## 5.3 Azure Firewall for Centralized Network Policy

### Key Takeaways
- Azure Firewall is a managed, cloud-native, stateful firewall service for Azure cloud workloads.
- It can inspect east-west traffic inside an environment and north-south traffic entering or leaving it.
- Azure Firewall is a better fit than NSGs when a scenario calls for centralized policy, inspection, and logging.
- Firewall Manager can help manage firewall, DDoS, and WAF policies across broader Azure environments.
### Centralize Firewall Enforcement in Azure
Azure Firewall is the SC-900 answer when the scenario asks for a managed network firewall service in Azure. Microsoft describes it as a cloud-native, intelligent, fully stateful firewall service for Azure cloud workloads. It has built-in high availability and cloud scalability, and it inspects both east-west and north-south traffic. Those phrases help separate it from simpler filtering tools.
East-west traffic means traffic moving across workloads inside a cloud environment, such as between subnets, virtual networks, or application tiers. North-south traffic means traffic entering or leaving the environment, such as internet egress or ingress. If a question asks for central control over these paths, Azure Firewall is usually stronger than picking an NSG alone.
| Need in the prompt | Why Azure Firewall fits |
|---|---|
| Centralized application and network connectivity policy | Firewall policy can be created and enforced centrally |
| Stateful firewall behavior | The service tracks connection state rather than treating each packet in isolation |
| Logging of allowed and denied connectivity | Firewall logs support monitoring and investigation |
| Hub network or shared perimeter design | A central firewall can serve multiple spokes or workloads |
| Public source IP consistency for outbound traffic | Azure Firewall uses a static public IP address for virtual network resources |
Do not confuse Azure Firewall with Web Application Firewall. Azure Firewall is not primarily a web exploit inspection service. WAF is the service that protects web applications from threats such as SQL injection and cross-site scripting. Azure Firewall provides broader network and application connectivity enforcement for Azure workloads.
Do not confuse Azure Firewall with a network security group either. NSGs filter traffic by rules associated with subnets or network interfaces. Azure Firewall is a managed firewall service that is often placed centrally in a hub or perimeter pattern. In a real architecture, NSGs and Azure Firewall are commonly used together: NSGs apply local filtering, while Azure Firewall handles centralized inspection and policy.
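The hub-and-spoke pattern described above, as an added Bicep example that is not part of the original page or of any Microsoft sample: a central firewall policy with one network rule (east-west, between two workload tiers) and one application rule (north-south egress by FQDN), a firewall in the hub that consumes that policy, a spoke route table that forces the default route through the firewall's private IP, and a diagnostic setting that sends rule logs to Log Analytics. All resource names, address ranges, the FQDN, and the `hubVnetName` and `logAnalyticsWorkspaceId` parameters are assumptions; the hub VNet is assumed to already contain a subnet named `AzureFirewallSubnet`.

```bicep
// Added example (not from the original page). Names, address ranges and the
// target FQDN are assumptions chosen to illustrate the hub-spoke pattern.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'           // assumed existing hub VNet with 'AzureFirewallSubnet'
param spokeAddressPrefix string = '10.1.0.0/16' // assumed spoke address space
param logAnalyticsWorkspaceId string            // assumed existing workspace resource id

// Standard static public IP: outbound (SNAT) traffic keeps a consistent source address.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-afw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// The policy is the central object: rules are authored here, not per subnet.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-hub'
  location: location
  properties: { threatIntelMode: 'Alert' }
}

// One rule collection group holding a network rule collection (L4, east-west)
// and an application rule collection (FQDN-based, north-south egress).
// Traffic that matches no rule is denied by the firewall's default behaviour.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'rcg-workloads'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-web-to-data'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'web-tier-to-sql'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.1.1.0/24' ]      // assumed web tier subnet
            destinationAddresses: [ '10.1.2.0/24' ] // assumed data tier subnet
            destinationPorts: [ '1433' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-update-egress'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'windows-update-https'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ spokeAddressPrefix ]
            targetFqdns: [ '*.update.microsoft.com' ] // assumed allowed destination
          }
        ]
      }
    ]
  }
}

// The firewall itself lives in the hub and is bound to the policy above.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      {
        name: 'ipconfig-hub'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
  dependsOn: [ rcg ]
}

// Spoke route table: 0.0.0.0/0 goes to the firewall's private IP, so the hub
// inspects egress. Associate this table with each spoke workload subnet.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-via-hub'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// Allowed and denied rule decisions land in the workspace as resource-specific tables.
resource fwDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: firewall
  name: 'diag-afw-hub'
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logAnalyticsDestinationType: 'Dedicated'
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
  }
}
```

The split of responsibilities mirrors the text: the route table is what makes the spoke's traffic reach the hub at all, the policy is where the centralized allow decisions live, and the diagnostic setting is what turns those decisions into logs an analyst can query. NSGs on the spoke subnets would still apply their own local filtering before or after this path.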
Firewall Manager may appear in broader scenarios. It is a security management service for central security policy and routing management across cloud-based perimeters. It can help deploy multiple Azure Firewall instances, implement DDoS protection plans, and manage WAF policies. For SC-900, know the relationship: Azure Firewall enforces firewall policy; Firewall Manager helps manage security policy at scale.
The exam may use wording such as central firewall, stateful inspection, application and network rules, hub-spoke routing, outbound traffic control, or log connectivity decisions. Those clues point to Azure Firewall. If the prompt instead says filter traffic to a single subnet using allow or deny rules, NSG may be the simpler fit.
- Choose Azure Firewall for central, managed firewall enforcement.
- Choose WAF for web application exploit protection.
- Choose NSGs for subnet or network-interface traffic filtering.
- Use Firewall Manager wording as a scale and management clue.
1. A company wants a managed, stateful firewall service that can centrally enforce network and application connectivity policies for Azure workloads. What should it use?
2. Which phrase is the strongest clue that Azure Firewall is the best answer rather than a network security group?
3. Which service is most directly associated with managing firewall, DDoS, and WAF policies across a broader Azure network security environment?