
Azure Firewalls Overview

You can gain visibility into your Azure Firewalls and enforce policy on them using Illumio Segmentation for the Cloud. This visibility includes a clear view of your Azure Firewall inventory, with details about your firewalls and their current policies. The Map provides Azure firewall visualization within a hub-spoke architecture. This provides you with insights into firewall relationships with virtual hubs and VNETs (differentiated by hub and spoke), firewall policy details, and traffic flows passing through the firewall. You can also see your firewall network flows using the Traffic page. These combined capabilities make it easier to see which VNets talk to each other at a glance, as well as to see which VNets need to have firewalls applied.

Note

Illumio Segmentation for the Cloud does not support Classic Azure Firewall.

Benefits of Using Azure Firewall

This visual inspection feature lets you:

  • Understand all your onboarded Azure subscriptions' firewall deployments within the Azure network topology

  • Gain deeper insights into your Azure accounts' firewall configuration regarding network topology, policy details, and traffic from source to firewall and firewall to source

With Azure Firewalls you can:

  • Open the Cloud Map configuration panel to select the Firewall Topology view. Highlighting lets you see which VNets and virtual hubs have firewalls.

  • Distinguish between hubs and spokes immediately. (Hub VNets contain firewalls, and VNets peered to hub VNets are spoke VNets).

    • Hubs are labeled as such and specify whether they are virtual hubs or VNet hubs

    • Spokes are labeled as such

  • Determine immediately whether a virtual hub or VNet has a firewall deployed (firewall icon) or has a peering connection to a firewall (dashed peering line). In peering mode, the line will be purple. In the Firewall topology view the line will be orange.

  • Apply filters by application, region, resource, and more to display associated Azure firewalls, resources, and traffic flows. Displayed traffic flows include:

    • Traffic passing through the firewalls,

    • Traffic between resources within the region,

    • Traffic across the region, cloud, and the internet

A Typical Use Case

For security operations administrators, gaining complete visibility into the firewalls associated with critical applications is essential to minimizing exposure to risk. This visibility ensures that payments applications are protected from potential security threats. If any VNets lack firewalls, follow this workflow to put the firewalls in place:

  1. Use the Illumio Segmentation for the Cloud Azure Firewalls feature to see which of your applications' VNets have firewalls associated with them. See Navigating Azure Firewalls.

  2. Identify VNets. See Inventory.

    • Compile a list of all VNets associated with payments applications

    • Determine whether each VNet has an active firewall

    • Evaluate the risks posed by VNets without firewalls, considering application sensitivity and compliance requirements

  3. Define Firewall Rules. See Writing Azure Firewall policy.

    • Configure rules in Illumio Segmentation for the Cloud to meet application requirements while adhering to the principle of least privilege.

    • Set up alerts in Azure to monitor traffic anomalies

  4. Validate and Monitor. See Navigating Azure Firewalls.

    • After deployment, validate the configuration and monitor traffic to ensure the firewall operates as intended.
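The hub-and-spoke rule above (a VNet containing a firewall is a hub, a VNet peered to a hub is a spoke) and step 2 of this workflow can be scripted against an inventory. The following is an added example, not Illumio's or Azure's code: it classifies each VNet and lists the payments VNets with no firewall coverage. The inventory is constructed by hand; in practice you would build it from your subscription's VNet, peering and firewall data, and virtual (vWAN) hubs are not modelled here.

```python
"""Classify VNets as hub / spoke / uncovered and flag VNets of one application
that have no firewall coverage. Added example; the inventory is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VNet:
    name: str
    has_firewall: bool = False                      # an Azure Firewall is deployed in this VNet
    peerings: List[str] = field(default_factory=list)  # names of VNets this one is peered to
    app: str = ""                                   # application tag, e.g. "payments"


# Constructed sample inventory (not real subscription data).
INVENTORY = [
    VNet("hub-eastus", has_firewall=True, peerings=["pay-web", "pay-db"]),
    VNet("pay-web", peerings=["hub-eastus"], app="payments"),
    VNet("pay-db", peerings=["hub-eastus"], app="payments"),
    VNet("pay-batch", peerings=["analytics"], app="payments"),  # peered, but not to a hub
    VNet("analytics", peerings=["pay-batch"], app="analytics"),
]


def classify(vnets: List[VNet]) -> Dict[str, str]:
    """Return {vnet_name: 'hub' | 'spoke' | 'uncovered'} using the page's rule:
    hubs contain a firewall, spokes are peered to a hub, the rest are uncovered."""
    hubs = {v.name for v in vnets if v.has_firewall}
    roles = {}
    for v in vnets:
        if v.name in hubs:
            roles[v.name] = "hub"
        elif any(peer in hubs for peer in v.peerings):
            roles[v.name] = "spoke"
        else:
            roles[v.name] = "uncovered"
    return roles


def uncovered_for_app(vnets: List[VNet], app: str) -> List[str]:
    """Step 2 of the workflow: VNets tagged `app` that have neither a firewall
    nor a peering to a hub, i.e. the ones to evaluate for risk and remediate."""
    roles = classify(vnets)
    return sorted(v.name for v in vnets if v.app == app and roles[v.name] == "uncovered")


if __name__ == "__main__":
    for name, role in classify(INVENTORY).items():
        print(f"{name:12} {role}")
    print("payments VNets needing a firewall:", uncovered_for_app(INVENTORY, "payments"))
```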