Azure Firewall Manager is now generally available and includes Azure Firewall Policy, Azure Firewall in a Virtual WAN Hub (Secure Virtual Hub), and Hub Virtual Network. In addition, we're introducing several new capabilities to Firewall Manager and Firewall Policy to align with the standalone Azure Firewall configuration capabilities.

Key features in this release include:

  • Threat intelligence-based filtering allow list in Firewall Policy is now generally available.
  • Multiple public IP addresses support for Azure Firewall in Secure Virtual Hub is now generally available.
  • Forced tunneling support for Hub Virtual Network is now generally available.
  • Configuring secure virtual hubs with Azure Firewall for east-west traffic (private) and a third-party security as a service (SECaaS) partner of your choice for north-south traffic (internet bound).
  • Integration of third-party SECaaS partners is now generally available in all Azure public cloud regions.
  • Zscaler integration will be generally available on July 3, 2020. Check Point is a supported SECaaS partner and will be in preview on July 3, 2020. iboss integration will be generally available on July 31, 2020.
  • Support for domain name system (DNS) proxy, custom DNS, and fully-qualified domain name (FQDN) filtering in network rules using Firewall Policy is now in preview.


Azure Firewall Manager partners Zscaler, Check Point, and iboss.

Firewall Policy is now generally available

Firewall Policy is an Azure resource that contains network address translation (NAT), network, and application rule collections, as well as threat intelligence and DNS settings. It's a global resource that can be used across multiple Azure Firewall instances in Secured Virtual Hubs and Hub Virtual Networks. Firewall policies work across regions and subscriptions.

You do not need Firewall Manager to create a firewall policy. There are many ways to create and manage a firewall policy, including using REST API, PowerShell, or command-line interface (CLI).

After you create a firewall policy, you can associate the policy with one or more firewalls using Firewall Manager or using REST API, PowerShell, or CLI. Refer to the policy-overview document for a more detailed comparison of rules and policy.

Migrating standalone firewall rules to Firewall Policy

You can also create a firewall policy by migrating rules from an existing Azure Firewall. You can use a script to migrate firewall rules to Firewall Policy, or you can use Firewall Manager in the Azure portal.

Example of importing rules from an existing Azure Firewall.


Firewall Policy pricing

If you just create a Firewall Policy resource, it does not incur any charges. Additionally, a firewall policy is not billed if it is associated with just a single Azure firewall. There are no restrictions on the number of policies you can create.

Firewall Policy pricing is fixed per Firewall Policy per region. Within a region, the price for Firewall Policy managing five firewalls or 50 firewalls is the same. The following example uses four firewall policies to manage 10 distinct Azure firewalls:

  • Policy 1 (cac2020region1policy): Associated with six firewalls across four regions. Billing is done per region, not per firewall.
  • Policy 2 (cac2020region2policy): Associated with three firewalls across three regions and is billed for three regions regardless of the number of firewalls per region.
  • Policy 3 (cac2020region3policy): Not billed because the policy is not associated with more than one firewall.
  • Policy 4 (cacbasepolicy): A central policy that is inherited by all three policies. This policy is billed for five regions. Once again, the pricing is lower compared to the per-firewall billing approach.

Example of Firewall Policy billing.


Configure a threat intelligence allow list, DNS proxy, and custom DNS

With this update, Firewall Policy supports additional configurations including custom DNS and DNS proxy settings (preview) and a threat intelligence allow list. SNAT Private IP address range configuration is not yet supported but is in our roadmap.

While Firewall Policy can typically be shared across multiple firewalls, NAT rules are firewall specific and cannot be shared. You can still create a parent policy without NAT rules to be shared across multiple firewalls and a local derived policy on specific firewalls to add the required NAT rules. Learn more about Firewall Policy.

Firewall Policy now supports IP Groups

IP Groups is a new top-level Azure resource that allows you to group and manage IP addresses in Azure Firewall rules. Support for IP Groups is covered in more detail in our recent Azure Firewall blog.

Configure secured virtual hubs with Azure Firewall and a third-party SECaaS partner

You can now configure virtual hubs with Azure Firewall for private traffic (virtual network to virtual network/branch to virtual network) filtering and a security partner of your choice for internet (virtual network to internet/branch to internet) traffic filtering.

A security partner provider in Firewall Manager allows you to use your familiar, best-in-breed, third-party SECaaS offering to protect internet access for your users. With a quick configuration, you can secure a hub with a supported security partner, and route and filter internet traffic from your virtual networks (VNets) or branch locations within a region. This is done using automated route management, without setting up and managing User Defined Routes (UDRs).

You can create a secure virtual hub using Firewall Manager's Create new secured virtual hub workflow. The following screenshot shows a new secure virtual hub configured with two security providers.

New secure virtual hub configured with two security providers.


Securing connectivity

After you create a secure hub, you need to update the hub security configuration and explicitly configure how you want internet and private traffic in the hub to be routed. For private traffic, you don't need to specify prefixes if it's in the RFC1918 range. If your organization uses public IP addresses in virtual networks and branches, you need to add those IP prefixes explicitly.

To simplify this experience, you can now specify aggregate prefixes instead of specifying individual subnets. Additionally, for internet security via a third-party security provider, you need to complete your configuration using the partner portal. Please see the security partner provider page for more details.
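The following is an added example, not part of the original announcement or any Azure tooling: a Python sketch that takes the address prefixes used in your virtual networks and branches, drops those already inside RFC1918, and collapses the rest into the aggregate prefixes you would list explicitly as private traffic. The function name and the sample prefixes (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges; per the text above, prefixes inside these need no explicit entry.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def explicit_private_prefixes(prefixes):
    """Return aggregated non-RFC1918 prefixes to add as private traffic.

    Hypothetical helper for planning; it does not call any Azure API.
    """
    needed = []
    for p in prefixes:
        # strict=True rejects entries with host bits set (e.g. 198.51.100.1/24),
        # which usually indicates a typo in the inventory.
        net = ipaddress.ip_network(p, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this sketch: {p}")
        if any(net.subnet_of(r) for r in RFC1918):
            continue  # already treated as private by default
        # A prefix that only partly overlaps RFC1918 is kept whole.
        needed.append(net)
    # Merge adjacent and overlapping subnets into the fewest aggregates.
    return [str(n) for n in ipaddress.collapse_addresses(needed)]


# Constructed sample inventory of VNet and branch prefixes.
SAMPLE = [
    "10.1.0.0/16",
    "172.16.5.0/24",
    "192.168.10.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",
    "203.0.113.0/26",
    "203.0.113.64/26",
    "172.32.0.0/24",  # just outside 172.16.0.0/12, so not RFC1918
]

if __name__ == "__main__":
    for prefix in explicit_private_prefixes(SAMPLE):
        print(prefix)
```

Reviewing the aggregates before entering them matters because an aggregate can cover address space you do not own; `collapse_addresses` only merges ranges that are fully covered by the inputs, so it never widens the set.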

Example of how to select a third-party SECaaS for internet traffic filtering.


Secured virtual hub pricing

A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Firewall Manager. Pricing for secured virtual hubs depends on the security providers configured.

Pricing options for secure virtual hub.

See the Firewall Manager pricing page for additional details.

Next steps

For more information on these announcements, see the following resources:
