Azure – A new security feature available in preview in Azure: Azure Firewall

Microsoft has introduced a new security feature in Azure, in preview, called Azure Firewall.

Azure Firewall is going to help you protect your Azure vNET.

Like on-premises firewall solutions, Azure Firewall supports:

  • FQDN filtering
  • Traffic filtering rules
  • SNAT support
  • Integration with Azure Monitor logging


(diagram courtesy Microsoft)


As this is a preview, there are still a few things to be aware of:

  • If a network security group (NSG) is applied to the firewall subnet, outbound traffic may be blocked. As a workaround, you need to set up a new inbound rule at the NSG level:

Source: VirtualNetwork

Source ports: Any

Destination: Any

Destination ports: Any

Protocol: All

Access: Allow

  • Just-in-time access to virtual machines may conflict with Azure Firewall. As a workaround, you need to isolate the virtual machine in a vNet that does not route through Azure Firewall.

OK, now it is time to set up Azure Firewall.

Setting up Azure Firewall

Setting up Azure Firewall assumes you already have at least one Azure vNet configured; I’m not going to cover vNet creation in this post.

  • Register your Azure subscription for Azure Firewall preview using PowerShell

If you don’t register your subscription first, you will get a notification when trying to create your first Azure Firewall

Register your subscription for the Azure Firewall preview to create a firewall


Run the following commands to connect to Azure and register your subscription

It is recommended to use the latest version of Azure PowerShell (6.4.0) available here


Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network

Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network


Registration may take up to 30 minutes to complete.

You can check the progress with the following commands:

Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network

Get-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network


Then run the last command

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network


  • Connect to your Azure ARM portal and update your vNet to have a subnet named AzureFirewallSubnet


  • Then create a new resource, search for Firewall


  • Then fill in the usual fields to create your Azure Firewall (name, subscription, resource group…)


  • That's it, you have created your Azure Firewall. Now it is time to set up your firewall rules.


  • Access the Rules configuration blade to set up your firewall rules; you can define network rules or application rules. Both are configured the same way: a rule name, priority and action (allow/deny), source and target addresses, and communication ports. A network rule also lets you define the protocol (TCP, UDP, ICMP or any).


If you want to automate/use PowerShell you can take a look at for a sample PowerShell script.
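
The registration steps and the NSG workaround described above can be scripted end to end. The following is an added example, not code from the original post or from Microsoft; it assumes AzureRM 6.x with an already authenticated session, and the resource group name, NSG name, rule name and priority are hypothetical placeholders.

```powershell
# Added example. Resource names, the rule name and the priority are placeholders.
$ErrorActionPreference = 'Stop'
$rgName   = 'rg-network'        # hypothetical resource group
$nsgName  = 'nsg-azfw-subnet'   # hypothetical NSG applied to AzureFirewallSubnet
$ruleName = 'Allow-VNet-Inbound-AzFw'
$features = 'AllowRegionalGatewayManagerForSecureGateway', 'AllowAzureFirewall'

# 1. Request both preview features (same commands as in the post).
foreach ($f in $features) {
    Register-AzureRmProviderFeature -FeatureName $f -ProviderNamespace Microsoft.Network | Out-Null
}

# 2. Poll until both report 'Registered'. The post says this can take up to
#    30 minutes, so give up after 45 instead of looping forever.
$deadline = (Get-Date).AddMinutes(45)
while ($true) {
    $pending = @($features | Where-Object {
        (Get-AzureRmProviderFeature -FeatureName $_ -ProviderNamespace Microsoft.Network).RegistrationState -ne 'Registered'
    })
    if ($pending.Count -eq 0) { break }
    if ((Get-Date) -gt $deadline) { throw "Still not registered: $($pending -join ', ')" }
    Write-Host "Waiting for: $($pending -join ', ')"
    Start-Sleep -Seconds 60
}

# 3. Re-register the resource provider so the features take effect.
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network | Out-Null

# 4. Preview workaround: inbound allow rule on the NSG attached to the
#    firewall subnet, using the values listed in the post. Skipped if the
#    rule already exists, so the script can be re-run safely.
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
if (-not ($nsg.SecurityRules | Where-Object Name -eq $ruleName)) {
    $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name $ruleName `
        -Direction Inbound -Access Allow -Protocol '*' -Priority 200 `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' |
        Set-AzureRmNetworkSecurityGroup | Out-Null
}
```

Attach this rule only to the NSG on the AzureFirewallSubnet; it allows all protocols and ports from the VirtualNetwork tag, so it should not be copied onto NSGs that protect workload subnets.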
