Introducing new Azure Firewall capabilities

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

We are happy to share several key Azure Firewall capabilities as well as updates on recent important releases into general availability (GA) and preview.

New GA regions have been established in Qatar Central, China East, and China North.

IDPS Private IP ranges are now generally available (GA).

Single Click Upgrade/Downgrade now in preview.

Enhanced Threat Intelligence now in preview.

KeyVault with no internet access is now in preview.

Azure Firewall is a cloud-native firewall-as-a-service offering that allows customers to centrally govern and log all of their traffic flows using a DevOps methodology. The service supports both application and network-level filtering rules and is integrated with the Microsoft Threat Intelligence feed to filter known malicious IP addresses and domains. Azure Firewall has built-in auto-scaling and is highly available.

New GA regions have been established in Qatar Central, China East, and China North.

We are pleased to announce the general availability of Azure Firewall Standard, Azure Firewall Premium, and Azure Firewall Manager in three new regions: Qatar Central, China East, and China North.

Azure Firewall is now available in 51 regions worldwide, thanks to these three new regions!

IDPS Private IP ranges are now generally available (GA)

A network intrusion detection and prevention system (IDPS) allows you to monitor network activity for malicious activity, log information about it, report it, and potentially block it.

Private IP address ranges are used in Azure Firewall Premium IDPS to identify traffic direction (inbound, outbound, or internal) to allow accurate matches with IDPS signatures. Only ranges defined by the Internet Assigned Numbers Authority (IANA) RFC 1918 are considered private IP addresses by default. To modify your private IP addresses, you can now easily edit, remove, or add ranges as needed.

Portal experience for IDPS Private IP range capability for Azure Firewall.
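How the private range list changes the direction assigned to a flow, shown as an added illustration (not Azure Firewall's own code). The classification rule, the "external" label, and the extra range 100.64.0.0/10 are assumptions made for the example, and the flows are constructed samples.

```python
import ipaddress

# IANA RFC 1918 ranges: the default private set named in the text above.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_ranges(ranges):
    """Validate CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def is_private(ip, private_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in private_nets)


def direction(src, dst, private_nets):
    """Assumed rule: direction follows from which ends fall in a private range."""
    src_priv = is_private(src, private_nets)
    dst_priv = is_private(dst, private_nets)
    if src_priv and dst_priv:
        return "internal"
    if src_priv:
        return "outbound"
    if dst_priv:
        return "inbound"
    return "external"  # not one of the text's three directions: neither end private


# Constructed sample flows (documentation and shared-address-space IPs only).
FLOWS = [
    ("10.1.0.4", "10.2.0.9"),        # spoke to spoke
    ("10.1.0.4", "203.0.113.50"),    # workload to internet
    ("198.51.100.7", "10.1.0.4"),    # internet to workload
    ("100.64.8.20", "10.1.0.4"),     # site that numbers hosts from 100.64.0.0/10
]


def classify_all(private_ranges):
    nets = parse_ranges(private_ranges)
    return [direction(s, d, nets) for s, d in FLOWS]


if __name__ == "__main__":
    default = classify_all(RFC1918)
    custom = classify_all(RFC1918 + ["100.64.0.0/10"])  # assumed custom range
    for (src, dst), a, b in zip(FLOWS, default, custom):
        print(f"{src:>14} -> {dst:<14} default={a:<9} custom={b}")
```

With only the default ranges, the last flow is classified as inbound even though both ends belong to the organisation; adding the range reclassifies it as internal.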

Upgrade/Downgrade with a Single Click (preview)

Customers can now easily upgrade their existing Firewall Standard SKU to Premium SKU or downgrade from Premium to Standard SKU using this new capability. The process is completely automated and has no downtime.

During the upgrade process, users can select the policy to attach to the upgraded Premium SKU: either an existing Premium policy or their existing Standard policy. If customers choose their existing Standard policy, the system duplicates it, upgrades it, and attaches it to the newly created Premium firewall.

This new feature is accessible via the Azure portal, as shown in the screenshot below, as well as PowerShell and Terraform.

Portal experience for single click upgrade/downgrade capability for Azure Firewall

Enhanced Threat Intelligence (preview)

Threat intelligence is information that an organisation uses to understand the threats that have targeted, will target, or are currently targeting it. This data is used to prepare for, prevent, and identify cyber threats seeking to exploit valuable resources. Azure Firewall threat intelligence is sourced from the Microsoft Threat Intelligence feed, which draws on multiple sources, including the Microsoft Cyber Security team.

Your firewall can be configured to alert on and deny traffic from or to known malicious IP addresses and FQDNs using threat intelligence-based filtering. With the new enhancement, Azure Firewall Threat Intelligence has more granularity for filtering based on malicious URLs. This means that Azure Firewall will deny access to a specific URL within a domain if that URL is determined to be malicious.

Customers can use the Threat Intelligence allow list to bypass threat intelligence validation on trusted FQDNs, IP addresses, ranges, and subnets for maximum granularity.

Because the URL is encrypted in HTTPS, customers can use Azure Firewall Premium TLS inspection to enable URL-based Threat Intelligence for their encrypted traffic as well.

Customers can improve their security posture and be better protected against future threats by using Azure Firewall IDPS, Threat Intelligence, and TLS inspection.

KeyVault with no internet access (preview)

Customers must deploy their intermediate CA certificate in Azure KeyVault for Azure Firewall Premium TLS inspection. Customers can eliminate any internet exposure of their Azure KeyVault now that Azure Firewall is listed as a trusted Azure KeyVault service.

At Microsoft, we are constantly evolving Azure Firewall to meet the needs of our customers and assist them in strengthening their security and increasing efficiencies. We announced the preview of Policy Analytics for Azure Firewall last month, which assists in improving your security posture by providing critical insights and recommendations for optimising firewall rules. We also recently announced the preview of Azure Firewall Basic, a new Azure Firewall SKU designed to meet the needs of SMBs by providing enterprise-grade cloud environment protection at an affordable price. Microsoft intends to release additional Azure Firewall enhancements, including new troubleshooting capabilities, very soon. Please be patient!
