This chapter covers Azure Firewall Premium features, including TLS inspection, IDPS, web categories, and URL filtering. For the AZ-104 exam, these topics are tested under objective 4.5 (Implement and manage network security) and represent approximately 5-10% of networking questions. Understanding Premium features is critical because Microsoft emphasizes them as differentiators from Standard Firewall and third-party NVA solutions. The exam expects you to know when to use Premium, how it integrates with Azure Monitor, and the specific capabilities and limitations of each feature.
Imagine a standard airport security checkpoint (Standard Firewall) that checks IDs and boarding passes. Now upgrade to Premium: bags are opened rather than just tagged (TLS inspection), travel history is checked against global watchlists (threat intelligence), and a screener compares what each passenger carries against a catalogue of known contraband (IDPS signatures). The screener can spot a prohibited item wrapped in foil (an obfuscated payload) only because the bag has been opened. Passengers are also sorted by where they are going (web categories such as 'banking' or 'social media'), with different rules per destination type, and a 'no-fly list' (URL filtering) blocks specific destinations outright. All screeners report to a central command center (Azure Monitor/Log Analytics) where security logs are aggregated. Just as a bag that is never opened cannot be searched, an HTTPS flow that bypasses TLS inspection is invisible to URL filtering and payload signatures, so every exclusion must be deliberate.
What is Azure Firewall Premium?
Azure Firewall Premium is the higher tier of Azure Firewall, generally available since 2021, that adds advanced inspection capabilities on top of the Standard tier. Standard provides stateful Layer 3-4 filtering, FQDN-based application rules, threat-intelligence filtering and FQDN-level web categories; Premium adds TLS inspection (decryption of outbound and east-west HTTPS), a signature-based Intrusion Detection and Prevention System (IDPS), URL filtering on the full path, and web categories evaluated on the full URL. These features target application-layer attacks, malware command-and-control traffic and data exfiltration, and are most often required in regulated industries such as finance and healthcare.
Why Premium Exists
Standard Firewall operates at Layers 3-4 (network and transport) with limited Layer 7 visibility through application rules: for HTTP it sees the Host header, for HTTPS only the server name (SNI) in the handshake, never the URL path or the payload. Because most internet traffic is now encrypted, attackers use TLS to hide exploit payloads and exfiltrated data. Premium addresses this by acting as a man-in-the-middle (MITM) proxy for selected outbound and east-west flows: it terminates the client's TLS session, inspects the plaintext, and re-encrypts it toward the destination. It also provides a signature-based IDPS that detects exploits and malware traffic on all ports and protocols, and full-URL web categories and URL filtering to enforce acceptable-use policies.
How TLS Inspection Works Internally
TLS inspection in Azure Firewall Premium is configured on the Firewall Policy with an intermediate CA certificate (and its private key) that you store in Azure Key Vault and that the firewall reads through a user-assigned managed identity. When a client inside the virtual network opens a TLS connection that matches an application rule with TLS inspection enabled (for example to https://example.com), the firewall terminates the client's handshake itself: it generates a leaf certificate for the destination FQDN on the fly, signs it with the intermediate CA, and presents it to the client. Separately, acting as a TLS client, the firewall opens its own TLS session to the real server and validates the server's certificate against public roots. Between the two sessions the traffic is plaintext, so URL filtering, full-URL web categories and IDPS signatures are applied to it before the firewall re-encrypts it toward the server (and the reverse for responses). The client accepts the substituted certificate only if it trusts the root CA that issued the intermediate, which is why that root must be pushed to clients via Group Policy or MDM. This is transparent to users but costs an extra handshake and CPU per connection, so inspected flows have higher latency and lower throughput than flows that bypass inspection.
Key constraints:
TLS inspection applies to outbound (VNet to internet) and east-west (VNet to VNet) traffic that matches an application rule with TLS inspection enabled. Inbound traffic from the internet to a published server is not decrypted by Azure Firewall; terminate and inspect inbound TLS with Azure Application Gateway (with WAF) instead.
Supported TLS versions: TLS 1.0 and 1.1 are deprecated and not supported for inspection. TLS 1.2 is supported, as is TLS 1.3, with the caveat that the client-facing and server-facing sessions are negotiated independently, so the two legs can end up on different protocol versions and cipher suites.
Certificate: Microsoft requires an intermediate CA certificate (not your root) together with its private key, stored in Azure Key Vault as a PFX or PEM without a password. The Firewall Policy references it by Key Vault secret ID and reads it through a user-assigned managed identity that has Get and List permission on the vault's secrets. The certificate must be a CA certificate (Basic Constraints CA:TRUE with Key Cert Sign usage); the firewall issues a leaf certificate per destination FQDN from it, and clients only need to trust the root CA that issued the intermediate.
Exclusions: TLS inspection is a per-application-rule setting, so you bypass it for specific FQDNs (banking sites, corporate SaaS, anything that pins certificates) by matching them with a higher-priority application rule that has TLS inspection turned off. Anything excluded is opaque to URL filtering, full-URL web categories and IDPS payload signatures, so keep that list short and reviewed.
IDPS: Signature-Based and Anomaly Detection
Azure Firewall Premium includes a signature-based IDPS engine that inspects traffic on all ports and protocols at Layers 3-7. Unencrypted traffic is inspected directly; for HTTPS payloads it depends on TLS inspection, so an HTTPS flow that bypasses TLS inspection can only be matched on addresses, ports and the SNI. The rule set comes from Microsoft's threat intelligence:
Signature coverage: more than 67,000 rules in over 50 categories, with an emphasis on fingerprinting actual malware, command-and-control traffic, exploit kits and in-the-wild attacks (for example SQL injection, cross-site scripting and buffer-overflow exploits against known products). New signatures are published continuously and applied to the firewall automatically.
Protocol-anomaly signatures: the categories also cover deviations from expected protocol behaviour (non-standard traffic on well-known ports, malformed protocol exchanges), which is as close as IDPS gets to anomaly detection. IDPS does not baseline traffic volumes; a sudden spike in outbound connections to a new IP range is something you find by querying the firewall's network-rule and IDPS logs in Log Analytics, not something IDPS raises on its own.
IDPS has three modes on the policy:
Off: the default for a newly created Premium policy. Nothing is inspected or logged.
Alert: logs matching traffic but allows it.
Alert and deny: logs and blocks matching traffic.
You configure IDPS on the Firewall Policy under the IDPS blade. Each signature carries a fixed severity set by Microsoft (1 = high, 2 = medium, 3 = low); you cannot change severities, but you can override the action for individual signature IDs (Off, Alert or Deny) regardless of the policy-wide mode, add a bypass list (source, destination, protocol, port) for traffic IDPS should skip such as an internal vulnerability scanner, and declare your private IP ranges so the engine classifies flows as inbound, outbound or internal. Custom signatures are not supported.
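The interplay of policy mode, per-signature rules, the bypass list and the private ranges is easy to get wrong, so here is a small model of it in Python. This is an added example written for this chapter, not Azure code or an SDK: the policy and hit structures are assumptions that mirror the fields on the IDPS blade and in the AZFWIdpsSignature log, the signature IDs and addresses are invented, and the precedence (a bypass match skips evaluation, a per-signature rule beats the policy mode, and the policy mode applies to every severity) is the modeled behaviour. The `mode_change_impact` helper previews which matches would start being blocked if you flipped Alert to Alert and deny, which is the review you want to do before changing the mode.

```python
"""Added model of how Azure Firewall Premium IDPS settings combine.

Constructed example for this chapter: the policy and hit records are
assumptions mirroring the IDPS blade (mode, signature rules, bypass list,
private IP ranges) and the AZFWIdpsSignature log fields; they are not an
Azure SDK. Signature IDs and addresses are invented.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Policy-wide modes. The portal calls the third one "Alert and deny".
MODES = ("Off", "Alert", "Deny")
SEVERITY_NAMES = {1: "high", 2: "medium", 3: "low"}
# Ranges IDPS treats as "inside" when classifying direction (the portal defaults).
DEFAULT_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class BypassEntry:
    """One IDPS bypass-list row: traffic matching it is not evaluated at all."""
    protocol: str                          # "TCP", "UDP", "ICMP" or "ANY"
    source: str                            # CIDR
    destination: str                       # CIDR
    destination_port: Optional[int] = None  # None matches any port


@dataclass
class IdpsPolicy:
    mode: str = "Off"                      # a new Premium policy starts with IDPS off
    signature_rules: Dict[int, str] = field(default_factory=dict)  # id -> "Off"|"Alert"|"Deny"
    bypass_list: List[BypassEntry] = field(default_factory=list)
    private_ranges: Tuple[str, ...] = DEFAULT_PRIVATE_RANGES

    def __post_init__(self):
        for m in (self.mode, *self.signature_rules.values()):
            if m not in MODES:
                raise ValueError(f"unknown IDPS action {m!r}")


@dataclass(frozen=True)
class IdpsHit:
    """One signature match, using the fields the AZFWIdpsSignature row carries."""
    signature_id: int
    severity: int                          # 1 high, 2 medium, 3 low; fixed by Microsoft
    protocol: str
    source_ip: str
    destination_ip: str
    destination_port: int


def _in_ranges(ip: str, ranges) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(r) for r in ranges)


def direction(policy: IdpsPolicy, hit: IdpsHit) -> str:
    """Classify the flow the way the private-ranges setting lets IDPS do it."""
    src_inside = _in_ranges(hit.source_ip, policy.private_ranges)
    dst_inside = _in_ranges(hit.destination_ip, policy.private_ranges)
    if src_inside and dst_inside:
        return "Internal"
    return "Outbound" if src_inside else "Inbound"


def is_bypassed(policy: IdpsPolicy, hit: IdpsHit) -> bool:
    """True when a bypass-list entry covers this flow (protocol, source, destination, port)."""
    for b in policy.bypass_list:
        if b.protocol not in ("ANY", hit.protocol):
            continue
        if not _in_ranges(hit.source_ip, [b.source]):
            continue
        if not _in_ranges(hit.destination_ip, [b.destination]):
            continue
        if b.destination_port not in (None, hit.destination_port):
            continue
        return True
    return False


def effective_action(policy: IdpsPolicy, hit: IdpsHit) -> str:
    """Return "Skipped" for bypassed traffic, else the action applied: "Off", "Alert" or "Deny".

    Modeled precedence: bypass list first, then a per-signature rule, then the
    policy-wide mode, which here applies to every severity.
    """
    if is_bypassed(policy, hit):
        return "Skipped"
    return policy.signature_rules.get(hit.signature_id, policy.mode)


def mode_change_impact(policy: IdpsPolicy, hits, new_mode: str):
    """Preview which matches change action if the policy mode is set to new_mode.

    Run this over a day of Alert-mode hits before switching to Alert and deny:
    every (id, "Alert", "Deny") tuple is traffic that would start being blocked.
    """
    trial = IdpsPolicy(new_mode, policy.signature_rules, policy.bypass_list, policy.private_ranges)
    changes = []
    for h in hits:
        before, after = effective_action(policy, h), effective_action(trial, h)
        if before != after:
            changes.append((h.signature_id, before, after))
    return sorted(changes)


# Constructed sample: one day of hits against an Alert-mode policy.
SAMPLE_POLICY = IdpsPolicy(
    mode="Alert",
    signature_rules={2000002: "Deny"},   # block this one signature even in Alert mode
    bypass_list=[BypassEntry("TCP", "10.3.0.0/24", "10.2.0.0/24", 8080)],  # internal scanner
)
SAMPLE_HITS = [
    IdpsHit(2000001, 1, "TCP", "10.1.0.4", "203.0.113.10", 443),   # outbound, high
    IdpsHit(2000002, 2, "TCP", "198.51.100.7", "10.1.0.4", 3389),  # inbound, medium
    IdpsHit(2000003, 3, "TCP", "10.1.0.4", "10.2.0.8", 445),       # east-west, low
    IdpsHit(2000001, 1, "TCP", "10.3.0.9", "10.2.0.8", 8080),      # scanner traffic, bypassed
]

if __name__ == "__main__":
    for h in SAMPLE_HITS:
        print(h.signature_id, SEVERITY_NAMES[h.severity], direction(SAMPLE_POLICY, h),
              effective_action(SAMPLE_POLICY, h))
    print("switching to Alert and deny would change:",
          mode_change_impact(SAMPLE_POLICY, SAMPLE_HITS, "Deny"))
```

Note that the fourth hit matches the bypass entry and is never evaluated, so it does not show up in the preview either: a bypass entry is a blind spot, not an allow-listed alert.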
Web Categories and URL Filtering
Web categories let you allow or deny whole classes of websites (for example Social networking, Gambling, Web-based email) in application rules instead of enumerating FQDNs. The category database is curated and updated by Microsoft; the categories themselves are fixed, though the policy settings let you check how a given URL is classified and request a reclassification. Web categories also exist in Standard, where classification is based on the FQDN only. Premium classifies on the full URL (for example, a news site's gambling section can be treated differently from its front page), which for HTTPS requires TLS inspection on the matching rule.
URL filtering extends FQDN filtering to the full path. Standard application rules match FQDNs such as *.contoso.com; Premium rules can also match URLs such as www.contoso.com/app/checkout, so only specific paths on a host are allowed. For HTTPS, URL filtering likewise depends on TLS inspection, because without it the firewall sees only the SNI.
Important: web categories and URL filtering are evaluated by HTTP and HTTPS application rules (by default on ports 80 and 443). Non-web traffic such as SSH, RDP or FTP must be controlled with network rules (IP addresses, service tags or FQDNs).
Configuration and Verification
To deploy a Premium firewall, select the Premium tier when creating the firewall and attach a Premium-tier Firewall Policy. An existing Standard firewall can be upgraded in place (portal, PowerShell or Azure CLI) once a Premium policy is available to attach; treat it as a change-controlled operation and read the current migration guidance for downtime expectations. Premium has a higher hourly deployment rate than Standard (see the Azure Firewall pricing page).
Key configuration steps: 1. Create or select a Firewall Policy (Premium tier). 2. Put the intermediate CA certificate (with its private key) in Azure Key Vault, grant a user-assigned managed identity Get and List on secrets, and reference both from the policy's TLS inspection settings. 3. Configure IDPS (mode, signature overrides, bypass list, private IP ranges). 4. Write application rules with web categories, FQDNs or URLs, enabling TLS inspection on the rules that need it. 5. Associate the policy with the firewall.
Verification commands:
Check firewall tier: az network firewall show --name <fw-name> --resource-group <rg> --query "sku.tier"
Check the policy tier, the TLS inspection certificate reference and the IDPS mode: az network firewall policy show --name <policy-name> --resource-group <rg> --query "{tier:sku.tier, ca:transportSecurity.certificateAuthority, idps:intrusionDetection.mode}"
View IDPS logs: in Log Analytics with resource-specific (structured) logs enabled, query AZFWIdpsSignature | summarize count() by SignatureId, Description, Severity, Action; with legacy diagnostics, query AzureDiagnostics | where Category == "AzureFirewallNetworkRule" and OperationName == "AzureFirewallIDSLog"
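To make the "review the logs" step concrete, the following Python (an added example for this chapter, not Microsoft's or the firewall's code) triages a handful of constructed log rows shaped like the structured AZFWIdpsSignature and AZFWApplicationRule tables exported from Log Analytics as JSON. The column names follow those tables as far as they are used here (SignatureId, Severity, Action, Description, Fqdn, Protocol, IsTlsInspected, WebCategory); every value, host and signature ID is invented. It answers three review questions: which high-severity signatures fired without being denied, which HTTPS destinations were allowed without TLS inspection, and which web categories are generating denies.

```python
"""Added example: offline triage of Azure Firewall Premium structured logs.

The JSON below is constructed to resemble rows exported from the
AZFWIdpsSignature and AZFWApplicationRule tables; only the columns this
script reads are included and every value is invented.
"""
import json
from collections import Counter

# Constructed AZFWIdpsSignature rows (signature IDs and addresses are made up).
IDPS_ROWS_JSON = """
[
  {"TimeGenerated": "2024-05-01T09:00:12Z", "Protocol": "TCP", "SourceIp": "10.1.0.4",
   "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Action": "Alert",
   "SignatureId": 2000001, "Severity": 1, "Description": "constructed: web exploit attempt"},
  {"TimeGenerated": "2024-05-01T09:03:40Z", "Protocol": "TCP", "SourceIp": "10.1.0.9",
   "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Action": "Alert",
   "SignatureId": 2000001, "Severity": 1, "Description": "constructed: web exploit attempt"},
  {"TimeGenerated": "2024-05-01T09:10:05Z", "Protocol": "TCP", "SourceIp": "10.1.0.4",
   "DestinationIp": "198.51.100.20", "DestinationPort": 80, "Action": "Alert",
   "SignatureId": 2000002, "Severity": 2, "Description": "constructed: suspicious user-agent"},
  {"TimeGenerated": "2024-05-01T09:12:33Z", "Protocol": "TCP", "SourceIp": "10.1.0.7",
   "DestinationIp": "192.0.2.44", "DestinationPort": 8443, "Action": "Deny",
   "SignatureId": 2000003, "Severity": 1, "Description": "constructed: known C2 beacon"}
]
"""

# Constructed AZFWApplicationRule rows (hosts, categories and rule names are made up).
APP_RULE_ROWS_JSON = """
[
  {"Protocol": "HTTPS", "Fqdn": "www.example.com", "TargetUrl": "www.example.com/login",
   "Action": "Allow", "IsTlsInspected": true, "WebCategory": "Business", "Rule": "allow-web"},
  {"Protocol": "HTTPS", "Fqdn": "pinned.saas.example", "TargetUrl": "",
   "Action": "Allow", "IsTlsInspected": false, "WebCategory": "Business", "Rule": "bypass-pinned"},
  {"Protocol": "HTTPS", "Fqdn": "files.example.net", "TargetUrl": "",
   "Action": "Allow", "IsTlsInspected": false, "WebCategory": "File sharing", "Rule": "allow-web"},
  {"Protocol": "HTTP", "Fqdn": "cdn.example.org", "TargetUrl": "cdn.example.org/static/app.js",
   "Action": "Allow", "IsTlsInspected": false, "WebCategory": "Business", "Rule": "allow-web"},
  {"Protocol": "HTTPS", "Fqdn": "mail.example.net", "TargetUrl": "",
   "Action": "Deny", "IsTlsInspected": false, "WebCategory": "Web-based email", "Rule": "deny-webmail"},
  {"Protocol": "HTTPS", "Fqdn": "social.example", "TargetUrl": "",
   "Action": "Deny", "IsTlsInspected": false, "WebCategory": "Social networking", "Rule": "deny-social"}
]
"""


def load_rows(text):
    """Parse a JSON array exported from Log Analytics."""
    return json.loads(text)


def high_severity_not_denied(idps_rows):
    """Severity-1 matches that were logged but not blocked.

    In Alert mode nothing is denied, so every entry here is a candidate for a
    per-signature Deny override (or for moving the policy to Alert and deny).
    Returns [(signature_id, description, count)] ordered by count descending.
    """
    counts = Counter(
        (r["SignatureId"], r["Description"])
        for r in idps_rows
        if r["Severity"] == 1 and r["Action"] != "Deny"
    )
    return [(sig, desc, n) for (sig, desc), n in counts.most_common()]


def uninspected_https(app_rows):
    """HTTPS destinations allowed by a rule with TLS inspection off.

    These flows are opaque to URL filtering, full-URL categories and IDPS
    payload signatures, so this list should equal your intended bypass set
    and nothing more. "files.example.net" below is the kind of surprise to look for.
    """
    return sorted({
        r["Fqdn"] for r in app_rows
        if r["Protocol"] == "HTTPS" and r["Action"] == "Allow" and not r["IsTlsInspected"]
    })


def category_denies(app_rows):
    """Which web categories are producing denies, for acceptable-use tuning."""
    return dict(Counter(r["WebCategory"] for r in app_rows if r["Action"] == "Deny"))


def review(idps_json=IDPS_ROWS_JSON, app_json=APP_RULE_ROWS_JSON):
    """Run all three checks over the exported rows and return them as a dict."""
    idps = load_rows(idps_json)
    apps = load_rows(app_json)
    return {
        "alerted_high_severity": high_severity_not_denied(idps),
        "uninspected_https": uninspected_https(apps),
        "category_denies": category_denies(apps),
    }


if __name__ == "__main__":
    for name, result in review().items():
        print(f"{name}: {result}")
```

On a real export you would feed the functions the JSON from a Log Analytics query over the last day or week; the structure of the checks is the same, and the uninspected-HTTPS list is the one to compare against your bypass rules every time you change them.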
Interaction with Related Technologies
Azure Firewall Premium sends its logs to Azure Monitor. With resource-specific (structured) logging enabled you get dedicated tables such as AZFWApplicationRule (which records whether a flow was TLS-inspected and its web category), AZFWNetworkRule, AZFWIdpsSignature and AZFWThreatIntel; with legacy diagnostics everything lands in AzureDiagnostics and is distinguished by Category and OperationName. Alert rules and workbooks are built on top of these tables.
Central management of policies across many firewalls and secured virtual hubs is done with Azure Firewall Manager (policy hierarchy and inheritance), not Azure Policy. Azure Policy is still useful for governance, for example to audit that firewalls are deployed at the Premium tier.
It does NOT include DDoS protection; Azure DDoS Protection is a separate service that you enable on the VNet holding the firewall's public IP.
In a hub-and-spoke topology the firewall sits in the hub and spoke subnets carry user-defined routes (0.0.0.0/0 with next hop the firewall's private IP) so that outbound and east-west traffic traverses it. Forced tunneling is a different, narrower setting: it sends the firewall's own internet-bound traffic to an on-premises or NVA next hop and requires an AzureFirewallManagementSubnet.
Performance and Scale
Premium scales to 100 Gbps of throughput (Standard to 30 Gbps), but those figures assume plain filtering; TLS decryption and IDPS add per-flow CPU cost, so size with the inspected share of traffic in mind. Azure Firewall scales out automatically as throughput and CPU rise, so there is no manual instance count to manage. In production, watch the Throughput, Firewall health state and SNAT port utilization metrics and alert on sustained saturation; for resilience deploy one firewall across availability zones rather than separate firewalls per zone.
Common Pitfalls
Forgetting to distribute the root CA that issued the firewall's intermediate CA to client machines (via Group Policy or MDM). Without that trust, clients see certificate errors on every inspected site; applications that pin certificates fail even with the trust in place, which is what the TLS inspection exclusions are for.
Excluding too many FQDNs from TLS inspection, reducing security coverage.
Setting IDPS to alert-only mode and not reviewing logs.
Assuming web categories work for non-HTTP traffic.
Create Premium Firewall Policy
Navigate to Azure Firewall Manager or the Azure portal. Create a new Firewall Policy and select 'Premium' as the tier; a Premium firewall requires a Premium policy, and a Standard policy cannot be attached to it. If you already have a Standard policy, follow Microsoft's Standard-to-Premium migration guidance to produce a Premium equivalent and associate that instead. The policy holds all rules and settings (network, application and DNAT rule collections, IDPS, TLS inspection, threat intelligence, DNS settings).
Upload Root CA Certificate
In the Firewall Policy, open 'TLS inspection'. Point it at an Azure Key Vault secret that holds an intermediate CA certificate from your internal PKI together with its private key (PFX or PEM, stored without a password), and select a user-assigned managed identity that has Get and List permission on that vault's secrets. The firewall uses the intermediate CA to sign a leaf certificate for each inspected domain. Distribute the root CA that issued the intermediate to all client machines via Group Policy or MDM; without that trust, every inspected connection fails certificate validation. Keep the root's private key offline: the firewall never needs it.
Configure IDPS Settings
In the IDPS blade, set the mode (Off, Alert, or Alert and deny; new policies start at Off) and optionally add signature rules that override the action for specific signature IDs, a bypass list for traffic that must not be inspected (for example an internal vulnerability scanner), and your private IP ranges. Custom signatures cannot be uploaded. Run in Alert for a period and review the hits before moving to Alert and deny, so that false positives become per-signature Alert or Off overrides rather than outages.
Define Web Categories and URL Filtering
In Application Rules, add a rule collection. For each rule, specify source IPs, protocols (HTTP/HTTPS with port), whether TLS inspection applies, and a destination type of FQDN, URL or web category. For example, allow the 'Social networking' category for the marketing subnet and deny it elsewhere, or allow only www.contoso.com/app/checkout rather than the whole host. URL and full-URL category matching on HTTPS works only on rules with TLS inspection enabled; without it the firewall can match nothing more than the FQDN from the SNI. Use network rules for non-web ports.
Associate Policy and Test
Associate the Premium policy with the Azure Firewall and wait for the update to complete (typically a few minutes). Test TLS inspection by browsing to an HTTPS site from a VM behind the firewall and viewing the certificate the browser received: its issuer should be your intermediate CA, not the site's public CA. Then check the logs in Log Analytics: the application-rule entry for that flow should show it as TLS-inspected, and any IDPS hits appear in the IDPS log. Finally browse to an excluded (pinned) site and confirm it still presents its original certificate.
Scenario 1: Financial Institution Enforcing Data Exfiltration Protection
A bank with 10,000 employees uses Azure Firewall Premium to inspect outbound HTTPS traffic. They distribute the root CA that issued the firewall's intermediate CA via Active Directory Group Policy. The security team runs IDPS in Alert and deny, with per-signature overrides that leave a few noisy medium-severity signatures on Alert. They deny the web categories covering personal file sharing and web-based email to limit data leakage. Performance: they size for 20 Gbps and see the firewall's throughput metric at roughly 40% of that during business hours. Common issue: employees accessing personal email are blocked because it falls under 'Web-based email'. The bank carves out an exception for a small executive group with a higher-priority application rule scoped to their source IP group.
Scenario 2: Healthcare Organization with Compliance Requirements
A hospital uses Azure Firewall Premium as part of its HIPAA monitoring controls, so that outbound traffic from clinical systems is inspected and logged. They enable TLS inspection but bypass it for healthcare SaaS applications (for example Epic and Cerner endpoints) with higher-priority application rules that have TLS inspection off, to avoid breaking certificate pinning. IDPS runs in Alert, with Deny overrides on the signatures for malware and ransomware command-and-control. Web categories block the adult-content and illegal-activity categories. Logs go to Microsoft Sentinel (formerly Azure Sentinel) for SIEM correlation. When a third-party vendor's application breaks because it pins its certificate, the hospital adds the vendor's FQDN to the TLS-inspection bypass rule, accepting that IDPS can no longer see inside that flow.
Scenario 3: E-commerce Platform Protecting Against Web Attacks
An e-commerce company protects its web tier with two controls, because Azure Firewall Premium does not decrypt inbound traffic: Azure Application Gateway with WAF handles inbound HTTPS and the OWASP Top 10 rule set, while Azure Firewall Premium in the hub VNet inspects the web servers' outbound and east-west traffic via user-defined routes. On the firewall they run IDPS in Alert and deny, so that a compromised web server's outbound exploit or command-and-control traffic is blocked, and they deny the hacking and illegal-software web categories. URL filtering restricts the application servers to the specific payment-provider endpoints they call. A misconfiguration occurs when a broad deny rule collection is given a higher priority than the allow collections, blocking all outbound HTTPS; they fix the collection priorities and add an explicit allow rule for the payment endpoints above the deny.
AZ-104 Exam Focus on Azure Firewall Premium
The AZ-104 exam tests Azure Firewall Premium under objective 4.5 (Implement and manage network security). Specifically, you need to know:
When to choose Premium over Standard (TLS inspection, IDPS, URL filtering, full-URL web categories; FQDN-level web categories are already in Standard).
How to configure TLS inspection (intermediate CA in Key Vault, managed identity, client trust in the root).
IDPS modes (Off, Alert, Alert and deny), fixed signature severities and per-signature overrides.
Web categories and URL filtering (HTTP/HTTPS application rules only).
The fact that Premium is a separate tier with its own policy tier, not an add-on to a Standard policy.
Common Wrong Answers
"TLS inspection works for inbound traffic." Wrong. It decrypts outbound (VNet to internet) and east-west (VNet to VNet) traffic. Inbound traffic from the internet is not decrypted; candidates confuse this with Application Gateway WAF, which terminates and inspects inbound TLS.
"IDPS can block all threats automatically." Wrong. IDPS is Off on a new Premium policy; Alert only logs, and you must set 'Alert and deny' (or per-signature Deny overrides) to block traffic. Candidates assume it blocks by default.
"Web categories work for any protocol." Wrong. They are evaluated by HTTP/HTTPS application rules. For other protocols such as SSH or RDP you need network rules. Candidates also forget that web categories exist in Standard; Premium's difference is full-URL classification.
"You can upgrade Standard to Premium without downtime." Partially true at best: the firewall tier can be changed in place via portal, PowerShell or CLI, but a Premium-tier Firewall Policy must exist and be attached and the Premium features still have to be configured; consult the current migration guidance for downtime expectations. Candidates think it is a one-line SKU change.
Exam Numbers and Terms
TLS inspection supports TLS 1.2 and 1.3; TLS 1.0 and 1.1 are deprecated and not supported.
IDPS ships with more than 67,000 signatures in over 50 categories, with severities 1 (high) to 3 (low).
Web categories are Microsoft-curated; Standard classifies by FQDN, Premium by full URL.
Premium tier scales to 100 Gbps (vs. 30 Gbps for Standard).
TLS inspection needs an intermediate CA certificate with private key in Azure Key Vault, read via a user-assigned managed identity.
IDPS modes: Off (default), Alert, Alert and deny; per-signature overrides of Off, Alert or Deny.
Web categories and URLs are destination types in Application Rules.
Edge Cases
If you enable TLS inspection but clients don't trust the root CA that issued the firewall's intermediate, connections fail with certificate errors. The exam may present a scenario where users get 'untrusted certificate' warnings on every site.
If an FQDN is matched by a rule with TLS inspection off, IDPS and URL filtering cannot see inside that flow. The exam may ask why certain threats are not detected on a 'trusted' destination.
Web categories are not customizable; you cannot add categories. You can only allow or deny existing ones, check how a URL is categorized, and request a reclassification from Microsoft.
How to Eliminate Wrong Answers
Focus on the mechanism: TLS inspection is a MITM proxy for outbound and east-west traffic selected by application rules. If a question mentions 'inspect encrypted traffic' or 'filter on URL path', the answer must involve TLS inspection. If it mentions 'block known malicious IPs or domains', that's threat intelligence, available in Standard. If it mentions 'detect SQL injection' or 'command-and-control traffic', that's IDPS. If it mentions inbound HTTPS to a web server, the answer is Application Gateway WAF, not Azure Firewall. Always check the traffic direction and protocol.
Azure Firewall Premium is a separate tier (SKU) that adds TLS inspection, IDPS, URL filtering and full-URL web categories to the Standard feature set.
TLS inspection decrypts outbound (VNet to internet) and east-west traffic on rules where it is enabled; inbound traffic is not inspected.
IDPS has three modes: Off (default on a new policy), Alert, and Alert and deny. You must explicitly choose deny, policy-wide or per signature, to block threats.
Web categories and URL filtering are evaluated by HTTP/HTTPS application rules. For other protocols, use network rules.
TLS inspection needs an intermediate CA certificate (with private key) in Azure Key Vault, referenced by the policy through a managed identity, and clients must trust the root CA that issued it.
Premium supports up to 100 Gbps throughput (vs. 30 Gbps for Standard).
IDPS signatures are updated automatically by Microsoft and number more than 67,000 across over 50 categories.
Web categories are predefined by Microsoft and cannot be customized; you can only allow/deny existing categories.
You bypass TLS inspection for specific FQDNs with a higher-priority application rule that has TLS inspection off, to avoid breaking certificate pinning.
IDPS and TLS inspection activity is logged to Log Analytics: the AZFWIdpsSignature and AZFWApplicationRule tables with structured logs, or AzureDiagnostics with legacy diagnostics.
These come up on the exam all the time. Here's how to tell them apart.
Azure Firewall Standard
No TLS inspection; HTTPS is matched on the SNI/FQDN only
No IDPS (threat-intelligence filtering of known malicious IPs and domains only)
Web categories based on FQDN; URL filtering limited to FQDNs
Scales to 30 Gbps throughput
Lower hourly rate
Azure Firewall Premium
TLS inspection for outbound and east-west traffic (never inbound)
IDPS with more than 67,000 Microsoft-managed signatures, per-signature overrides and a bypass list (no custom signatures)
Web categories based on the full URL, plus URL-path filtering
Scales to 100 Gbps throughput
Higher hourly rate (see the Azure Firewall pricing page)
Mistake
Azure Firewall Premium can inspect all encrypted traffic, including inbound.
Correct
TLS inspection applies to outbound traffic from the VNet to the internet and to east-west traffic between VNets, on application rules where it is enabled. Inbound traffic (internet to VNet) is not decrypted. For inbound inspection, use Azure Application Gateway WAF or Azure Front Door WAF.
Mistake
IDPS blocks threats by default.
Correct
On a new Premium policy IDPS is Off. 'Alert' logs threats without blocking them; you must set the mode to 'Alert and deny' to block traffic, or override individual signature IDs to Deny while leaving the policy in Alert.
Mistake
Web categories apply to all TCP/UDP traffic.
Correct
Web categories are evaluated only by HTTP and HTTPS application rules (by default ports 80 and 443). For other protocols (e.g., SSH, RDP, FTP), you must use network rules with IP addresses, service tags or FQDNs.
Mistake
You can upgrade a Standard Firewall to Premium without any configuration changes.
Correct
You can change the firewall tier from Standard to Premium (portal, PowerShell or CLI), but a Premium-tier Firewall Policy must be created or migrated and associated, and the Premium features (TLS inspection with its Key Vault certificate, IDPS, URL rules) must then be configured. The tier change alone inspects nothing.
Mistake
TLS inspection works automatically without any certificate setup.
Correct
You must reference an intermediate CA certificate (with its private key, stored in Azure Key Vault) from the firewall policy's TLS inspection settings, through a user-assigned managed identity. Additionally, all client machines must trust the root CA that issued it (via Group Policy or MDM). Without that trust, clients see certificate errors and inspected connections fail.
No. TLS inspection in Azure Firewall Premium covers outbound traffic (VNet to internet) and east-west traffic between VNets. For inbound traffic, use Azure Application Gateway with WAF or Azure Front Door with a WAF policy. The exam often tests this distinction.
You need an intermediate CA certificate issued by your internal PKI, with its private key, stored in Azure Key Vault as a PFX or PEM without a password. Reference it from the Firewall Policy's TLS inspection settings along with a user-assigned managed identity that can read the secret. All client machines must trust the root CA that issued the intermediate for inspection to work without certificate errors.
Use web categories in Application Rules. For example, to block social media, create an application rule with destination type 'Web categories', select the 'Social networking' category, and set the action to 'Deny'. Alternatively, use FQDN filtering (e.g., *.facebook.com) or, on a rule with TLS inspection enabled, a URL path.
No. IDPS is Off on a new Premium policy and 'Alert' only logs. To block traffic, set the mode to 'Alert and deny' in the Firewall Policy, or set individual signature IDs to 'Deny' while keeping the policy in 'Alert'.
No. Web categories are evaluated by HTTP and HTTPS application rules only. For SSH, RDP, or other protocols, you must use network rules with IP addresses, service tags or FQDNs.
Azure Firewall Premium scales to 100 Gbps throughput, compared to 30 Gbps for Standard. Actual throughput depends on the share of traffic that is TLS-inspected, the IDPS load and the size of the rule set.
You can change the tier using the portal, Azure CLI or PowerShell; in the CLI the tier parameter is --tier, e.g. `az network firewall update --name <fw-name> --resource-group <rg> --tier Premium --firewall-policy <premium-policy-id>` (--sku selects AZFW_VNet or AZFW_Hub, not the tier). You must also have a Premium-tier Firewall Policy to attach and then configure the Premium features. Check the current migration guidance for downtime expectations before scheduling it.