We’re excited to share some key Azure Firewall features that are now generally available, as well as updates to the last major releases in General Availability (GA) and Preview.
- New GA regions in Qatar Central, China East and China North
- IDPS Private IP ranges now generally available.
- One click upgrade/downgrade now in preview.
- Enhanced Threat Intelligence now available in preview.
- KeyVault without internet exposure now available in preview.
Azure Firewall is a cloud-native firewall-as-a-service offering that enables customers to centrally control and log all their traffic flows with a DevOps approach. The service supports both application and network level filtering rules and integrates with the Microsoft Threat Intelligence feed to filter known malicious IP addresses and domains. Azure Firewall is highly available with built-in auto-scaling.
New GA regions in Qatar Central, China East and China North
We’re excited to announce that Azure Firewall Standard, Azure Firewall Premium, and Azure Firewall Manager are now generally available in three new regions: Qatar Central, China East, and China North.
With these three new regions, Azure Firewall is now available in 38 regions worldwide!
IDPS Private IP Ranges Now Generally Available
A network intrusion detection and prevention system (IDPS) allows you to monitor your network for malicious activity, log information about that activity, report it, and optionally attempt to block it.
Azure Firewall Premium IDPS uses private IP address ranges to identify traffic direction (inbound, outbound, or internal) to enable exact IDPS signature matches. By default, only the ranges defined by Internet Assigned Numbers Authority (IANA) RFC 1918 are considered private IP addresses. To change which addresses are treated as private, you can now easily edit, remove, or add ranges as needed.
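The following added example (not Microsoft code, and not taken from the original post) models why the private range list matters: it classifies constructed sample flows with the RFC 1918 defaults and again with an extra range, and reports the flows whose direction changes. The direction rules, the "unclassified" label, the function names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Default private ranges named on the page: IANA RFC 1918.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def build_ranges(extra=()):
    """Parse the private-range list; strict parsing rejects CIDRs with host bits set."""
    return [ipaddress.ip_network(cidr, strict=True) for cidr in (*RFC1918, *extra)]

def is_private(addr, ranges):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)

def direction(src, dst, ranges):
    """Simplified model (assumption): direction follows from which endpoints are private."""
    src_private, dst_private = is_private(src, ranges), is_private(dst, ranges)
    if src_private and dst_private:
        return "internal"
    if src_private:
        return "outbound"
    if dst_private:
        return "inbound"
    return "unclassified"  # neither endpoint private; the page does not cover this case

def changed_flows(flows, extra):
    """Return flows whose direction differs once the extra ranges count as private."""
    before, after = build_ranges(), build_ranges(extra)
    result = []
    for src, dst in flows:
        old, new = direction(src, dst, before), direction(src, dst, after)
        if old != new:
            result.append((src, dst, old, new))
    return result

# Constructed sample: workloads addressed from 100.64.0.0/10, which is not RFC 1918.
SAMPLE_FLOWS = [
    ("10.1.0.4", "100.64.5.10"),     # spoke-to-spoke traffic
    ("203.0.113.7", "100.64.5.10"),  # internet client to an internal workload
    ("10.1.0.4", "203.0.113.7"),     # internal client to the internet
]

if __name__ == "__main__":
    for src, dst, old, new in changed_flows(SAMPLE_FLOWS, ["100.64.0.0/10"]):
        print(f"{src} -> {dst}: {old} -> {new}")
```

With only the defaults, the first flow is treated as outbound rather than internal, so signatures scoped to internal traffic would not be matched against it in this model.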
One-Click Upgrade/Downgrade (Preview)
With this new capability, customers can easily upgrade their existing Firewall Standard SKU to Premium SKU, as well as downgrade from Premium to Standard SKU. The process is fully automated and has no service downtime.
During the upgrade process, users can choose the policy to attach to the upgraded Premium SKU, either by using an existing Premium policy or by using their existing Standard policy. In the latter case, the system automatically duplicates the existing policy, upgrades the copy to a Premium policy, and attaches it to the newly created Premium firewall.
This new capability is available through the Azure portal as shown in the screenshot below, as well as through PowerShell and Terraform.
Improved threat intelligence (preview)
Threat intelligence is information that an organization uses to understand the threats that have targeted, will target, or are currently targeting the organization. This information is used to prepare for, prevent, and identify cyber threats that try to exploit valuable resources. Azure Firewall Threat Intelligence information comes from the Microsoft Threat Intelligence feed, which draws on multiple sources, including the Microsoft Cyber Security team.
Threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic from/to known malicious IP addresses and FQDNs. With the new improvement, Azure Firewall Threat Intelligence has more granularity for filtering based on malicious URLs. This means that customers may have access to a domain while a specific URL in that domain is denied by Azure Firewall if it is identified as malicious.
For optimal granularity, customers can leverage the Threat Intelligence Allow List to bypass threat intelligence validation for trusted FQDNs, IP addresses, ranges, and subnets.
In HTTPS, the URL is encrypted, so customers can leverage Azure Firewall Premium’s TLS inspection to enable URL-based threat intelligence on their encrypted traffic as well.
With Azure Firewall IDPS, Threat Intelligence and TLS inspection, customers can improve their security posture to be better protected against future threats.
KeyVault without internet presence (preview)
Azure Firewall Premium TLS inspection requires customers to deploy their intermediate CA in Azure KeyVault. With Azure Firewall now listed as a trusted Azure KeyVault service, customers can eliminate any internet exposure to their Azure KeyVault.
At Microsoft, we are constantly evolving Azure Firewall to meet the needs of our customers and help them strengthen their security and increase efficiency. Last month we announced the preview of Policy Analytics for Azure Firewall, which helps improve your security posture by providing key insights and recommendations for optimizing firewall rules. We also recently announced the preview of Azure Firewall Basic, a new Azure Firewall SKU designed to meet the needs of SMBs by providing enterprise-level protection for their cloud environment at an affordable price. We plan to release more improvements to Azure Firewall very soon, including new troubleshooting features. Stay tuned!