New Azure Firewall options in Q2 CY2020
We’re happy to announce a number of new Azure Firewall options that permit your group to enhance safety, have extra customization, and handle guidelines extra simply. These new capabilities had been added primarily based in your prime suggestions:
- Customized DNS assist now in preview.
- DNS Proxy assist now in preview.
- FQDN filtering in community guidelines now in preview.
- IP Teams now typically obtainable.
- AKS FQDN tag now typically obtainable.
- Azure Firewall is now HIPAA compliant.
As well as, in early June 2020, we introduced Azure Firewall pressured tunneling and SQL FQDN filtering at the moment are typically obtainable.
Azure Firewall is a cloud-native firewall as a service (FWaaS) providing that means that you can centrally govern and log all of your site visitors flows utilizing a DevOps strategy. The service helps each utility and network-level filtering guidelines and is built-in with the Microsoft Menace Intelligence feed for filtering recognized malicious IP addresses and domains. Azure Firewall is very obtainable with built-in auto scaling.
Customized DNS assist now in preview
Since its launch in September 2018, Azure Firewall has been hardcoded to make use of Azure DNS to make sure the service can reliably resolve its outbound dependencies. Customized DNS offers separation between buyer and repair title decision. This lets you configure Azure Firewall to make use of your individual DNS server and ensures the firewall outbound dependencies are nonetheless resolved with Azure DNS. It’s possible you’ll configure a single DNS server or a number of servers in Azure Firewall and Firewall Coverage DNS settings.
Azure Firewall can be able to title decision utilizing Azure Non-public DNS, so long as your personal DNS zone is linked to the firewall digital community.
DNS Proxy now in preview
With DNS proxy enabled, outbound DNS queries are processed by Azure Firewall, which initiates a brand new DNS decision question to your customized DNS server or Azure DNS. That is essential to have dependable FQDN filtering in community guidelines. It’s possible you’ll configure DNS proxy in Azure Firewall and Firewall Coverage DNS settings.
DNS proxy configuration requires three steps:
- Allow DNS proxy in Azure Firewall DNS settings.
- Optionally configure your customized DNS server or use the offered default.
- Lastly, you could configure the Azure Firewall’s personal IP tackle as a Customized DNS server in your digital community DNS server settings. This ensures DNS site visitors is directed to Azure Firewall.
Determine 1. Customized DNS and DNS Proxy settings on Azure Firewall.
FQDN filtering in community guidelines now in preview
Now you can use absolutely certified domains (FQDN) in community guidelines primarily based on DNS decision in Azure Firewall and Firewall Coverage. The required FQDNs in your rule collections are translated to IP addresses primarily based in your firewall DNS settings. This functionality means that you can filter outbound site visitors utilizing FQDNs with any TCP/UDP protocol (together with NTP, SSH, RDP, and extra). As this functionality relies on DNS decision, it’s extremely advisable you allow the DNS proxy to make sure your protected digital machines and firewall title decision are constant.
FQDN filtering in utility guidelines for HTTP/S and MSSQL relies on utility degree clear proxy. As such, it may well discern between two FQDNs which can be resolved to the identical IP tackle. This isn’t the case with FQDN filtering in community guidelines, so it’s at all times advisable you employ utility guidelines when doable.
Determine 2. FQDN filtering in community guidelines.
IP Teams now typically obtainable
IP Teams is a brand new top-level Azure useful resource that means that you can group and handle IP addresses in Azure Firewall guidelines. You can provide your IP group a reputation and create one by getting into IP addresses or importing a file. IP Teams eases your administration expertise and scale back time spent managing IP addresses through the use of them in a single firewall or throughout a number of firewalls. IP Teams is now typically obtainable and supported inside a standalone Azure Firewall configuration or as a part of Azure Firewall Coverage. For extra data, see the IP Teams in Azure Firewall documentation.
Determine 3. Creating a brand new IP Group.
AKS FQDN tag now in typically obtainable
An Azure Kubernetes Service (AKS) FQDN tag can now be utilized in Azure Firewall utility guidelines to simplify your firewall configuration for AKS safety. Azure Kubernetes Service (AKS) provides managed Kubernetes cluster on Azure that reduces the complexity and operational overhead of managing Kubernetes by offloading a lot of that duty to Azure.
For administration and operational functions, nodes in an AKS cluster must entry sure ports and FQDNs. For extra steering on how one can add safety for Azure Kubernetes cluster utilizing Azure Firewall, see Use Azure Firewall to guard Azure Kubernetes Service (AKS) Deployments.
Determine 4. Configuring utility rule with AKS FQDN tag.
For extra data on all the pieces we coated right here, see these further sources: