- A managed, cloud-based network security service that protects your VNet resources. It uses a static public IP address, so upstream firewalls and partner services can identify traffic that originates from your virtual network.
- Azure Firewall is PCI, SOC, ISO, ICSA Labs, and HITRUST compliant.
- A fully stateful firewall as a service, with built-in high availability and cloud scalability.
- You can enable forced tunneling to route Internet-bound traffic to an additional firewall or network virtual appliance (NVA) for further processing instead of sending it straight to the Internet.
- Application rules limit outbound HTTP/HTTPS traffic to a given list of FQDNs, including wildcards (for example, *.contoso.com).
- Network rules filter traffic for any protocol (TCP, UDP, ICMP, or Any) by source, destination IP address, and destination port.
- To use FQDNs as destinations in network rules, you must enable DNS proxy. Application rules filter on FQDNs without it.
- Threat intelligence-based filtering alerts on, or denies, traffic to and from known malicious IP addresses and domains from the Microsoft Threat Intelligence feed.
- Threat intelligence rules have the highest priority and are always processed before any NAT, network, or application rules.
- Threat intelligence modes: Off, Alert only (the default), Alert and deny.
- With DNS proxy enabled, the firewall listens on port 53 and forwards DNS requests to the configured DNS server (Azure DNS by default, or your own custom DNS servers).
- You can reduce the complexity of writing network rules by using service tags, which represent a group of IP address prefixes for a given Azure service and are kept up to date by Microsoft.
- Associate up to 250 public IP addresses in your firewall.
- It supports SNAT and DNAT translation:
  - SNAT: source NAT for outbound VNet traffic. Outbound flows to public IP addresses are translated to one of the firewall's public IP addresses; by default, traffic to private (RFC 1918) destination ranges is not SNATed.
  - DNAT: destination NAT for inbound traffic. Traffic sent to a firewall public IP address and port is translated to a private IP address and port inside your VNet.
- Azure Firewall diagnostic logs (JSON format):
  - Application rule log
  - Network rule log
- You can send the logs to a storage account, an event hub, or Azure Monitor logs (Log Analytics).
- Azure Firewall metrics:
  - Application rules hit count and network rules hit count
  - Data processed
  - Firewall health state
  - SNAT port utilization (high values indicate SNAT port exhaustion; associating more public IP addresses adds ports)
- To centrally manage policies across multiple firewalls, use Azure Firewall Manager.
- Protect your VDI deployments using Azure Firewall DNAT rules and threat intelligence-based filtering.
- You are charged a fixed hourly rate for each firewall deployment.
- You are charged per GB of data processed by your firewall.
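The bullets above describe the order in which Azure Firewall processes traffic (threat intelligence first, then DNAT, network, and application rules), the DNS proxy requirement for FQDN-based network rules, leading-wildcard FQDNs in application rules, and default SNAT behaviour. The following script is an added example written for this page, not Microsoft's code or a real Azure API: it models that pipeline in plain Python so the ordering can be exercised offline. The threat feed, the DNS answers, the rule names, and the IP addresses (documentation ranges) are all constructed sample data; rule priority is simplified to list order rather than rule collection groups and priorities; and `fnmatchcase` stands in for Azure's wildcard FQDN matching.

```python
"""Toy model of Azure Firewall rule processing (added example, not Microsoft code; simplified)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

THREAT_INTEL_IPS: Set[str] = {"203.0.113.66"}                     # constructed feed (TEST-NET-3)
DNS_TABLE: Dict[str, str] = {"api.example.com": "198.51.100.10"}  # what the DNS proxy resolves
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class DnatRule:
    name: str
    protocol: str            # "TCP" or "UDP"
    public_port: int         # port on the firewall's public IP
    translated_ip: str
    translated_port: int

@dataclass
class NetworkRule:
    name: str
    protocols: Set[str]      # subset of {"TCP", "UDP", "ICMP", "Any"}
    sources: List[str]       # CIDRs
    destinations: List[str]  # CIDRs or FQDNs (an FQDN only matches with DNS proxy on)
    ports: Set[str]          # destination ports as strings, "*" = any

@dataclass
class AppRule:
    name: str
    sources: List[str]       # CIDRs
    target_fqdns: List[str]  # e.g. "*.github.com" (does not match the apex "github.com")
    ports: Set[int]          # 80 for http, 443 for https

@dataclass
class Firewall:
    public_ip: str
    threat_intel_mode: str = "Alert"   # Off | Alert | Deny
    dns_proxy: bool = False
    dnat_rules: List[DnatRule] = field(default_factory=list)
    network_rules: List[NetworkRule] = field(default_factory=list)
    app_rules: List[AppRule] = field(default_factory=list)
    hits: Dict[str, int] = field(default_factory=dict)   # per-rule hit count, like the metric

    def _hit(self, name: str) -> None:
        self.hits[name] = self.hits.get(name, 0) + 1

    def _dest_matches(self, dest: str, dst_ip) -> bool:
        try:
            return dst_ip in ip_network(dest, strict=False)
        except ValueError:   # not a CIDR, so an FQDN: resolvable only through DNS proxy
            return self.dns_proxy and DNS_TABLE.get(dest) == str(dst_ip)

    @staticmethod
    def _src_matches(sources: List[str], src_ip) -> bool:
        return any(src_ip in ip_network(c, strict=False) for c in sources)

    def evaluate(self, src: str, dst: str, port: int, proto: str,
                 fqdn: Optional[str] = None) -> Tuple[str, str, Optional[str]]:
        """Return (action, rule, nat); fqdn is the HTTP Host/TLS SNI, nat the DNAT/SNAT applied or None."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # 1. Threat intelligence runs before any NAT, network or application rule.
        if self.threat_intel_mode != "Off" and THREAT_INTEL_IPS & {src, dst}:
            self._hit("ThreatIntel")                       # Alert mode: logged but not blocked
            if self.threat_intel_mode == "Deny":
                return ("Deny", "ThreatIntel", None)
        # 2. DNAT rules apply only to traffic addressed to the firewall's public IP.
        if dst == self.public_ip:
            for r in self.dnat_rules:
                if proto == r.protocol and port == r.public_port:
                    self._hit(r.name)
                    return ("Allow", r.name, f"dst->{r.translated_ip}:{r.translated_port}")
            return ("Deny", "DefaultDeny", None)
        # Outbound flows are SNATed to the firewall's public IP unless the destination is RFC 1918.
        snat = None if any(dst_ip in n for n in RFC1918) else f"src->{self.public_ip}"
        # 3. Network rules (layer 3/4).
        for r in self.network_rules:
            if (("Any" in r.protocols or proto in r.protocols)
                    and self._src_matches(r.sources, src_ip)
                    and any(self._dest_matches(d, dst_ip) for d in r.destinations)
                    and ("*" in r.ports or str(port) in r.ports)):
                self._hit(r.name)
                return ("Allow", r.name, snat)
        # 4. Application rules: HTTP/HTTPS only, where an FQDN is visible.
        if fqdn is not None and proto == "TCP":
            for r in self.app_rules:
                if (port in r.ports and self._src_matches(r.sources, src_ip)
                        and any(fnmatchcase(fqdn, t) for t in r.target_fqdns)):
                    self._hit(r.name)
                    return ("Allow", r.name, snat)
        return ("Deny", "DefaultDeny", None)

def build_sample_firewall(dns_proxy: bool = True, threat_intel_mode: str = "Deny") -> Firewall:
    """Constructed sample policy (hypothetical rules, documentation IP ranges)."""
    fw = Firewall("198.51.100.1", threat_intel_mode, dns_proxy)
    fw.dnat_rules.append(DnatRule("rdp-to-jumpbox", "TCP", 3389, "10.0.1.4", 3389))
    fw.network_rules.append(NetworkRule("ntp-out", {"UDP"}, ["10.0.0.0/16"], ["0.0.0.0/0"], {"123"}))
    fw.network_rules.append(NetworkRule("api-by-fqdn", {"TCP"}, ["10.0.0.0/16"], ["api.example.com"], {"8443"}))
    fw.app_rules.append(AppRule("github", ["10.0.0.0/16"], ["*.github.com"], {443}))
    return fw
```

Two cases are worth stepping through with `build_sample_firewall()`. A flow from 10.0.2.5 to 198.51.100.10:8443 is allowed by `api-by-fqdn` only while `dns_proxy=True`; with it off the FQDN destination never resolves and the flow falls to the default deny, which is the cheat-sheet point about FQDNs in network rules. A flow to the threat-feed address 203.0.113.66 with SNI `api.github.com` is dropped by threat intelligence before the `github` application rule is consulted in `Deny` mode, but in `Alert` mode the same flow is only counted under `ThreatIntel` and then allowed by the application rule. The `hits` dictionary plays the role of the rule hit count metric.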
Validate Your Knowledge
Question Type: Hotspot
For each of the following items, choose Yes if the statement is true or No if the statement is false. Each correct item is worth one point.