Azure Firewall vs Network Virtual Appliances

Network security plays a vital role in public cloud infrastructure design. Azure cloud is providing multiple network security options for the cloud infra and application services.

Few of Azure offerings in network and application security service are below

  • Network Security Group
  • Application Security Group
  • Isolated Virtual Network
  • Access Control List
  • Azure DDoS protection
  • Azure Front Door
  • App Service Environment
  • Azure Firewall (firewall-as-a-service)
  • Third party Network Virtual Appliances (Cisco, F5, Barracuda, Palo Alto etc.)

In this article we are going to focus on the high-level functionality, design decision and best practices for Azure Firewall and Network Virtual Appliances (NVA).

Azure Firewall:

Azure firewall is a cloud native stateful firewall as a service. This offers high availability and scalability form azure side. You can avail the service with pay as you go model. It has a published and committed SLA. It fits into DevOps model for deployment and uses cloud native monitoring tools.

Below rules and tags are supported by Azure Firewall

  • Application FQDN filtering rules
  • Network traffic filtering rules
  • FQDN tags
  • Service tags
  • Threat intelligence
  • Outbound SNAT support
  • Inbound DNAT support
  • Multiple public IP addresses
  • Azure Monitor logging
  • Forced tunneling
  • Certifications

See more here.

Third party Network Virtual Appliances:

There are large number of brands offering their network appliance to Azure echo system. You may easily get your favorite network solution provider’s NVA in Azure marketplace. This will give you the same experience that you are already getting with your on-premises network devices. Technically the NVAs are virtual machine instances so you are fully responsible for high availability and scalability of your firewall services.

NVAs today are provide a diverse set of capabilities such as

  • Firewalls
  • WAN optimizers
  • Application delivery controllers
  • Routers
  • Load balancers,
  • Proxies, and more

Considering the facts before designing the network security for the organization:

 Azure FirewallThird Party NVA
CostAzure Firewall is about 30-50% less cost than NVAVM+ Software
Business NeedCustomer’s CallCustomer’s Call
Existing Skills and TrustMust learn few new concepts for configuring Azure firewallIf you trust the brand and you have a large skill base
LicensingConsumption: instance + per GBVM + Software
MaintenanceAzure will take careCustomer responsibility
OwnershipSet & monitorManage VM / OS / Software
SupportIncluded in your Azure Support planPer NVA vendor billing model
ComplexitySimpleDifficult
Azure Firewall versus Network Virtual Appliances

Best Practices for implementing Network Security:

  • Use strong network controls
  • Logically segment subnets
  • Adopt a Zero Trust approach
  • Control routing behavior
  • Deploy perimeter networks for security zones
  • Avoid exposure to the internet with dedicated WAN links
  • Optimize uptime and performance
  • Disable RDP/SSH Access to virtual machines
  • Secure your critical Azure service resources to only your virtual networks

For more in depth understanding on Azure network security and design see Azure security best practices and patterns .

Author