AZURE FIREWALL POLICY
A firewall policy is the configuration resource that Azure Firewall Manager uses to manage Azure Firewall. It can be shared across Azure Firewall instances in Secured Virtual Hubs and Hub Virtual Networks, and policies can work across regions and subscriptions.
Standard and Premium Policies
A Standard policy provides network and application rules, DNS proxy, web categories and threat intelligence. A Premium policy additionally supports TLS inspection, URL filtering and IDPS (intrusion detection and prevention).
Hierarchical Policies
New policies can be created from scratch or derived from existing policies. Inheritance lets DevOps teams build local firewall policies on top of organization-mandated base policies.
A policy with a parent policy inherits all the rule collections from that parent. Network rule collections taken from a parent policy are always placed above network rule collections defined in the child policy. The same rule applies to application rule collections.
Threat intelligence mode is also inherited from the parent policy. The child policy can override it with a different value, but cannot turn it off.
Azure Firewall Policy Rule Sets
A firewall policy is a top-level resource containing security and operational settings for the firewall. It is used to manage the firewall's rule sets that filter traffic. The policy organizes the rule sets in a hierarchy of rule collection groups, rule collections and rules.
Rule Collection Groups
A rule collection group categorizes rule collections. Groups are the first element processed by the Azure Firewall, in order of their priority values. Three rule collection groups exist by default, and their priority values are fixed by design. They are:
- Default DNAT
- Default Network Rule Collection Group
- Default Application Rule Collection Group
Rule collection groups contain one or more rule collections of any of the three categories above. The default groups can neither be deleted nor modified, although their processing order can be changed by other means. Custom rule collection groups can be created with the priority values you want.
Rule collections
A rule collection belongs to a rule collection group and contains one or more rules. Rule collections are the second element processed by the firewall and follow a priority order based on their priority values. Each rule collection must have a defined action, either allow or deny, and must match the category of its parent rule collection group. There are three types of rule collections: DNAT, Network and Application.
Rules
A rule belongs to a rule collection and defines which traffic is allowed or denied in the network. Rules are the last element processed by the firewall; they do not have priority values and are instead evaluated top-down within their collection. All traffic passes through the firewall and is evaluated against the rules defined under an allow or deny action. There are three types of rules:
- DNAT
- Network
- Application
DNAT Rules
DNAT rules allow or deny inbound traffic arriving at the firewall's public IP address(es). A DNAT rule is used when a public IP address is translated into a private IP address. The Azure Firewall public IP addresses can be used to listen for inbound traffic from the Internet, filter it and translate it to internal resources in Azure.
Network Rules
Network rules allow or deny inbound, outbound and east-west (lateral) traffic based on the network and transport layers. They filter traffic by IP address, port and protocol.
Application Rules
Application rules allow or deny inbound, outbound and east-west (lateral) traffic based on the application layer. An application rule can filter traffic by fully qualified domain name (FQDN) and by HTTP/HTTPS protocol.
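The hierarchy described above, written out in Bicep as an added example (not code from the original article or from Azure's own documentation): a child policy that inherits an organization base policy, plus one custom rule collection group holding a network rule collection and an application rule collection with different priorities. The base policy ID, resource names, addresses and FQDNs are assumptions.

```bicep
param basePolicyId string // assumed: resource ID of the org-mandated base policy
resource policy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'app-team-policy'
  location: resourceGroup().location
  properties: {
    sku: { tier: 'Standard' } // Premium adds TLS inspection, URL filtering and IDPS
    basePolicy: { id: basePolicyId } // inherited rule collections are processed first
    threatIntelMode: 'Deny' // may override the inherited mode, but not turn it off
  }
}
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: policy
  name: 'app-team-rcg'
  properties: {
    priority: 500 // custom group; the default groups keep their fixed priorities
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-dns'
        priority: 100 // lower value: processed before 'allow-updates'
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule' // rules inside a collection are matched top-down
            name: 'dns-out'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ '10.10.0.0/16' ]
            destinationAddresses: [ '168.63.129.16' ]
            destinationPorts: [ '53' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-updates'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'ms-updates'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ '10.10.0.0/16' ]
            targetFqdns: [ '*.update.microsoft.com' ]
          }
        ]
      }
    ]
  }
}
```

Because the group carries priority 500, any rule collections inherited from the base policy, and the default groups with their fixed priorities, are evaluated before these collections.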
Continuum Innovations is a Cloud service provider that caters to Azure Managed services and other cloud-related aspects, including migration, data analysis and lots more. Get in touch with us today and make us your partner in your cloud journey! Visit www.continuuminnovations.com.