Navigating Azure Firewalls
To gain insights into firewall relationships with VNets (differentiated by hub and spoke), firewall policy details, and traffic flows passing through the firewall, you will need to apply the correct filters and drill down through the results displayed on the Map. This makes it easier to see which VNets talk to each other at a glance, as well as to see which VNets need to have firewalls applied. You can also browse from an application to its Details Page Map tab to visualize Azure Firewalls specific to that application.
Note
Illumio Cloud does not support Classic Azure Firewall.
For navigating the Infrastructure View, see Cloud Map navigation.
For an overview of Azure Firewalls, see Azure Firewalls Overview.
Here are guidelines and instructions for navigating Azure Firewalls in the Map and from an application. There are three scenarios described:
Filtering the Map by Azure Firewall Example
Follow these steps to get a broad view of your environment's firewalls.
In the Map, use the filter to select Azure Firewalls (Resource Type = Microsoft.Network/azureFirewalls) and click Apply.
The Map shows VNets containing Azure Firewalls but does not show which ones are hubs or spokes. An example VNet with an Azure Firewall:
You will need to show the firewall topology to see which ones are hubs vs. spokes, as described in the next step.
Click the gear icon to open the Map Configuration dialog and select Show Firewall Topology.
The Map displays your VNets containing firewalls and reveals the Firewall Topology, showing peering traffic and labeling the VNets as hubs and spokes. To see how to expand hub VNets and hover over them for more details, see Filtering the Map by Account Example.
Filtering the Map by Account Example
Follow these steps to filter the Map by an account that you want to check for firewalls.
In the Map, use a filter like Account = <account name> and click Apply. It shows the Illumio Cloud Map for that account. You can also filter by region, resource type, etc.
Click the gear icon to open the Map Configuration dialog and select Show Firewall Topology.
If none of the VNets associated with the filter query have firewalls, a message displays to that effect.
To run a different query with the filter, click the back arrow icon in the Illumio Cloud Map (not the browser), use a filter like Region = eastus, and click Apply.
If the VNets associated with the filter query do have firewalls, the Illumio Cloud Map displays the regions and the accounts that match the filter, including those accounts that have Azure Firewalls, as indicated by border highlighting. Click an account with firewall topology to expand it. In this example you see this:
When you see hubs and spokes, which are labeled as such, look for things like the following:
Peering connections between hubs and spokes, as indicated by dashed lines
Traffic entering or leaving the firewall, as indicated by green lines. Note that if a VNet or virtual hub is collapsed you see traffic from it, and if it is open you see traffic from the particular resource.
Expand the hub VNet.
The expanded hub is "pulled out" to facilitate the enlarged view and shows an Azure Firewall indicated by the flame icon, along with peering traffic lines.
Hover on a hub VNet to see its details. In this example you see this:
Browsing from an Application Example
Follow these steps to navigate from an application to its application-specific map to gain visual insights for firewalls associated with that application.
Instead of starting from the Map, browse to Explore > Applications and select an application that you know to have a firewall.
The application's Details page opens to the Summary tab by default.
Click the Map tab in the Details page.
The Map shows the application's VNets that contain firewalls but does not show which ones are hubs or spokes.
You will need to show the firewall topology to see which ones are hubs vs. spokes, as described in the next step.
Click the gear icon to open the Map Configuration dialog and select Show Firewall Topology.
The Map displays your application VNets containing firewalls and reveals the Firewall Topology, showing peering traffic and labeling the VNets as hubs and spokes. To see how to expand hub VNets and hover over them for more details, see Filtering the Map by Account Example.