Azure Firewall + Network Watcher

Azure Firewall — the L4-L7 enforcement plane

Simple explanation

Azure Firewall is Azure’s managed stateful firewall — deployed in a hub VNet, inspecting traffic between spokes, between VNets and Internet, and between Branches and VNets. It handles three rule types: Application rules (FQDN/URL filtering for HTTP/HTTPS/MSSQL), Network rules (L3/L4 5-tuple), NAT rules (inbound DNAT for publishing services).

Three SKUs: Basic (small / dev workloads, no threat intel), Standard (mainstream, includes Microsoft threat intel + IDPS for selected categories), Premium (TLS inspection, URL filtering, web categories, full IDPS, important when you need outbound TLS inspection or content-based blocking).

Azure Network Watcher is the diagnostic toolkit: Effective Security Rules shows the merged rule set on a NIC, Connection Troubleshoot tests a flow end-to-end, NSG Flow Logs stream allow/deny events to Storage for analysis.

SKU comparison

Azure Firewall SKUs — pick by inspection requirements
Feature	Basic	Standard	Premium
Throughput	~250 Mbps	Up to 30 Gbps	Up to 100 Gbps
Application rules (FQDN filtering)	✓	✓	✓
Network rules (5-tuple)	✓	✓	✓
DNAT rules	✓	✓	✓
Microsoft threat intelligence	Limited	✓	✓
IDPS (Intrusion Detection + Prevention)	✗	Limited categories	Full IDPS (~67 categories)
TLS inspection (decrypt outbound TLS)	✗	✗	✓
URL filtering with web categories	✗	Category-based partial	✓ (full web categories)
When to pick	Cost-sensitive small/dev	Mainstream enterprise	Regulated, content-inspection required, internet egress full control

The SC-500 pattern: scenarios mentioning outbound TLS inspection, content-based blocking (block ‘Gambling’ or ‘Malware’ web categories), or full IDPS point to Premium. Mainstream “block known-bad outbound, allow corporate apps by FQDN” works on Standard.

Application rules vs Network rules

Azure Firewall application rules vs network rules
Feature	Application rules	Network rules
Operates at	L7 — HTTP/HTTPS/MSSQL (FQDN matching)	L3/L4 — source IP/CIDR, destination IP/CIDR/service tag/FQDN, port, protocol
Source	IP/CIDR or IP Group	IP/CIDR, IP Group, or service tag
Destination	FQDN, FQDN tag (e.g. `WindowsUpdate`), Web Category (Premium)	IP/CIDR, IP Group, FQDN, service tag
Best for	'Allow this app outbound to *.microsoft.com' patterns	'Allow web-tier subnet outbound to 443 on app-tier' patterns

Threat intelligence + IDPS

Threat intelligence (Standard+): Microsoft-curated IP/FQDN deny list. Modes: Off, Alert (log + permit), Deny (log + block). Production default: Deny.
IDPS (Standard with limited cat / Premium with full): inspects traffic against signatures of known attacks (botnet C2, malware, exploits). Modes per signature: Alert / Deny / Off.

DNS Proxy

When enabled, the Firewall acts as a DNS proxy for VNet clients. Why this matters:

FQDN-based network rules require reliable resolution; DNS proxy ensures the Firewall and clients see the same IP for an FQDN
Custom DNS server config on Firewall (e.g. point at corporate DNS) — clients inherit that resolution path via the proxy

Azure Firewall Manager

A central management plane for Azure Firewall instances:

Hierarchical policies — base policy at the org level + child policies per region/business unit
vWAN secured hub Firewalls plus standalone VNet Firewalls in one view
Pre-built policy snippets for common patterns (Microsoft 365 allowlists, Windows Update bypass, etc.)

Network Watcher

Network Watcher is Azure’s per-region network diagnostics service. SC-500-relevant features:

Azure Network Watcher diagnostic surfaces
Feature	What it does
Effective Security Rules	Shows the merged rule set on a NIC — subnet NSG + NIC NSG + AVNM security admin rules — with priority order. The 'why is this traffic blocked?' diagnostic.
Connection Troubleshoot	Tests a connection from a source (Azure VM or App Service) to a destination (IP/FQDN/Azure resource), reporting hops, status (Reachable / Unreachable), and the rule/route that affected the outcome.
NSG Flow Logs	Streams Allow/Deny decisions per NSG to a Storage account; queryable via Traffic Analytics for usage patterns and security analysis.
Packet Capture	VM-level packet capture initiated from Network Watcher — for deep-dive investigation.
Topology	Visualisation of network resources in a resource group.

For SC-500, Effective Security Rules is the most-tested diagnostic — “why is traffic blocked from A to B?” → check the merged rule set including AVNM rules + subnet NSG + NIC NSG.

Scenario: Asha sets up central egress inspection

Aurora Health Service’s central egress requirement: all outbound traffic from hospital VNets must traverse a central Azure Firewall with content inspection and TLS decryption.

Azure Firewall Premium in each region’s hub VNet (or vWAN secured hub).
Firewall Policy managed via Firewall Manager — base policy at the org-level:
- Threat intel: Deny mode
- IDPS: Alert mode for most signatures, Deny for known-bad C2 categories
- TLS inspection enabled for outbound HTTPS; CA certificate from internal PKI imported
- Application rule allow-list: *.microsoft.com, *.azure.com, *.hospital-domain.health, etc.
- URL filtering category Deny: Gambling, Adult, Malware, Cryptocurrency Mining
Routing intent on each vWAN hub: private + internet → Firewall.
NSG default deny outbound to Internet on application subnets (defence in depth on top of Firewall routing).
Diagnostic settings to Log Analytics; Azure Firewall workbook in Sentinel.

When a hospital admin reports “the new clinical app can’t reach cdn.clinical-vendor.com”:

Asha opens Network Watcher → Effective Security Rules on the app’s NIC — confirms NSGs allow the traffic
Opens Network Watcher → Connection Troubleshoot from a VM in the app subnet to cdn.clinical-vendor.com:443 — reports “blocked by Azure Firewall application rule deny”
Adds the FQDN to the allow-list in Firewall Policy; verifies