azureFirewalls
Summary
Details
Deploy Azure Firewall across multiple availability zones
Impact: High Category: High Availability
APRL GUID: c72b7fee-1fa0-5b4b-98e5-54bcae95bb74
Description:
Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.
Potential Benefits:
Enhanced SLA and reliability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// List all Azure Firewalls that are not configured with multiple availability zones or deployed without a zone
resources
| where type == 'microsoft.network/azurefirewalls'
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where array_length(zones) <= 1 or isnull(zones)
| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
| project recommendationId = "c72b7fee-1fa0-5b4b-98e5-54bcae95bb74", name, id, tags, param1="multipleZones:false"
Monitor Azure Firewall metrics
Impact: High Category: Monitoring and Alerting
APRL GUID: 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9
Description:
Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks.
Potential Benefits:
Improve health and performance monitoring
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// List all Azure Firewalls resources in-scope, along with any metrics associated to Azure Monitor alert rules, that are not fully configured.
resources
| where type == "microsoft.network/azurefirewalls"
| project firewallId = tolower(id), name, tags
| join kind = leftouter (
resources
| where type == "microsoft.insights/metricalerts"
| mv-expand properties.scopes
| mv-expand properties.criteria.allOf
| where properties_scopes contains "azureFirewalls"
| project metricId = tolower(properties_scopes), monitoredMetric = properties_criteria_allOf.metricName, tags
| summarize monitoredMetrics = make_list(monitoredMetric) by tostring(metricId)
| project
metricId,
monitoredMetrics,
allAlertsConfigured = monitoredMetrics contains("FirewallHealth") and monitoredMetrics contains ("Throughput") and monitoredMetrics contains ("SNATPortUtilization")
) on $left.firewallId == $right.metricId
| extend alertsNotFullyConfigured = isnull(allAlertsConfigured) or not(allAlertsConfigured)
| where alertsNotFullyConfigured
| project recommendationId = "c8fa7c6-6b78-a24a-a63f-348a7c71acb9", name, id = firewallId, tags, param1 = strcat("MetricsAlerts:", monitoredMetrics)
Configure DDoS Protection on the Azure Firewall VNet
Impact: High Category: Security
APRL GUID: 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d
Description:
Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans.
Potential Benefits:
Enhanced DDoS attack defense
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// List all in-scope Azure Firewall resources, where the VNet is not associated to a DDoS Protection Plan
resources
| where type =~ "Microsoft.Network/azureFirewalls"
| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
| mv-expand ipConfig = properties.ipConfigurations
| project
name,
firewallId = id,
tags,
vNetName = split(ipConfig.properties.subnet.id, "/", 8)[0],
vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, "/subnet")))
| join kind=fullouter (
resources
| where type =~ "Microsoft.Network/ddosProtectionPlans"
| mv-expand vNet = properties.virtualNetworks
| project ddosProtectionPlanId = id, vNetId = tolower(vNet.id)
)
on vNetId
| where isempty(ddosProtectionPlanId)
| project recommendationId = "1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d", name, id = firewallId, tags, param1 = strcat("vNet: ", vNetName), param2 = "ddosProtection: Disabled"
Leverage Azure Firewall policy inheritance model
Impact: Medium Category: Governance
APRL GUID: 3a63560a-1ed3-6140-acd1-d1d23f9a2e12
Description:
Azure Firewall policy supports rule hierarchies for compliance enforcement, using a central base policy with higher priority over child policies, and employs Azure custom roles to safeguard base policy and manage access within subscriptions or groups.
Potential Benefits:
Enhanced compliance and rule hierarchy
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Configure 2-4 PIPs for SNAT Port utilization
Impact: Medium Category: High Availability
APRL GUID: d2e4a38e-2307-4299-a217-4c0cebc9a7f6
Description:
Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall offers SNAT for all outbound traffic to public IPs, providing 2,496 SNAT ports for each additional PIP.
Potential Benefits:
Avoids SNAT exhaustion.
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under development
Monitor "AZFW Latency Probe" metric
Impact: High Category: Monitoring and Alerting
APRL GUID: 8faace2d-a36e-425c-aa58-2ad99e3e0b7a
Description:
Creating a metric to monitor latency probes over 20ms for periods longer than 30ms helps identify when firewall instance CPUs are stressed, potentially indicating issues.
Potential Benefits:
Improved CPU stress detection
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under development