Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.1. Azure Firewall and Firewall Manager

💡 First Principle: Azure Firewall is a cloud-native, stateful firewall-as-a-service. It provides centralized network and application rule processing across VNets and subscriptions.

Scenario: Your organization wants all outbound internet traffic from workload VNets to be inspected and logged. You need to block access to malicious domains and allow only approved destinations.

Azure Firewall Features

  • Network rules: Filter by IP address, port, protocol (Layer 3-4)
  • Application rules: Filter by FQDN (Layer 7)
  • Threat intelligence: Block known malicious IPs/domains
  • NAT rules: DNAT for inbound traffic

Firewall Rule Priority

  • Rules are processed by priority (100-65000)
  • Lower number = higher priority
  • First matching rule wins

⚠️ Exam Trap: Setting a rule priority to 0. Azure Firewall rule priorities range from 100 to 65000. Priority 0 is invalid.
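A simplified model of the priority behavior described above, added here as an illustration; it is not MindMesh Academy's code or Azure's own evaluation engine. The `RuleCollection` class, the collection names and the example domains are constructed for this sketch, and the model covers only FQDN-based application rule collections, where the priority and the Allow/Deny action sit on the collection.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

PRIORITY_MIN, PRIORITY_MAX = 100, 65000  # valid range stated in the section above


@dataclass(frozen=True)
class RuleCollection:  # hypothetical type for this sketch, not an Azure SDK class
    name: str
    priority: int
    action: str          # "Allow" or "Deny"
    target_fqdns: tuple  # exact names or "*.suffix" wildcards


def validate(collections):
    """Return a list of configuration errors (an empty list means valid)."""
    errors = []
    for c in collections:
        if not PRIORITY_MIN <= c.priority <= PRIORITY_MAX:
            errors.append(f"{c.name}: priority {c.priority} is outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        if c.action not in ("Allow", "Deny"):
            errors.append(f"{c.name}: unknown action {c.action!r}")
    return errors


def evaluate(collections, fqdn):
    """Return (action, collection name) for an outbound request to fqdn."""
    fqdn = fqdn.lower().rstrip(".")
    for c in sorted(collections, key=lambda c: c.priority):  # lowest number first
        if any(fnmatchcase(fqdn, pattern.lower()) for pattern in c.target_fqdns):
            return c.action, c.name  # first match wins; later collections are not consulted
    return "Deny", "(default)"  # nothing matched: Azure Firewall denies by default


# Constructed sample policy for the scenario above (placeholder names and domains).
POLICY = [
    RuleCollection("allow-approved", 200, "Allow", ("*.example.com", "updates.example.net")),
    RuleCollection("deny-known-bad", 100, "Deny", ("bad.example.com",)),
]
# Same rules, but the deny now sits behind the broad allow and never gets a chance to match.
MISORDERED = [
    RuleCollection("allow-approved", 200, "Allow", ("*.example.com", "updates.example.net")),
    RuleCollection("deny-known-bad", 300, "Deny", ("bad.example.com",)),
]
```

Comparing `evaluate(POLICY, "bad.example.com")` with `evaluate(MISORDERED, "bad.example.com")` shows why a specific deny needs a lower priority number than the wildcard allow that would otherwise match first.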

Azure Firewall Manager

  • Purpose: Centrally manage firewall policies across multiple firewalls
  • Secured Virtual Hub: Integrates Azure Firewall with Virtual WAN
  • Firewall Policies: Reusable rule collections across firewalls

Written by Alvin Varughese
Founder, 15 professional certifications