Last updated: May 2026
Azure Networking · Intermediate · AZ-104 · ⏱ 12 min read

Azure Firewall

Azure Firewall is a managed, cloud-native network security service that protects your Azure VNet resources. Unlike NSGs (which are simple allow/deny rules on ports/IPs), Azure Firewall is a full stateful firewall — it understands application protocols, can filter by FQDNs (domain names), integrates threat intelligence, and provides centralised logging and policy management across your entire Azure environment.

What you'll learn: Azure Firewall vs NSGs — when to use which · Azure Firewall SKUs · Rule types — Network, Application, NAT · FQDN filtering · Threat intelligence · Azure Firewall Manager · Azure Firewall in hub-spoke · Forced tunnelling · Firewall deployment

Firewall vs NSG

| Feature | NSG | Azure Firewall |
|---|---|---|
| Type | Layer 4 allow/deny rules | Full stateful Layer 4 + Layer 7 firewall |
| FQDN filtering | No — IP/port only | Yes — filter by domain names |
| Application rules | No | Yes — HTTP/S, SQL, etc. |
| Threat intelligence | No | Yes — known malicious IPs/domains |
| Centralised policy | Per-VNet/subnet | Single policy across all VNets |
| Logging | NSG Flow Logs | Structured logs in Azure Monitor |
| Cost | Free | ~₹55,000+/month |
| Best for | Basic subnet/NIC filtering | Centralised enterprise firewall |
💡 Use Both Together: NSGs and Azure Firewall complement each other. Use NSGs for fast, cheap subnet-level filtering (East-West traffic within VNets). Use Azure Firewall for centralised policy, FQDN filtering, and North-South traffic inspection (internet-bound traffic).

Azure Firewall SKUs

| SKU | Key Features | Best For |
|---|---|---|
| Basic | Basic L3-L7 filtering, threat intel (alert only), limited throughput | SMBs, non-critical workloads |
| Standard | Full L3-L7, threat intel (alert+deny), Firewall Manager | Enterprise production workloads |
| Premium | Standard + TLS inspection, IDPS, URL filtering, web categories | Highly sensitive environments, compliance |

Rule Types

Azure Firewall processes rules in this order: NAT rules → Network rules → Application rules. First matching rule wins.

NAT Rules (DNAT)

Translate and forward inbound internet traffic to specific backend resources. Example: forward port 3389 from your firewall's public IP to a specific VM.

Network Rules

Allow/deny traffic based on source IP, destination IP, protocol, and port — similar to NSG rules but processed centrally. Used for non-HTTP protocols and cross-VNet traffic.

Application Rules

Allow/deny outbound HTTP/HTTPS traffic based on FQDNs (domain names), URLs, or web categories. Example: allow VMs to access *.microsoft.com but block all other internet browsing.

Example: Application rule — allow specific FQDNs only
Allow Rule:
  Source: 10.0.0.0/16 (VNet)
  Protocol: HTTPS:443
  Target FQDNs: *.microsoft.com, *.azure.com, *.windows.net

Deny Rule (implicit — everything else blocked)

FQDN Filtering

One of Azure Firewall's most powerful features — filtering by Fully Qualified Domain Names instead of IP addresses. This matters because:

  • Cloud services use dynamic IPs — you can't rely on IP-based rules
  • FQDNs can represent CDNs with thousands of IPs
  • Azure Firewall resolves FQDNs to IPs and keeps the filter updated automatically
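As an added example (not code from the page or from Microsoft), here is a small Python model of the rule processing order from the Rule Types section (NAT → Network → Application, first match wins, implicit deny) together with the wildcard FQDN matching behind the application rule example above. The firewall public IP, source addresses and rule names are constructed sample values.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed sample policy. Each rule is (name, action, predicate).
# Collections are evaluated in the fixed order NAT -> Network -> Application;
# the first matching rule ends evaluation, and an unmatched flow is denied.
VNET = ip_network("10.0.0.0/16")                                   # from the page's example
ALLOWED_FQDNS = ("*.microsoft.com", "*.azure.com", "*.windows.net")  # from the page's example
FW_PUBLIC_IP = "203.0.113.10"                                      # constructed placeholder (TEST-NET-3)


def fqdn_allowed(fqdn):
    # Wildcard is matched against the whole name, so "www.microsoft.com.example"
    # does not match "*.microsoft.com", and the bare apex "azure.com" does not
    # match "*.azure.com".
    return any(fnmatchcase(fqdn.lower(), pat) for pat in ALLOWED_FQDNS)


NAT_RULES = [
    ("rdp-dnat", "dnat", lambda f: f["dst_ip"] == FW_PUBLIC_IP
                                  and f["protocol"] == "TCP" and f["dst_port"] == 3389),
]
# Note: a broad network rule (e.g. TCP 443 to any destination) would match here
# and stop evaluation before the application rules, bypassing FQDN filtering.
NETWORK_RULES = [
    ("allow-dns", "allow", lambda f: f["protocol"] == "UDP" and f["dst_port"] == 53
                                     and ip_address(f["src_ip"]) in VNET),
]
APPLICATION_RULES = [
    ("allow-ms-fqdns", "allow", lambda f: f["protocol"] == "HTTPS" and f["dst_port"] == 443
                                         and ip_address(f["src_ip"]) in VNET
                                         and fqdn_allowed(f.get("fqdn", ""))),
]
PHASES = (("NAT", NAT_RULES), ("Network", NETWORK_RULES), ("Application", APPLICATION_RULES))


def evaluate(flow):
    """Return (phase, rule_name, action) of the first matching rule, else the implicit deny."""
    for phase, rules in PHASES:
        for name, action, matches in rules:
            if matches(flow):
                return (phase, name, action)
    return ("implicit", "default", "deny")


if __name__ == "__main__":
    web = {"src_ip": "10.0.1.4", "dst_ip": "198.51.100.20", "protocol": "HTTPS", "dst_port": 443}
    for fqdn in ("www.microsoft.com", "portal.azure.com", "www.example.com"):
        print(fqdn, "->", evaluate({**web, "fqdn": fqdn}))
```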

FQDN Tags

Pre-defined groups of FQDNs for common Microsoft services — WindowsUpdate, Office365, AzureBackup. Use these to allow common services without listing every URL.

Threat Intelligence

Azure Firewall can alert on or block traffic to/from known malicious IP addresses and domains — automatically updated by Microsoft's threat intelligence feed. In Premium SKU, it also includes IDPS (Intrusion Detection and Prevention System).

| Mode | Action |
|---|---|
| Off | Threat intel disabled |
| Alert only | Logs known malicious traffic but allows it |
| Alert and deny | Blocks known malicious traffic + logs it |

Azure Firewall Manager

Centralised security management for Azure Firewall across multiple VNets and subscriptions. Instead of managing firewall policies individually on each firewall, Firewall Manager lets you define a single Firewall Policy and apply it to all firewalls in your environment.

Firewall in Hub-Spoke

Azure Firewall is deployed in the hub VNet's dedicated subnet (AzureFirewallSubnet, minimum /26). User Defined Routes (UDRs) in each spoke subnet direct traffic through the firewall:

  • All internet-bound traffic (0.0.0.0/0) → Azure Firewall's private IP
  • All cross-spoke traffic → Azure Firewall's private IP

This gives you centralised inspection of all traffic — East-West and North-South.

Deploying Azure Firewall

Azure CLI: Deploy Azure Firewall in hub VNet
# The firewall commands live in the azure-firewall extension:
#   az extension add --name azure-firewall

# Create AzureFirewallSubnet (the name is fixed; /26 is the minimum size)
az network vnet subnet create \
  --name AzureFirewallSubnet \
  --resource-group myRG \
  --vnet-name hubVNet \
  --address-prefix 10.0.0.0/26

# Create public IP for firewall (Standard SKU, static allocation required)
az network public-ip create \
  --name fw-pip \
  --resource-group myRG \
  --sku Standard \
  --allocation-method Static

# Deploy Azure Firewall, attaching the public IP created above
az network firewall create \
  --name myFirewall \
  --resource-group myRG \
  --location centralindia \
  --vnet-name hubVNet \
  --conf-name fw-ipconfig \
  --public-ip fw-pip \
  --sku AZFW_VNet \
  --tier Standard
💡 AZ-104 Exam Tip: Know that Azure Firewall requires AzureFirewallSubnet (/26 minimum). Know the three rule types — NAT, Network, Application — and their processing order. Know that FQDN filtering is an advantage over NSGs. Know that UDRs are needed to route traffic through the firewall.
📝 Practice Questions
Q1. What is the key advantage of Azure Firewall's Application rules over NSG rules?
A — Application rules can filter by IP address and port
B — Application rules filter by FQDN (domain names), not just IP addresses
C — Application rules support TCP protocol filtering
D — Application rules apply to multiple subnets simultaneously
Q2. In what order does Azure Firewall process rule types?
A — Application → Network → NAT
B — NAT → Network → Application
C — Network → Application → NAT
D — All rule types are evaluated simultaneously
Q3. What is the minimum subnet size for AzureFirewallSubnet?
A — /28
B — /27
C — /26
D — /24
Q4. What networking feature routes spoke VNet traffic through Azure Firewall in a hub-spoke topology?
A — NSG rules on each spoke subnet
B — User Defined Routes (UDRs) pointing to the firewall as next hop
C — VNet Peering configuration
D — Service Endpoints on spoke subnets
Q5. What does Azure Firewall's threat intelligence feature do in "Alert and deny" mode?
A — Logs all traffic patterns for security analysis
B — Blocks traffic to/from known malicious IPs and domains AND generates alerts
C — Alerts administrators but allows the traffic through
D — Requires manual IP blacklist updates
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.