Governance Policies Azure Networking Firewall - Azure/az-prototype GitHub Wiki
Governance policies for Firewall
Domain: azure-networking
| Name | Description |
|---|---|
| Azure Firewall Premium with IDPS and TLS inspection | Hub firewall with Premium policy, threat intelligence in Deny mode, and zone-redundant deployment |
| Anti-pattern | Instead |
|---|---|
| Do not deploy firewall without a dedicated firewall policy | Always create a firewallPolicy resource and reference it from the firewall; classic per-firewall rules cannot be shared, inherited, or analyzed with policy analytics |
| Do not set threat intelligence to Off | Set threatIntelMode to Deny so that traffic to and from known-malicious IPs and FQDNs is blocked, not merely logged as it is in Alert mode |
- Azure Firewall documentation
- Azure Firewall Premium features
- WAF: Azure Firewall service guide
- Azure Firewall monitoring
- Azure Firewall policy analytics
| Check | Severity | Description |
|---|---|---|
| AZ-FW-001 | Required | Deploy Azure Firewall Premium with threat intelligence, IDPS, and TLS inspection |
| AZ-FW-002 | Required | Deploy in zone-redundant configuration across all three availability zones |
| AZ-FW-003 | Required | Enable DNS proxy on the firewall policy for FQDN-based network rules |
| AZ-FW-004 | Recommended | Organize rules into rule collection groups by function (infra, app, network) |
| AZ-FW-005 | Recommended | Use structured firewall log format and send to Log Analytics |
| AZ-FW-006 | Recommended | Monitor SNAT port utilization, firewall health state, throughput, and latency probe metrics |
| AZ-FW-007 | Recommended | Configure at least 5 public IP addresses for deployments susceptible to SNAT port exhaustion |
| AZ-FW-008 | Recommended | Use policy analytics dashboard to identify and optimize firewall policies |
| AZ-FW-009 | Recommended | Place frequently used rules early in rule collection groups to optimize latency |
Deploy Azure Firewall Premium with threat intelligence, IDPS, and TLS inspection
Severity: Required
Rationale: Premium SKU provides signature-based IDPS, TLS inspection, and URL filtering beyond Standard capabilities
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/azureFirewalls
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/firewallPolicies | fw-policy | Firewall policy with IDPS, TLS inspection, and threat intelligence enabled |
| Microsoft.Network/publicIPAddresses | pip-fw | Zone-redundant public IP for Azure Firewall |
| Microsoft.Insights/diagnosticSettings | diag-fw | Diagnostic settings for firewall logs including network rules, application rules, and threat intelligence |
Deploy in zone-redundant configuration across all three availability zones
Severity: Required
Rationale: Zone redundancy ensures firewall availability during zone failures
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/azureFirewalls
Enable DNS proxy on the firewall policy for FQDN-based network rules
Severity: Required
Rationale: DNS proxy is required for FQDN filtering in network rules and supports private DNS resolution
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/azureFirewalls
Organize rules into rule collection groups by function (infra, app, network)
Severity: Recommended
Rationale: Grouping rules by function keeps each rule collection group small and reviewable and makes the priority order, and therefore the evaluation order, explicit
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/azureFirewalls
Use structured firewall log format and send to Log Analytics
Severity: Recommended
Rationale: WAF Operational Excellence: Structured (resource-specific) logs land in dedicated Log Analytics tables that are easy to search, filter, and analyze; newer monitoring features, including policy analytics and the Azure Firewall workbook, require this format rather than the legacy AzureDiagnostics table
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/azureFirewalls
Monitor SNAT port utilization, firewall health state, throughput, and latency probe metrics
Severity: Recommended
Rationale: WAF Reliability: These metrics detect when service state degrades, enabling proactive measures to prevent failures
Agents: cloud-architect, monitoring-agent
- Microsoft.Network/azureFirewalls
Configure at least 5 public IP addresses for deployments susceptible to SNAT port exhaustion
Severity: Recommended
Rationale: WAF Performance: Azure Firewall provides 2,496 SNAT ports per public IP address per backend virtual machine scale set instance (minimum two instances); 5 IPs increase the available ports fivefold. For very high outbound volumes, associating a NAT gateway with AzureFirewallSubnet is the alternative to adding public IPs
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Network/azureFirewalls
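The following audit script is an added example for checks AZ-FW-001, AZ-FW-002, AZ-FW-003, AZ-FW-005 and AZ-FW-007; it is written for this page and is not code from the az-prototype repository. It evaluates the JSON shapes returned by `az network firewall show`, `az network firewall policy show` and `az monitor diagnostic-settings show` (property names follow the ARM resource schemas for the three resource types). The sample resources, and the names fw-hub, fw-policy, law-hub and kv-fw inside them, are constructed so the script runs offline.

```python
"""Audit Azure Firewall resources against checks AZ-FW-001/002/003/005/007.

Added example, not part of az-prototype. Sample documents are constructed inline;
property names follow the ARM schemas for Microsoft.Network/azureFirewalls,
Microsoft.Network/firewallPolicies and Microsoft.Insights/diagnosticSettings.
"""
from __future__ import annotations

import copy

REQUIRED_ZONES = {"1", "2", "3"}        # AZ-FW-002
MIN_PUBLIC_IPS = 5                      # AZ-FW-007
SNAT_PORTS_PER_IP_PER_INSTANCE = 2496   # AZ-FW-007 rationale

# --- constructed, compliant baseline -------------------------------------------
FIREWALL = {
    "name": "fw-hub",
    "type": "Microsoft.Network/azureFirewalls",
    "zones": ["1", "2", "3"],
    "properties": {
        "sku": {"name": "AZFW_VNet", "tier": "Premium"},
        "firewallPolicy": {"id": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/firewallPolicies/fw-policy"},
        "ipConfigurations": [
            {"name": f"ipconfig{i}", "properties": {"publicIPAddress": {
                "id": f"/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/pip-fw-{i}"}}}
            for i in range(5)
        ],
    },
}
POLICY = {
    "name": "fw-policy",
    "type": "Microsoft.Network/firewallPolicies",
    "properties": {
        "sku": {"tier": "Premium"},
        "threatIntelMode": "Deny",
        "intrusionDetection": {"mode": "Deny"},
        "transportSecurity": {"certificateAuthority": {
            "name": "fw-tls-ca", "keyVaultSecretId": "https://kv-fw.vault.azure.net/secrets/fw-tls-ca"}},
        "dnsSettings": {"servers": [], "enableProxy": True},
    },
}
DIAG = {
    "name": "diag-fw",
    "type": "Microsoft.Insights/diagnosticSettings",
    "properties": {
        "workspaceId": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/law-hub",
        "logAnalyticsDestinationType": "Dedicated",  # resource-specific (structured) tables
        "logs": [{"categoryGroup": "allLogs", "enabled": True}],
    },
}


def audit(firewall: dict, policy: dict, diag: dict) -> dict[str, list[str]]:
    """Return {check_id: [finding, ...]}; an empty dict means all five checks pass."""
    findings: dict[str, list[str]] = {}

    def fail(check: str, msg: str) -> None:
        findings.setdefault(check, []).append(msg)

    fw, pol, dg = firewall.get("properties", {}), policy.get("properties", {}), diag.get("properties", {})

    # AZ-FW-001: Premium on both resources, dedicated policy, TI Deny, IDPS on, TLS inspection CA set
    if fw.get("sku", {}).get("tier") != "Premium":
        fail("AZ-FW-001", "firewall SKU tier is not Premium")
    if not fw.get("firewallPolicy", {}).get("id"):
        fail("AZ-FW-001", "firewall has no dedicated firewallPolicy reference")
    if pol.get("sku", {}).get("tier") != "Premium":
        fail("AZ-FW-001", "firewall policy tier is not Premium")
    if pol.get("threatIntelMode") != "Deny":
        fail("AZ-FW-001", f"threatIntelMode is {pol.get('threatIntelMode')!r}, expected 'Deny'")
    if pol.get("intrusionDetection", {}).get("mode") not in ("Alert", "Deny"):
        fail("AZ-FW-001", "IDPS (intrusionDetection.mode) is not enabled")
    if not pol.get("transportSecurity", {}).get("certificateAuthority", {}).get("keyVaultSecretId"):
        fail("AZ-FW-001", "TLS inspection CA (transportSecurity.certificateAuthority) is not configured")

    # AZ-FW-002: zone-redundant across all three zones
    zones = set(firewall.get("zones") or [])
    if zones != REQUIRED_ZONES:
        fail("AZ-FW-002", f"zones={sorted(zones)}, expected {sorted(REQUIRED_ZONES)}")

    # AZ-FW-003: DNS proxy is a precondition for FQDNs in network rules
    if not pol.get("dnsSettings", {}).get("enableProxy"):
        fail("AZ-FW-003", "dnsSettings.enableProxy is not true; FQDN network rules will not resolve")

    # AZ-FW-005: structured logs to Log Analytics
    if not dg.get("workspaceId"):
        fail("AZ-FW-005", "diagnostic settings do not target a Log Analytics workspace")
    if dg.get("logAnalyticsDestinationType") != "Dedicated":
        fail("AZ-FW-005", "logs use the legacy AzureDiagnostics table; set logAnalyticsDestinationType=Dedicated")

    # AZ-FW-007: public IP count drives the SNAT port budget
    pips = [c for c in fw.get("ipConfigurations", []) if c.get("properties", {}).get("publicIPAddress")]
    if len(pips) < MIN_PUBLIC_IPS:
        fail("AZ-FW-007", f"{len(pips)} public IP(s) attached; at least {MIN_PUBLIC_IPS} recommended")
    return findings


def snat_port_budget(public_ips: int, backend_instances: int) -> int:
    """Total SNAT ports: 2,496 per public IP per backend scale set instance."""
    return public_ips * backend_instances * SNAT_PORTS_PER_IP_PER_INSTANCE


def weakened_sample() -> tuple[dict, dict, dict]:
    """The same resources with typical drift, to show the audit failing."""
    fw, pol, dg = copy.deepcopy(FIREWALL), copy.deepcopy(POLICY), copy.deepcopy(DIAG)
    fw["zones"] = []                                                 # regional, not zone-redundant
    fw["properties"]["ipConfigurations"] = fw["properties"]["ipConfigurations"][:1]
    pol["properties"]["threatIntelMode"] = "Alert"                   # logs but does not block
    pol["properties"]["dnsSettings"]["enableProxy"] = False
    dg["properties"]["logAnalyticsDestinationType"] = "AzureDiagnostics"
    return fw, pol, dg


if __name__ == "__main__":
    print("baseline:", audit(FIREWALL, POLICY, DIAG) or "compliant")
    for check, msgs in sorted(audit(*weakened_sample()).items()):
        for m in msgs:
            print(f"{check}: {m}")
    print("SNAT ports with 5 IPs x 2 instances:", snat_port_budget(5, 2))
```

To run it against a real deployment, replace the three constructed dictionaries with `json.load` of the CLI output; the check logic does not change. `audit` deliberately treats IDPS in Alert mode as enabled (the check text asks for IDPS, not a specific mode) but requires threat intelligence in Deny mode, matching the anti-pattern table above.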
Use policy analytics dashboard to identify and optimize firewall policies
Severity: Recommended
Rationale: WAF Performance: Policy analytics identifies potential problems like meeting policy limits, improper rules, and improper IP groups usage, improving security posture and rule-processing performance
Agents: cloud-architect, security-reviewer
- Microsoft.Network/azureFirewalls
Place frequently used rules early in rule collection groups to optimize latency
Severity: Recommended
Rationale: WAF Performance: Rule collection groups, and the rule collections inside them, are evaluated in priority order (lower number first) and evaluation stops at the first match, so collections that match most traffic should carry the lowest priority numbers. DNAT rules are always evaluated before network rules, and network rules before application rules, regardless of priority. Re-prioritizing is only safe when the moved collection does not overlap a deny collection it would now precede
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Network/azureFirewalls
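The model below is an added example for AZ-FW-004 and AZ-FW-009, written for this page and not taken from az-prototype. It reproduces the documented evaluation order (DNAT, then network, then application rule collections; groups and collections by ascending priority number; first match terminates; no match is an implicit deny) and counts how many rules are examined before a sample flow is decided, which is the latency cost the check is about. It also shows the safety caveat: moving a frequently hit allow collection ahead of an overlapping deny changes the verdict. The rule collection groups, rules, IP ranges and traffic counts are constructed; treating rules inside a collection as evaluated in list order, and matching application rules on FQDN alone, are simplifications of this model.

```python
"""Model of Azure Firewall Policy rule evaluation order (added example, not az-prototype code).

Order modelled: DNAT, then Network, then Application collections; within a type, rule
collection groups and then rule collections by ascending priority number; first match
wins; no match is an implicit deny. Rules inside a collection are taken in list order and
application rules match on FQDN only (both are simplifications). All data is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

TYPE_ORDER = {"Dnat": 0, "Network": 1, "Application": 2}


@dataclass
class Rule:
    name: str
    protocols: tuple[str, ...] = ()     # network rules: e.g. ("TCP", "UDP")
    destinations: tuple[str, ...] = ()  # network rules: destination CIDRs
    ports: tuple[int, ...] = ()         # network rules: destination ports
    fqdns: tuple[str, ...] = ()         # application rules: target FQDNs

    def matches(self, flow: dict) -> bool:
        if self.fqdns:  # application rule (simplified: FQDN only)
            return flow.get("fqdn") in self.fqdns
        return (flow["protocol"] in self.protocols and flow["port"] in self.ports
                and any(ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(c) for c in self.destinations))


@dataclass
class RuleCollection:
    name: str
    kind: str       # "Network" | "Application" | "Dnat"
    priority: int
    action: str     # "Allow" | "Deny"
    rules: list[Rule] = field(default_factory=list)


@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: list[RuleCollection] = field(default_factory=list)


def evaluation_order(groups):
    """Collections in firewall evaluation order: type, then group priority, then collection priority."""
    flat = [(TYPE_ORDER[rc.kind], g.priority, rc.priority, g, rc) for g in groups for rc in g.collections]
    flat.sort(key=lambda t: t[:3])
    return [(g, rc) for _, _, _, g, rc in flat]


def evaluate(groups, flow):
    """Return (action, 'group/collection/rule', rules_examined) for one flow."""
    examined = 0
    for g, rc in evaluation_order(groups):
        for rule in rc.rules:
            examined += 1
            if rule.matches(flow):
                return rc.action, f"{g.name}/{rc.name}/{rule.name}", examined
    return "Deny", "implicit-deny", examined


def weighted_examinations(groups, flows):
    """Rules examined across the sample traffic, a proxy for rule-processing latency."""
    return sum(evaluate(groups, f)[2] * hits for f, hits in flows)


def decisions_unchanged(before, after, flows):
    """A re-prioritization is only safe if every sample flow keeps the same verdict."""
    return all(evaluate(before, f)[0] == evaluate(after, f)[0] for f, _ in flows)


def rule(name, protos, dests, ports):
    return Rule(name, protocols=tuple(protos), destinations=tuple(dests), ports=tuple(ports))


def build_policy(app_group_priority: int):
    """Constructed hub policy organized by function (AZ-FW-004); only the app group priority varies."""
    return [
        RuleCollectionGroup("rcg-network", 100, [
            RuleCollection("deny-quarantine", "Network", 100, "Deny",
                           [rule("quarantined-subnet", ["TCP", "UDP"], ["10.20.99.0/24"], [443, 80, 22])]),
            RuleCollection("allow-mgmt", "Network", 300, "Allow",
                           [rule("bastion-ssh", ["TCP"], ["10.0.1.0/24"], [22]),
                            rule("bastion-rdp", ["TCP"], ["10.0.1.0/24"], [3389])]),
        ]),
        RuleCollectionGroup("rcg-infra", 200, [
            RuleCollection("allow-infra", "Network", 100, "Allow",
                           [rule("ntp", ["UDP"], ["10.0.0.0/24"], [123]),
                            rule("ad-ldap", ["TCP"], ["10.0.0.0/24"], [389, 636, 88]),
                            rule("monitoring", ["TCP"], ["10.0.2.0/24"], [9100])]),
        ]),
        RuleCollectionGroup("rcg-app", app_group_priority, [
            RuleCollection("allow-web-tiers", "Network", 100, "Allow",
                           [rule("web-to-api", ["TCP"], ["10.20.0.0/16"], [443])]),
            RuleCollection("allow-saas", "Application", 100, "Allow",
                           [Rule("github", fqdns=("github.com", "api.github.com"))]),
        ]),
    ]


FLOWS = [  # constructed sample traffic: (flow, hits per day)
    ({"protocol": "TCP", "dst": "10.20.5.7", "port": 443}, 100_000),   # the hot path
    ({"protocol": "UDP", "dst": "10.0.0.10", "port": 123}, 500),
    ({"protocol": "TCP", "dst": "10.0.1.4", "port": 22}, 50),
    ({"protocol": "TCP", "dst": "10.20.99.5", "port": 443}, 3),         # must stay denied
    ({"protocol": "TCP", "dst": "203.0.113.10", "port": 443, "fqdn": "github.com"}, 2000),
]

if __name__ == "__main__":
    baseline = build_policy(300)
    for label, prio in (("baseline", 300), ("safe reorder", 150), ("unsafe reorder", 50)):
        cand = build_policy(prio)
        print(f"{label:15} rcg-app={prio:<4} examined={weighted_examinations(cand, FLOWS):>8} "
              f"hot-path={evaluate(cand, FLOWS[0][0])[2]} safe={decisions_unchanged(baseline, cand, FLOWS)}")
```

Moving rcg-app from priority 300 to 150 (after the deny collection, before the infrastructure rules) cuts the hot-path evaluation from 7 rules to 4 with every verdict unchanged. Moving it to 50 cuts the hot path to 1 rule but lets the 10.20.0.0/16 allow swallow the quarantined /24, which is exactly the overlap the rationale above warns about; check `decisions_unchanged` (or the policy analytics rule analysis) before committing such a change.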