Deploy Azure Firewall across multiple availability zones
Impact: High | Category: High Availability
APRL GUID: c72b7fee-1fa0-5b4b-98e5-54bcae95bb74
Description:
Azure Firewall offers different SLAs depending on whether it is deployed in a single availability zone or across multiple zones; deploying across zones can improve reliability and performance.
Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage, and get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note the limitations with zone-redundant firewalls and secure virtual hub networks.
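As an added example (not the APRL's own query), the following Azure Resource Graph query lists firewalls that are not spread across at least two availability zones. It reads the top-level `zones` array of the firewall resource; the SKU name is projected so that hub-deployed firewalls (`AZFW_Hub`), whose zone placement is governed by the virtual hub, can be reviewed separately.

```kql
// Added example: Azure Firewalls deployed in fewer than two availability zones.
// Runs against the 'resources' table of Azure Resource Graph.
resources
| where type =~ 'microsoft.network/azurefirewalls'
// 'zones' is null when the firewall was deployed without any zone selection
| extend zoneCount = iif(isnull(zones), 0, array_length(zones))
| where zoneCount < 2
| project name,
          resourceGroup,
          subscriptionId,
          location,
          zoneCount,
          skuName = tostring(properties.sku.name),
          skuTier = tostring(properties.sku.tier)
| order by subscriptionId asc, name asc
```

Run it from the Resource Graph Explorer blade or with `az graph query -q "<query>"`; an empty result set means every firewall in scope is zone-redundant.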
Configure DDoS Protection on the Azure Firewall VNet
Impact: High | Category: Security
APRL GUID: 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d
Description:
Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans.
Azure Firewall policy supports rule hierarchies for compliance enforcement: a central base policy takes priority over child policies, and Azure custom roles safeguard the base policy and manage access within subscriptions or management groups.
Azure Resource Graph query: under development.
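As an added example (not the APRL's own query), this Azure Resource Graph query resolves the virtual network behind each VNet-deployed firewall from its first IP configuration's subnet ID and joins it to the VNet's DDoS settings, returning firewalls whose hosting VNet has no DDoS protection plan attached. It assumes the VNet exposes `properties.enableDdosProtection` and `properties.ddosProtectionPlan.id`; hub-deployed firewalls have no subnet ID and are skipped.

```kql
// Added example: Azure Firewalls whose hosting VNet has no DDoS protection plan.
resources
| where type =~ 'microsoft.network/azurefirewalls'
// Subnet ID has the form .../virtualNetworks/<vnet>/subnets/AzureFirewallSubnet
| extend subnetId = tolower(tostring(properties.ipConfigurations[0].properties.subnet.id))
| where isnotempty(subnetId)
| extend vnetId = substring(subnetId, 0, indexof(subnetId, '/subnets/'))
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.network/virtualnetworks'
    | project vnetId = tolower(id),
              ddosEnabled = tobool(properties.enableDdosProtection),
              ddosPlanId = tostring(properties.ddosProtectionPlan.id)
  ) on vnetId
// tobool() of a missing property is null, so test for null explicitly
| where isnull(ddosEnabled) or ddosEnabled == false or isempty(ddosPlanId)
| project firewall = name, resourceGroup, subscriptionId, vnetId, ddosEnabled, ddosPlanId
```

A firewall that appears here with `ddosEnabled == true` but an empty `ddosPlanId` indicates a VNet where the flag was set without a plan association and is worth a manual look.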
Configure 2-4 PIPs for SNAT Port utilization
Impact: Medium | Category: High Availability
APRL GUID: d2e4a38e-2307-4299-a217-4c0cebc9a7f6
Description:
Configure a minimum of two to four public IP addresses (PIPs) per Azure Firewall to avoid SNAT exhaustion. Azure Firewall performs SNAT for all outbound traffic to public IPs, providing 2,496 SNAT ports for each additional PIP.
Azure Resource Graph query: under development.
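As an added example (not the APRL's own query), this Azure Resource Graph query counts the public IP configurations on each VNet-deployed firewall and flags those with fewer than two. The SNAT port figure is the page's 2,496 ports per PIP, multiplied out per instance; the assumption that every entry in `properties.ipConfigurations` carries a public IP holds for standard VNet deployments, where the management IP lives in the separate `managementIpConfiguration` property.

```kql
// Added example: Azure Firewalls with fewer than two public IPs for SNAT.
resources
| where type =~ 'microsoft.network/azurefirewalls'
// Hub firewalls obtain public IPs from the secure virtual hub, not from ipConfigurations
| where tostring(properties.sku.name) =~ 'AZFW_VNet'
| extend pipCount = iif(isnull(properties.ipConfigurations), 0, array_length(properties.ipConfigurations))
// 2,496 SNAT ports per public IP per firewall instance (figure from the recommendation)
| extend snatPortsPerInstance = pipCount * 2496
| where pipCount < 2
| project name, resourceGroup, subscriptionId, pipCount, snatPortsPerInstance
| order by pipCount asc, name asc
```

Pair this with an alert on the firewall's SNAT port utilization metric so that a firewall with a healthy PIP count is still caught if its outbound connection profile grows.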
Monitor "AZFW Latency Probe" metric
Impact: High | Category: Monitoring and Alerting
APRL GUID: 8faace2d-a36e-425c-aa58-2ad99e3e0b7a
Description:
Creating a metric alert for latency probes over 20ms sustained for periods longer than 30ms helps identify when firewall instance CPUs are stressed, potentially indicating issues.
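As an added example (not the APRL's own query), this Azure Resource Graph query finds firewalls that have no enabled metric alert rule targeting the latency probe metric. It assumes the metric is referenced by its internal name `FirewallLatencyPng` in `properties.criteria.allOf[].metricName` of `microsoft.insights/metricalerts` resources, and that the alert is scoped directly to the firewall resource ID; rules scoped at subscription or resource group level would not match and would need a separate check.

```kql
// Added example: Azure Firewalls without an enabled latency-probe metric alert.
let alertedScopes =
    resources
    | where type =~ 'microsoft.insights/metricalerts'
    | where tobool(properties.enabled) == true
    // One row per (scope, criterion) so the metric name can be filtered
    | mv-expand scope = properties.scopes
    | mv-expand criterion = properties.criteria.allOf
    // Assumed internal metric name for "AZFW Latency Probe"
    | where tostring(criterion.metricName) =~ 'FirewallLatencyPng'
    | project scope = tolower(tostring(scope));
resources
| where type =~ 'microsoft.network/azurefirewalls'
| extend fwId = tolower(id)
// leftanti keeps only firewalls that do not appear as an alert scope
| join kind=leftanti alertedScopes on $left.fwId == $right.scope
| project name, resourceGroup, subscriptionId, location
| order by subscriptionId asc, name asc
```

The threshold and evaluation window (20ms over the period given above) belong in the alert rule itself; this query only confirms that such a rule exists for every firewall.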