Enhanced DNS features in Azure Firewall

iFour Team - June 18, 2021

Azure Firewall is a cloud-based, managed network security service that protects your Azure Virtual Network resources and filters traffic with allow and deny rules. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. With Azure Firewall you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

Azure Firewall uses a static public IP address for your virtual network resources, so outside firewalls can identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Azure Firewall includes the following features:

Built-in high availability

High availability is built in, so no additional load balancer is required and there is nothing to configure.

Availability Zones

To increase availability, Azure Firewall can be configured during deployment to span multiple Availability Zones. When two or more Availability Zones are selected, a 99.99% uptime Service Level Agreement (SLA) is offered. You can also associate Azure Firewall with a specific zone for proximity reasons, in which case the service's standard 99.95% SLA applies.

Unrestricted cloud scalability

Azure Firewall scales out as needed to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

Application FQDN filtering rules

Outbound HTTP/S traffic or Azure SQL traffic can be limited to a specified list of fully qualified domain names (FQDNs), including wildcards.

Network traffic filtering rules

Network filtering rules that allow or deny traffic can be created centrally by source and destination IP address, port, and protocol. Because Azure Firewall is fully stateful, it can distinguish legitimate packets for different types of connections.

FQDN tags

FQDN tags make it easier to allow well-known Azure service network traffic through your firewall. For example, you can create an application rule and include the Windows Update tag in it.

Service tags

A service tag represents a group of IP address prefixes, which helps minimize the complexity of security rule creation. Microsoft manages the address prefixes and automatically updates the service tag as addresses change.

Threat intelligence

Threat intelligence-based filtering can be enabled for the firewall to alert on and deny traffic from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Outbound SNAT support

All outbound virtual network traffic is translated to the Azure Firewall public IP address (Source Network Address Translation, SNAT), so you can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is in a private IP range per IANA RFC 1918.

Inbound DNAT support

Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation, DNAT) and filtered to the private IP addresses on your virtual networks.

Multiple public IP addresses

Multiple public IP addresses (up to 250) can be associated with your firewall.

This enables the following scenarios:

  • DNAT - You can translate multiple standard port instances to your backend servers. For example, you can translate TCP port 3389 (RDP) on two different public IP addresses.
  • SNAT - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. Azure Firewall randomly selects which public IP address to use for a connection.

Azure Monitor logging

With Azure Monitor you can archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs.

The Azure Firewall Workbook provides a flexible canvas for Azure Firewall data analysis, so you can create rich visual reports within the Azure portal.

Forced tunnelling

With forced tunnelling, Azure Firewall can be configured to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, an on-premises edge firewall or another network virtual appliance (NVA) can process network traffic before it's passed to the Internet.

Certifications

Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), and International Organization for Standardization (ISO) compliant, and is ICSA Labs certified.

Azure Firewall provides the following new and upgraded DNS features:

Custom DNS support is now generally available

Azure Firewall launched in September 2018 with Azure DNS hardcoded as its resolver, to ensure the service could reliably resolve its outbound dependencies. With custom DNS support, Azure Firewall can be configured to use your own DNS server, while the firewall's own outbound dependencies are still resolved with Azure DNS. A single DNS server or multiple servers can be configured in the Azure Firewall and Firewall Policy DNS settings.

Azure Firewall can also resolve names using Azure Private DNS. The Virtual Network in which Azure Firewall resides must be linked to the Azure Private DNS zone.

DNS proxy is now generally available

When DNS proxy is enabled, Azure Firewall can process and forward DNS queries from one or more Virtual Networks to your desired DNS server. This functionality is crucial to reliable FQDN filtering in network rules: when the virtual machines and the firewall resolve names through the same path, the IP addresses the firewall matches a rule against are the same ones the virtual machines connect to.


Use the following steps to enable DNS proxy in the Azure Firewall and Firewall Policy settings.

  • In the Azure Firewall DNS settings, enable the DNS proxy option.
  • Use your custom DNS server or the provided default (Azure DNS).
  • Finally, configure the Azure Firewall's private IP address as a custom DNS server in your virtual network DNS server settings. This ensures that your DNS traffic is directed to your Azure Firewall.
  • The DNS proxy listens for requests on TCP port 53 and forwards them to Azure DNS or the custom DNS server specified.
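The steps above as an Azure CLI script, added here as an example; it is not code from the original post or from Microsoft. It assumes the azure-firewall CLI extension with the flag names current at the time of writing, and uses placeholder resource names (rg-hub, fw-hub, fwpol-hub, vnet-spoke) and placeholder DNS server addresses. Setting DRY_RUN=1 prints each az command instead of running it, so the procedure can be reviewed before it touches a subscription.

```shell
#!/bin/sh
# Enable DNS proxy (and optionally custom DNS servers) on Azure Firewall, then
# point a VNet's DNS at the firewall so VM queries flow through the proxy.
# Requires: `az login` done and `az extension add --name azure-firewall`.
# All names and addresses below are placeholders.
set -eu

RG="${RG:-rg-hub}"                    # resource group (placeholder)
FW="${FW:-fw-hub}"                    # Azure Firewall name (placeholder)
POLICY="${POLICY:-fwpol-hub}"         # Firewall Policy name, if the firewall uses one (placeholder)
VNET="${VNET:-vnet-spoke}"            # VNet whose VMs should resolve through the firewall
DNS_SERVERS="${DNS_SERVERS:-10.0.100.4 10.0.100.5}"   # custom resolvers; "" = Azure DNS default

# run: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1 and 2, classic deployment: DNS settings live on the firewall resource.
configure_firewall_dns() {
  rg=$1; fw=$2; servers=$3
  if [ -n "$servers" ]; then
    # $servers is intentionally unquoted so each address becomes its own argument.
    run az network firewall update -g "$rg" -n "$fw" --enable-dns-proxy true --dns-servers $servers
  else
    run az network firewall update -g "$rg" -n "$fw" --enable-dns-proxy true
  fi
}

# Steps 1 and 2, Firewall Policy deployment: DNS settings live on the policy instead.
configure_policy_dns() {
  rg=$1; policy=$2; servers=$3
  if [ -n "$servers" ]; then
    run az network firewall policy update -g "$rg" -n "$policy" --enable-dns-proxy true --dns-servers $servers
  else
    run az network firewall policy update -g "$rg" -n "$policy" --enable-dns-proxy true
  fi
}

# Step 3: make the firewall's private IP the VNet's DNS server. Running VMs pick
# the new resolver up on DHCP lease renewal or a restart.
firewall_private_ip() {
  az network firewall show -g "$1" -n "$2" --query 'ipConfigurations[0].privateIpAddress' -o tsv
}
point_vnet_at_firewall() {
  rg=$1; vnet=$2; ip=$3
  run az network vnet update -g "$rg" -n "$vnet" --dns-servers "$ip"
}

main() {
  if [ -n "${USE_POLICY:-}" ]; then
    configure_policy_dns "$RG" "$POLICY" "$DNS_SERVERS"
  else
    configure_firewall_dns "$RG" "$FW" "$DNS_SERVERS"
  fi
  # FW_PRIVATE_IP can be supplied up front (useful with DRY_RUN) instead of queried.
  fw_ip="${FW_PRIVATE_IP:-$(firewall_private_ip "$RG" "$FW")}"
  point_vnet_at_firewall "$RG" "$VNET" "$fw_ip"
}

# Only apply when invoked as `./dns-proxy.sh --apply`; sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it once with `DRY_RUN=1 FW_PRIVATE_IP=10.0.1.4 ./dns-proxy.sh --apply` to review the commands, then without DRY_RUN to apply them. Setting the VNet DNS server is the step most often skipped: without it, DNS proxy is on but no VM actually uses it.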
Figure 1. Custom DNS and DNS proxy settings

FQDN filtering in network rules now generally available

In Azure Firewall and Firewall Policy, you can now use fully qualified domain names (FQDNs) in network rules, based on DNS resolution.

The specified FQDNs are translated to IP addresses based on your firewall DNS settings. Using FQDNs with any TCP/UDP protocol (including NTP, SSH, RDP, and more) lets you filter outbound traffic. Because FQDN filtering is based on DNS resolution, it is highly recommended that you enable the DNS proxy so that name resolution is consistent between your virtual machines and the firewall; otherwise a virtual machine and the firewall can receive different answers for the same name, and the rule will not match the traffic the virtual machine actually sends.
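An added example of FQDN-based network rules, written for this page rather than taken from the original post or from Microsoft. It assumes the azure-firewall CLI extension flag names current at the time of writing, DNS proxy already enabled, and placeholder names (rg-hub, fw-hub, fwpol-hub, rcg-egress, a 10.1.0.0/16 spoke, and the hosts ntp.ubuntu.com and git.example.com). The last function is the check a practitioner runs from a VM to confirm that the VM really resolves through the firewall. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Allow outbound NTP and SSH to named hosts with FQDN-based network rules, and
# check from a VM that its resolver path goes through the firewall's DNS proxy.
# Requires: `az extension add --name azure-firewall`. Names are placeholders.
set -eu

# run: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Classic deployment: the rule goes into a network rule collection on the firewall.
# --priority/--action are only used when the first rule creates the collection.
add_fw_fqdn_rule() {
  rg=$1; fw=$2; coll=$3; name=$4; proto=$5; fqdn=$6; port=$7; src=$8
  run az network firewall network-rule create -g "$rg" -f "$fw" \
    --collection-name "$coll" --priority 200 --action Allow \
    -n "$name" --protocols "$proto" --destination-fqdns "$fqdn" \
    --destination-ports "$port" --source-addresses "$src"
}

# Firewall Policy deployment: the same rule, placed in a rule collection group.
add_policy_fqdn_rule() {
  rg=$1; policy=$2; rcg=$3; coll=$4; name=$5; proto=$6; fqdn=$7; port=$8; src=$9
  run az network firewall policy rule-collection-group collection rule add \
    -g "$rg" --policy-name "$policy" --rcg-name "$rcg" --collection-name "$coll" \
    --name "$name" --rule-type NetworkRule --ip-protocols "$proto" \
    --destination-fqdns "$fqdn" --destination-ports "$port" --source-addresses "$src"
}

# Run on a VM in the spoke VNet. Compares the VM's default resolver answer with
# the answer obtained directly from the firewall's private IP. A mismatch proves
# the VM is not using the proxy (VNet DNS not updated, or a resolver hard-coded
# in the image), so the firewall may match a rule against different addresses
# than the VM connects to. A match is necessary, not sufficient: round-robin
# records can differ between two queries of the same name.
check_resolution_path() {
  fw_ip=$1; fqdn=$2
  vm_answer=$(dig +short "$fqdn" | sort)
  fw_answer=$(dig +short @"$fw_ip" "$fqdn" | sort)
  [ -n "$vm_answer" ] && [ "$vm_answer" = "$fw_answer" ]
}

main() {
  rg=rg-hub; fw=fw-hub; src=10.1.0.0/16      # placeholders
  add_fw_fqdn_rule "$rg" "$fw" net-fqdn-allow allow-ntp UDP ntp.ubuntu.com 123 "$src"
  add_fw_fqdn_rule "$rg" "$fw" net-fqdn-allow allow-ssh TCP git.example.com 22 "$src"
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

After applying, `check_resolution_path 10.0.1.4 ntp.ubuntu.com` on a spoke VM should succeed; if it fails, fix the VNet DNS settings before trusting any FQDN network rule.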

Figure 2. FQDN filtering in network rules.

Using Azure Firewall as a DNS proxy to enable access to private endpoints from on-premises

Azure Private Link lets you connect to Microsoft PaaS services, including storage accounts, app services, and more, over a private connection using private endpoints.

A private endpoint is a network interface that connects you privately and securely to a PaaS service powered by Azure Private Link.

One advantage of Azure Private Link is the ability to consume Microsoft PaaS services over hybrid connections.

For each Azure PaaS service, the private endpoint's FQDN is mapped to its private IP address in an Azure Private DNS zone. Requests to Azure Private DNS zones go to the platform address 168.63.129.16, which is only reachable from inside Azure. So if a DNS request originates from outside Azure, it must be proxied via a service inside a Virtual Network, and the Azure Firewall DNS proxy can fill that role.
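The on-premises scenario above as a script, added here as an example and not code from the original post or from Microsoft. It assumes the firewall keeps the default Azure DNS resolver (so its queries reach 168.63.129.16), a BIND-style resolver on-premises, the azure-firewall and private-dns CLI commands current at the time of writing, and placeholder names (rg-hub, vnet-hub, hub-link, firewall private IP 10.0.1.4, and the privatelink.blob.core.windows.net zone used by storage accounts). DRY_RUN=1 prints the az command instead of executing it.

```shell
#!/bin/sh
# Resolve private endpoints from on-premises through the firewall's DNS proxy:
# 1) link the privatelink zone to the firewall's VNet, 2) forward that zone from
# the on-prem resolver to the firewall, 3) verify the answer is a private address.
# Names and addresses are placeholders.
set -eu

# run: execute the command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1) The firewall queries 168.63.129.16 from inside its own VNet, so that VNet
#    (not the spoke or the on-prem side) must be linked to the private zone.
#    Auto-registration stays off: the zone holds private endpoint records only.
link_zone_to_firewall_vnet() {
  rg=$1; zone=$2; vnet=$3; link=$4
  run az network private-dns link vnet create -g "$rg" -z "$zone" -n "$link" -v "$vnet" --registration-enabled false
}

# 2) Conditional forwarder stanza for the on-prem BIND resolver: only the
#    privatelink zone is sent to the firewall's private IP (reachable over
#    VPN or ExpressRoute); everything else keeps its normal resolution path.
bind_forward_zone() {
  zone=$1; fw_ip=$2
  printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { %s; };\n};\n' "$zone" "$fw_ip"
}

# 3) RFC 1918 test for the returned address. A public answer means the zone
#    link or the forwarder is wrong and traffic would leave via the public
#    endpoint instead of the private one.
is_rfc1918() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Run from on-premises: ask the firewall directly for the storage account name
# and keep only the final A record from the CNAME chain.
check_private_endpoint_answer() {
  fw_ip=$1; fqdn=$2
  answer=$(dig +short @"$fw_ip" "$fqdn" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
  [ -n "$answer" ] && is_rfc1918 "$answer"
}

main() {
  link_zone_to_firewall_vnet rg-hub privatelink.blob.core.windows.net vnet-hub hub-link
  bind_forward_zone privatelink.blob.core.windows.net 10.0.1.4 > privatelink-forward.conf
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Include the generated stanza from the on-prem resolver's configuration, then run `check_private_endpoint_answer 10.0.1.4 mystorage.blob.core.windows.net` (placeholder account name) from an on-prem host; it succeeds only when the firewall returns the private endpoint's RFC 1918 address.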

Conclusion

In this blog we have discussed Azure Firewall and its features, and the new enhanced DNS features: custom DNS support, DNS proxy, FQDN filtering in network rules, and using the DNS proxy to reach private endpoints from on-premises.
