Microsoft Azure Firewall is the superhero of the internet. It prevents malware from entering corporate networks, blocks phishing attacks, and protects business-critical data. Given how it takes network protection one step further, Azure Firewall Manager is also essential.
That’s because maintaining firewalls—which date back to the early days of the internet—can be a headache. They constantly need updated threat definitions and fixes for newly discovered software weak points.
The Microsoft Digital team, which manages IT infrastructure for Microsoft, had the task of managing corporate firewalls across Microsoft’s global operations.
“We had about 40 of them,” says Beth Garrison, a principal service engineer for Microsoft. “We would have to touch every one of them when the domain controllers would change the ISP or when the DNS servers would change. My team was constantly having to drop everything and plug holes in firewalls.”
But those days—not fondly remembered—are gone.
In the past six months, Microsoft Digital has joined a wide range of corporate clients in adopting Microsoft Azure Firewall, a cloud-native network security service, and Azure Firewall Manager, a cloud-based management service that simplifies firewall management.
One of the most powerful tools in the Microsoft Azure Firewall kit is Azure Firewall Manager, which gives IT administrators a single place to configure and manage their Microsoft Azure Firewall deployments.
The difference has been dramatic.
“With Azure Firewall Manager, we can update 35 firewalls in less than 10 minutes,” Garrison says. “It’s pretty amazing.”
Microsoft Azure Firewall takes the traditional firewall that’s been around for decades—think of a 1969 Ford Mustang that over the years has been upgraded with new brakes, an engine rebuild, maybe a glass-screen stereo—and moves it to the cloud.
It turns traditional hardware-based firewalls into software as a service (SaaS), provides security in near real time, and scales as needed to meet demand. It’s also backed by Microsoft’s substantial investment in security, including some $1 billion spent each year on security research and development, and work performed by some 3,500 security experts.
In short, it’s like trading in that Mustang for a Tesla.
Microsoft Azure Firewall was developed by the Microsoft Azure team in response to the rapid movement made to the cloud by customers of all types.
“If you look at any enterprise, they have firewalls closer to the applications and have multiple micro-perimeter networks,” says Gopikrishna Kannan, a principal program manager for the Microsoft Azure Firewall team. “This expands the network firewalls deployed by the customer. We’ve seen customers with 100 firewalls. And if the system administrator calls in sick, then what do you do? And if there is a break-in, then their stock suffers.”
In response, Microsoft Azure engineers began working on a cloud-centric firewall in 2017. It was designed to offer a central location where system engineers could update threat definitions, then rapidly deploy them across a cloud.
How Microsoft Azure Firewall works
Microsoft Azure Firewall was built in 2017, and Azure Firewall Manager was added in 2019. Firewall Manager lets administrators centrally create firewall policies, the “secret sauce” of the service. A firewall policy holds the rules that allow or deny traffic from Layer 3 (the network layer) through Layer 7 (the application layer), and a single policy can be applied to multiple firewalls.
In addition, firewall rules for a specific region can be customized by defining a firewall policy that inherits a baseline firewall policy. This enforces the centrally defined baseline while still giving regional administrators the flexibility to add their own rules. Administrators can also restrict who may change which policies by using custom role-based access control.
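The inheritance just described, written out as a Bicep template. This is an added example, not code from the article, from Microsoft Digital, or from the Azure Firewall team: a baseline policy owned by a central team carries an organization-wide deny rule and threat-intelligence blocking, a regional policy names it as its base policy and adds one application rule of its own, and a firewall is attached to the regional policy so it enforces both. Every name, address range, FQDN and the two resource-ID parameters are placeholders. Because the whole configuration is declarative, this is also the shape of the “infrastructure as code” approach the article mentions: the same template is deployed to every firewall instead of each one being edited by hand.

```bicep
// Added example (not from the article). All names, ranges, FQDNs and
// parameter values are placeholders; adjust them for a real deployment.
param location string = resourceGroup().location
param firewallSubnetId string     // ID of a subnet named AzureFirewallSubnet (placeholder)
param firewallPublicIpId string   // ID of a Standard SKU public IP (placeholder)

// 1. Baseline policy: owned by the central security team.
//    Threat intelligence in Deny mode blocks known-malicious IPs and domains.
resource basePolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-baseline'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'
  }
}

// Baseline rules. Rule collection groups of a base policy are evaluated
// before any group in a child policy, so a child cannot override this deny.
resource baseRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: basePolicy
  name: 'rcg-baseline'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-restricted-range'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'deny-any-to-restricted'
            ipProtocols: [ 'Any' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ '10.250.0.0/24' ]   // placeholder restricted range
            destinationPorts: [ '*' ]
          }
        ]
      }
    ]
  }
}

// 2. Regional child policy: inherits everything in fwpol-baseline.
//    A child policy must use the same SKU tier as its base policy.
resource regionPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-region-west'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    basePolicy: { id: basePolicy.id }
  }
  dependsOn: [ baseRules ]
}

// Regional rules, added on top of the inherited baseline.
resource regionRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: regionPolicy
  name: 'rcg-region-west'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-regional-intranet'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-corp-web'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ '10.20.0.0/16' ]          // placeholder regional client range
            targetFqdns: [ 'intranet.example.com' ]      // placeholder FQDN
          }
        ]
      }
    ]
  }
}

// 3. A firewall attached to the regional policy. It enforces the baseline
//    rules first, then the regional ones; classic rules cannot be mixed in.
resource regionFirewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-region-west'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: regionPolicy.id }
    ipConfigurations: [
      {
        name: 'ipconfig-primary'
        properties: {
          subnet: { id: firewallSubnetId }
          publicIPAddress: { id: firewallPublicIpId }
        }
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file firewall-policy.bicep --parameters firewallSubnetId=<id> firewallPublicIpId=<id>`. Running `az deployment group what-if` with the same template and parameters reports any difference between the template and what is currently deployed, which is a practical way to spot the configuration drift the article describes before it accumulates.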
“Now firewall administrators can write one set of rules, and these rules are then plumbed to all of their firewalls,” Kannan says. “It simplifies management because you have one set of rules across all firewalls.”
That’s especially true in the case of an attack. Previously, a new threat protection would have to be deployed to possibly hundreds of network firewalls, one at a time. In some cases that might come too late.
Moreover, traditional firewalls tended to be very complex pieces of technology, with multiple functions baked into them. Microsoft Azure Firewall, in contrast, offers simpler, task-specific security tools that streamline management.
“With an on-premises firewall, you’re deploying a Jack-of-all-trades tool,” says Tom McCleery, a principal engineering manager for Microsoft Digital. “With Azure Firewall, you have a set of capabilities specifically designed for that particular firewall, then you rely on other Azure services to provide more of a defense in depth.
“It gives us an architecture where even if some malware gets into the network, it can’t spread far. And we have the agility to deploy new firewall rules quickly to prevent malware from spreading.”
Azure Firewall Manager also prevents something called “configuration drift,” which occurs when changes to a firewall don’t find their way to other firewalls. In time, the firewalls get out of sync.
“We used to have engineers like Beth go in and keep the configuration drift down,” McCleery says. “That can become a pretty menial task. With Azure Firewall Manager, we have an environment that lends itself to automation, so we can achieve that great industry standard of ‘infrastructure as code.’”
Other benefits of moving to Microsoft Azure Firewall include cost savings, because Microsoft Digital no longer needs to purchase large volumes of third-party software to install on its various firewalls. Nor does it need to get budget permissions for building new networks for different Microsoft organizations. Rather than a capital expense, infrastructure management becomes an operating expense that can be planned and forecast.
Microsoft Digital engineers such as Garrison made several contributions to Azure Firewall Manager.
She was one of several Microsoft engineers who had access to the pre-release code and spent time working on a proof-of-concept to ensure the product performed well in Microsoft Digital’s Microsoft Azure environment. During that process, the team also caught some potentially serious bugs, such as inadvertently leaving behind old IP addresses, which could lead to security problems.
Still, for the wider team of Microsoft engineers, adopting Microsoft Azure Firewall meant a bit of a learning curve.
“I have an amazingly talented team of engineers,” McCleery says. “But I have to say they didn’t have a lot of experience working with firewalls in Azure. But they really rallied and learned the technology, and we went from managing zero firewalls to managing 35.”
The experience of working on Azure Firewall Manager has been immensely satisfying for Microsoft Digital engineers.
“I’m really proud of the team, and proud of the work we did on Firewall Manager,” Garrison says. “The partnership we had with the Azure product team was great. And now it’s a wonderful feeling to deliver a product that is being used by Fortune 500 companies.”