This chapter covers Azure Firewall, a managed, cloud-native network security service that protects Azure Virtual Network resources. It is a critical topic for the AZ-104 exam, typically appearing in 5-10% of questions, especially those related to network security, traffic filtering, and hybrid connectivity. You will learn its architecture, rule processing, deployment options, and how it differs from other network security appliances. Mastery of Azure Firewall is essential for designing secure network topologies and passing the exam.
Jump to a section
Imagine a company building a secure embassy in a foreign country. The embassy has a single public entrance (public IP) and multiple internal departments (virtual networks). Visitors (traffic) must pass through the embassy's main gate (Azure Firewall) to enter. The gate has a security guard (stateful inspection) who checks each visitor's identity and purpose (source/destination/port/protocol) against a list of allowed visitors (network rules). If a visitor is allowed, the guard creates a temporary record (connection tracking) so that the visitor can move freely within the embassy without being rechecked at every door. When the visitor leaves, the guard removes the record. The guard also has a special protocol for VIPs (application rules) that requires additional checks (FQDN filtering). If a visitor tries to bring in prohibited items (malicious traffic), the guard can block them using threat intelligence (IDPS). The guard keeps a detailed log of all visitors (diagnostic logs) for auditing. The embassy's security is managed by a central security office (Azure Firewall Manager) that can enforce policies across multiple embassies (global deployment).
What is Azure Firewall?
Azure Firewall is a fully stateful, managed firewall-as-a-service that provides network and application-level traffic filtering for Azure virtual networks. It is deployed in a dedicated subnet (AzureFirewallSubnet) within a virtual network and can be associated with multiple virtual networks via hub-and-spoke topology using VNet peering. It offers built-in high availability, auto-scaling, and integration with Azure Monitor for logging and analytics.
Why Azure Firewall Exists
Before Azure Firewall, customers used third-party network virtual appliances (NVAs) or Network Security Groups (NSGs) for traffic filtering. NSGs are stateless or stateful only at the subnet/NIC level and cannot perform application-level inspection (FQDN filtering). NVAs require manual management, scaling, and patching. Azure Firewall fills the gap by providing a PaaS solution with:
Centralized policy management across multiple VNets and subscriptions.
Application FQDN filtering (outbound HTTP/HTTPS) based on FQDNs.
Network filtering based on source/destination IP, port, and protocol.
Threat intelligence-based filtering from Microsoft's feed.
NAT capabilities (DNAT for inbound, SNAT for outbound).
Integrated with Azure Monitor, Sentinel, and other security tools.
How Azure Firewall Works Internally
Azure Firewall is deployed as a virtual appliance in a dedicated subnet (AzureFirewallSubnet) with a /26 subnet mask minimum. It has at least one public IP address for inbound traffic and can have additional public IPs for outbound SNAT. The firewall processes traffic based on a set of rules collected into rule collections, which are grouped into rule collection groups. The rule processing order is: 1. DNAT rules – Inbound traffic destined to the firewall's public IP is translated to a private IP. 2. Network rules – Non-HTTP/HTTPS traffic (or traffic not matched by application rules) is evaluated against network rules (source, destination, port, protocol). 3. Application rules – Outbound HTTP/HTTPS traffic is evaluated against application rules (FQDN filtering). 4. Network rules (again) – Traffic not matched by application rules falls back to network rules.
Traffic that matches no rule is denied by default (implicit deny). The firewall maintains a connection table for stateful tracking. For TCP, it tracks SYN, SYN-ACK, ACK, and FIN/RST. For UDP, it tracks source/destination IP and port pairs and times out after 4 minutes of inactivity (default). ICMP is tracked similarly.
Key Components, Values, and Defaults
AzureFirewallSubnet: Must be /26 or larger. Name must be exactly 'AzureFirewallSubnet'.
Public IP: Standard SKU public IP required. Can be zone-redundant.
SNAT: Outbound traffic uses the firewall's public IP(s). Source port exhaustion limit is 1,024 ports per public IP per destination IP:port. Azure Firewall automatically uses Source Network Address Translation (SNAT) for outbound traffic.
DNAT: Inbound traffic uses Destination NAT. A DNAT rule translates the destination public IP:port to a private IP:port.
Threat Intelligence: Uses Microsoft's threat intelligence feed to alert and deny traffic from/to malicious IPs and domains. Can be set to Alert Only or Alert and Deny.
DNS Proxy: Can act as a DNS proxy to forward DNS requests from clients to custom DNS servers. This is required for FQDN filtering in network rules.
Forced Tunneling: Can be configured to route all Internet-bound traffic through the firewall to an on-premises firewall. This requires an additional subnet (AzureFirewallManagementSubnet) and a default route (0.0.0.0/0) to on-premises.
Availability Zones: Can be deployed across multiple availability zones for higher SLA (99.99% vs 99.95% without zones).
Auto-scaling: Scales up to 30 Gbps throughput. No manual configuration needed.
Configuration and Verification Commands
Azure Firewall is primarily configured via the Azure portal, Azure CLI, PowerShell, or ARM templates. Common CLI commands:
Create a firewall:
az network firewall create \
--name MyFirewall \
--resource-group MyRG \
--location eastus \
--sku AZFW_VNet \
--vnet-name MyVNet \
--public-ip-addresses MyPublicIPAdd a network rule collection:
az network firewall network-rule create \
--firewall-name MyFirewall \
--resource-group MyRG \
--collection-name MyNetColl \
--priority 200 \
--action Allow \
--source-addresses 10.0.0.0/16 \
--protocols TCP \
--destination-addresses 192.168.1.0/24 \
--destination-ports 80,443Add an application rule collection:
az network firewall application-rule create \
--firewall-name MyFirewall \
--resource-group MyRG \
--collection-name MyAppColl \
--priority 300 \
--action Allow \
--source-addresses 10.0.0.0/16 \
--protocols Http=80 Https=443 \
--target-fqdns *.microsoft.comVerify rules:
az network firewall list --resource-group MyRG --output table
az network firewall network-rule list --firewall-name MyFirewall --resource-group MyRGDiagnostic logs: Enable via Azure Monitor diagnostic settings. Logs include:
AzureFirewallApplicationRule
AzureFirewallNetworkRule
AzureFirewallDnsProxy
Interaction with Related Technologies
Network Security Groups (NSGs): NSGs provide first layer of defense at subnet/NIC level. Azure Firewall provides centralized, stateful filtering at the network perimeter. They are complementary: NSGs for micro-segmentation, Azure Firewall for north-south and east-west traffic inspection.
Azure Virtual WAN: Azure Firewall can be deployed in a Virtual WAN hub (secured virtual hub) for global transit connectivity.
Azure Firewall Manager: Central management tool for creating, enforcing, and monitoring firewall policies across multiple Azure Firewall instances. It allows hierarchical policies (parent/child).
Azure Private Link: Azure Firewall can filter traffic to PaaS services over private endpoints.
Azure Bastion: For secure RDP/SSH access to VMs behind the firewall.
Azure DDoS Protection: Can be enabled on the firewall's public IP for additional DDoS mitigation.
Performance and Scaling
Azure Firewall can handle up to 30 Gbps throughput (Standard SKU). It automatically scales based on CPU usage. Connection limits are high (millions of concurrent connections). For production, deploy with Availability Zones for resilience. For very high throughput requirements, consider Azure Firewall Premium (up to 100 Gbps) or multiple firewalls in a scale-out design.
Security Features
Threat Intelligence: Based on Microsoft's threat intelligence feed, updated continuously.
TLS Inspection: Premium SKU can decrypt and inspect HTTPS traffic.
IDPS: Intrusion Detection and Prevention System (Premium) for network and application layer attacks.
Web Categories: Filter outbound traffic based on web categories (e.g., social media, gambling).
FQDN Tags: Predefined tags for well-known services (e.g., Azure Kubernetes Service, Windows Update) that allow traffic to their FQDNs.
Limitations
Cannot be deployed in a virtual network that already has a gateway subnet.
Does not support ICMP echo requests by default (though it can be enabled via network rules).
SNAT port exhaustion can occur if many outbound connections share the same public IP. Use multiple public IPs or use Azure NAT Gateway for outbound (but note NAT Gateway cannot be used with firewall in forced tunneling mode).
Application rules only support HTTP/HTTPS (ports 80/443). For other protocols, use network rules.
Exam Relevance
AZ-104 tests your ability to:
Identify scenarios where Azure Firewall is appropriate vs NSG vs 3rd-party NVA.
Configure Azure Firewall rules (network, application, DNAT).
Understand rule processing order.
Plan for forced tunneling.
Troubleshoot connectivity issues using firewall logs.
Differentiate between Azure Firewall SKUs (Standard vs Premium).
Common Exam Traps
Trap: Using NSG instead of Azure Firewall for outbound FQDN filtering. NSGs cannot filter by FQDN (except for Azure service tags). Azure Firewall application rules are required.
Trap: Placing Azure Firewall in a subnet smaller than /26. The AzureFirewallSubnet must be /26 or larger.
Trap: Assuming Azure Firewall is stateful only for TCP/UDP. It is stateful for all protocols, including ICMP.
Trap: Forgetting that Azure Firewall uses SNAT for outbound traffic by default. This can cause source IP issues for on-premises resources.
Trap: Misunderstanding rule priority. Rules are evaluated in order of rule collection priority (lower number = higher priority). Within a collection, rules are evaluated in order they are listed.
Step-by-Step: Deploy and Configure Azure Firewall
#### 1. Create a Virtual Network with Subnets Create a VNet with two subnets: one for workload VMs (e.g., 10.0.1.0/24) and one for the firewall (AzureFirewallSubnet, 10.0.0.0/26). Ensure the firewall subnet is named exactly 'AzureFirewallSubnet'.
#### 2. Create a Public IP for the Firewall Create a Standard SKU public IP address. It must be in the same region as the firewall. For high availability, you can create multiple public IPs (up to 250).
#### 3. Deploy Azure Firewall In the Azure portal, search for 'Firewall' and create a new instance. Select the VNet and public IP. Choose SKU: Standard or Premium. Enable threat intelligence mode (Alert or Alert and Deny). Configure availability zones if needed.
#### 4. Configure Network Rules
Add network rules to allow inbound or outbound traffic based on IP addresses, ports, and protocols. For example, allow outbound HTTP/HTTPS to any IP: Allow | Any | 10.0.1.0/24 | 80,443 | TCP | *.
#### 5. Configure Application Rules
Add application rules for outbound HTTP/HTTPS traffic based on FQDNs. For example, allow access to *.microsoft.com.
#### 6. Configure DNAT Rules Add DNAT rules to translate inbound traffic on the firewall's public IP to a private IP inside the VNet. For example, map public IP:3389 to 10.0.1.4:3389 for RDP.
#### 7. Route Traffic to the Firewall Create a route table with a default route (0.0.0.0/0) with next hop set to the firewall's private IP. Associate the route table with the workload subnet(s). For inbound traffic, the firewall's public IP is the entry point.
#### 8. Enable Diagnostic Logs In the firewall's diagnostic settings, send logs to Log Analytics workspace, storage account, or Event Hubs. Monitor for denied connections.
#### 9. Test Connectivity
From a VM in the workload subnet, test outbound connectivity (e.g., curl www.microsoft.com). Verify that allowed traffic passes and denied traffic is blocked. Check firewall logs.
Real-World Scenarios
#### Scenario 1: Enterprise Hub-and-Spoke with Forced Tunneling A multinational corporation has multiple spoke VNets in Azure, each hosting application tiers. They need to inspect all outbound internet traffic and route it through an on-premises firewall for compliance. They deploy Azure Firewall in a hub VNet with forced tunneling enabled. The firewall's default route points to the on-premises firewall via VPN/ExpressRoute. All spoke VNets peer with the hub and use the firewall as the next hop for internet traffic. This ensures all outbound traffic is logged and inspected. Common misconfiguration: forgetting to create the AzureFirewallManagementSubnet for forced tunneling, or setting the default route incorrectly causing asymmetric routing.
#### Scenario 2: E-commerce Platform with DNAT and Application Filtering An e-commerce company runs web servers in a VNet. They want to allow inbound HTTPS traffic to the web servers and restrict outbound traffic from the app servers to only a few FQDNs (e.g., payment gateway, database SaaS). They deploy Azure Firewall with DNAT rules to map public IP:443 to web server private IP:443. They create application rules to allow outbound FQDNs for the app servers. They also enable threat intelligence to block known malicious IPs. Performance considerations: with high traffic, they monitor SNAT port usage and add multiple public IPs to avoid port exhaustion. Misconfiguration: using network rules instead of application rules for FQDN filtering, which would require IP addresses that may change.
#### Scenario 3: Multi-Region Deployment with Azure Firewall Manager A global SaaS provider has VNets in multiple Azure regions. They need consistent firewall policies across all regions. They use Azure Firewall Manager to create a global firewall policy with parent and child policies. Each regional firewall inherits the parent policy and can have region-specific overrides. This simplifies management and ensures compliance. Common issues: policy inheritance conflicts when child policies override parent rules incorrectly; monitoring logs centrally from all firewalls.
Exam Focus Section
Objective 4.5: Configure and manage Azure Firewall – This includes deploying, configuring rules, managing policies, and troubleshooting. The exam tests your ability to choose between Azure Firewall and other security services.
Common Wrong Answers: 1. Using NSG for FQDN filtering – Candidates assume NSGs can filter by domain name. Reality: NSGs only filter by IP address, port, and protocol. Application rules in Azure Firewall are required for FQDN filtering. 2. Placing Azure Firewall in any subnet – Candidates think any subnet works. Reality: The subnet must be named 'AzureFirewallSubnet' and have a /26 or larger mask. 3. Forgetting SNAT behavior – Candidates assume outbound traffic retains the VM's private IP. Reality: Azure Firewall SNATs outbound traffic to the firewall's public IP by default. 4. Assuming rule priority is global – Candidates think rules are evaluated in order they are created. Reality: Rule collection priority (1-65535) determines evaluation order. Lower number = higher priority.
Specific Numbers and Terms: - AzureFirewallSubnet size: /26 (64 addresses). - Rule collection priority range: 100-65000 (recommended). - Default SNAT port limit: 1,024 per public IP per destination IP:port. - Maximum throughput: Standard 30 Gbps, Premium 100 Gbps. - SLA: 99.95% with no zones, 99.99% with zones. - Diagnostic log categories: AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy.
Edge Cases: - Forced tunneling requires an additional subnet named 'AzureFirewallManagementSubnet' (minimum /26). - Application rules only work for TCP/80 and TCP/443. For other ports, use network rules. - ICMP can be allowed via network rules, but by default it is blocked. - Firewall cannot be moved between resource groups or subscriptions after creation. - When using multiple public IPs, outbound SNAT traffic is distributed among them (not per session).
How to Eliminate Wrong Answers: - If the question mentions filtering by FQDN, the answer must involve Azure Firewall application rules, not NSG or network rules. - If the question mentions centralized policy management across multiple firewalls, think Azure Firewall Manager. - If the question mentions threat intelligence, think Azure Firewall Premium (or Standard with threat intel enabled). - If the question mentions high throughput (>30 Gbps), think Azure Firewall Premium or multiple firewalls.
Misconceptions
Myth: Azure Firewall is just a cloud version of a basic firewall. Reality: It is a fully stateful, managed service with advanced features like threat intelligence, FQDN filtering, and TLS inspection (Premium).
Myth: Azure Firewall can replace NSGs entirely. Reality: NSGs are still needed for micro-segmentation within a VNet. Azure Firewall is for perimeter and east-west traffic across VNets.
Myth: Azure Firewall automatically routes traffic to itself. Reality: You must configure route tables to direct traffic to the firewall's private IP.
Myth: Azure Firewall supports any protocol. Reality: It supports TCP, UDP, and ICMP. For other protocols, you need a third-party NVA.
Myth: Azure Firewall is always the best choice for outbound traffic. Reality: For many outbound connections to Azure PaaS services, using Azure Private Link or service endpoints may be more cost-effective and simpler.
Comparisons
- Azure Firewall vs Network Security Groups (NSGs) - Scope: Centralized, VNet-wide vs subnet/NIC-level. - Statefulness: Stateful for all protocols vs stateful for TCP/UDP (stateless option available). - FQDN filtering: Yes (application rules) vs No (only service tags). - Threat intelligence: Yes vs No. - NAT: Yes (DNAT/SNAT) vs No. - Logging: Rich diagnostic logs vs NSG flow logs. - Cost: Higher cost vs lower cost.
- Azure Firewall vs Third-Party NVAs (e.g., Palo Alto, Fortinet) - Management: Azure-native vs vendor-specific. - Scaling: Auto-scaling vs manual scaling. - Features: Deep packet inspection, advanced threat prevention vs basic to advanced. - Licensing: Pay-as-you-go (included in Azure cost) vs bring-your-own-license. - Integration: Tight with Azure services vs may require additional configuration. - Performance: Up to 30/100 Gbps vs up to hundreds of Gbps.
- Azure Firewall Standard vs Premium - TLS inspection: No vs Yes. - IDPS: No vs Yes. - Web categories: No vs Yes. - Threat intelligence: Basic vs Advanced. - Throughput: Up to 30 Gbps vs up to 100 Gbps. - Cost: Lower vs Higher.
Key Takeaways
Azure Firewall is a fully stateful, managed firewall service for Azure VNets.
It requires a dedicated subnet named AzureFirewallSubnet with a /26 or larger mask.
Rule processing order: DNAT → Network → Application → Network (fallback).
Application rules filter outbound HTTP/HTTPS traffic by FQDN.
Network rules filter traffic by IP, port, and protocol.
Outbound traffic is SNATed to the firewall's public IP by default.
Use Azure Firewall Manager for centralized policy management across multiple firewalls.
Enable diagnostic logs for troubleshooting and monitoring.
For forced tunneling, create AzureFirewallManagementSubnet and set default route to on-premises.
Premium SKU adds TLS inspection, IDPS, and web categories.
Azure Firewall does not automatically route traffic; you must configure route tables.
FAQ
- Q: What is the difference between Azure Firewall and Azure Firewall Manager? A: Azure Firewall is the actual firewall instance. Azure Firewall Manager is a management tool that allows you to create, enforce, and monitor firewall policies across multiple Azure Firewall instances. You can use Firewall Manager to apply consistent policies globally.
- Q: Can Azure Firewall filter traffic between VNets (east-west)? A: Yes. If you route traffic between VNets through the firewall (e.g., via VNet peering and user-defined routes), the firewall can inspect and filter east-west traffic. This is a common pattern for security segmentation.
- Q: Does Azure Firewall support ICMP? A: Yes, but by default it is blocked. You must create a network rule to allow ICMP. For example, allow ICMP from source to destination.
- Q: How do I troubleshoot connectivity issues through Azure Firewall? A: Enable diagnostic logs and send them to Log Analytics. Use queries to view denied connections. Also, check route tables to ensure traffic is directed to the firewall. Verify that the firewall's public IP is reachable and that DNAT rules are correctly configured.
- Q: Can I use Azure Firewall with Azure Virtual WAN? A: Yes. You can deploy Azure Firewall as a secured virtual hub in Azure Virtual WAN. This allows you to use the firewall for traffic inspection across all branches and VNets connected to the Virtual WAN.
- Q: What is the default rule priority? A: There is no default priority. You must assign a priority (100-65000) to each rule collection. A lower number means higher priority.
- Q: Can I have multiple Azure Firewalls in the same VNet? A: No. You can only have one Azure Firewall per VNet. If you need more throughput or redundancy, you can deploy multiple firewalls in different VNets and use Azure Firewall Manager.
- Q: Does Azure Firewall support custom DNS? A: Yes. You can configure DNS proxy to forward DNS requests to custom DNS servers. This is required for FQDN filtering in network rules.
Quiz
- Q: You need to filter outbound HTTPS traffic from Azure VMs based on fully qualified domain names (FQDNs). Which Azure service should you use? A: Azure Firewall with application rules. NSGs cannot filter by FQDN; they only filter by IP address. Azure Firewall application rules allow you to specify allowed FQDNs for HTTP/HTTPS traffic.
- Q: You are deploying Azure Firewall and need to ensure high availability. Which two actions should you take? A: Deploy the firewall in an availability zone (or across multiple zones) and use at least two public IPs. Availability zones provide resilience against datacenter failures, and multiple public IPs help avoid SNAT port exhaustion.
- Q: A user reports that outbound internet traffic from VMs in a spoke VNet is failing. The VNet is peered to a hub VNet with Azure Firewall. What is the most likely cause? A: Missing route table on the spoke subnet to direct traffic to the firewall's private IP. Azure Firewall does not automatically route traffic; you must create a user-defined route with next hop as the firewall's private IP.
- Q: You need to forward all outbound internet traffic from Azure VMs to an on-premises firewall for inspection. Which Azure Firewall feature should you configure? A: Forced tunneling. This requires an additional subnet (AzureFirewallManagementSubnet) and a default route (0.0.0.0/0) pointing to the on-premises firewall.
- Q: What is the minimum subnet size required for Azure Firewall? A: /26 (64 IP addresses). The subnet must be named 'AzureFirewallSubnet'.
- Q: You have multiple Azure Firewall instances across different regions. You need to enforce a common set of firewall rules. What should you use? A: Azure Firewall Manager. It allows you to create a global firewall policy that can be applied to all firewalls, with optional local overrides.
- Q: Which Azure Firewall SKU supports TLS inspection? A: Premium SKU. Standard SKU does not support TLS inspection.
- Q: A VM behind Azure Firewall cannot connect to an external HTTPS website. The firewall has a network rule allowing outbound TCP/443 to any IP. What could be the issue? A: The network rule might be missing, or the traffic might be matched by an application rule that denies the FQDN. Check application rules first, as they are evaluated before network rules for HTTP/HTTPS traffic.
Meta Title
Azure Firewall AZ-104 Study Guide: Configuration & Exam Tips
Meta Description
Master Azure Firewall for AZ-104: learn deployment, rule processing, SNAT, DNAT, and common exam traps. Includes step-by-step guide and real-world scenarios.
Estimated Read Minutes
25
Create Virtual Network with Subnets
Create a VNet with at least two subnets: one for workload VMs (e.g., 10.0.1.0/24) and one for the firewall named exactly 'AzureFirewallSubnet' with a prefix of /26 or larger (e.g., 10.0.0.0/26). The firewall subnet must be dedicated; no other resources can be deployed in it. Use Azure portal, CLI, or ARM template. In the portal, navigate to Virtual Networks, click Add, specify address space, and add subnets. Ensure the firewall subnet name is exactly 'AzureFirewallSubnet' – any other name will cause deployment failure.
Create Public IP for Firewall
Create a Standard SKU public IP address in the same region as the firewall. This IP will be used for inbound DNAT and outbound SNAT. For high availability and to avoid SNAT port exhaustion, you can create multiple public IPs (up to 250). In the portal, search for Public IP addresses, click Add, select Standard SKU, and choose a name. Optionally, enable availability zone redundancy. Note: Basic SKU public IP is not supported with Azure Firewall.
Deploy Azure Firewall Instance
In the portal, search for 'Firewall' and click Create. Select the resource group, region, and the VNet you created. Choose the firewall subnet (AzureFirewallSubnet). Select the public IP(s) created earlier. Choose SKU: Standard (default) or Premium for advanced features. Configure threat intelligence mode (Alert or Alert and Deny). For forced tunneling, you would also need to create an additional subnet (AzureFirewallManagementSubnet) and configure a default route. Click Review + Create. Deployment takes a few minutes.
Configure Network and Application Rules
After deployment, navigate to the firewall resource. Under Settings, select Rules. Add rule collections: first DNAT rules (inbound), then network rules (non-HTTP/HTTPS), then application rules (HTTP/HTTPS FQDN). Each rule collection has a priority (100-65000, lower is higher). For a network rule, specify source IP, destination IP, port, and protocol. For an application rule, specify source IP, protocol (HTTP/HTTPS), and target FQDNs. Use FQDN tags for well-known services. Rules are evaluated in order of collection priority, then within collection in order listed.
Configure Routing to Firewall
Create a route table and associate it with the workload subnet(s). Add a route with address prefix 0.0.0.0/0 (default route) and next hop type 'Virtual appliance', next hop address set to the firewall's private IP (found in the firewall overview). This ensures all outbound traffic from the subnet goes through the firewall. For inbound traffic, the firewall's public IP is the entry point; no route is needed. For forced tunneling, the default route points to on-premises via VPN/ExpressRoute.
Enable Diagnostics and Test Connectivity
In the firewall's diagnostic settings, enable logs to be sent to Log Analytics, storage account, or Event Hubs. Select categories: AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy. Then, from a VM in the workload subnet, test outbound connectivity (e.g., curl https://www.microsoft.com). Check the firewall logs to see allowed/denied connections. Use Network Watcher's next hop to verify traffic is routed to the firewall. Troubleshoot by checking route tables, NSGs, and firewall rules.
Enterprise Hub-and-Spoke with Forced Tunneling
A global financial services company has multiple Azure subscriptions, each containing application VNets (spokes). Compliance requires that all outbound internet traffic be inspected by an on-premises firewall. They deploy Azure Firewall in a central hub VNet with forced tunneling enabled. The firewall is configured with a default route (0.0.0.0/0) pointing to the on-premises firewall via a site-to-site VPN or ExpressRoute. An additional subnet, AzureFirewallManagementSubnet, is created for management traffic. All spoke VNets peer with the hub, and each spoke subnet has a route table with a default route pointing to the firewall's private IP. This architecture ensures that all outbound traffic flows through the on-premises firewall, meeting compliance. Common misconfigurations include: forgetting to create the management subnet, incorrect route propagation causing asymmetric routing, or not allowing necessary traffic (e.g., DNS) through the firewall.
E-commerce Platform with DNAT and Application Filtering
An online retailer runs web servers in a VNet. They need to allow inbound HTTPS traffic from the internet to the web servers and restrict outbound traffic from app servers to only a few external services (e.g., payment gateway, email service). They deploy Azure Firewall with DNAT rules to map public IP:443 to the web server's private IP:443. For outbound traffic, they create application rules allowing specific FQDNs (e.g., api.payment.com, smtp.email.com) from the app server subnet. They also enable threat intelligence to block known malicious IPs. Performance considerations: with high traffic volumes (e.g., Black Friday), they must monitor SNAT port usage. They add multiple public IPs to the firewall to distribute the load. A common issue is SNAT port exhaustion, which manifests as intermittent connectivity failures. They use Azure Monitor alerts to notify when port usage exceeds 80%.
Multi-Region Deployment with Azure Firewall Manager
A global SaaS provider has VNets in multiple Azure regions. They need consistent firewall policies across all regions but allow regional variations. They use Azure Firewall Manager to create a global firewall policy (parent policy) that includes common rules (e.g., block known malicious IPs, allow Azure services). Each regional firewall has a child policy that inherits from the parent and adds region-specific rules (e.g., allow local regulatory IPs). This simplifies management and ensures compliance. Common issues: policy inheritance conflicts when child policies override parent rules unintentionally; troubleshooting becomes complex when logs from multiple firewalls need to be correlated. They use Azure Sentinel for centralized log analysis.
What Goes Wrong with Misconfiguration
Asymmetric routing: If the route table on the workload subnet points to the firewall but the firewall's return traffic goes directly to the VM (e.g., due to a missing route on the firewall's subnet), traffic is dropped. This is often caused by not enabling 'IP forwarding' on the firewall's NIC (though Azure Firewall handles this automatically) or incorrect route propagation.
SNAT port exhaustion: When many outbound connections share a single public IP, the firewall runs out of source ports. Symptoms: intermittent failures for new connections. Solution: add more public IPs or use Azure NAT Gateway (but NAT Gateway cannot be used with forced tunneling).
Rule misordering: A high-priority deny rule can accidentally block traffic that should be allowed by a lower-priority rule. Always test rules in a non-production environment.
Firewall subnet size too small: A /28 subnet (16 addresses) is insufficient. The firewall requires at least /26 (64 addresses) to scale. This causes deployment failure or performance issues.
Exactly What AZ-104 Tests
Objective 4.5: Configure and manage Azure Firewall. This includes:
Deploying Azure Firewall (subnet requirements, public IP, SKU selection).
Configuring network and application rules (rule collection priority, FQDN filtering).
Configuring DNAT for inbound traffic.
Implementing forced tunneling.
Using Azure Firewall Manager for centralized policy.
Troubleshooting connectivity using firewall logs.
Common Wrong Answers and Why Candidates Choose Them
Using NSG for FQDN filtering – Candidates see 'filter outbound traffic' and immediately think NSG. They forget that NSGs cannot filter by FQDN. The exam will present a scenario requiring FQDN filtering, and the correct answer will always involve Azure Firewall application rules.
Placing Azure Firewall in any subnet – Candidates assume any subnet works. The exam tests the specific requirement: subnet must be named 'AzureFirewallSubnet' and be /26 or larger. A wrong answer might say 'any subnet with a /24 mask'.
Assuming outbound traffic retains VM's private IP – Candidates think the firewall acts like a router. The exam tests SNAT behavior: by default, Azure Firewall SNATs outbound traffic to the firewall's public IP. A wrong answer might claim that the source IP remains the VM's private IP.
Misunderstanding rule priority – Candidates think rules are evaluated in the order they appear in the portal. The exam tests that rule collection priority (lower number = higher priority) determines evaluation order. A wrong answer might say 'rules are evaluated top-down within the same collection' (which is true, but only after collection priority).
Specific Numbers, Values, and Terms
AzureFirewallSubnet size: /26 (64 addresses).
Rule collection priority range: 100-65000 (commonly used: 100, 200, etc.).
Default SNAT port limit: 1,024 per public IP per destination IP:port.
Maximum throughput: Standard 30 Gbps, Premium 100 Gbps.
SLA: 99.95% without zones, 99.99% with zones.
Diagnostic log categories: AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy.
FQDN tags: AzureKubernetesService, WindowsUpdate, etc.
Threat intelligence modes: Alert, Alert and Deny.
Edge Cases and Exceptions
Forced tunneling requires an additional subnet named 'AzureFirewallManagementSubnet' (minimum /26).
Application rules only work for TCP/80 and TCP/443. For other ports, use network rules.
ICMP can be allowed via network rules, but by default it is blocked.
Firewall cannot be moved between resource groups or subscriptions after creation.
When using multiple public IPs, outbound SNAT traffic is distributed among them (not per session).
Azure Firewall does not support IP fragments (they are dropped).
The firewall's private IP cannot be changed after deployment.
How to Eliminate Wrong Answers
If the question mentions filtering by FQDN, eliminate any answer that doesn't include Azure Firewall application rules.
If the question mentions centralized policy across multiple firewalls, eliminate answers that don't mention Azure Firewall Manager.
If the question mentions forced tunneling, look for mention of AzureFirewallManagementSubnet and a default route to on-premises.
If the question mentions high throughput (>30 Gbps), the answer must involve Azure Firewall Premium or multiple firewalls.
If the question mentions SNAT port exhaustion, the solution is to add more public IPs or use Azure NAT Gateway (but note NAT Gateway cannot be used with forced tunneling).
Azure Firewall requires a dedicated subnet named AzureFirewallSubnet with a /26 or larger mask.
Rule processing order: DNAT → Network → Application → Network (fallback).
Application rules filter outbound HTTP/HTTPS by FQDN; network rules filter by IP/port/protocol.
Outbound traffic is SNATed to the firewall's public IP by default.
Use Azure Firewall Manager for centralized policy across multiple firewalls.
For forced tunneling, create AzureFirewallManagementSubnet and set default route to on-premises.
Premium SKU adds TLS inspection, IDPS, and web categories.
Always configure UDRs to route traffic to the firewall's private IP.
Monitor SNAT port usage; add public IPs to avoid exhaustion.
Enable diagnostic logs for troubleshooting and auditing.
These come up on the exam all the time. Here's how to tell them apart.
Azure Firewall
Fully stateful, managed service
Supports FQDN filtering (application rules)
Centralized policy across VNets and subscriptions
Includes threat intelligence and IDPS (Premium)
Provides DNAT and SNAT capabilities
Network Security Groups (NSGs)
Stateful for TCP/UDP (stateless option available)
No FQDN filtering (only service tags)
Applied at subnet or NIC level
No built-in threat intelligence
No NAT capabilities
Mistake
Azure Firewall automatically routes traffic to itself.
Correct
No, you must configure user-defined routes (UDRs) on the workload subnets to direct traffic to the firewall's private IP. Without UDRs, traffic bypasses the firewall.
Mistake
Azure Firewall can filter traffic based on FQDN for any protocol.
Correct
Application rules only support HTTP/HTTPS (ports 80 and 443). For other protocols (e.g., FTP, SMTP), you must use network rules with IP addresses.
Mistake
Azure Firewall is stateful only for TCP connections.
Correct
Azure Firewall is stateful for all protocols, including UDP and ICMP. It maintains connection state for UDP with a 4-minute idle timeout by default.
Mistake
You can deploy Azure Firewall in any subnet of a VNet.
Correct
The subnet must be named exactly 'AzureFirewallSubnet' and have a minimum size of /26. No other resources can be in that subnet.
Mistake
Azure Firewall replaces the need for Network Security Groups (NSGs).
Correct
NSGs are still needed for micro-segmentation within a VNet (e.g., between subnets). Azure Firewall is for perimeter and cross-VNet traffic.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Firewall is the actual firewall instance that processes traffic. Azure Firewall Manager is a management tool that allows you to create, enforce, and monitor firewall policies across multiple Azure Firewall instances. You can use Firewall Manager to apply consistent policies globally, with hierarchical parent/child policies.
Yes. If you route traffic between VNets through the firewall (e.g., via VNet peering and user-defined routes), the firewall can inspect and filter east-west traffic. This is a common pattern for security segmentation in hub-and-spoke topologies.
Yes, but by default it is blocked. You must create a network rule to allow ICMP. For example, allow ICMP from source to destination. Note that ICMP is not supported in application rules.
Enable diagnostic logs and send them to Log Analytics. Use queries to view denied connections. Also, check route tables to ensure traffic is directed to the firewall. Verify that the firewall's public IP is reachable and that DNAT rules are correctly configured. Use Network Watcher's next hop to verify the path.
Yes. You can deploy Azure Firewall as a secured virtual hub in Azure Virtual WAN. This allows you to use the firewall for traffic inspection across all branches and VNets connected to the Virtual WAN, providing a global transit network with security.
There is no default priority. You must assign a priority (100-65000) to each rule collection. A lower number means higher priority. Within a collection, rules are evaluated in the order they are listed.
No. You can only have one Azure Firewall per VNet. If you need more throughput or redundancy, you can deploy multiple firewalls in different VNets and use Azure Firewall Manager for centralized management.
Yes. You can configure DNS proxy to forward DNS requests to custom DNS servers. This is required for FQDN filtering in network rules. Enable DNS proxy in the firewall's settings and configure the DNS servers.
You've just covered Azure Firewall — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?