Azure Firewall is a cloud-native security service that provides robust protection for your Azure workloads. It offers a range of features designed to enhance security and streamline network management. However, like any service, it also has its limitations. In this blog post, we'll explore both the features and limitations of Azure Firewall, providing you with a comprehensive understanding of what it can and cannot do.
Azure Firewall supports DNAT (Destination Network Address Translation) for private IP addresses, allowing you to connect between overlapping IP networks and hybrid scenarios. This feature is particularly useful for enterprises that need to manage complex network configurations.
Flow Trace Logs record the TCP handshake in detail, including the SYN-ACK, FIN, FIN-ACK, RST, and INVALID flags. This visibility helps identify packet drops and asymmetric routes, making it easier to troubleshoot network issues.
Azure Firewall can automatically scale based on the number of connections, in addition to throughput and CPU usage. This ensures that your firewall can handle varying levels of traffic without manual intervention.
Parallel IP Group updates allow multiple IP Groups to be updated at the same time, reducing the risk of errors when managing many IP Groups. This is especially beneficial for large-scale deployments with complex network rules.
DNAT support for private IP addresses is limited to the Standard and Premium versions of Azure Firewall. This means that enterprises using the Basic version will not have access to this feature.
Network filtering rules for non-TCP/UDP protocols (e.g., ICMP) do not work for Internet-bound traffic. This limitation can impact scenarios where non-TCP/UDP protocols are required for communication.
Azure PowerShell and CLI currently do not support ICMP as a valid protocol in network rules. While it is possible to use ICMP via the portal and REST API, this limitation can be inconvenient for users who prefer scripting.
Moving a firewall to a different resource group or subscription is not supported. To move a firewall, you must delete the current instance and recreate it in the new resource group or subscription.
Network rules with destination ports 80/443 for outbound filtering can mask threat intelligence alerts when configured to alert-only mode. To avoid this, you should create outbound filtering rules using application rules or change the threat intelligence mode to Alert and Deny.
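As an added illustration of the masking issue described above (example code, not from the original post), here is a small audit that walks an exported Azure Firewall Policy and lists every Allow network rule whose destination ports cover 80 or 443 while the policy's threat intelligence mode is alert-only. The dictionary shape and field names (threatIntelMode, ruleCollectionGroups, ruleCollections, destinationPorts) are assumed from the ARM resource schema, and the policy below is a constructed sample.

```python
# Constructed sample: one firewall policy plus one rule collection group,
# shaped after the ARM resource schema (field names are assumptions).
SAMPLE_POLICY = {
    "properties": {"threatIntelMode": "Alert"},  # portal: "Alert only"
    "ruleCollectionGroups": [
        {"properties": {"ruleCollections": [
            {"name": "allow-web-out",
             "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
             "action": {"type": "Allow"},
             "rules": [
                 {"ruleType": "NetworkRule", "name": "any-https",
                  "ipProtocols": ["TCP"], "sourceAddresses": ["10.0.0.0/16"],
                  "destinationAddresses": ["*"], "destinationPorts": ["443"]},
                 {"ruleType": "NetworkRule", "name": "dns",
                  "ipProtocols": ["UDP"], "sourceAddresses": ["10.0.0.0/16"],
                  "destinationAddresses": ["168.63.129.16"],
                  "destinationPorts": ["53"]},
             ]},
        ]}},
    ],
}

WEB_PORTS = (80, 443)


def port_covers_web(port: str) -> bool:
    """True if a destinationPorts entry ('443', '80-443', '*') covers 80 or 443."""
    if port == "*":
        return True
    if "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
        return any(lo <= w <= hi for w in WEB_PORTS)
    return int(port) in WEB_PORTS


def masking_network_rules(policy: dict) -> list:
    """Return 'collection/rule' names of Allow network rules to 80/443 that can
    mask threat intelligence alerts. Only alert-only mode is affected; "Deny"
    (portal: "Alert and deny") and "Off" produce no findings."""
    if policy["properties"].get("threatIntelMode") != "Alert":
        return []
    findings = []
    for group in policy.get("ruleCollectionGroups", []):
        for coll in group["properties"].get("ruleCollections", []):
            if coll.get("action", {}).get("type") != "Allow":
                continue
            for rule in coll.get("rules", []):
                if rule.get("ruleType") != "NetworkRule":
                    continue  # application rules are the recommended alternative
                if any(port_covers_web(p) for p in rule.get("destinationPorts", [])):
                    findings.append(f"{coll['name']}/{rule['name']}")
    return findings


if __name__ == "__main__":
    for hit in masking_network_rules(SAMPLE_POLICY):
        print("network rule may mask threat-intel alerts:", hit)
```

Run it against a policy exported with the CLI or REST API; an empty result after switching the mode to Alert and Deny, or after replacing the flagged network rules with application rules, confirms the fix.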
Azure Firewall offers a robust set of features that enhance network security and management. However, it is important to be aware of its limitations to ensure that it meets your specific needs. By understanding both the strengths and weaknesses of Azure Firewall, you can make informed decisions about how to best utilize this powerful security service.