A few weeks ago, Microsoft released the Premium SKU of Azure Firewall. This new SKU provides new functionality, such as TLS inspection, IDPS, web categories and URL filtering:

Next-generation firewall capabilities with Azure Firewall Premium | Azure Blog and Updates | Microsoft Azure

Azure Firewall

The cost is approximately 1077€ per month, plus 0.014€/GB processed:

Pricing – Azure Firewall | Microsoft Azure

To start, we will create a new Azure Firewall, with Premium SKU, in our HUB VNet. You need to create a dedicated subnet, AzureFirewallSubnet:

Create a firewall

After a few minutes, you have your firewall deployed, with a basic configuration:

Firewall deployed

To manage the firewall, you need to go to Firewall Manager. You can see the virtual networks that are protected:

Firewall Manager

As you can see, I can now access many websites:

Many websites

I created a route table to forward all the traffic of my spoke subnet to my hub Azure Firewall. To do that, get the private IP of your firewall:

Firewall Overview

And forward the traffic to the virtual appliance (the Azure Firewall), using the IP that you got from it:

Forward the traffic

Now I have errors when I want to access something, because by default, the Azure Firewall is blocking everything:

Errors

If I want to allow a website, for example Facebook, I will create an allow rule, with Web Category Social Networking. All categories are mentioned here:

Azure Firewall web categories | Microsoft Docs

In the Rule Collections, create a new rule, with the following information:

Rule Collections

Apply it. After a few seconds, the website is working again:

The website is working again

If you want to allow only one social website within the Social Networking category, create an Allow rule, with a priority of 100 for example, for the URL that you want, and after it a Deny rule on the Social Networking category.
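The ordering described above can be checked with a small model. This is an added example, not code from the original post or from Azure: it is a simplified first-match evaluator in which a lower priority number is evaluated first. The names `Rule`, `evaluate` and `shadowed_allows`, the category table, the sample URLs and the priority 200 for the Deny rule are all assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed category lookup; the real firewall uses Microsoft's own database.
CATEGORIES = {"facebook.com": "Social Networking", "twitter.com": "Social Networking"}

@dataclass
class Rule:                 # stands for one rule collection holding one rule
    name: str
    priority: int           # lower number is evaluated first
    action: str             # "Allow" or "Deny"
    target_url: str = ""    # exact URL, or a prefix ending in "*"
    web_category: str = ""

def normalize(url):
    """Return (host, host + path) without scheme or a leading 'www.'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""
    host = host[4:] if host.startswith("www.") else host
    return host, host + (parts.path or "/")

def matches(rule, url):
    host, full = normalize(url)
    if rule.web_category:
        return CATEGORIES.get(host) == rule.web_category
    target = normalize(rule.target_url)[1]
    return full.startswith(target[:-1]) if target.endswith("*") else full == target

def evaluate(rules, url):
    """First match in priority order wins; no match falls to the default deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, url):
            return rule.action, rule.name
    return "Deny", "default-deny"

def shadowed_allows(rules, probes):
    """Names of Allow rules that match some probe URL but never decide one."""
    decided = {evaluate(rules, u)[1] for u in probes}
    return [r.name for r in rules if r.action == "Allow"
            and any(matches(r, u) for u in probes) and r.name not in decided]

# Constructed rule sets: the ordering from the text, and the same rules inverted.
GOOD = [Rule("allow-facebook", 100, "Allow", target_url="facebook.com/*"),
        Rule("deny-social", 200, "Deny", web_category="Social Networking")]
BAD = [Rule("allow-facebook", 200, "Allow", target_url="facebook.com/*"),
       Rule("deny-social", 100, "Deny", web_category="Social Networking")]
PROBES = ["https://www.facebook.com/", "https://twitter.com/home"]

if __name__ == "__main__":
    print([evaluate(GOOD, u) for u in PROBES], shadowed_allows(BAD, PROBES))
```

With the priorities inverted, the category Deny decides every request first and the Allow rule never takes effect, which is what `shadowed_allows` reports.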

I can modify the rule to allow, for example, only google.com. With the Premium SKU, it is possible to inspect the part of the URL after the /, for example google.com/example:

Edit rule collection

And it works:

Site works

If you go into Application Rules, you can see the rules that we created before:

Application Rules

This is just an example of what you can do. With the Premium SKU, you can do more, like:

– TLS inspection, to have end-to-end encryption

– IDPS (Intrusion Detection and Prevention System) to monitor malicious traffic, log it (in Log Analytics), report it and block it

You will find more information here: Azure Firewall Premium features | Microsoft Docs

If you want to protect your Azure infrastructure quickly, without having firewall knowledge, it is a great solution. But be careful: it does not have the same full functionality as a real firewall, like Palo Alto, Checkpoint, etc. For example, a great feature would be to allow an Active Directory group to access a specific category of URLs, and deny it for all others. But Azure Firewall is a young product, and I am sure that it will evolve in the near future.

Florent Appointaire
Florent Appointaire is a Microsoft Engineer with 5 years of experience, specialized in Cloud Technologies (Public/Hybrid/Private). He has been a freelance consultant in Belgium since the beginning of 2017. He is an MVP in Cloud and Datacentre Management. He is MCSE Private Cloud and Hyper-V certified. His favorite products are SCVMM, SCOM, Windows Azure Pack/Azure Stack and Microsoft Azure.