Azure Firewall Features
Azure Firewall is a stateful network firewalldeveloped by Microsoft to protect resources hosted in Azure cloud environments. Azure Firewall offers a number of features, including:
- Availability:With Azure’s Availability Zones, the Azure Firewall has a 99.95% availability service level agreement (SLA).
- Scalability:The Azure Firewall scales as needed to meet business needs.
- Threat Intelligence:Azure Firewall traffic filtering can be informed by IP addresses and domains from the Microsoft Threat Intelligence feed.
- Network Address Translation (NAT):Azure Firewall offers source and destination NAT with the ability to associate multiple public IP addresses with the Azure Firewall.
- Forced Tunneling:Outbound traffic from Azure environments can be routed to a particular next hop rather than the Internet to allow additional security inspection by perimeter-based solutions.
- Tagging and Categorization:Traffic can be tagged and categorized to help with the development of firewall rules and traffic filtering.
By deploying Azure Firewall, organizations with assets hosted in Azure can rapidly and easily provide fundamental protection of these assets against cyber threats.
Azure Firewall Premium
Azure Firewall Premium is an upgrade designed for Azure environments containing highly sensitive and regulated data. It includes TLS inspection, an intrusion detection and prevention system (IDPS), URL filtering, and the ability to filter traffic based on web categories.
How Does Azure Firewall Work?
Azure Firewall is a virtual firewall implemented within the Azure Cloud environment. An organization can configure its Azure Firewall so that all traffic entering or leaving its cloud environment or moving from one spoke VNet to another passes through the firewall, where it is subject to analysis and filtering. The Azure Firewall can be monitored and managed via the Azure Monitor.
With the Premium version, the firewall gains the ability to terminate and inspect TLS connections and integrates an IDPS to provide threat prevention based on threat intelligence provided by Microsoft. This provides greater visibility and the ability to block known threats from entering an Azure cloud environment.
Limitations of Azure Firewall
Microsoft’s Azure Firewall offers native protection to resources deployed in Azure cloud environments. However, both the standard and Premium versions have their limitations, including:
- Azure Focus: As its name suggests, Azure Firewall is designed solely to protect Microsoft Azure cloud environments. Most organizations have multi-cloud environments and on-prem assets as well, that the Azure Firewall is unable to protect. Protecting cloud and on-prem resources with multiple solutions makes it difficult to consistently enforce security policies across the entire corporate ecosystem, will incur a higher Total Cost of Ownership, and may increase security risk.
- Lack of Security Integration: Azure Firewall provides some of the functions that organizations require to protect their cloud-based assets, but it is not a comprehensive solution. Additional standalone solutions are required to provide full protection, which increases the complexity of an organization’s cloud security architecture and impedes incident detection and response
- Signature-Based Detection: The IDPS functionality available in the Azure Firewall Premium provides signature-based detection of known malware variants and malicious traffic. Signature-based IDPS provides no protection against novel and zero-day attacks, which make up the majority of modern malware campaigns.
Azure Firewall provides a solid foundation for organizations wishing to protect their Azure-based resources. However, additional solutions are required to provide comprehensive protection against cloud security threats, especially for organizations with a multi-cloud strategy.
Augmenting Azure Firewall with Check Point
Azure Firewall is designed to provide a usable fundamental level of security for Azure cloud environments. Organizations looking to gain a higher level of visibility and control over the traffic entering and leaving their cloud can easily do so with Azure Firewall. By upgrading to Premium, they gain a level of threat prevention and visibility into the TLS-encrypted traffic streams that make up the majority of modern Internet traffic.
For organizations looking to protect multi-cloud environments or need functionality and advanced threat prevention beyond what Azure Firewall offers, Check Point’s CloudGuard provides the ability to enhance and complement the native security features built into Azure environments. Like Azure Firewall, CloudGuard is implemented as a cloud-native virtual appliance that enables organizations to take advantage of the full scalability and benefits of cloud-based environments with a solution tailored to Azure.
For organizations already using Check Point on-premises network security gateways, choosing CloudGuard for cloud network security should be a no-brainer, because it provides the same industry-leading threat prevention, is quickest to deploy due to reduced training and integrations, is easiest because it uses the same UI, processes and security policies as on-prem, has lowest risk compared to introducing new security solutions which may not work with their existing workloads, and enables lowest total cost of ownership because there is no need for new engineering staff to deploy and maintain the cloud security solution.
CloudGuard for Azure is available via the Azure Marketplace and offers a range of vital cloud network security features including:
- Firewall
- Intrusion Prevention System (IPS)
- Antivirus
- Anti-Bot
- IPSec VPN
- Data Loss Prevention
- Application Control
- URL Filtering
- SandBlast Zero-Day Protection including Threat Emulation and Threat Extraction
To learn more about CloudGuard for Azure and how it can augment the security of your Microsoft Azure environments, request a free demo today.
Feedback