Skip to main content
Azure Firewall is a fully managed, native firewall-as-a-service from Microsoft Azure. This article explains where Azure Firewall fits within a typical network architecture, highlights its core capabilities, and reviews the rule types and diagnostic options used to enforce and monitor security in hub-spoke and hybrid designs. Azure Firewall is commonly deployed at the network edge in a hub-and-spoke topology. Multiple spoke VNets route traffic through a centralized hub where Azure Firewall inspects and enforces policies for Internet-bound and hybrid traffic. Many organizations replace third-party NVAs with Azure Firewall to take advantage of a native, managed service with integrated logging, scaling, and centralized policy management.
The image depicts an overview of Azure Firewall as a stateful firewall service, illustrating its role in managing inbound and outbound network traffic with various features like threat intelligence and traffic filtering. It shows connections between Spoke VNets, Azure Firewall, and on-premises systems.

Core capabilities

Use cases and capabilities that make Azure Firewall suitable for enterprise edge and hub deployments: For official guidance, see the Azure Firewall documentation: Azure Firewall overview.

Azure Firewall rule types

Azure Firewall supports several rule types that determine how traffic is evaluated and enforced. Each rule type targets different protocols and enforcement layers.
The image is a diagram illustrating Azure Firewall's hybrid connectivity support, showing its protection for hybrid environments with user configuration, threat intelligence, and traffic filtering between spoke VNets and on-premises systems.

Example: creating a DNAT rule (Azure CLI)

This example maps incoming traffic on the firewall public IP port 443 to an internal server at 10.0.2.4:443:
Note: SNAT behavior for outbound traffic typically uses the firewall’s public IPs and can be influenced by configured public IPs and SNAT rules.
TLS inspection and other advanced controls (IDPS, URL filtering) are provided by the Azure Firewall Premium SKU. Enabling TLS inspection requires certificate management (for example, storing CA certificates in Azure Key Vault). Assess compliance and privacy implications before enabling decryption.

Logging, diagnostics, and monitoring

Configure diagnostic settings to send Azure Firewall logs and metrics to one or more of the following targets: Use Azure Monitor workbooks and Log Analytics queries to analyze traffic patterns, investigate anomalies, and generate alerts. Common logs to collect include AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallNatRule, and AzureFirewallThreatIntel.

Placement & design considerations

  • Hub-and-spoke is the recommended pattern for centralizing security: route spoke traffic through a dedicated hub VNet with Azure Firewall.
  • Replace NVAs when you need a managed, autoscaling, and highly available firewall service integrated with Azure management and monitoring.
  • For hybrid scenarios, route on-premises traffic over VPN/ExpressRoute into the hub so the firewall can inspect hybrid flows.
  • Plan for IP addressing, forced tunneling, and routing (UDRs) to ensure expected traffic passes through Azure Firewall.
This overview covers Azure Firewall’s role in a hub-spoke and hybrid architecture, its core capabilities, supported rule types, and logging/diagnostic options. For deployment patterns, configuration examples, and up-to-date SKU features, consult the official docs:

Watch Video