Microsoft Azure is introducing a new “beta” version of a Firewall facility designed to protect cloud-based applications. In its first iteration it is mainly designed to protect OUTBOUND traffic, as described below:

What is Azure Firewall?

https://docs.microsoft.com/en-gb/azure/firewall/overview

In this post, I will explain what the new Azure Firewall, recently launched in preview, can do and what it cannot at this time.  There is no shortage of firewall options in Azure for network security at the transport (Layer-4) and application (Layer-7) layers of the network stack.  The features today are:

***  High availability (HA): You do not need to deploy multiple instances for high availability as you do with NVAs. The appliance has built-in HA.
***  Cloud scalability: Another reason for scaling out the number of NVAs and load balancing them is to increase the scale of throughput. The Azure Firewall will scale to handle your throughput and bandwidth requirements.
***  FQDN filtering: You define a whitelist of fully qualified domain names (you can use wildcards) of external URLs that can be reached from your network. This approach will limit data leakage and prevent remote control by malware. This is the set of “where to rules”.
***  Network filtering rules: Rules based on source, destination, protocol, and port will limit what kinds of traffic can leave your virtual network. This is the set of “what rules”.
***  Outbound SNAT support: The Azure firewall is deployed with a standard-tier public IP address. All traffic leaving the virtual network is identified to the Internet using this address.
***  Azure Monitor: All events can be traced in the Azure Monitor, and archived to a storage account, event hub (external systems), or Log Analytics (OMS).
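To show how the two outbound rule types and the SNAT public IP fit together, here is an added example using the Az PowerShell module; it is not code from the original post or from Microsoft's documentation. All resource names, the address ranges and the DNS resolver address are assumptions, and the virtual network is assumed to already contain the mandatory subnet named AzureFirewallSubnet.

```powershell
# Added example (not from the original post). Names and addresses are assumptions.
$rg       = "rg-fw-demo"
$location = "westeurope"
$vnetName = "vnet-hub"          # assumed to already hold a subnet named "AzureFirewallSubnet"
$workload = "10.0.1.0/24"       # assumed address range of the workload subnet

# Standard-tier public IP: every flow leaving the VNet is SNATed to this address.
$pip = New-AzPublicIpAddress -Name "pip-fw" -ResourceGroupName $rg -Location $location `
        -AllocationMethod Static -Sku Standard

# "Where to" rules: an FQDN allowlist (leading wildcard permitted) for HTTP/HTTPS.
# Anything not listed here is dropped, which limits data exfiltration and malware C2.
$appRule = New-AzFirewallApplicationRule -Name "allow-ms-update" -SourceAddress $workload `
            -TargetFqdn "*.windowsupdate.com","*.microsoft.com" -Protocol "http:80","https:443"
$appColl = New-AzFirewallApplicationRuleCollection -Name "outbound-fqdn" -Priority 200 `
            -Rule $appRule -ActionType Allow

# "What" rules: source, destination, protocol and port. FQDN rules only cover HTTP/HTTPS,
# so DNS to the resolver the workload is meant to use (assumed address) needs a network rule.
$netRule = New-AzFirewallNetworkRule -Name "allow-dns" -SourceAddress $workload `
            -DestinationAddress "203.0.113.53" -DestinationPort 53 -Protocol "UDP","TCP"
$netColl = New-AzFirewallNetworkRuleCollection -Name "outbound-net" -Priority 100 `
            -Rule $netRule -ActionType Allow

# One firewall resource; HA and scaling are built in, no second instance needed.
$fw = New-AzFirewall -Name "fw-hub" -ResourceGroupName $rg -Location $location `
        -VirtualNetworkName $vnetName -PublicIpName $pip.Name `
        -ApplicationRuleCollection $appColl -NetworkRuleCollection $netColl

# The firewall only inspects traffic routed to it: point the workload subnet's default
# route at the firewall's private IP with a user-defined route, then bind the table.
$route = New-AzRouteConfig -Name "default-via-fw" -AddressPrefix "0.0.0.0/0" `
          -NextHopType VirtualAppliance -NextHopIpAddress $fw.IpConfigurations[0].PrivateIPAddress
$rt = New-AzRouteTable -Name "rt-workload" -ResourceGroupName $rg -Location $location -Route $route

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-workload" `
    -AddressPrefix $workload -RouteTable $rt | Set-AzVirtualNetwork
```

Without the route table association the firewall receives nothing, and since the preview has no inbound NAT rules, nothing here changes how traffic enters the VNet.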

What Azure Firewall Cannot Do

When I first heard of Azure Firewall I thought it would replace NVAs. As it turns out, based on what the Azure Firewall is today in its preview release, it won’t. But the current preview release is a very early one, and I think Microsoft is slowly developing Azure Firewall to get it right, instead of rashly rolling out a bunch of unready features. So, I kind of understand what they are doing. Today the Azure Firewall is not a solution for protecting a network against inbound threats. You cannot set up NAT rules for inbound traffic. It does not have rules or filters for publishing internal applications either. Today, Azure Firewall only cares about outbound traffic.