Azure Firewall & Network Security — WAF, DDoS & Zero Trust
Protect Azure workloads with Azure Firewall, Application Gateway WAF, DDoS Protection, and network-level Zero Trust patterns.
“Welcome back. NSGs protect individual subnets and VMs. But enterprise-grade network security requires more — a centralized firewall that inspects all traffic, a web application firewall that understands HTTP and blocks OWASP attacks, and DDoS protection that absorbs volumetric attacks before they reach your workloads. Today we cover Azure's network security services and how they work together in a Zero Trust network architecture.”
“Azure Firewall is a managed, cloud-native firewall that provides centralized network security for all your Azure VNets. Unlike NSGs which operate at the NIC and subnet level, Azure Firewall sits in its own subnet in a hub VNet and inspects all traffic flowing through. Application rules control outbound access by fully qualified domain name — allow *.windowsupdate.com for patching but block everything else. Network rules control by IP address and port. Threat Intelligence automatically blocks traffic to and from known malicious IPs and domains using Microsoft's global threat feed. The Premium SKU adds TLS inspection — decrypting HTTPS traffic to inspect the payload — and IDPS for intrusion detection.”
“Application Gateway is Azure's layer 7 load balancer for web workloads. It understands HTTP and HTTPS, enabling path-based routing, SSL termination, and session affinity. The WAF add-on transforms it into a web application firewall that protects against the OWASP Top 10 attack categories. Every web application exposed to the internet should sit behind an Application Gateway WAF. Start in Detection mode — you see what would be blocked without actually blocking anything. Review the logs, tune any false positives with custom exclusions, then switch to Prevention mode to actively block attacks. A single SQL injection attempt that reaches your application could compromise your database — WAF stops it at the perimeter.”
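The Detection-then-Prevention workflow described above, as an added Bicep example that is not part of the course material: a WAF_v2 Application Gateway with a separately managed WAF policy whose `mode` is a parameter, one exclusion of the kind you would add after reviewing Detection-mode logs, and a custom rule. Resource names, address ranges, the backend IP, the excluded header name and the blocked address range are placeholders; the gateway subnet is assumed to exist already.

```bicep
// Added example (not the course's own code): Application Gateway WAF_v2 with a
// separately managed WAF policy. Names, ranges, backend IP and the excluded
// header are placeholders; the dedicated gateway subnet is assumed to exist.
@allowed([ 'Detection', 'Prevention' ])
param wafMode string = 'Detection'      // run in Detection first, flip to Prevention after tuning
param location string = resourceGroup().location
param appGwSubnetId string              // resource id of the subnet dedicated to the gateway
param backendIp string = '10.1.1.4'     // web tier behind the gateway (constructed)

resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-agw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// The WAF policy: OWASP core rule set, one tuned exclusion, one custom rule
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'wafpol-web'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: wafMode
      requestBodyCheck: true          // inspect POST bodies, not only URL and headers
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ]
      // A false positive seen in Detection-mode logs: a legacy header that trips
      // injection rules. Exclude just that header from inspection rather than
      // disabling the rule (header name is a placeholder).
      exclusions: [
        { matchVariable: 'RequestHeaderNames', selectorMatchOperator: 'Equals', selector: 'x-legacy-session' }
      ]
    }
    customRules: [
      {
        name: 'block-placeholder-range'   // evaluated before the managed rules
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          // 203.0.113.0/24 is the TEST-NET-3 documentation range, used here as a placeholder
          { matchVariables: [ { variableName: 'RemoteAddr' } ], operator: 'IPMatch', matchValues: [ '203.0.113.0/24' ] }
        ]
      }
    ]
  }
}

var agwName = 'agw-web'
resource agw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: agwName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2', capacity: 2 }
    firewallPolicy: { id: wafPolicy.id }      // this link is what makes the gateway a WAF
    gatewayIPConfigurations: [ { name: 'gw-ipcfg', properties: { subnet: { id: appGwSubnetId } } } ]
    frontendIPConfigurations: [ { name: 'fe-public', properties: { publicIPAddress: { id: pip.id } } } ]
    frontendPorts: [ { name: 'port-80', properties: { port: 80 } } ]
    backendAddressPools: [ { name: 'be-web', properties: { backendAddresses: [ { ipAddress: backendIp } ] } } ]
    backendHttpSettingsCollection: [
      { name: 'be-http', properties: { port: 8080, protocol: 'Http', cookieBasedAffinity: 'Disabled', requestTimeout: 30 } }
    ]
    httpListeners: [
      {
        name: 'listener-80'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', agwName, 'fe-public') }
          frontendPort: { id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', agwName, 'port-80') }
          protocol: 'Http'
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'rule-web'
        properties: {
          ruleType: 'Basic'
          priority: 100
          httpListener: { id: resourceId('Microsoft.Network/applicationGateways/httpListeners', agwName, 'listener-80') }
          backendAddressPool: { id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', agwName, 'be-web') }
          backendHttpSettings: { id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', agwName, 'be-http') }
        }
      }
    ]
  }
}
```

Deploy once with the default `wafMode=Detection`, review the gateway's firewall log for rule matches against real traffic, add exclusions for confirmed false positives, then redeploy with `wafMode=Prevention`; nothing else in the template changes. The listener is plain HTTP to keep the example short; a production gateway terminates TLS on a 443 listener with an `sslCertificates` entry, and the WAF inspects the decrypted request either way.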
“DDoS attacks attempt to overwhelm your services with traffic until they become unavailable. Azure DDoS Basic protection is included free and protects Azure infrastructure. DDoS Network Protection, the paid tier at ~$2,944/month per VNet, provides advanced protection for your specific public IP addresses. It adaptively learns your normal traffic patterns over 30 days and automatically flags deviations. During a DDoS attack, Azure absorbs the malicious traffic before it reaches your VMs — your application continues serving legitimate users while terabits of attack traffic are dropped upstream. The DDoS Rapid Response team provides expert assistance during active attacks.”
“NSGs and Azure Firewall complement each other — they're not alternatives. NSGs are lightweight, free, and should be on every subnet to restrict traffic to what's explicitly needed. Azure Firewall provides centralized policy management, FQDN-based rules, TLS inspection, and full logging in a single place. The pattern is: NSGs on every spoke subnet restrict traffic to only the firewall's IP. Azure Firewall in the hub then applies the actual application and network rules. This means even if an attacker compromises one VM, NSGs prevent them from moving laterally to other subnets, and all traffic attempting to leave must pass through the firewall.”
“Zero Trust networking assumes breach — design your network as if attackers are already inside. Micro-segmentation means your web tier cannot directly reach the database tier — traffic must flow through an application tier and be explicitly permitted by NSGs at each hop. Private Endpoints move Azure PaaS services (Storage, SQL, Key Vault) off the public internet and onto private IPs in your VNet — no public endpoint exposure at all. Azure Bastion provides browser-based SSH and RDP to VMs through the Azure portal, eliminating the need for public IP addresses on management ports. Just-in-time VM access in Defender for Cloud opens management ports only for specific IP addresses for a limited time window.”
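The micro-segmentation and Bastion pattern from the paragraph above, as an added Bicep example that is not part of the course material: a spoke VNet split into web, app and db subnets, an NSG per tier that permits only the expected previous hop (so the web tier cannot reach the database directly), a default route that sends internet-bound traffic to the hub firewall, and an Azure Bastion host so no VM needs a public IP. Names, address ranges and the firewall's private IP are placeholders; the peering to the hub is assumed to exist.

```bicep
// Added example (not the course's own code): zero-trust spoke with per-tier NSGs,
// forced tunnelling to the hub firewall and Azure Bastion. Names, ranges and the
// firewall IP are placeholders; hub peering is assumed to be configured elsewhere.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'   // Azure Firewall private IP in the hub (constructed)

var agwCidr = '10.1.0.0/24'        // Application Gateway subnet (no UDR allowed here)
var webCidr = '10.1.1.0/24'
var appCidr = '10.1.2.0/24'
var dbCidr = '10.1.3.0/24'
var bastionCidr = '10.1.255.0/26'  // AzureBastionSubnet must be /26 or larger

// Internet-bound packets are steered to the firewall. They keep their public
// destination IP, so NSGs still evaluate them as 'Internet', not as the firewall.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-default-via-fw'
  location: location
  properties: {
    routes: [ { name: 'default-to-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ]
  }
}

// Each tier: allow the one legitimate upstream hop, allow Bastion for SSH/RDP,
// then explicitly deny the rest of the VNet so the default AllowVnetInBound
// rule (priority 65000) never applies.
resource nsgWeb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-web'
  location: location
  properties: {
    securityRules: [
      { name: 'allow-agw-8080', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: agwCidr, sourcePortRange: '*', destinationAddressPrefix: webCidr, destinationPortRange: '8080' } }
      { name: 'allow-bastion-mgmt', properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: bastionCidr, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
      { name: 'deny-vnet-inbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

resource nsgApp 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      { name: 'allow-web-8080', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: webCidr, sourcePortRange: '*', destinationAddressPrefix: appCidr, destinationPortRange: '8080' } }
      { name: 'allow-bastion-mgmt', properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: bastionCidr, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
      { name: 'deny-vnet-inbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

// Only the app tier may open SQL connections; the web tier is caught by the deny
resource nsgDb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-db'
  location: location
  properties: {
    securityRules: [
      { name: 'allow-app-1433', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: appCidr, sourcePortRange: '*', destinationAddressPrefix: dbCidr, destinationPortRange: '1433' } }
      { name: 'allow-bastion-mgmt', properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: bastionCidr, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
      { name: 'deny-vnet-inbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-prod'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      { name: 'snet-agw', properties: { addressPrefix: agwCidr } }
      { name: 'snet-web', properties: { addressPrefix: webCidr, networkSecurityGroup: { id: nsgWeb.id }, routeTable: { id: rt.id } } }
      { name: 'snet-app', properties: { addressPrefix: appCidr, networkSecurityGroup: { id: nsgApp.id }, routeTable: { id: rt.id } } }
      { name: 'snet-db', properties: { addressPrefix: dbCidr, networkSecurityGroup: { id: nsgDb.id }, routeTable: { id: rt.id } } }
      // Bastion and Application Gateway subnets do not support a 0.0.0.0/0 route to an NVA
      { name: 'AzureBastionSubnet', properties: { addressPrefix: bastionCidr } }
    ]
  }
}

resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Browser-based SSH/RDP via the portal; the VMs themselves keep no public IP
resource bastion 'Microsoft.Network/bastionHosts@2023-05-01' = {
  name: 'bas-spoke'
  location: location
  sku: { name: 'Basic' }
  properties: {
    ipConfigurations: [
      {
        name: 'bastion-ipcfg'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', spoke.name, 'AzureBastionSubnet') }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}
```

One caveat worth knowing when you write the deny rules: once a subnet carries a 0.0.0.0/0 user-defined route, the `VirtualNetwork` service tag on that subnet expands to include the UDR prefixes, so use it only in deny rules, as here, and express allow rules with explicit CIDRs. Private Endpoints for PaaS services and just-in-time access are configured on top of this layout and are not shown in the block.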
“Azure Firewall Policy is a separate resource from the Firewall itself — allowing you to separate policy management from deployment. A security team manages the Firewall Policy with the allowed/blocked rules, while an infrastructure team deploys the Firewall instances. Policy supports parent-child relationships: a parent policy defines global enterprise rules inherited by all child policies. Regional security teams then add their environment-specific rules in child policies. Azure Firewall Manager is the central console for managing all Firewall policies and instances across all regions and subscriptions from a single pane of glass.”
“Let me show network security in action. I'll deploy Azure Firewall in a hub VNet, create application rules allowing only specific FQDNs, and configure a route table to force all internet-bound traffic through the firewall. Then deploy Application Gateway with WAF in Prevention mode and send a test SQL injection request — watch it get blocked in real time. Finally, enable just-in-time VM access and show how requesting access opens a specific port for a specific IP for a limited time.”
“Network security is tested extensively in AZ-104 and is fundamental to every Azure architecture. Key exam points: Azure Firewall requires its own AzureFirewallSubnet — specifically named, minimum /26. Application Gateway WAF operates in Detection or Prevention mode — questions often test which is appropriate when. DDoS Basic is free and automatic; DDoS Network Protection requires explicit enablement per VNet. Azure Bastion allows SSH/RDP via browser without public IP or VPN — a very common exam scenario answer. NSGs do not log by default; NSG Flow Logs must be explicitly enabled for traffic analysis.”
1. Deploy Azure Firewall in a hub VNet
2. Create application and network rule collections
3. Force-tunnel internet traffic from spoke VNets through the firewall
4. Deploy Application Gateway with WAF in Prevention mode
5. Enable Azure DDoS Protection Standard on a VNet
6. Review Azure Firewall logs in Log Analytics
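Lab steps 1, 2 and 6 above, together with the hub-and-spoke pattern from the lecture, as an added Bicep example that is not part of the course material: a hub VNet with the mandatory `AzureFirewallSubnet` (/26), a Firewall Policy owned separately from the firewall with one network rule collection and one application rule collection, the Standard-tier firewall bound to that policy, and a diagnostic setting that ships its logs to Log Analytics. The firewall's private IP is emitted as an output for the spoke route tables (step 3). Resource names, address ranges and the workspace resource id are placeholders; the spoke VNets in 10.1.0.0/16 and their peering to this hub are assumed to exist.

```bicep
// Added example (not the course's own code): hub VNet, Azure Firewall, a
// separately owned Firewall Policy with one network and one application rule
// collection, and diagnostic settings into Log Analytics. Names, ranges and the
// workspace id are placeholders; spokes in 10.1.0.0/16 are assumed to be peered.
param location string = resourceGroup().location
param logAnalyticsWorkspaceId string          // resource id of an existing workspace
var spokeRange = '10.1.0.0/16'

// The subnet must be named exactly AzureFirewallSubnet and be at least a /26
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [ { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.1.0/26' } } ]
  }
}

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-afw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// The policy is its own resource, so the security team can own the rules while
// infrastructure owns the firewall instance that binds to it
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-enterprise'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'   // drop traffic to/from Microsoft's known-malicious feed
  }
}

resource fwRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Network rule: by IP/port. Here, NTP from the spokes to anywhere.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'network-allow-ntp'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'NetworkRule', name: 'ntp-out', ipProtocols: [ 'UDP' ], sourceAddresses: [ spokeRange ], destinationAddresses: [ '*' ], destinationPorts: [ '123' ] }
        ]
      }
      {
        // Application rule: by FQDN. Only Windows Update is reachable over HTTPS;
        // every other destination falls through to the implicit deny.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-allow-patching'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'ApplicationRule', name: 'windows-update', sourceAddresses: [ spokeRange ], targetFqdns: [ '*.windowsupdate.com' ], protocols: [ { protocolType: 'Https', port: 443 } ] }
        ]
      }
    ]
  }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      {
        name: 'afw-ipcfg'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hub.name, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
  dependsOn: [ fwRules ]   // rule collections must exist before the firewall binds the policy
}

// All log categories go to the workspace as resource-specific tables
// (AZFWApplicationRule, AZFWNetworkRule, ...) for the log review in step 6
resource fwDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'afw-to-law'
  scope: fw
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logAnalyticsDestinationType: 'Dedicated'
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
  }
}

// Spoke route tables point 0.0.0.0/0 (next hop VirtualAppliance) at this address
output firewallPrivateIp string = fw.properties.ipConfigurations[0].properties.privateIPAddress
```

Deploy with `az deployment group create -g <resource-group> -f hub.bicep -p logAnalyticsWorkspaceId=<workspace-resource-id>`, then feed the `firewallPrivateIp` output into the spoke route tables. For step 6, denied outbound web requests show up in the `AZFWApplicationRule` table of the workspace, which is the place to confirm that a spoke VM reaching `*.windowsupdate.com` is allowed while any other FQDN is denied.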