Azure firewall is a stateful firewall that is managed and cloud-based for our Azure resources. It has been build for high availability that is built in so no need for additional load balances which other NVA need.
Azure firewall also has the following features
- Application FQDN filtering rules
- Outbound HTTP(s) can be limited to a specific list of fully qualified domain names (FQDN)
- Network traffic filtering rules
- Traffic can be filtered on the five tuples of source and destination IP address, source and destination port, and protocol.
- FQDN tags
- Tags make it easy for allowing specific traffic through the firewall, for example, the Windows Update tag can be used to allow Windows Update traffic through the firewall.
- Service tags
- These are tags that are created by Microsoft to minimize the complexity of rule creation.
- Threat intelligence
- This can be enabled so that the firewall denies traffic from known malicious IP addresses or domains.
- Outbound SNAT
- Outbound traffic is translated through the firewall by doing source NAT to the public IP address of the firewall.
- Inbound DNAT
- Inbound traffic that has been allowed it translated and filtered to the private IP addresses on your virtual networks doing Destination Network Address Translation.
- Multiple public IP addresses
- Azure Firewall can have multiple public IP addresses associated with it, up to 100.
- Azure Monitor logging
- Firewall events are integrated with Azure monitor which allows for the tracing of events through the firewall.