Azure – You can now use a central configuration and management point for Azure Firewall

You may already know Azure Firewall, the managed, cloud-based network security service that protects your Azure virtual network resources.

Well, good news: you now have a central configuration and management point for Azure Firewall, called Azure Firewall Manager, to help you manage your cloud-based security perimeters.

Azure Firewall Manager works with the Azure Virtual WAN Hub (see the Virtual WAN documentation to know more about it).

With Azure Firewall Manager you can deploy and manage multiple Azure Firewall instances across different Azure regions from a central point, and integrate with third-party security services (like Zscaler).


During the public preview, Azure Firewall Manager is available in the following regions:

  • West Europe
  • North Europe
  • France Central
  • France South
  • UK South
  • UK West
  • Australia East
  • Australia Central
  • Australia Central 2
  • Australia Southeast
  • Canada Central
  • East US
  • West US
  • East US 2
  • South Central US
  • West US 2
  • Central US
  • North Central US
  • West Central US

To start using it, you must first register the required network provider feature using the command below (here I'm using the Cloud Shell, so I don't need to connect to Azure first).

Register-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network


It may take up to 30 minutes for the feature to get registered.

If you have multiple subscriptions in which you want the feature registered, you will need to switch to each subscription and run the above command again:

Set-AzContext -SubscriptionId <your subscription id>
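The two steps above (switch subscription, register the feature, wait for the registration to complete) can be scripted so that nothing is forgotten when several subscriptions are involved. The following is an added example, not code from the original post: it walks every enabled subscription the signed-in account can see (or only the ones listed in the hypothetical $SubscriptionIds allow-list), registers the AllowCortexSecurity feature where it is missing, and then polls Get-AzProviderFeature until each subscription reports "Registered" or the 30-minute budget mentioned above is spent. It assumes the Az PowerShell module (as in Cloud Shell) and an account allowed to register features in those subscriptions.

```powershell
# Added example (not part of the original post). Assumes the Az module is loaded
# and the account can register features in the selected subscriptions.
$FeatureName       = 'AllowCortexSecurity'
$ProviderNamespace = 'Microsoft.Network'
$PollSeconds       = 60
$MaxMinutes        = 30   # the post says registration can take up to 30 minutes

# Optional allow-list of subscription ids (hypothetical); leave empty to process
# every enabled subscription the signed-in account can see.
$SubscriptionIds = @()

$subs = Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }
if ($SubscriptionIds.Count -gt 0) {
    $subs = $subs | Where-Object { $SubscriptionIds -contains $_.Id }
}

function Get-FeatureState {
    # Returns the registration state of the feature in the current subscription context.
    (Get-AzProviderFeature -FeatureName $FeatureName -ProviderNamespace $ProviderNamespace).RegistrationState
}

# Pass 1: request registration wherever it is not already done.
foreach ($sub in $subs) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $state = Get-FeatureState
    if ($state -eq 'Registered') {
        Write-Host "[$($sub.Name)] $ProviderNamespace/$FeatureName already registered"
        continue
    }
    Write-Host "[$($sub.Name)] registering $ProviderNamespace/$FeatureName (current state: $state)"
    Register-AzProviderFeature -FeatureName $FeatureName -ProviderNamespace $ProviderNamespace | Out-Null
}

# Pass 2: poll each subscription until the feature is registered or the time budget is spent.
$deadline = (Get-Date).AddMinutes($MaxMinutes)
foreach ($sub in $subs) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    do {
        $state = Get-FeatureState
        if ($state -eq 'Registered') { break }
        Write-Host "[$($sub.Name)] state is '$state', waiting $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    if ($state -eq 'Registered') {
        Write-Host "[$($sub.Name)] registered"
    } else {
        Write-Warning "[$($sub.Name)] feature still '$state' after $MaxMinutes minutes; check again later"
    }
}
```

Running the script a second time is harmless: subscriptions that already report "Registered" are skipped, so it can double as a quick audit of which subscriptions are ready before you start creating policies.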

Once registered, you can then open Azure Firewall Manager by searching for "Azure Firewall Manager" in the Azure portal.


From there you can create:

  • New Azure Firewall Policies
  • New Secured Virtual Hub
  • Convert existing Hubs



You can migrate your existing Azure Firewall configuration to an Azure Firewall Policy using the script below.

$FirewallName = "<your Azure Firewall name>"
$ResourceGroupName = "<your resource group where the Azure Firewall is hosted>"
$PolicyName = "<your Azure Firewall Policy name>"
$Location = "<the Azure region>"

$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"
$ApplicationRuleGroupPriority = 300
$NetworkRuleGroupPriority = 200
$NatRuleGroupPriority = 100

# Helper functions for translating ApplicationProtocol and ApplicationRule
Function GetApplicationProtocols {
    Param([Object[]] $Protocols)
    # Turns the firewall's protocol objects into the "Type:Port" strings
    # (e.g. "Http:80", "Https:443") expected by New-AzFirewallPolicyApplicationRule -Protocol
    $output = @()
    ForEach ($protocol in $Protocols) {
        $output += "$($protocol.ProtocolType):$($protocol.Port)"
    }
    return $output
}

Function GetApplicationRuleParams {
    Param([Object] $ApplicationRule)
    # Builds the parameter set for New-AzFirewallPolicyApplicationRule as a hashtable
    # so it can be splatted, instead of evaluating a hand-built command string with
    # Invoke-Expression (which breaks on names or descriptions containing spaces or quotes)
    $params = @{
        Name          = $ApplicationRule.Name
        SourceAddress = $ApplicationRule.SourceAddresses
    }
    if ($ApplicationRule.Description) {
        $params.Description = $ApplicationRule.Description
    }
    if ($ApplicationRule.TargetFqdns) {
        $params.Protocol   = GetApplicationProtocols $ApplicationRule.Protocols
        $params.TargetFqdn = $ApplicationRule.TargetFqdns
    }
    if ($ApplicationRule.FqdnTags) {
        $params.FqdnTag = $ApplicationRule.FqdnTags
    }
    return $params
}

$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroupName
Write-Host "creating empty firewall policy"
$fwp = New-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName -Location $Location -ThreatIntelMode $azfw.ThreatIntelMode
Write-Host $fwp.Name "created"
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"

# Translate ApplicationRuleCollection
If ($azfw.ApplicationRuleCollections.Count -gt 0) {
    $firewallPolicyAppRuleCollections = @()
    ForEach ($appRc in $azfw.ApplicationRuleCollections) {
        If ($appRc.Rules.Count -gt 0) {
            Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
            $firewallPolicyAppRules = @()
            ForEach ($appRule in $appRc.Rules) {
                $ruleParams = GetApplicationRuleParams $appRule
                $firewallPolicyAppRule = New-AzFirewallPolicyApplicationRule @ruleParams
                Write-Host "Created appRule " $firewallPolicyAppRule.Name
                $firewallPolicyAppRules += $firewallPolicyAppRule
            }
            $fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRc.Name -Priority $appRc.Priority -ActionType $appRc.Action.Type -Rule $firewallPolicyAppRules
            Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
            # Only collections that actually hold rules are added to the group
            $firewallPolicyAppRuleCollections += $fwpAppRuleCollection
        }
    }
    $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
}

# Translate NetworkRuleCollection
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0) {
    $firewallPolicyNetRuleCollections = @()
    ForEach ($rc in $azfw.NetworkRuleCollections) {
        If ($rc.Rules.Count -gt 0) {
            Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
            $firewallPolicyNetRules = @()
            ForEach ($rule in $rc.Rules) {
                $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
                Write-Host "Created network rule " $firewallPolicyNetRule.Name
                $firewallPolicyNetRules += $firewallPolicyNetRule
            }
            $fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
            Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
            $firewallPolicyNetRuleCollections += $fwpNetRuleCollection
        }
    }
    $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
}

# Translate NatRuleCollection
# The hierarchy for NAT rule collections differs between Azure Firewall and Firewall Policy. In Azure Firewall a
# NatRuleCollection can hold multiple NatRules, where each NatRule has its own set of source, destination,
# translated IPs and ports.
# In Firewall Policy a NatRuleCollection has a set of rules that carry only the condition (source and destination
# IPs and ports), while the translated IP and port belong to the NatRuleCollection itself.
# So when translating NAT rules we have to create a separate rule collection for each Azure Firewall rule,
# and every such rule collection holds exactly one rule.

Write-Host "creating " $azfw.NatRuleCollections.Count " nat rule collections"
If ($azfw.NatRuleCollections.Count -gt 0) {
    $firewallPolicyNatRuleCollections = @()
    $priority = 100
    ForEach ($rc in $azfw.NatRuleCollections) {
        If ($rc.Rules.Count -gt 0) {
            Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
            ForEach ($rule in $rc.Rules) {
                $firewallPolicyNatRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
                Write-Host "Created nat rule " $firewallPolicyNatRule.Name
                # One collection per original NAT rule; collection names must stay unique within the group
                $natRuleCollectionName = $rc.Name + $rule.Name
                $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRule -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort
                $priority += 1
                Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name
                $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
            }
        }
    }
    $natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name
}
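Before attaching the new policy to a hub it is worth checking that nothing was lost in the migration, since a rule that silently failed to translate means traffic that is either blocked or, for a DNAT rule, no longer reachable as intended. The following is an added example, not part of the post's migration script: it reads the source Azure Firewall and the freshly created policy back from Azure and compares the rule counts per rule collection group, plus the threat-intelligence mode. It assumes the same $FirewallName, $ResourceGroupName and $PolicyName variables as the migration script, the group names that script uses, and the Az.Network module; the property names used to walk the policy's rule collections (Properties.RuleCollection and Rules) are an assumption about the Az.Network object model.

```powershell
# Added example (not part of the original post). Assumes $FirewallName,
# $ResourceGroupName and $PolicyName are set as in the migration script above.
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroupName
$fwp  = Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName

# Rule collection group names created by the migration script.
$groups = @{
    Application = 'ApplicationRuleCollectionGroup'
    Network     = 'NetworkRuleCollectionGroup'
    Nat         = 'NatRuleCollectionGroup'
}

function Get-SourceRuleCount {
    # Sums the rules of every collection on the source firewall; an empty list gives 0.
    Param([Object[]] $Collections)
    $sum = 0
    foreach ($rc in $Collections) { $sum += [int]$rc.Rules.Count }
    return $sum
}

function Get-PolicyRuleCount {
    # Sums the rules of every collection in one rule collection group of the policy.
    # Assumption: the group object exposes Properties.RuleCollection, each with a Rules list.
    Param([string] $GroupName)
    $group = Get-AzFirewallPolicyRuleCollectionGroup -Name $GroupName -ResourceGroupName $ResourceGroupName -AzureFirewallPolicyName $PolicyName -ErrorAction SilentlyContinue
    if (-not $group) { return 0 }   # group was never created: nothing migrated for this kind
    $sum = 0
    foreach ($rc in $group.Properties.RuleCollection) { $sum += [int]$rc.Rules.Count }
    return $sum
}

$expected = @{
    Application = Get-SourceRuleCount $azfw.ApplicationRuleCollections
    Network     = Get-SourceRuleCount $azfw.NetworkRuleCollections
    Nat         = Get-SourceRuleCount $azfw.NatRuleCollections
}

$mismatch = $false
foreach ($kind in @('Application', 'Network', 'Nat')) {
    $want = $expected[$kind]
    $have = Get-PolicyRuleCount -GroupName $groups[$kind]
    if ($want -eq $have) {
        $status = 'OK'
    } else {
        $status = 'MISMATCH'
        $mismatch = $true
    }
    Write-Host ("{0,-12} firewall={1,4} policy={2,4} {3}" -f $kind, $want, $have, $status)
}

# The migration script copies ThreatIntelMode when it creates the policy; confirm it stuck.
if ($azfw.ThreatIntelMode -ne $fwp.ThreatIntelMode) {
    Write-Warning "ThreatIntelMode differs: firewall=$($azfw.ThreatIntelMode) policy=$($fwp.ThreatIntelMode)"
    $mismatch = $true
}

if ($mismatch) {
    Write-Warning "Policy '$PolicyName' does not match firewall '$FirewallName'; review before attaching it to a hub"
} else {
    Write-Host "Policy '$PolicyName' matches firewall '$FirewallName' (rule counts and ThreatIntelMode)"
}
```

Counts are a coarse check: they catch a collection that was skipped or a rule that failed to create, but not a rule whose addresses or ports were altered. For NAT rules the count still lines up even though the migration creates one collection per rule, because each of those collections holds exactly one rule.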
