefits Full control – Own and manage the lifecycle of your firewall’s public IP. Enhanced security – Enable DDoS mitigation for better protection. IP address flexibility – Allocate public IPs from an IP prefix pool. How-To To get started with configuring public IP addresses on your Azure Firewall, you'll need to follow a few straightforward steps. This guide will walk you through the process, ensuring that you can take full advantage of this new feature. By the end of this section, you'll have a clear understanding of how to assign specific public IPs to your firewall, enhancing your control over network security and enabling the integration of Azure DDoS IP Protection. You’ve created an Azure Virtual WAN and now need to deploy secured virtual hubs. A great place to start with building out the environment in the Azure Portal will be in the Azure Firewall Manager. Here you’ll be able to have a centralized management portal to view your Azure Firewalls, firewall policies, Azure DDoS Protection plans, and more. Once you’re in Azure Firewall Manager, select Virtual Hubs to build a new secured virtual hub. Once you’ve configured the basic configurations for the secured virtual hub, you’ll have the option to start creating the Azure Firewall. You’ll notice a new option called Select source of public IP. Here we will select Customer provided (Preview) to define which public IPs will be used for the new secured virtual hub. You’ll have the option to choose a pre-created public IP or to create new from the firewall manager blade. With the secured virtual hub created, we can navigate back to Azure Firewall Manager and manage the new deployment from there. Under Virtual Hubs, select on the Firewall name to manage the public IP addresses. To add more public IPs to your Azure Firewall, you can either create new public IP resources or select from pre-created ones. This feature ensures that Azure won't just assign an IP for you; instead, you have the flexibility to choose or create the specific public IPs that align with your network requirements. This approach provides greater control and customization for your firewall's public-facing IP addresses. Now that we’ve added public IPs to the Azure Firewall, we can configure Azure DDoS Protection to prevent DDoS attacks against the deployment. This is a key benefit that comes with the ability to configure your own public IPs on the Azure Firewall with Secured Virtual Hub. Stay tuned for our next blog post where we’ll go through the steps needed to protect the Public IP associated to your secured virtual hub Azure Firewall. Conclusion The ability to configure specific public IP addresses for your Azure Firewall in a secured virtual hub marks a significant advancement in network security management. This feature not only grants you greater control over your firewall's public-facing IPs but also enhances your security posture by enabling the integration of Azure DDoS IP Protection. As we continue to navigate the complexities of cloud security, features like these empower organizations to tailor their security strategies to meet their unique needs and compliance requirements. Stay tuned for more updates and best practices on optimizing your Azure Firewall and protecting your network infrastructure.Enhancing Azure Firewall Management with Change Tracking
Azure Firewall's Change Tracking (Preview) feature is a powerful enhancement that provides administrators with insights into changes made to firewall configurations, particularly Rule Collection Groups. This feature leverages Azure Resource Graph (ARG) to enable efficient monitoring and analysis of changes, improving visibility, accountability, and troubleshooting capabilities. Key Benefits of Change Tracking Enhanced Visibility Monitor modifications to Rule Collection Groups, enabling administrators to track configuration changes in real time. Improved Accountability Identify when changes were made and what changed, addressing compliance and audit requirements. Efficient Troubleshooting Detect unintended changes quickly to resolve issues affecting security or performance. How Azure Resource Graph (ARG) Powers Change Tracking Azure Resource Graph is the backbone of the Change Tracking feature, providing an efficient query and analysis engine designed for large-scale Azure environments. ARG collects metadata and property changes from Azure resources, including Azure Firewall, and enables administrators to query and analyze this data. Key ARG Features for Change Tracking: Scalable Querying: ARG supports querying changes across multiple subscriptions, management groups, or even tenants, ensuring insights are accessible for large environments. Detailed Change Insights: Administrators can query historical data, revealing what property changed and when. Kusto Query Language (KQL): ARG queries use KQL, allowing for flexible filtering, grouping, and analysis. ARG’s recent support for Rule Collection Groups ensures precise tracking of firewall rule changes, such as: Addition or removal of rule collections. Updates to specific rules (e.g., IP ranges, protocols, actions). Reordering of rule collections affecting priority and execution. How to Use Change Tracking with ARG Administrators can use the Azure Resource Graph Explorer in the Azure Portal to execute custom queries. Here’s an example query to retrieve changes in Rule Collection Groups: networkresourcechanges | where properties contains "microsoft.network/firewallpolicies/rulecollectiongroups" | where properties contains "properties.rulecollections" For more readable logs, you can use the following enhanced query: networkresourcechanges | where properties contains "microsoft.network/firewallpolicies/rulecollectiongroups" | extend parsedProperties = parse_json(properties) | extend TargetResource = tostring(parsedProperties.targetResourceId), Timestamp = todatetime(parsedProperties.changeAttributes.timestamp), Changes = todynamic(parsedProperties.changes), ChangeType = tostring(parsedProperties.changeType), PreviousSnapshotId = tostring(parsedProperties.changeAttributes.previousResourceSnapshotId), NewSnapshotId = tostring(parsedProperties.changeAttributes.newResourceSnapshotId), CorrelationId = tostring(parsedProperties.changeAttributes.correlationId), ChangesCount = toint(parsedProperties.changeAttributes.changesCount), TenantId = tostring(tenantId), Location = tostring(location), SubscriptionId = tostring(subscriptionId), ResourceGroup = tostring(resourceGroup), FirewallPolicyName = extract('/firewallPolicies/([^/]+)/', 1, tostring(id)) | mv-expand ChangeKey = bag_keys(Changes) | extend ChangeDetails = todynamic(Changes[tostring(ChangeKey)]) | extend RuleCollectionName = extract('properties\\.ruleCollections\\["([^"]+)"\\]', 1, tostring(ChangeKey)) | where isnotempty(RuleCollectionName) | summarize Changes = make_list(pack("ChangeKey", ChangeKey, "PreviousValue", tostring(ChangeDetails.previousValue), "NewValue", tostring(ChangeDetails.newValue))) by Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss'), TenantId, SubscriptionId, ResourceGroup, Location, TargetResource, FirewallPolicyName, RuleCollectionName, ChangeType, PreviousSnapshotId, NewSnapshotId, CorrelationId, ChangesCount | project Timestamp, TenantId, SubscriptionId, ResourceGroup, Location, TargetResource, FirewallPolicyName, RuleCollectionName, ChangeType, PreviousSnapshotId, NewSnapshotId, CorrelationId, ChangesCount, Changes This enhanced query filters changes related to Azure Firewall's Rule Collection Groups, parses and extracts key details like timestamps, change types, and rule collection names, and formats the output for readability. This provides a clear and detailed log of configuration changes, making it easier for administrators to monitor and analyze changes over time. Here is a screenshot showing an example of the output from this query: Real-World Use Cases Change Management Maintain a historical record of configuration changes for audits and compliance. Security Monitoring Detect unauthorized changes to firewall rules, ensuring configurations remain aligned with organizational security policies. Operational Efficiency Quickly identify and resolve issues caused by recent changes to Rule Collection Groups. Conclusion With Change Tracking (Preview), powered by Azure Resource Graph, Azure Firewall becomes a more robust tool for managing and securing your network environment. Administrators gain enhanced control and insight into firewall configurations, improving their ability to maintain compliance, troubleshoot issues, and enforce security policies effectively. Start exploring Change Tracking today using the Azure Resource Graph Explorer and enhance your network security posture.Azure Firewall integration in Security Copilot: protect networks at machine speed with gen AI
Today, at Microsoft Build, we are excited to announce the availability of the Azure Firewall integration in Security Copilot. It helps analysts perform detailed investigations of the malicious traffic intercepted by the IDPS feature of their firewalls across their entire fleet using natural language questions in the Security Copilot portal. Azure Firewall is a cloud-native and intelligent network firewall security service that provides best of breed threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. In this blog we will walk through the newly announced Azure Firewall integration in Security Copilot. These capabilities were announced at RSA. Take a look at this blog to learn more about the user journey and value that Copilot can deliver: Bringing generative AI to Azure network security with new Microsoft Copilot integrations. There are four primary capabilities now in preview which are outlined below. Get top IDPS signature hits This capability retrieves the top IDPS signature hits for an Azure Firewall. It helps the user get information about the traffic intercepted by the IDPS feature by simply asking natural language questions instead of the user having to construct KQL queries manually. Get details on an IDPS signature This capability enriches the threat profile of an IDPS signature beyond the information found in logs. It helps the user get additional details about an IDPS signature instead of requiring them to manually source this information. Search across firewalls for an IDPS signature This capability looks for a given IDPS signature across your tenant, subscription or resource group. It helps users perform a fleet-wide search (over any scope) for a threat across all their Firewalls instead of searching for the threat manually. Secure your environment using IDPS This capability generates recommendations to secure your environment using Azure Firewall’s IDPS feature. It helps users get information from documentation about using Azure Firewall’s IDPS feature to secure their environment instead of having to look up this information manually. Get started Learn more in our documentation about these capabilities and how to access them today!Copilot in Azure embedded experience for Azure Firewall integration in Security Copilot
Today, at Microsoft Ignite, we are excited to announce that we are building on our announcement at RSA and Microsoft Build earlier this year and integrating Security Copilot even more closely with our Network Security products. These capabilities were launched on the Security Copilot portal (also called the standalone experience) earlier this year. The Security Copilot attack investigation capabilities for Azure Firewall can now be queried via the Copilot in Azure experience (also called the embedded experience) directly on the Azure portal where you regularly interact with your Azure Firewalls, bringing interactive, generative AI-powered capabilities even closer to where you work. To learn more about the user journey and value that Copilot can deliver, see Bringing generative AI to Azure network security with new Microsoft Copilot integrations | Microsoft Azure Blog. Investigating Azure Firewall IDPS attacks using Copilot As a member of your organization’s network security team, it is imperative that you understand the kinds of threats your network security devices are intercepting. Azure Firewall intercepts and blocks malicious traffic using a deep-packet inspection technology called IDPS (Intrusion Detection and Prevention System) today. However, when you need to perform a deeper investigation of the threats that Firewall catches using IDPS, you need to do this manually - which is a non-trivial and time-consuming task. The Azure Firewall integration in Security Copilot helps analysts perform these investigations with the speed and scale of AI. Retrieve the top IDPS signature hits for an Azure Firewall The first step in an investigation is to pick a specific Azure Firewall and see the threats it has intercepted. Analysts today spend hours writing custom queries or navigating through several manual steps to retrieve threat information from Log Analytics workspaces. With Copilot, you just need to ask about the threats you'd like to see, and Copilot will present you with the requested information. Azure Copilot presents the top 5 IDPS signatures flagged in the requested time period along with a brief summary of why each signature is a threat and volumetric information on the number of flows associated with each signature. Enrich the threat profile of an IDPS signature beyond log information The next step in an investigation is to better understand the nature and impact of these threats. Today, analysts must retrieve additional contextual information such as geographical location of IPs, threat rating of a fully qualified domain name (FQDN), details of common vulnerabilities and exposures (CVEs) associated with an IDPS signature and more, manually from various sources. This process is slow and involves a lot of effort. Copilot pulls information from the relevant sources to enrich your threat data in a fraction of the time. Copilot provides a brief summary of both the attacks as well as a comparison between the two, emphasizing the differing severities and why it is crucial to respond to these threats quickly. You can drill deeper if you’d like by asking follow up questions or by asking the same question again to get Copilot to reinforce or substantiate any of its answers. For example, reinforcing that you’d like to understand how much of a threat an attack is, even though Copilot may have already provided an answer to that question, is a great way for junior analysts, or anyone operating outside of their normal area of focus to truly understand what is happening. Look for a given IDPS signature across your environment Once a detailed investigation has been performed for a single Azure Firewall and single threat, analysts would like to determine if these threats were seen elsewhere in their environment. All the manual work you performed for an investigation for a single Azure Firewall is something you would have to repeat fleet wide. Copilot can do this at machine speed and help correlate this information with other security products to better understand how attackers are targeting your entire infrastructure. Copilot searches across your entire tenant and finds that another Firewall also saw one of the attacks over the timespan you defined. Your suspicions are unfortunately confirmed. This is a threat that is targeting multiple points of entry in your environment. You can ask a follow up question to search for another high severity threat as well, now that you know that at least one threat was not contained to a single Firewall and has proliferated across your environment. Secure your environment using IDPS Now that you are convinced this attack warrants attention from your organization, as a first step, you can ask Copilot for some recommendations on how to better use your Firewall to protect against these kinds of attacks. Copilot produces a response that combines contextual information from your conversation alongside general network security best practices and specific guidance from Azure Firewall documentation to produce a response that is informative. Looking forward In addition to the open prompting experience covered in this blog. We are also working on embedding Copilot directly into the Firewall portal so that you can simply click buttons with suggested prompts that automatically pull relevant information from context and generate helpful responses – making it easy to invoke Copilot when contextually relevant while still giving you complete control over its usage. embedded experiences on the Azure portal We are also excited to share a sneak peek of upcoming capabilities like Natural language to KQL for IDPS that are currently being tested by a small group of customers. This capability can act as a query assistant helping you craft complex queries but can also help find answers to questions you have by running automatically generated queries on the appropriate Log Analytics workspaces to retrieve the relevant data. This is only the start of our journey toward infusing AI into every aspect of our Network Security offerings making it easier for our customers to be more productive and quickly analyze threats and mitigate vulnerabilities to stay ahead of their adversaries. These capabilities are in preview and over the coming weeks we look forward to adding new capabilities and making improvements based on your feedback. Get started Learn more in our documentation about these capabilities and how to use them today!Enhancements to the Azure Firewall User Experience
This blog was co-authored by Abhinav Sriram, with contributions from Gopikrishna Kannan. Introduction Everyday, IT administrators face the challenge of securing networks while maintaining application uptime and performance. With a constantly evolving threat landscape and an influx of new vulnerabilities, staying ahead is no easy task. Cloud applications are increasingly leveraging AI to access critical data with reliability, and new applications are rapidly being onboarded. At the same time, organizational security requirements continue to expand in response to government regulations and customer expectations. CIOs are demanding that IT teams do more with less, and the demands can feel daunting. To meet these challenges, IT administrators need modern tools and resources that simplify operations, maintain security, and ensure application performance and compliance. The Azure Firewall team understands these operational needs and the proactive measures administrators require to minimize risk. We're excited to introduce new experiences and capabilities that streamline firewall management, making it easier to monitor, diagnose, and resolve issues quickly. Improved governance and compliance: Through Azure Policies and Azure Advisor recommendations, IT teams can maintain alignment with product and organizational standards, minimizing risk through proactive guidance. Optimized management and diagnostics: Through Azure Firewall Policy Change Tracking and the Diagnose and Solve Blade, administrators can monitor configuration changes and identify solutions to resolve issues quickly. In addition, the new user experiences for setting up a Management NIC and upcoming features like Packet Capture and Maintenance Configuration provide users with the kind of enhanced control and visibility they need for critical services like Firewall. Stay Updated with New Capabilities: The "What's New" experience in Azure Firewall Manager and the Private Preview Program keep administrators informed about updates and provide early access to new features. In this blog, we'll walk through each of these features more in-depth and explore how they assist administrators with tasks at different stages of firewall management beginning with features that bring enhanced governance and compliance to Azure Firewall. Built-In Azure Policies Azure Firewall now includes support for Azure Policy, designed to enhance governance and enforce security best practices. When administrators are initially configuring their firewalls or shortly after deployment, managing configurations across multiple firewalls to meet organizational standards can be complex and prone to oversight or error. These built-in policies simplify this process by automatically applying rules across your firewall resources and ensuring compliance with essential security and operational requirements. For example, administrators can enforce policies requiring Threat Intelligence to be enabled on all firewalls for added protection or mandating that only encrypted traffic is allowed into the environment. These policies offer a streamlined way to maintain consistent security practices, aligning firewall settings with organizational and regulatory standards. For detailed information on configuration and enforcement of these policies, see this blog. Image: Built-in Azure Policies Image: Azure Policy compliance enforcement across Firewall resources Built-In Azure Advisor Recommendations After deploying a firewall, it's essential to monitor any limitations that could impact its performance, particularly in large or complex environments with high traffic volumes. Azure Advisor, a personalized service, offers recommendations to help users optimize Azure resources across five key areas: reliability, security, operational excellence, performance, and cost. With this integration, Azure Advisor can proactively notify you if your Azure Firewall deployment is reaching any limitations, experiencing performance impacts, or has potential misconfigurations. This means you’ll be able to receive timely recommendations to address issues before they affect your network security, ensuring a seamless and secure experience. The current Azure Advisor recommendations include the following: Exceeding rule limitations on Firewall policy: Get notified if your firewall policy is reaching the maximum allowed rules, which may impact performance. Exceeding IP Group limitations on Firewall policy: Alerts for when IP groups used in your firewall policies exceed their defined limits. Exceeding Firewall Policy or Rule Collection Group size: Suggestions to optimize or restructure policies when they grow too large, potentially affecting management or performance. By leveraging these recommendations, you can maintain optimal firewall performance, address potential security risks, and reduce unnecessary costs. Stay tuned for more enhancements as we continue to add more recommendations into Azure Advisor for Azure Firewall. Policy Analytics is another Firewall capability that provides you with insights and recommendations for your environment. Image: Azure Advisor recommendation for “Firewall policy is reaching network rule limitations” Next, let’s dive into the capabilities that help with optimized management and diagnostics. Change Tracking (Preview) Azure Resource Graph (ARG) is an Azure service designed to provide efficient and performant resource exploration at scale. Azure Resource Graph (ARG) provides change analysis data for various management and troubleshooting scenarios. Users can find when changes were detected on an Azure Resource Manager (ARM) property, view property change details and query changes at scale across their subscription, management group, or tenant. ARG change analysis recently added support for RuleCollectionGroups. You can now track changes to Azure Firewall Rule Collection Groups using an Azure Resource Graph query from the Azure Portal ResourceGraphExplorer page using a query like this: Below is a sample change output. This capability can help you track changes made to your Firewall rules helping ensure accountability for a sensitive resource like a Firewall. Diagnose and Solve Blade The Diagnose and Solve problems blade is a feature in Azure that helps customers troubleshoot and solve Azure issues. It helps you explore the most common problems for your Azure Firewalls by providing quick access to service/resource health insights, automated troubleshooters, curated do-it-yourself troubleshooting guides, and additional troubleshooting tools that are all part of the self-help experience designed to help customers solve their problems even before bringing it to Microsoft support teams. To use this feature, you need to navigate to your Firewall in the Azure portal and select Diagnose and solve problems. Image: The Diagnose and Solve blade in Azure Firewall Portal This feature allows you to troubleshoot failures without needing to go through the standard process of filing a support ticket and also provides you with a summarized view of resource health and changes made to the resource in the last 72 hours. Management NIC Changes An Azure Firewall Management NIC separates Firewall management traffic from customer traffic. The firewall routes its management traffic via the dedicated AzureFirewallManagementSubnet (minimum subnet size /26) and its associated public IP address. This feature was previously called Forced Tunneling, as originally, a Management NIC was required only for Forced Tunneling. However, upcoming Firewall features will also require a Management NIC. To support any of these capabilities, you must create an Azure Firewall with the Firewall Management NIC enabled or enable it on an existing Azure Firewall. This is a mandatory requirement to avoid service disruption. To learn more, see Azure Firewall Management NIC | Microsoft Learn. Image: The updated Firewall Management Portal UX in the Create Azure Firewall workflow Lastly, let’s take a look at some of the ways in which you can stay updated with the latest going on with Azure Firewall. Updates to What’s new in Firewall Manager The “What’s new” page in Firewall Manager is kept updated with the most recent product releases across the Network Security portfolio and now easily links to the Copilot for Security integration for Azure Firewall. The Azure Firewall Plugin has four capabilities that help analysts perform detailed investigations of the malicious traffic intercepted by the IDPS feature of their firewalls across their entire fleet using natural language questions in the Copilot for Security standalone experience. To learn more about the user journey and value that Copilot can deliver, see the Azure blog. To see these capabilities in action, take a look at this Tech Community blog, and to get started, see the documentation. Image: Snapshot of the What's New user experience in Azure Firewall Manager Azure Connection Program The Azure Connection Program is an engineering feedback community for Azure customers and partners allowing you to directly engage with the product team of Azure Firewall and get early access to upcoming features like Packet Capture and Maintenance Configurations. This is an avenue where the product team actively engages with customers to get valuable feedback that can help impact the product roadmap. If you’re interested in joining and trying out new features early, please sign up here.
