Govern your Azure Firewall configuration with Azure Policies

Introduction: 

In the rapidly evolving digital landscape, securing cloud environments is more critical than ever. Azure Firewall emerges as a pivotal defense mechanism, offering stateful, cloud-native, and intelligent network firewall security services. It's designed to protect Azure Virtual Network resources and maintain the integrity of cloud workloads. With its high availability and unrestricted cloud scalability, Azure Firewall ensures robust protection against a myriad of cyber threats. 

However, the true strength of Azure Firewall lies not only in its protective capabilities but also in its governability. The configuration of Azure Firewall is a vital aspect that demands meticulous management to ensure that security policies are not only enforced but also aligned with the organization's compliance and governance standards. This is where Azure Policy comes into play, providing a framework to enforce organizational standards and to assess compliance at scale. Its compliance dashboard offers an aggregated view to evaluate the overall environment state, allowing drill-down analysis at the per-resource and per-policy level. 

In this blog, we will unravel how Azure Policy can be leveraged to govern Azure Firewall configurations, ensuring a fortified and compliant network security posture.  

Azure Policy for Azure Firewall: 

Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment or to enforce a specific tag on resources. 

Azure Policy can be used to govern Azure Firewall configurations by applying policies that define what configurations are allowed or disallowed. This helps ensure that the firewall settings are consistent with organizational compliance requirements and security best practices. 

Available Policies for Azure Firewall:  

1. Enable Threat Intelligence in Azure Firewall Policy:  This policy makes sure that any Azure Firewall configuration without threat intel enabled will be marked as non-compliant. 
2. Deploy Azure Firewall across Multiple Availability Zones: The policy restricts Azure Firewall deployment to be only allowed with Multiple Availability Zone configuration. 
3. Upgrade Azure Firewall Standard to Premium: This policy recommends the upgradation of Azure Firewall Standard Deployments to Premium so that all the Next Gen Protection firewalls of the Premium SKU can be utilized. This will further enhance the security posture of the environment. 
4. Azure Firewall Policy Analytics should be enabled: This policy ensures that the Policy Analytics is enabled on the firewall to effectively tune and optimize firewall rules. 
5. Azure Firewall should only allow Encrypted Traffic: This policy analyses existing rules and ports in azure firewall policy and audits firewall policy to make sure that only encrypted traffic is allowed into the environment. 
6. Azure Firewall should have DNS Proxy Enabled: This Policy Ensures that DNS proxy feature is enabled on Azure Firewall deployments. 
7. Enable IDPS in Azure Firewall Premium Policy: This policy ensures that the IDPS feature is enabled on Azure Firewall deployments to effectively protect the environment from various threats and vulnerabilities. 
8. Enable TLS inspection on Azure Firewall Policy: This policy mandates the enablement of TLS inspection feature to detect, alert, and mitigate malicious activity in HTTPS traffic. 
9. Migrate from Azure Firewall Classic Rules to Firewall Policy: This policy recommends migrating from Firewall Classic Rules to Firewall Policy. 
10. VNET with specific tag must have Azure Firewall Deployed: This policy finds all VNETs with a specified Tag and checks if there is an Azure Firewall deployed and flags as non-compliant if no Azure Firewall exists. 

Using Azure Policy to Govern Azure Firewall Configuration: The following steps outline the process of creating and assigning a policy definition to a particular Resource Group within Azure. 

• Define the Policy: Start by defining the policy that aligns with your security requirements. This includes specifying the allowed firewall SKUs, required tags, and the necessary rules and settings. Check out the Policy Definition Structure and Aliases from Azure documentation to understand how a custom policy can be built. Additionally, you can leverage the pre-built policy definitions that are available in the Net Sec GitHub Repository to build a custom policy. Moreover, Azure offers built-in policies which are accessible from the Definitions tab in the Policy blade. These policies can be directly assigned to a scope as outlined in the process below. Note that most of the policies from the above-mentioned GitHub repository will soon be integrated as built-in policies within Azure.  

Creating a New Policy Definition: The policy depicted in the image below performs an audit on the Azure Firewall Policy deployments in the specified scope. If Threat Intelligence is not enabled the policy marks the audited resource as ‘non-compliant’. This allows the Firewall Administrator to take the necessary action of enabling the required feature to address the compliance issues. Additionally, we can also deploy a policy that blocks any resources which do not match the specified condition.  

• Assign the Policy: Once the policy is defined, assign it to the relevant scope, such as a subscription, resource group, or individual resources. This determines where the policy will be enforced. 

• Monitor Compliance: Use Azure Policy's compliance data to monitor and ensure that your Azure Firewall configurations remain compliant with the assigned policies. Non-compliant resources can be identified and remediated. 

• Audit and Enforce: Policies can be set to audit existing configurations and enforce new configurations, ensuring ongoing compliance and security of your Azure Firewall. 

Conclusion: By leveraging Azure Policy in conjunction with Azure Firewall, you can maintain a strong security posture, automate compliance tasks, and ensure that your cloud environment adheres to the necessary regulations and standards. This integration simplifies the governance of your network security and helps protect your resources from potential threats.