This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
Azure Firewall Premium is now generally available in most Azure regions. Thank you to the community members who participated in both the private and public previews. This SKU is compatible with both Virtual WAN Hub (Secure Virtual Hub) and Hub Virtual Network scenarios.
The Azure Firewall Premium SKU utilizes a more powerful compute engine for advanced content filtering and threat protection through IDPS. The Premium SKU can seamlessly scale up to 30 Gbps and integrates with availability zones to support the service level agreement (SLA) of 99.99 percent.
It provides threat intelligence-based filtering for both encrypted and non-encrypted traffic, and intrusion detection and prevention for all ports and protocols, as a managed service to our customers, with support for hybrid connectivity through deployment behind VPN and ExpressRoute gateways.
All new features of the Firewall Premium SKU are configurable via Firewall Policy only. Azure Firewall features ported from Azure Firewall Standard and Classic rules, such as Threat Intelligence and Custom DNS, as well as new features such as TLS inspection and Web Categories, can all be managed via an Azure Firewall Premium policy.
The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs and is ICSA Labs certified.
- Transport Layer Security (TLS) Inspection: Azure Firewall Premium decrypts outbound East-West TLS connections, performs the required value-added security functions and re-encrypts the traffic which is sent to the original destination.
- Intrusion Detection and Prevention System (IDPS): Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
- Web Categories: Allows administrators to allow or deny user access to the Internet based on categories (e.g., social networking, search engines, gambling), reducing the time spent on managing individual FQDNs and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.
- URL Filtering: TLS inspection enables filtering beyond the FQDN root domain and allows users to access specific URLs for both plain text and encrypted traffic, typically used in conjunction with Web Categories.
By using Firewall Policy, you can achieve central management of your firewalls using Azure Firewall Manager. Firewall Rules (Classic) continue to be supported and can be used for configuring existing features of Standard Firewall. Firewall Policy can be managed independently or by using Azure Firewall Manager.
Migrating to the new Firewall Premium SKU
To migrate your existing Azure Firewall Standard policy to a Premium policy, you connect to your Azure account, retrieve the existing policy, and modify its parameters by adding the features required for a Premium firewall policy to the existing firewall image. The existing firewall instance is then deleted as you create a new one with the Premium features. The new instance is compute intensive due to the TLS inspection and IDPS actions, hence the Azure Firewall Premium SKU is deployed with a more powerful compute engine.
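The migration steps above, written out as an added Az PowerShell example (not code from the original post or from Microsoft's own migration script). It assumes the resource group, policy, firewall, VNet and public IP names shown, and starts IDPS in Alert mode so new signatures are observed before any traffic is blocked:

```powershell
# Added example: migrate a Standard firewall policy to a new Premium policy
# and redeploy the firewall on the Premium SKU. All names below are assumed.
Connect-AzAccount
Set-AzContext -Subscription "<subscription-id>"

$rg        = "fw-rg"
$location  = "westeurope"
$stdPolicy = Get-AzFirewallPolicy -Name "fw-standard-policy" -ResourceGroupName $rg

# IDPS in Alert mode first; switch to Deny only after reviewing the alerts.
$idps = New-AzFirewallPolicyIntrusionDetection -Mode "Alert"

# New Premium-tier policy that keeps the Standard policy's threat-intel mode.
$premPolicy = New-AzFirewallPolicy -Name "fw-premium-policy" -ResourceGroupName $rg `
    -Location $location -SkuTier "Premium" -ThreatIntelMode $stdPolicy.ThreatIntelMode `
    -IntrusionDetection $idps

# Carry the existing rule collection groups over unchanged.
foreach ($ref in $stdPolicy.RuleCollectionGroups) {
    $name  = $ref.Id.Split("/")[-1]
    $group = Get-AzFirewallPolicyRuleCollectionGroup -Name $name -AzureFirewallPolicy $stdPolicy
    New-AzFirewallPolicyRuleCollectionGroup -Name $name -Priority $group.Properties.Priority `
        -RuleCollection $group.Properties.RuleCollection -FirewallPolicyObject $premPolicy | Out-Null
}

# Replace the Standard instance with a Premium one attached to the new policy.
$oldFw = Get-AzFirewall -Name "fw-standard" -ResourceGroupName $rg
$vnet  = Get-AzVirtualNetwork -Name "fw-vnet" -ResourceGroupName $rg
$pip   = Get-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName $rg
Remove-AzFirewall -Name $oldFw.Name -ResourceGroupName $rg -Force
New-AzFirewall -Name "fw-premium" -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $premPolicy.Id `
    -SkuTier "Premium" -Zone 1,2,3
```

Expect an outage between Remove-AzFirewall and New-AzFirewall completing, and check that route tables still point at the firewall's private IP afterwards.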
Some helpful use case scenarios and reference architectures for Azure Firewall Premium:
For more information, see the Azure Firewall Premium documentation.