
Core capabilities
Use cases and capabilities that make Azure Firewall suitable for enterprise edge and hub deployments:
For official guidance, see the Azure Firewall documentation: Azure Firewall overview.
Azure Firewall rule types
Azure Firewall supports several rule types that determine how traffic is evaluated and enforced. Each rule type targets different protocols and enforcement layers.
Example: creating a DNAT rule (Azure CLI)
This example maps incoming traffic on the firewall public IP port 443 to an internal server at 10.0.2.4:443:TLS inspection and other advanced controls (IDPS, URL filtering) are provided by the Azure Firewall Premium SKU. Enabling TLS inspection requires certificate management (for example, storing CA certificates in Azure Key Vault). Assess compliance and privacy implications before enabling decryption.
Logging, diagnostics, and monitoring
Configure diagnostic settings to send Azure Firewall logs and metrics to one or more of the following targets:
Use Azure Monitor workbooks and Log Analytics queries to analyze traffic patterns, investigate anomalies, and generate alerts. Common logs to collect include
AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallNatRule, and AzureFirewallThreatIntel.
Placement & design considerations
- Hub-and-spoke is the recommended pattern for centralizing security: route spoke traffic through a dedicated hub VNet with Azure Firewall.
- Replace NVAs when you need a managed, autoscaling, and highly available firewall service integrated with Azure management and monitoring.
- For hybrid scenarios, route on-premises traffic over VPN/ExpressRoute into the hub so the firewall can inspect hybrid flows.
- Plan for IP addressing, forced tunneling, and routing (UDRs) to ensure expected traffic passes through Azure Firewall.