Firewall


The resiliency recommendations in this guidance cover Azure Firewall and its associated Firewall settings.

Summary of Recommendations

  Recommendation                                                    Category           Impact
  AFW-1 - Deploy Azure Firewall across multiple availability zones  Availability       High
  AFW-2 - Monitor Azure Firewall metrics                            Monitoring         Medium
  AFW-3 - Configure DDoS Protection on the Azure Firewall VNet      Access & Security  High
  AFW-4 - Leverage Azure Policy inheritance model                   Governance         Medium
  AFW-5 - Configure 2-4 PIPs for SNAT Port utilization              Availability       Medium
  AFW-6 - Monitor AZFW Latency Probes metric                        Monitoring         Medium

Recommendations Details

AFW-1 - Deploy Azure Firewall across multiple availability zones

Category: Availability

Impact: High

Guidance

Azure Firewall provides different SLAs when it’s deployed in a single availability zone and when it’s deployed in two or more availability zones.

Resources

Resource Graph Query

// Azure Resource Graph Query
// List all Azure Firewalls that are not configured with multiple availability zones or deployed without a zone
resources
| where type == 'microsoft.network/azurefirewalls'
| where array_length(zones) <= 1 or isnull(zones)
| project recommendationId = "afw-1", name, id, tags, param1="multipleZones:false"



AFW-2 - Monitor Azure Firewall metrics

Category: Monitoring

Impact: Medium

Guidance

Monitor metrics related to availability and performance issues. More specifically:

  • FirewallHealth: Indicates the overall health of the firewall.
  • Throughput: Throughput processed by the firewall. An alert should be triggered if throughput gets close to the documented limits.
  • SNATPortUtilization: Percentage of outbound SNAT ports currently in use. An alert should be triggered if this metric gets close to 100% (at which point source-NATted connections, such as outbound internet connections, will start to fail). If you need more than 512,000 SNAT ports, deploying a NAT gateway with Azure Firewall can be considered. However, deploying a NAT gateway with a zone-redundant firewall is not a recommended deployment option, as the NAT gateway does not support zonal deployment at this time; using a NAT gateway with Azure Firewall requires a zonal firewall deployment. In addition, Azure Virtual Network NAT integration is not currently supported in secured virtual hub network architectures.

Resources

Resource Graph Query

// Azure Resource Graph Query
// List all in-scope Azure Firewalls whose Azure Monitor metric alert rules do not cover all three metrics
// (FirewallHealth, Throughput, SNATPortUtilization), together with the metrics that are alerted on
resources
| where type == "microsoft.network/azurefirewalls"
| project firewallId = tolower(id), name, tags
| join kind=leftouter (
    resources
    | where type == "microsoft.insights/metricalerts"
    | mv-expand properties.scopes
    | mv-expand properties.criteria.allOf
    | where properties_scopes contains "azureFirewalls"
    | project metricId = tolower(tostring(properties_scopes)), monitoredMetric = tostring(properties_criteria_allOf.metricName)
    | summarize monitoredMetrics = make_list(monitoredMetric) by metricId
    | project
        metricId,
        monitoredMetrics,
        allAlertsConfigured = monitoredMetrics contains "FirewallHealth" and monitoredMetrics contains "Throughput" and monitoredMetrics contains "SNATPortUtilization"
) on $left.firewallId == $right.metricId
// a firewall with no alert rule at all has a null allAlertsConfigured after the left outer join
| extend alertsNotFullyConfigured = isnull(allAlertsConfigured) or not(allAlertsConfigured)
| where alertsNotFullyConfigured
| project recommendationId = "afw-2", name, id = firewallId, tags, param1 = strcat("MetricsAlerts:", monitoredMetrics)



AFW-3 - Configure DDoS Protection on the Azure Firewall VNet

Category: Access & Security

Impact: High

Guidance

Associate a DDoS protection plan with the virtual network hosting Azure Firewall. A DDoS protection plan provides enhanced mitigation features to defend your firewall from DDoS attacks. Azure Firewall Manager is an integrated tool to create your firewall infrastructure and DDoS protection plans.

Resources

Resource Graph Query

// Azure Resource Graph Query
// List all in-scope Azure Firewall resources whose VNet is not associated with a DDoS Protection Plan
resources
| where type == "microsoft.network/azurefirewalls"
| mv-expand properties.ipConfigurations
| extend subnetId = tostring(properties_ipConfigurations.properties.subnet.id)
// VNet-deployed firewalls only: a firewall in a secured virtual hub has no subnet
| where isnotempty(subnetId)
// the subnet id is "<vnet id>/subnets/AzureFirewallSubnet"; keep the VNet id prefix
| project name, firewallId = id, vNet = tolower(substring(subnetId, 0, indexof(subnetId, "/subnets/"))), tags
| join kind=leftouter (
    resources
    | where type == "microsoft.network/ddosprotectionplans"
    | mv-expand properties.virtualNetworks
    | extend vNet = tolower(tostring(properties_virtualNetworks.id))
    | project ddosProtectionPlan = id, vNet
    )
    on $left.vNet == $right.vNet
// after the left outer join, a VNet without a plan has a null (empty) ddosProtectionPlan
| where isempty(ddosProtectionPlan)
| project recommendationId = "afw-3", name, id = firewallId, tags, param1 = "ddosProtectionPlan:false"



AFW-4 - Leverage Azure Policy inheritance model

Category: Governance

Impact: Medium

Guidance

Azure Firewall policy allows you to define a rule hierarchy and enforce compliance. It provides a hierarchical structure to overlay a central base policy on top of a child application team policy. The base policy has a higher priority and runs before the child policy. Use an Azure custom role definition to prevent inadvertent base policy removal and provide selective access to rule collection groups within a subscription or resource group.

Resources

Resource Graph Query

// under-development
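An added example query (not part of this guidance's query set) that lists Firewall Policies attached to a firewall but standing outside any policy hierarchy, so no central base policy runs ahead of their rules. It assumes the firewallpolicies resource exposes properties.basePolicy, properties.childPolicies and properties.firewalls as in the ARM schema.

```kql
// Added example query, not from the guidance: list Azure Firewall Policies that are attached to a
// firewall but have neither a base policy above them nor child policies below them, i.e. no
// hierarchy enforces a central base rule set ahead of the application team's rules.
// Assumed property names (ARM schema): properties.basePolicy.id, properties.childPolicies, properties.firewalls
resources
| where type == "microsoft.network/firewallpolicies"
| extend basePolicyId = tostring(properties.basePolicy.id)
// array_length() returns null for a missing array, so default the counts to 0
| extend childCount = coalesce(array_length(properties.childPolicies), 0)
| extend firewallCount = coalesce(array_length(properties.firewalls), 0)
| where firewallCount > 0 and isempty(basePolicyId) and childCount == 0
| project recommendationId = "afw-4", name, id, tags, param1 = strcat("basePolicy:false;attachedFirewalls:", firewallCount)
```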



AFW-5 - Configure 2-4 PIPs for SNAT Port utilization

Category: Availability

Impact: Medium

Guidance

Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall provides SNAT capability for all outbound traffic to public IP addresses, and it provides 2,496 SNAT ports for each additional public IP address (PIP).

Resources

Resource Graph Query/Scripts

// under development
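An added example query (not part of this guidance's query set) that flags firewalls with fewer than two public IP addresses and reports the SNAT port pool implied by the 2,496 ports per PIP stated above. It assumes VNet firewalls list one ipConfiguration per public IP and secured-hub firewalls expose properties.hubIPAddresses.publicIPs.count.

```kql
// Added example query, not from the guidance: list Azure Firewalls that have fewer than two
// public IP addresses, together with the SNAT port pool those addresses provide.
// Assumptions: a VNet-deployed firewall has one entry in properties.ipConfigurations per public IP
// (a forced-tunnel ipConfiguration without a public IP would be over-counted), and a secured
// virtual hub firewall reports its public IP count in properties.hubIPAddresses.publicIPs.count.
resources
| where type == "microsoft.network/azurefirewalls"
| extend pipCount = coalesce(array_length(properties.ipConfigurations),
                             tolong(properties.hubIPAddresses.publicIPs.count),
                             0)
// 2,496 SNAT ports per public IP, as stated in the guidance
| extend snatPorts = pipCount * 2496
| where pipCount < 2
| project recommendationId = "afw-5", name, id, tags,
          param1 = strcat("publicIpCount:", pipCount, ";snatPorts:", snatPorts)
```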



AFW-6 - Monitor AZFW Latency Probes metric

Category: Monitoring

Impact: Medium

Guidance

Create an alert on the latency probe metric for values above 20 ms sustained over a long period of time (> 30 mins). A latency probe that stays high over a long period means the firewall instance CPUs are stressed and could be causing issues.

Resources

Resource Graph Query/Scripts

// under development
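An added example (not part of this guidance's query set) of the sustained-latency check described above, written as a Log Analytics query rather than a Resource Graph query: it flags firewalls whose latency probe averaged above 20 ms in every 5-minute bin of the last 30 minutes. It assumes Azure Firewall platform metrics are sent to the workspace by a diagnostic setting (AzureMetrics table) and that the probe is recorded under MetricName "AzfwLatencyProbe" in milliseconds.

```kql
// Added example Log Analytics query, not from the guidance: detect firewalls whose latency probe
// has stayed above 20 ms for the whole of the last 30 minutes.
// Assumptions: platform metrics reach the workspace via diagnostic settings (AzureMetrics table)
// and the latency probe metric is named "AzfwLatencyProbe" with values in milliseconds.
AzureMetrics
| where TimeGenerated > ago(30m)
| where ResourceId has "azurefirewalls" and MetricName == "AzfwLatencyProbe"
// one average per firewall per 5-minute bin
| summarize avgLatencyMs = avg(Average) by ResourceId, bin(TimeGenerated, 5m)
| summarize bins = count(),
            binsAbove20ms = countif(avgLatencyMs > 20),
            peakAvgMs = max(avgLatencyMs)
          by ResourceId
// require the full 30-minute window (six bins) and every bin over the 20 ms threshold;
// a short spike in one bin does not qualify
| where bins >= 6 and binsAbove20ms == bins
| project ResourceId, peakAvgMs, sustainedMinutes = bins * 5
```

The same condition can drive a scheduled alert rule by running this query on a 5-minute cadence and alerting when it returns any rows.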