We’re happy to announce a number of new Azure Firewall options that permit your group to enhance safety, have extra customization, and handle guidelines extra simply. These new capabilities had been added based mostly in your high suggestions:

  • Customized DNS help now in preview.
  • DNS Proxy help now in preview.
  • FQDN filtering in community guidelines now in preview.
  • IP Teams now typically out there.
  • AKS FQDN tag now typically out there.
  • Azure Firewall is now HIPAA compliant. 

As well as, in early June 2020, we announced Azure Firewall compelled tunneling and SQL FQDN filtering are actually typically out there.

Azure Firewall is a cloud-native firewall as a service (FWaaS) providing that lets you centrally govern and log all of your visitors flows utilizing a DevOps strategy. The service helps each software and network-level filtering guidelines and is built-in with the Microsoft Menace Intelligence feed for filtering identified malicious IP addresses and domains. Azure Firewall is extremely out there with built-in auto scaling.

Customized DNS help now in preview

Since its launch in September 2018, Azure Firewall has been hardcoded to make use of Azure DNS to make sure the service can reliably resolve its outbound dependencies. Customized DNS gives separation between buyer and repair identify decision. This lets you configure Azure Firewall to make use of your personal DNS server and ensures the firewall outbound dependencies are nonetheless resolved with Azure DNS. You might configure a single DNS server or a number of servers in Azure Firewall and Firewall Coverage DNS settings.

Azure Firewall can be able to identify decision utilizing Azure Private DNS, so long as your personal DNS zone is linked to the firewall digital community.

DNS Proxy now in preview

With DNS proxy enabled, outbound DNS queries are processed by Azure Firewall, which initiates a brand new DNS decision question to your customized DNS server or Azure DNS. That is essential to have dependable FQDN filtering in community guidelines. You might configure DNS proxy in Azure Firewall and Firewall Coverage DNS settings. 

DNS proxy configuration requires three steps:

  1. Allow DNS proxy in Azure Firewall DNS settings.
  2. Optionally configure your customized DNS server or use the supplied default.
  3. Lastly, you need to configure the Azure Firewall’s personal IP handle as a Customized DNS server in your digital community DNS server settings. This ensures DNS visitors is directed to Azure Firewall.


Determine 1. Customized DNS and DNS Proxy settings on Azure Firewall.

FQDN filtering in community guidelines now in preview

Now you can use absolutely certified domains (FQDN) in community guidelines based mostly on DNS decision in Azure Firewall and Firewall Coverage. The required FQDNs in your rule collections are translated to IP addresses based mostly in your firewall DNS settings. This functionality lets you filter outbound visitors utilizing FQDNs with any TCP/UDP protocol (together with NTP, SSH, RDP, and extra). As this functionality relies on DNS decision, it’s extremely really helpful you allow the DNS proxy to make sure your protected digital machines and firewall identify decision are constant.

FQDN filtering in software guidelines for HTTP/S and MSSQL relies on software stage clear proxy. As such, it could actually discern between two FQDNs which are resolved to the identical IP handle. This isn’t the case with FQDN filtering in community guidelines, so it’s at all times really helpful you utilize software guidelines when doable.


Determine 2. FQDN filtering in community guidelines.

IP Teams now typically out there

IP Teams is a brand new top-level Azure useful resource that lets you group and handle IP addresses in Azure Firewall guidelines. You may give your IP group a reputation and create one by getting into IP addresses or importing a file. IP Teams eases your administration expertise and cut back time spent managing IP addresses by utilizing them in a single firewall or throughout a number of firewalls. IP Teams is now typically out there and supported inside a standalone Azure Firewall configuration or as a part of Azure Firewall Coverage. For extra info, see the IP Groups in Azure Firewall documentation.


Determine 3. Creating a brand new IP Group.

AKS FQDN tag now in typically out there

An Azure Kubernetes Service (AKS) FQDN tag can now be utilized in Azure Firewall software guidelines to simplify your firewall configuration for AKS safety. Azure Kubernetes Service (AKS) provides managed Kubernetes cluster on Azure that reduces the complexity and operational overhead of managing Kubernetes by offloading a lot of that accountability to Azure.

For administration and operational functions, nodes in an AKS cluster have to entry sure ports and FQDNs. For extra steering on the way to add safety for Azure Kubernetes cluster utilizing Azure Firewall, see Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments


  Determine 4. Configuring software rule with AKS FQDN tag.

Subsequent steps

For extra info on the whole lot we coated right here, see these further assets:

Leave a Reply

Your email address will not be published. Required fields are marked *