Azure Firewall offers different SLAs depending on how it is deployed: in a single availability zone or across multiple zones, the latter potentially improving reliability and performance.
Impact: High
Category: Monitoring and Alerting
PG Verified: Verified
APRL GUID: 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9
Description:
Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage, and get alerted before these limits impact services. Consider NAT gateway integration for zonal deployments; note the limitations with zone-redundant firewalls and secured virtual hub networks.
Configure DDoS Protection on the Azure Firewall VNet
Impact: High
Category: Security
PG Verified: Verified
APRL GUID: 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d
Description:
Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans.
Azure Firewall policy supports a rule hierarchy for compliance enforcement: a central base policy takes priority over child policies, and Azure custom roles can safeguard the base policy and control who manages it within subscriptions or groups.
Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall performs SNAT for all outbound traffic to public IPs, and each additional public IP (PIP) provides 2,496 SNAT ports.
Azure Resource Graph query: under development
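Because the page's own Azure Resource Graph query for the public-IP recommendation is still under development, the following is an added example query, not the APRL's or Microsoft's own code. It assumes the VNet-deployed Azure Firewall schema in which `properties.ipConfigurations` holds one entry per attached public IP and `properties.virtualHub` is set only on secured virtual hub firewalls; the `zones` column is the resource's availability-zone list. Both the output column names and the 2-IP threshold are choices made here, taken from the recommendation text above.

```kql
// Added example (not the APRL's own query): list VNet-deployed Azure Firewalls
// that have fewer than two public IPs and are therefore at risk of SNAT exhaustion.
// Assumption: one ipConfigurations entry per attached public IP (VNet deployment).
resources
| where type =~ 'microsoft.network/azurefirewalls'
// Secured virtual hub firewalls keep their addresses under properties.hubIPAddresses,
// so they are excluded here rather than misreported as having zero public IPs.
| where isnull(properties.virtualHub)
| extend publicIpCount = coalesce(array_length(properties.ipConfigurations), 0)
// Zone count is reported alongside so zonal vs. zone-redundant deployments are visible
// when deciding whether NAT gateway integration is an option for SNAT scaling.
| extend zoneCount = coalesce(array_length(zones), 0)
| where publicIpCount < 2
| project id, name, resourceGroup, subscriptionId, location, publicIpCount, zoneCount,
          recommendation = 'Attach at least two public IPs to avoid SNAT exhaustion'
```

Run it from the Azure Resource Graph Explorer or with the `az graph query -q` command; firewalls that already meet the two-IP minimum, and all secured virtual hub firewalls, are omitted from the result by design.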
Monitor "AZFW Latency Probe" metric
Impact: High
Category: Monitoring and Alerting
PG Verified: Preview
APRL GUID: 8faace2d-a36e-425c-aa58-2ad99e3e0b7a
Description:
Create a metric alert on latency probes exceeding 20ms for periods longer than 30ms; this helps identify when firewall instance CPUs are stressed, which may indicate an underlying issue.