Azure Firewall


Last updated on March 9, 2023

Azure Firewall Cheat Sheet

  • A managed, cloud-based network security service that protects your VNet resources; it uses a static public IP address, so outside firewalls can identify traffic originating from your VNet.
  • Azure Firewall is PCI, SOC, ISO, ICSA Labs, and HITRUST compliant.


Features

  • A stateful firewall service.
  • You can enable forced tunneling to route Internet-bound traffic to an additional firewall or network virtual appliance.
  • Limit outbound traffic to a given FQDN list, including wildcards.
    • Filter outbound traffic for any TCP/UDP protocol.
    • To use FQDNs in your rules, you must enable DNS proxy.
  • Deny traffic to and from malicious IP addresses with threat intelligence-based filtering.
    • Threat intelligence rules have the highest priority and are always processed first.
    • Threat intelligence modes: Off, Alert only, Alert and deny.
  • With DNS proxy enabled, the firewall listens on port 53 and forwards DNS requests to a DNS server.
  • Service tags reduce the complexity of creating security rules.
  • Associate up to 250 public IP addresses with your firewall.
  • It supports SNAT and DNAT:
    • SNAT – Source NAT for outbound VNet traffic.
    • DNAT – Destination NAT for inbound network traffic.
  • Azure Firewall diagnostic logs (JSON format):
    • Application rule log
    • Network rule log
  • Logs can be stored in a storage account, Event Hubs, or Azure Monitor Logs.
  • Azure Firewall metrics:
    • Application/Network rules hit count
    • Data processed
    • Throughput
    • Firewall health state
    • SNAT port utilization
  • To manage multiple firewalls, use Azure Firewall Manager.
  • Protect your VDI deployments using Azure Firewall DNAT rules and threat intelligence filtering.
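The diagnostic logs and metrics bullets above describe what the firewall emits but not how to consume it. The following is an added example (not code from the cheat sheet or from Microsoft) that parses application-rule and network-rule records in the JSON diagnostic-log layout, reproduces a rules-hit-count view and lists denied flows; the record layout follows the legacy `properties.msg` format, and the sample records are constructed.

```python
"""Parse Azure Firewall diagnostic log records (AzureFirewallApplicationRule /
AzureFirewallNetworkRule) and summarise rule hits and denied flows.
Added example; the msg layout is assumed from the legacy diagnostic-log format."""
import json
import re
from collections import Counter

# Constructed sample records in the diagnostic-log JSON layout, one per line.
SAMPLE_LOGS = """
{"category": "AzureFirewallApplicationRule", "time": "2023-03-09T10:00:01Z", "properties": {"msg": "HTTPS request from 10.0.1.4:51234 to update.microsoft.com:443. Action: Allow. Rule Collection: allow-updates. Rule: ms-update"}}
{"category": "AzureFirewallApplicationRule", "time": "2023-03-09T10:00:02Z", "properties": {"msg": "HTTPS request from 10.0.1.5:51240 to unapproved.example:443. Action: Deny. No rule matched. Proceeding with default action"}}
{"category": "AzureFirewallNetworkRule", "time": "2023-03-09T10:00:03Z", "properties": {"msg": "TCP request from 10.0.1.5:51241 to 198.51.100.7:3389. Action: Deny"}}
{"category": "AzureFirewallNetworkRule", "time": "2023-03-09T10:00:04Z", "properties": {"msg": "UDP request from 10.0.1.4:53001 to 10.0.2.10:53. Action: Allow. Rule Collection: allow-dns. Rule: dns-out"}}
"""

# "<proto> request from <src>:<sport> to <dst>:<dport>. Action: <Allow|Deny>"
# optionally followed by ". Rule Collection: <coll>. Rule: <rule>" on a hit.
MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<coll>[^.]+)\. Rule: (?P<rule>[^.]+))?"
)

def parse_record(line):
    """Return a flat dict for one log record, or None if the msg does not match."""
    rec = json.loads(line)
    m = MSG_RE.match(rec["properties"]["msg"])
    if not m:
        return None
    out = m.groupdict()          # coll/rule are None when no rule matched
    out["category"] = rec["category"]
    out["time"] = rec["time"]
    return out

def parse_logs(text):
    """Parse newline-delimited JSON records, dropping unparseable messages."""
    return [r for r in (parse_record(l) for l in text.strip().splitlines()) if r]

def rule_hit_counts(records):
    """Hits per (category, collection, rule), like the rules-hit-count metric."""
    return Counter((r["category"], r["coll"], r["rule"]) for r in records if r["rule"])

def denied_flows(records):
    """(src, dst, dport) of denied flows; a burst from one source is worth an alert."""
    return [(r["src"], r["dst"], r["dport"]) for r in records if r["action"] == "Deny"]

if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for key, hits in rule_hit_counts(recs).items():
        print(key, hits)
    print(denied_flows(recs))
```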

Azure Firewall Pricing

  • You are charged for each firewall deployment.
  • You are charged for the data processed by your firewall.

Validate Your Knowledge

Question 1

Question Type: Hotspot

For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.

Correct Answer: No – No – Yes

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability.

You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

Hence, this statement is true: You can set up a Point-to-Site VPN connection that uses Internet Protocol Security (IPsec) to connect to your Azure virtual network using your home computer via the public Internet.

The statement that says: Azure Firewall uses Internet Protocol Security (IPsec) to encrypt all the network traffic between your Azure resources and on-premises network via the public Internet is incorrect because Azure Firewall doesn't use IPsec and can't be used to connect Azure resources to your on-premises network. It is a fully stateful firewall-as-a-service that allows you to centrally create, enforce, and log application and network connectivity policies across subscriptions and Azure virtual networks.

The statement that says: Azure network security groups can encrypt all the network traffic between your Azure resources and on-premises network via the public Internet is incorrect because a network security group is primarily used to filter network traffic to and from Azure resources in an Azure virtual network. You have to establish a VPN connection if you need to connect the Azure virtual network and your home computer via IPsec.


Note: This question was extracted from our AZ-900 Microsoft Azure Fundamentals Practice Exams.


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
