Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
iSmile Technologies will configure Azure Firewall to capture all egress traffic from your Virtual Machine by defining a routeing table with a default route pointing to the Azure Firewall. We’ll configure Azure Firewall policies to allow outbound Internet connections only to the PowerShell Gallery.
Azure Firewall offers the following features:
Built-in high availability
High availability is built-in, so no additional load balancers are required, and you need to configure nothing.
Unrestricted cloud scalability
Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don’t need to budget for your peak traffic.
Application FQDN filtering rules
You can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDN), including wild cards. This feature does not require SSL termination.
Network traffic filtering rules
You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful to distinguish legitimate packets for different connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
FQDN tags make it easy for you to allow well known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.
Outbound SNAT support
All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic from your virtual network to remote Internet destinations.
Inbound DNAT support
Inbound network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
Azure Monitor logging
All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics.
Steps For Implementation:
Phase 1: Discovery and Assessment Phase (2 Days)
Gather below Details from Customer on Current Active Directory Infrastructure
- Audit Current Infrastructure on Azure – IaaS, PaaS, Storage with the existing security posture
- Gather information on Client Application, 3rd Party integration / API and Database deployed
- Discuss with Clients on their business goals, strategic objectives, and security compliance requirements
- Audit Internal; External Users are accessing Environment
Phase 2: Solution Design and Documentation Phase (2 Days)
- Document – Azure Infrastructure summary – Asset List, Concurrent Hits, RPO /RTO required etc
- Propose Fortinet Infrastructure sizing for target environment based on performance metrics
- Document Approach for rules Migration from Existing Firewall if any to Fortinet Firewall (If compatible)
- Provide Azure Estimated Consumption; Fortinet components Estimate
Phase 3: Setup of Fortinet Firewall Under Azure Infrastructure (3 Days)
- Set up Azure VM for Fortinet Firewall with or without HA
- Deploy and Configure Fortinet Firewall Configuration, Rules, Establish VPN etc
- Bring Existing or New Azure IaaS or PaaS infrastructure Fortinet Firewall
- Monitor the Fortinet Firewall working with Azure Client Infrastructure
- Monitor replication health status in case of HA
Phase 4: DR Test (1 Day)
- Carry DR test Drill in case of Fortinet HA Firewall
- Hand over to Client