Azure Proactive Resiliency Library v2

azureFirewalls

Summary

Recommendation                                            | Impact | Category                 | Automation Available | In Azure Advisor
----------------------------------------------------------|--------|--------------------------|----------------------|-----------------
Deploy Azure Firewall across multiple availability zones  | High   | High Availability        | Yes                  | No
Monitor Azure Firewall metrics                            | High   | Monitoring and Alerting  | Yes                  | No
Configure DDoS Protection on the Azure Firewall VNet      | High   | Security                 | Yes                  | No
Leverage Azure Firewall policy inheritance model          | Medium | Governance               | No                   | No
Configure 2-4 PIPs for SNAT Port utilization              | Medium | High Availability        | No                   | No
Monitor "AZFW Latency Probe" metric                       | High   | Monitoring and Alerting  | No                   | No

Details


Deploy Azure Firewall across multiple availability zones

Impact:  High Category:  High Availability

APRL GUID:  c72b7fee-1fa0-5b4b-98e5-54bcae95bb74

Description:

Azure Firewall offers different SLAs depending on whether it is deployed in a single availability zone or across multiple zones; a multi-zone deployment can improve reliability and performance.

Potential Benefits:

Enhanced SLA and reliability

Learn More:

Azure Well Architected Framework - Azure Firewall
Deploy Azure Firewall across multiple availability zones

ARG Query:

// Azure Resource Graph Query
// List all Azure Firewalls that are not configured with multiple availability zones or deployed without a zone
resources
| where type == 'microsoft.network/azurefirewalls'
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where array_length(zones) <= 1 or isnull(zones)
| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
| project recommendationId = "c72b7fee-1fa0-5b4b-98e5-54bcae95bb74", name, id, tags, param1="multipleZones:false"



Monitor Azure Firewall metrics

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  3c8fa7c6-6b78-a24a-a63f-348a7c71acb9

Description:

Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks.

Potential Benefits:

Improve health and performance monitoring

Learn More:

Azure Firewall metrics supported in Azure Monitor
Azure Firewall performance

ARG Query:

// Azure Resource Graph Query
// List all Azure Firewalls resources in-scope, along with any metrics associated to Azure Monitor alert rules, that are not fully configured.
resources
| where type == "microsoft.network/azurefirewalls"
| project firewallId = tolower(id), name, tags
| join kind = leftouter (
    resources
    | where type == "microsoft.insights/metricalerts"
    | mv-expand properties.scopes
    | mv-expand properties.criteria.allOf
    | where properties_scopes contains "azureFirewalls"
    | project metricId = tolower(properties_scopes), monitoredMetric = properties_criteria_allOf.metricName, tags
    | summarize monitoredMetrics = make_list(monitoredMetric) by tostring(metricId)
    | project
        metricId,
        monitoredMetrics,
        allAlertsConfigured = monitoredMetrics contains("FirewallHealth") and monitoredMetrics contains ("Throughput") and monitoredMetrics contains ("SNATPortUtilization")
) on $left.firewallId == $right.metricId
| extend alertsNotFullyConfigured = isnull(allAlertsConfigured) or not(allAlertsConfigured)
| where alertsNotFullyConfigured
| project recommendationId = "3c8fa7c6-6b78-a24a-a63f-348a7c71acb9", name, id = firewallId, tags, param1 = strcat("MetricsAlerts:", monitoredMetrics)



Configure DDoS Protection on the Azure Firewall VNet

Impact:  High Category:  Security

APRL GUID:  1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d

Description:

Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans.

Potential Benefits:

Enhanced DDoS attack defense

Learn More:

Azure DDoS Protection overview

ARG Query:

// Azure Resource Graph Query
// List all in-scope Azure Firewall resources, where the VNet is not associated to a DDoS Protection Plan
resources
| where type =~ "Microsoft.Network/azureFirewalls"
| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
| mv-expand ipConfig = properties.ipConfigurations
| project
    name,
    firewallId = id,
    tags,
    vNetName = split(ipConfig.properties.subnet.id, "/", 8)[0],
    vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, "/subnet")))
| join kind=fullouter (
    resources
    | where type =~ "Microsoft.Network/ddosProtectionPlans"
    | mv-expand vNet = properties.virtualNetworks
    | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id)
    )
    on vNetId
| where isempty(ddosProtectionPlanId)
| project recommendationId = "1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d", name, id = firewallId, tags, param1 = strcat("vNet: ", vNetName), param2 = "ddosProtection: Disabled"


Leverage Azure Firewall policy inheritance model

Impact:  Medium Category:  Governance

APRL GUID:  3a63560a-1ed3-6140-acd1-d1d23f9a2e12

Description:

Azure Firewall Policy supports rule hierarchies for compliance enforcement: a central base policy takes priority over the child policies that inherit from it, and Azure custom roles can be used to safeguard the base policy and manage access within subscriptions or groups.

Potential Benefits:

Enhanced compliance and rule hierarchy

Learn More:

Azure Firewall Policy hierarchy

ARG Query:

// under development
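An added example query, not part of APRL, that reports firewalls whose attached Firewall Policy does not inherit from a base policy (and firewalls still using classic rules with no policy at all). It assumes firewallPolicies resources expose properties.basePolicy.id for child policies and that the field is empty for a standalone policy.

```kql
// Added example (not an APRL query): Azure Firewalls outside the policy inheritance model.
// Assumption: a child Firewall Policy carries properties.basePolicy.id; a standalone policy does not.
resources
| where type =~ "Microsoft.Network/azureFirewalls"
| project firewallName = name, firewallId = id, tags,
          policyId = tolower(tostring(properties.firewallPolicy.id))
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Network/firewallPolicies"
    | project policyId = tolower(id),
              policyName = name,
              basePolicyId = tostring(properties.basePolicy.id)
) on policyId
// classify each firewall: no policy attached, or a policy with no base policy
| extend finding = case(
    isempty(policyId), "classic rules: no Firewall Policy attached",
    isempty(basePolicyId), strcat("policy '", policyName, "' has no base policy"),
    "")
| where isnotempty(finding)
| project recommendationId = "3a63560a-1ed3-6140-acd1-d1d23f9a2e12",
          name = firewallName, id = firewallId, tags, param1 = finding
```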



Configure 2-4 PIPs for SNAT Port utilization

Impact:  Medium Category:  High Availability

APRL GUID:  d2e4a38e-2307-4299-a217-4c0cebc9a7f6

Description:

Configure between two and four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall performs SNAT for all outbound traffic to public IP addresses, and each additional PIP provides 2,496 SNAT ports.

Potential Benefits:

Avoids SNAT exhaustion.

Learn More:

Azure Well-Architected Framework review - Azure Firewall

ARG Query:

// under development
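An added example query, not part of APRL, that counts the public IPs attached to each VNet-deployed Azure Firewall and flags those with fewer than two. It assumes every entry in properties.ipConfigurations that carries a publicIPAddress.id corresponds to one SNAT-capable PIP (the separate management IP configuration is not counted), and it excludes secured virtual hub firewalls, whose public IPs are provisioned by the hub.

```kql
// Added example (not an APRL query): VNet firewalls with fewer than two public IPs.
// Assumption: each ipConfiguration with a publicIPAddress.id is one SNAT-capable PIP.
resources
| where type =~ "Microsoft.Network/azureFirewalls"
// secured virtual hub firewalls get public IPs from the hub, not from ipConfigurations
| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
| mv-expand ipConfig = properties.ipConfigurations
| extend publicIpId = tostring(ipConfig.properties.publicIPAddress.id)
// group by firewall; tags are stringified so the dynamic column can be a group key
| summarize publicIpCount = countif(isnotempty(publicIpId))
            by name, firewallId = id, tagsText = tostring(tags)
| where publicIpCount < 2
| project recommendationId = "d2e4a38e-2307-4299-a217-4c0cebc9a7f6",
          name, id = firewallId, tags = parse_json(tagsText),
          param1 = strcat("publicIPs: ", publicIpCount),
          // 2,496 SNAT ports per PIP, as stated in the recommendation above
          param2 = strcat("snatPorts: ", publicIpCount * 2496)
```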



Monitor "AZFW Latency Probe" metric

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  8faace2d-a36e-425c-aa58-2ad99e3e0b7a

Description:

Creating a metric alert that fires when latency probes exceed 20ms for periods longer than 30ms helps identify when firewall instance CPUs are stressed, which may indicate a problem.

Potential Benefits:

Improved CPU stress detection

Learn More:

Azure Well-Architected Framework review - Azure Firewall
Azure Firewall metrics overview

ARG Query:

// under development
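An added example query, not part of APRL, that finds firewalls with no metric alert on the latency probe metric, or whose alert threshold is above the 20ms value named in the recommendation. It assumes the Azure Monitor metric name behind the "AZFW Latency Probe" display name is AZFWLatencyProbe and that the alert criteria expose metricName and threshold under properties.criteria.allOf.

```kql
// Added example (not an APRL query): latency probe alert coverage per Azure Firewall.
// Assumption: the metric is named "AZFWLatencyProbe" in metric alert criteria.
resources
| where type =~ "Microsoft.Network/azureFirewalls"
| project firewallId = tolower(id), name, tags
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Insights/metricAlerts"
    | mv-expand scope = properties.scopes
    | mv-expand criterion = properties.criteria.allOf
    | where tostring(criterion.metricName) =~ "AZFWLatencyProbe"
    | project firewallId = tolower(tostring(scope)),
              threshold = todouble(criterion.threshold)
    // one row per firewall: how many latency alerts exist and the tightest threshold
    | summarize latencyAlerts = count(), minThreshold = min(threshold) by firewallId
) on firewallId
| extend finding = case(
    isnull(latencyAlerts), "no metric alert on AZFWLatencyProbe",
    minThreshold > 20, strcat("latency alert threshold ", minThreshold, " ms is above 20 ms"),
    "")
| where isnotempty(finding)
| project recommendationId = "8faace2d-a36e-425c-aa58-2ad99e3e0b7a",
          name, id = firewallId, tags, param1 = finding
```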