Announcing new capabilities for Azure Firewall

We are happy to share several key Azure Firewall capabilities as well as updates on recent important releases into general availability (GA) and preview.

  • New GA regions in Qatar Central, China East, and China North.
  • IDPS Private IP ranges now generally available.
  • Single Click Upgrade/Downgrade now in preview.
  • Enhanced Threat Intelligence now in preview.
  • Key Vault with zero internet exposure now in preview.

Azure Firewall is a cloud-native firewall as a service offering that enables customers to centrally govern and log all their traffic flows using a DevOps approach. The service supports both application and network-level filtering rules and is integrated with the Microsoft Threat Intelligence feed to filter known malicious IP addresses and domains. Azure Firewall is highly available with built-in auto-scaling.

New GA regions in Qatar Central, China East, and China North

We are happy to announce that Azure Firewall Standard, Azure Firewall Premium, and Azure Firewall Manager are now generally available in three new regions: Qatar Central, China East, and China North.

With these three new regions, Azure Firewall is now available in 51 regions worldwide!

IDPS Private IP ranges now GA

A network intrusion detection and prevention system (IDPS) allows you to monitor network activity for malicious behavior, log information about this activity, report it, and optionally attempt to block it.

In Azure Firewall Premium IDPS, private IP address ranges are used to identify traffic direction (inbound, outbound, or internal) so that traffic is matched accurately against IDPS signatures. By default, only the ranges defined by the Internet Assigned Numbers Authority (IANA) in RFC 1918 are considered private IP addresses. To modify your private IP addresses, you can now easily edit, remove, or add ranges as needed.

Portal experience for IDPS Private IP range capability for Azure Firewall.

Single Click Upgrade/Downgrade (preview)

With this new capability, customers can easily upgrade their existing Firewall Standard SKU to the Premium SKU, as well as downgrade from Premium to Standard. The process is fully automated and has zero service downtime.

In the upgrade process, users select the policy to be attached to the upgraded Premium SKU: either an existing Premium Policy or their existing Standard Policy. If they choose the existing Standard Policy, the system automatically duplicates it, upgrades the copy to a Premium Policy, and attaches it to the newly created Premium Firewall.

This new capability is available through the Azure portal as seen in the screenshot below, as well as via PowerShell and Terraform.

Portal experience for single click upgrade/downgrade capability for Azure Firewall.

Enhanced Threat Intelligence (preview)

Threat Intelligence is information an organization uses to understand the threats that have targeted, are currently targeting, or will target the organization. This information is used to prepare for, prevent, and identify cyber threats looking to take advantage of valuable resources. Azure Firewall Threat Intelligence information is sourced from the Microsoft Threat Intelligence feed, which draws on multiple sources, including the Microsoft Cyber Security team.

Threat Intelligence-based filtering can be enabled for your firewall to alert on and deny traffic from or to known malicious IP addresses and FQDNs. With the new enhancement, Azure Firewall Threat Intelligence adds finer granularity: filtering based on malicious URLs. This means that customers can keep access to a domain while a specific URL within that domain is denied by Azure Firewall if it is identified as malicious.

For optimal granularity, customers can use the Threat Intelligence allow list to bypass Threat Intelligence validation for trusted FQDNs, IP addresses, ranges, and subnets.

In HTTPS the URL is encrypted, so customers can use Azure Firewall Premium TLS inspection to apply URL-based Threat Intelligence to their encrypted traffic as well.

With Azure Firewall IDPS, Threat Intelligence, and TLS inspection, customers can improve their security posture to become better protected against future threats.
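Declared in Terraform, the Standard-to-Premium upgrade described above and the two Premium policy settings covered in this post (IDPS private IP ranges, and Threat Intelligence mode with its allow list) look like the following. This is an added example, not code from the announcement or from Microsoft. Resource names, the variable defaults, the allow-listed destinations and the address ranges are placeholders; the example assumes the hub subnet and public IP already exist, and that the azurerm provider version in use updates `sku_tier` in place (confirm with `terraform plan` before applying, since a provider that proposes replacing the firewall would not give the zero-downtime path the post describes).

```hcl
# Added example: upgrade an existing Azure Firewall to Premium and attach a Premium policy
# that sets IDPS private ranges and a Threat Intelligence allow list.
# All names and defaults below are placeholders.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" { default = "rg-network-hub" } # placeholder
variable "location"            { default = "qatarcentral" }   # one of the new GA regions

# Existing hub network pieces the firewall already uses (assumed to exist).
data "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet" # fixed subnet name required by Azure Firewall
  virtual_network_name = "vnet-hub"            # placeholder
  resource_group_name  = var.resource_group_name
}

data "azurerm_public_ip" "firewall" {
  name                = "pip-azfw" # placeholder
  resource_group_name = var.resource_group_name
}

# Premium policy. The portal's single-click path can clone your Standard policy for you;
# in Terraform the Premium policy is declared explicitly.
resource "azurerm_firewall_policy" "premium" {
  name                = "afwp-hub-premium"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = "Premium"

  # Threat Intelligence: deny (not just alert on) traffic to/from known malicious destinations.
  threat_intelligence_mode = "Deny"

  # Allow list: trusted destinations that skip Threat Intelligence validation.
  threat_intelligence_allowlist {
    ip_addresses = ["203.0.113.10"]        # placeholder (TEST-NET-3 documentation address)
    fqdns        = ["updates.example.com"] # placeholder
  }

  intrusion_detection {
    mode = "Deny"
    # Private ranges tell IDPS which side of a flow is "internal" so direction-sensitive
    # signatures match correctly. The default is the RFC 1918 set; here the shared
    # address space used by an on-premises CGNAT deployment is added (placeholder choice).
    private_ranges = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/16",
      "100.64.0.0/10",
    ]
  }
}

# Changing sku_tier from "Standard" to "Premium" on the existing firewall performs the upgrade;
# the reverse edit performs the downgrade. ip_configuration must match what the firewall
# already has so the plan does not try to recreate it.
resource "azurerm_firewall" "hub" {
  name                = "azfw-hub"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Premium" # was "Standard" before the upgrade
  firewall_policy_id  = azurerm_firewall_policy.premium.id

  ip_configuration {
    name                 = "configuration"
    subnet_id            = data.azurerm_subnet.firewall.id
    public_ip_address_id = data.azurerm_public_ip.firewall.id
  }
}
```

Review the plan for the `azurerm_firewall.hub` resource before applying: an in-place update of `sku_tier` and `firewall_policy_id` is what you want to see; a forced replacement means the provider version does not support the live upgrade.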

Key Vault with zero internet exposure (preview)

In Azure Firewall Premium TLS inspection, customers are required to deploy their intermediate CA certificate in Azure Key Vault. Now that Azure Firewall is listed as a trusted Azure Key Vault service, customers can eliminate any internet exposure of their Azure Key Vault.
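The configuration that takes advantage of this, expressed in Terraform, is a Key Vault whose network ACL denies all public access while allowing trusted Azure services to bypass the ACL, with the firewall policy reading its intermediate CA through that trusted-service path. This is an added example, not code from the announcement or from Microsoft. The Key Vault, identity and certificate names are placeholders, and the example assumes the intermediate CA certificate has already been imported into the vault under the assumed name `azfw-intermediate-ca`.

```hcl
# Added example: Key Vault holding the TLS inspection intermediate CA, reachable only by
# trusted Azure services (Azure Firewall is now one of them), with no public IP allow rules.
# All names below are placeholders.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

variable "resource_group_name" { default = "rg-network-hub" } # placeholder
variable "location"            { default = "qatarcentral" }   # placeholder

# User-assigned identity the firewall uses to fetch the certificate from Key Vault.
resource "azurerm_user_assigned_identity" "firewall" {
  name                = "id-azfw-tls"
  resource_group_name = var.resource_group_name
  location            = var.location
}

resource "azurerm_key_vault" "tls" {
  name                     = "kv-azfw-tls-example" # placeholder; must be globally unique
  resource_group_name      = var.resource_group_name
  location                 = var.location
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true # the firewall depends on this certificate; protect it

  # Zero internet exposure: default Deny with no IP rules, so nothing on the internet can
  # reach the vault; only trusted Azure services bypass the ACL.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = []
  }

  # Least privilege: the firewall identity can read the certificate and its secret, nothing else.
  access_policy {
    tenant_id               = data.azurerm_client_config.current.tenant_id
    object_id               = azurerm_user_assigned_identity.firewall.principal_id
    secret_permissions      = ["Get"]
    certificate_permissions = ["Get"]
  }
}

# The intermediate CA is imported out of band; only its secret id is referenced here.
# Assumed certificate name: "azfw-intermediate-ca".
data "azurerm_key_vault_certificate" "intermediate_ca" {
  name         = "azfw-intermediate-ca"
  key_vault_id = azurerm_key_vault.tls.id
}

resource "azurerm_firewall_policy" "premium" {
  name                = "afwp-hub-premium"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = "Premium"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.firewall.id]
  }

  # TLS inspection: the firewall retrieves the intermediate CA over the trusted-service path,
  # so the vault needs no public endpoint at all.
  tls_certificate {
    name                = data.azurerm_key_vault_certificate.intermediate_ca.name
    key_vault_secret_id = data.azurerm_key_vault_certificate.intermediate_ca.secret_id
  }
}
```

The check worth running after `terraform apply` is on the vault itself: its network ACL should show default action Deny, an empty IP rule list and the trusted-services bypass, and the only principal with certificate access should be the firewall's identity.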

At Microsoft, we are constantly evolving Azure Firewall to meet our customers’ needs and help them strengthen their security and gain efficiencies. Last month, we announced the preview of Policy Analytics for Azure Firewall, which helps improve your security posture by providing critical insights and recommendations for optimizing firewall rules. We also recently announced the preview of Azure Firewall Basic, a new SKU of Azure Firewall designed to meet the needs of SMBs by providing enterprise-grade protection of their cloud environment at an affordable price point. We plan to share further enhancements to Azure Firewall very soon, including new troubleshooting capabilities. Please stay tuned!

Learn more