neil.bailie / July 3, 2019 / Azure Networking, Microsoft Azure, Security

Around a year ago I gave my first impressions of Azure Firewall, which had just been released as a preview. An update on how the service has evolved over the last year is long overdue on my part.

Like everything in the cloud, the pace of change is rapid. When I first wrote about Azure Firewall I concluded it was a welcome addition but lacked some key features; that is no longer the case. Over the last year Microsoft have regularly added new capabilities and enhanced existing ones, and the service is now much richer in what it offers.

Thinking back, the biggest shortcoming of the preview (in my opinion) was that it focused on filtering outbound traffic only: you couldn't filter inbound requests and still had to rely on NSGs for that. While FQDN-based filtering of outbound traffic was a welcome capability that had been lacking previously, the outbound-only design limited the overall value an Azure Firewall provided.

If memory serves, Microsoft added inbound filtering (DNAT rules) around the time the service went GA; more details on DNAT are discussed here. So my biggest complaint was short lived: Azure Firewall now supports both inbound and outbound filtering!
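The inbound case in practice, as an added example that is not code from the original post: a DNAT rule on an existing Azure Firewall that publishes an internal web server on TCP/443, written with the Az PowerShell module. The resource group, firewall and public IP names, the partner source range and the backend address are assumptions for illustration. The source address is deliberately not `*`; the loop at the end is the check I would run on any firewall to find DNAT rules that are open to the whole internet.

```powershell
# Added example (not from the original post): publish an internal web server
# through Azure Firewall with a DNAT rule, using the Az PowerShell module.
# $rg, $fwName, $pipName, the 203.0.113.0/24 source range and 10.1.2.4 are
# assumed values for illustration.
$rg      = "rg-fw-demo"
$fwName  = "fw-hub"
$pipName = "pip-fw-hub"

$azFw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$pip  = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg

# DNAT rule: TCP/443 arriving on the firewall's public IP is translated to the
# internal server 10.1.2.4:443. SourceAddress is scoped to an assumed partner
# range rather than "*", so the backend is not reachable from the whole internet.
$dnatRule = New-AzFirewallNatRule `
    -Name "allow-partner-https" `
    -Protocol "TCP" `
    -SourceAddress "203.0.113.0/24" `
    -DestinationAddress $pip.IpAddress `
    -DestinationPort "443" `
    -TranslatedAddress "10.1.2.4" `
    -TranslatedPort "443"

# NAT rule collections must use the Dnat action type.
$natCollection = New-AzFirewallNatRuleCollection `
    -Name "inbound-dnat" `
    -Priority 200 `
    -Rule $dnatRule `
    -ActionType "Dnat"

$azFw.AddNatRuleCollection($natCollection)
Set-AzFirewall -AzureFirewall $azFw

# Check: re-read the firewall and flag any DNAT rule whose source is unrestricted.
$azFw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
foreach ($rc in $azFw.NatRuleCollections) {
    foreach ($r in $rc.Rules) {
        $sources = $r.SourceAddresses -join ","
        $open = ($r.SourceAddresses -contains "*") -or ($r.SourceAddresses -contains "0.0.0.0/0")
        $line = "$($rc.Name)/$($r.Name): $($r.DestinationAddresses -join ',') -> $($r.TranslatedAddress):$($r.TranslatedPort) from $sources"
        if ($open) { $line += "   <-- open to the internet, review" }
        $line
    }
}
```

Two caveats worth knowing when you use this: the DestinationAddress must be a public IP attached to the firewall, and the NSG on the backend subnet still applies after translation, so it has to permit the translated traffic or the rule will appear to do nothing.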

Another limitation was that initially you couldn't stop an Azure Firewall once it had been deployed. This was a major pain if, like me, you deploy things to evaluate them and don't want to pay for them to run long term, while also not wanting to delete and redeploy every time you find time to test. This capability now exists: you can deallocate an Azure Firewall with PowerShell, as discussed here.

Azure Firewall also now supports Availability Zones, which when used increases the SLA offered to 99.99%. At the time of posting this feature is in Public Preview, but again it is a major addition in terms of the value it brings to the service, and it does so in a way that is transparent to the end user.

Azure Firewall now supports up to 100 public IP addresses attached to the service instance, which greatly increases the scalability of the service for both inbound and outbound traffic flows. At the time of posting this feature is in Public Preview.
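The three lifecycle features above (deallocate and reallocate, Availability Zones, multiple public IPs) together, as an added example that is not code from the original post or Microsoft's documentation: it deploys a zone-redundant firewall with two public IPs using the Az PowerShell module, deallocates it to stop paying for compute, and reallocates it with the same VNet and IPs. The resource group, region, VNet address space and resource names are assumptions for illustration.

```powershell
# Added example (not from the original post): zone-redundant Azure Firewall
# with two public IPs, then deallocate / allocate. Az PowerShell module.
# $rg, $location, the 10.0.0.0/16 address space and all resource names are
# assumed values for illustration.
$rg       = "rg-fw-demo"
$location = "uksouth"
$fwName   = "fw-hub"

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Azure Firewall needs a subnet named exactly "AzureFirewallSubnet" (/26 or larger).
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.0.0/26"
$vnet = New-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet

# Standard SKU static public IPs are required. -Zone 1,2,3 makes each IP
# zone-redundant to match the firewall's own zone redundancy.
$pips = [Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress[]](1..2 | ForEach-Object {
    New-AzPublicIpAddress -Name "pip-$fwName-$_" -ResourceGroupName $rg -Location $location `
        -AllocationMethod Static -Sku Standard -Zone 1,2,3
})

# -Zone 1,2,3 spreads the firewall across all three zones (the 99.99% SLA
# configuration); -PublicIpAddress takes an array, i.e. multiple public IPs.
$azFw = New-AzFirewall -Name $fwName -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pips -Zone 1,2,3

# Deallocate: the firewall resource and its rule collections are kept,
# compute billing stops (the public IPs remain and are still billed).
$azFw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$azFw.Deallocate()
Set-AzFirewall -AzureFirewall $azFw

# Allocate again later: re-attach the VNet and the same public IPs.
$azFw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$vnet = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
$pips = [Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress[]](1..2 | ForEach-Object {
    Get-AzPublicIpAddress -Name "pip-$fwName-$_" -ResourceGroupName $rg
})
$azFw.Allocate($vnet, $pips)
Set-AzFirewall -AzureFirewall $azFw

# Verify: zones, number of attached IPs, and the private IP your route tables
# should point at (check it still matches your UDRs after reallocation).
$azFw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
"Zones: $($azFw.Zones -join ',')"
"Public IPs attached: $($azFw.IpConfigurations.Count)"
"Private IP: $($azFw.IpConfigurations[0].PrivateIPAddress)"
```

The Deallocate and Allocate calls are methods on the firewall object returned by Get-AzFirewall; nothing changes in Azure until the object is written back with Set-AzFirewall, which is why each step re-reads the firewall first and ends with that call.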

So in summary, the service has matured greatly in the last year and most of the negatives I called out in my original post no longer exist. While some NVA firewalls offered by vendors may offer additional capabilities, Azure Firewall, as a native, scriptable service with REST API support, is a viable choice as a firewall within Azure.
