This post was co-authored by Gopikrishna Kannan, Principal Program Manager, Azure Networking, and Suren Jamiyanaa, Program Manager 2, Azure Networking.
Following the preview announced in February 2021, we are announcing the general availability of Microsoft Azure Firewall Premium.
The main features of this version include:
- TLS inspection: Azure Firewall Premium terminates outbound and east-west Transport Layer Security (TLS) connections. In-depth TLS inspection is supported in conjunction with Azure Application Gateway, which enables end-to-end encryption. Azure Firewall performs the required value-added security functions and re-encrypts the traffic before sending it to the original destination.
- IDPS: Azure Firewall Premium offers a signature-based Intrusion Detection and Prevention System (IDPS) to enable rapid detection of attacks by looking for specific patterns, such as:
- Web categories: Allows administrators to filter outbound user access to the internet based on categories (for example, social networks, search engines, and gambling), reducing the time spent managing individual fully qualified domain names (FQDNs) and URLs. This feature is also available for Azure Firewall Standard, based on FQDNs only.
- URL filtering: Allows administrators to filter outbound access to specific URLs, not just FQDNs. This feature works for both plain-text and encrypted traffic when TLS inspection is enabled.
Benefits of Azure Firewall Premium
Azure Firewall Premium offers advanced threat protection that meets the needs of highly sensitive and regulated environments such as the payment and healthcare industries. Organizations can leverage Premium Stock Keeping Unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance requirements of IDPS and TLS inspection, Azure Firewall Premium uses a higher-performing VM SKU. Like the Standard SKU, the Premium SKU can be seamlessly scaled up to 30 Gbit/s and integrated with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS) environment.
To make migration easier for Standard SKU customers, we used a common configuration approach with Azure Firewall Policy. This approach enables existing API integration to be reused with minimal changes and allows Azure Firewall to be managed with Firewall Manager. Customers using firewall rules (classic) must first take an additional step to migrate to Azure Firewall Policy. Azure Firewall Policy has several advantages: for example, you can share a common configuration across multiple firewalls, group rules using rule collection groups, and manage rules over time using policy analysis (private preview). Further information can be found on the Azure Firewall Policy documentation page.
The Azure Firewall Premium SKU is optimally priced to provide the best value for money for a state-of-the-art cloud-native firewall service. The premium SKU with its advanced threat protection features offers compelling reasons to migrate local high-security networks to the cloud. This approach helps avoid latency associated with backhauling Internet traffic to local perimeter networks.
Figure 1: Features of Azure Firewall Premium.
Migration from Azure Firewall Standard to Premium
As part of this general availability release, we are offering two new features for a smooth migration:
1. Convert the existing Azure Firewall rules (classic) to Azure Firewall Policy.
Figure 2: Migrating Classic Rules to Azure Firewall Policy.
2. Create a new Azure Firewall Premium and map it to an existing policy.
Figure 3: Create a new Azure Firewall Premium and assign an Azure policy.
After you’ve exported the Azure Firewall configuration and decommissioned your existing Azure Firewall Standard, you can deploy a new Azure Firewall Premium while assigning the default firewall configuration to it and keeping its public IP.
More details can be found at Migration to Azure Firewall Premium Documentation.
Azure Firewall Premium pricing
As with the standard SKU, Azure Firewall Premium pricing includes both deployment and compute fees.
The deployment fee is 40 percent higher than Azure Firewall Standard and the compute fee remains the same as Azure Firewall Standard.
For more details visit the Azure Firewall pricing page.
For more information on everything we’ve covered in this blog post, please visit: