5.3 Azure Firewall for Centralized Network Policy
Key Takeaways
- Azure Firewall is a managed, cloud-native, fully stateful firewall-as-a-service with built-in high availability and autoscaling that inspects east-west and north-south traffic for an entire environment.
- Threat intelligence-based filtering uses Microsoft's global feed to alert on or deny traffic to and from known malicious IPs and domains; FQDN tags and application rules allow or deny outbound access by domain name.
- Three SKUs: Basic (small environments, L3-L4 + threat intelligence, up to ~250 Mbps), Standard (L3-L7, threat intel, DNS proxy, web categories, autoscale to ~30 Gbps), and Premium (adds TLS inspection, IDPS, and URL filtering).
- Choose Azure Firewall over an NSG when the scenario needs centralized stateful policy, FQDN/application rules, threat intelligence, or a static outbound public IP; Firewall Manager manages Firewall, DDoS, and WAF policies at scale.
Centralize Firewall Enforcement in Azure
Azure Firewall is the SC-900 answer when a scenario asks for a managed network firewall service in Azure. Microsoft describes it as a cloud-native, intelligent, fully stateful firewall as a service for Azure cloud workloads, with built-in high availability and cloud scalability (autoscaling). Being stateful means it tracks the state of each connection (the conversation), so a return packet for an allowed outbound flow is permitted automatically — it does not evaluate every packet in isolation. Those phrases separate it from simpler filtering tools.
Azure Firewall inspects both east-west and north-south traffic. East-west is traffic moving across workloads inside the environment — between subnets, virtual networks, or application tiers. North-south is traffic entering or leaving the environment — internet ingress or egress. When a question asks for central control over these paths, Azure Firewall is stronger than picking an NSG alone. It is typically deployed centrally in a hub virtual network (hub-and-spoke) and gives virtual-network resources a single static public IP for outbound traffic, which simplifies allow-listing on the destination side.
Threat Intelligence, FQDN Filtering, and SKUs
Two capabilities show up in exam wording. Threat intelligence-based filtering uses Microsoft's global threat feed to alert on or alert and deny traffic to and from known malicious IP addresses and domains. FQDN (fully qualified domain name) filtering — via application rules and FQDN tags — lets you allow or block outbound access by domain name (for example, allow *.windowsupdate.com) instead of chasing dynamic IP addresses. Azure Firewall organizes its logic into network rules (IP/port/protocol), application rules (FQDN-based), and NAT rules (inbound DNAT).
Azure Firewall comes in three SKUs:
| SKU | Positioned for | Notable capabilities |
|---|---|---|
| Basic | Small/SMB or branch environments, lighter throughput (~250 Mbps) | L3-L4 filtering + threat intelligence (alert mode) |
| Standard | Most production workloads, autoscale to ~30 Gbps | L3-L7 filtering, threat intelligence (alert/deny), DNS proxy, custom DNS, web categories |
| Premium | Highly sensitive workloads (e.g., payment processing) | Everything in Standard plus TLS inspection, IDPS (intrusion detection and prevention), and URL filtering |
For SC-900 you do not memorize throughput numbers, but you should recognize that Premium adds TLS inspection and IDPS for deep, decrypted inspection, while Basic is the entry tier and Standard is the common middle. TLS inspection (Premium) terminates and decrypts outbound HTTPS, inspects it, then re-encrypts it — that is how Premium sees inside encrypted traffic; IDPS (Premium) detects and can block known attack signatures.
Firewall vs WAF vs NSG, and Firewall Manager
Do not confuse Azure Firewall with Web Application Firewall. Azure Firewall is broad network and application connectivity enforcement; it is not primarily a web-exploit inspection service. WAF is the service that protects web applications from threats such as SQL injection and cross-site scripting at layer 7.
Do not confuse Azure Firewall with a network security group either. NSGs filter traffic with simple 5-tuple rules bound to subnets or network interfaces. Azure Firewall is a managed firewall service usually placed centrally in a hub. In real architectures the two are used together: NSGs apply local subnet/NIC filtering, while Azure Firewall handles centralized inspection, FQDN/application rules, threat intelligence, and logging.
| Need in the prompt | Why Azure Firewall fits |
|---|---|
| Centralized application and network connectivity policy | Firewall policy is created and enforced centrally |
| Stateful firewall behavior | Tracks connection state instead of per-packet evaluation |
| Allow/deny outbound access by domain name | FQDN filtering via application rules and FQDN tags |
| Block traffic to known-malicious IPs/domains | Threat intelligence-based filtering |
| Consistent outbound source IP | A static public IP for virtual-network resources |
| Deep, decrypted inspection / signatures | Premium SKU adds TLS inspection and IDPS |
Azure Firewall Manager appears in broader scenarios: it is a security-management service for central security policy and route management across cloud perimeters. It can deploy and govern multiple Azure Firewall instances, associate DDoS protection plans, and manage WAF policies. The relationship to remember: Azure Firewall enforces policy; Firewall Manager manages policy at scale.
- Choose Azure Firewall for central, managed, stateful firewall enforcement.
- Choose WAF for web application exploit protection.
- Choose NSGs for subnet or network-interface traffic filtering.
- Use Firewall Manager wording as a scale-and-management clue.
Rule Types, DNAT, and a Worked Scenario
Azure Firewall processes traffic through three rule collections, and the order is exam-relevant because it is deterministic. DNAT rules are evaluated first (they translate and forward inbound internet traffic to internal resources). Network rules are next (filter by IP, port, and protocol — the layer 3/4 logic). Application rules are last (filter outbound HTTP/HTTPS and FQDN-based access). If a network rule allows a flow, application rules are not also processed for it; the engine applies the highest-priority match.
| Rule collection | Filters on | Typical use |
|---|---|---|
| DNAT | Inbound destination IP/port translation | Publish an internal service to a specific external port |
| Network | Source/destination IP, port, protocol | Allow/deny L3-L4 traffic between networks |
| Application | FQDN, FQDN tags, web categories | Restrict outbound web access by domain |
Work a representative scenario. A spoke VNet of VMs needs to reach only Windows Update and an approved SaaS API, must never reach arbitrary internet sites, and all egress must flow through a central inspection point with logging. The fit is Azure Firewall in the hub: application rules allow the Windows Update FQDN tag and the SaaS API's FQDN, and a route sends the spoke's default (`0/0`) traffic to the firewall, so the only egress that succeeds is what those rules permit, and every flow is logged in one place. An NSG cannot do FQDN-based filtering and is not centralized, so it is the wrong tool here. Add threat intelligence-based filtering in alert-and-deny mode and the firewall will also block any flow to a known-malicious IP or domain regardless of the allow rules.
This is the shape of many SC-900 firewall questions: the presence of FQDN/domain filtering, centralized egress, threat intelligence, or hub-and-spoke wording is what tips the answer from NSG to Azure Firewall.
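As an added example (not from the original page or from Microsoft), here is a small Python model of the rule-processing order described above, with the worked scenario's rules encoded so the allow/deny outcomes can be traced; the threat feed, the FQDN-tag expansion, the addresses and the SaaS FQDN are constructed stand-ins.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from fnmatch import fnmatch
# Constructed stand-ins (not Microsoft data): a tiny threat feed and the FQDNs behind one FQDN tag.
THREAT_INTEL = {"198.51.100.7", "malware.example"}
FQDN_TAGS = {"WindowsUpdate": ["*.windowsupdate.com", "*.update.microsoft.com"]}

@dataclass
class Rule:
    kind: str                    # "dnat", "network" or "application"
    action: str                  # "allow" or "deny"
    priority: int                # lower number = higher priority, as in Azure
    source: str = "0.0.0.0/0"
    dest_ip: str = "0.0.0.0/0"   # left at "any" for application rules, which match on FQDN
    ports: set = field(default_factory=set)      # empty = any port
    fqdns: list = field(default_factory=list)    # application rules only
    fqdn_tags: list = field(default_factory=list)

# A flow as the firewall sees it; fqdn is the HTTP Host / TLS SNI name when there is one.
Flow = namedtuple("Flow", "src dst_ip port fqdn", defaults=[""])

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _matches(rule, flow):
    if not (_in(flow.src, rule.source) and _in(flow.dst_ip, rule.dest_ip)):
        return False
    if rule.ports and flow.port not in rule.ports:
        return False
    if rule.kind != "application":
        return True
    patterns = list(rule.fqdns) + [p for t in rule.fqdn_tags for p in FQDN_TAGS.get(t, [])]
    return any(fnmatch(flow.fqdn, p) for p in patterns)

def evaluate(rules, flow, threat_intel_mode="deny"):
    """Threat intelligence (deny mode) is checked before any rule; then DNAT, network and
    application rules in that order, highest priority first; first match wins, no match = deny."""
    if threat_intel_mode == "deny" and {flow.dst_ip, flow.fqdn} & THREAT_INTEL:
        return "deny (threat intelligence)"
    for kind in ("dnat", "network", "application"):
        for rule in sorted((r for r in rules if r.kind == kind), key=lambda r: r.priority):
            if _matches(rule, flow):
                return f"{rule.action} ({kind} rule)"
    return "deny (implicit)"

# The worked scenario: the spoke may reach Windows Update and one approved SaaS API, nothing else.
SPOKE_RULES = [
    Rule("application", "allow", 100, source="10.1.0.0/16", ports={80, 443}, fqdn_tags=["WindowsUpdate"]),
    Rule("application", "allow", 110, source="10.1.0.0/16", ports={443}, fqdns=["api.saas.example"]),
]
```

Adding a network rule that allows the same destination shows the short-circuit the section describes: the network rule matches first and the application rules are never consulted, which is why domain-level restrictions belong in application rules with no broader network allow in front of them.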
A company wants a managed, stateful firewall service that can centrally enforce network and application connectivity policies for Azure workloads. What should it use?
Which Azure Firewall capability lets you allow or deny outbound access by domain name instead of tracking dynamic IP addresses?
An organization needs Azure Firewall with TLS inspection and an intrusion detection and prevention system (IDPS) for a highly sensitive payment workload. Which SKU is required?
Which service is most directly associated with centrally managing Azure Firewall instances, DDoS protection plans, and WAF policies across a broader Azure environment?