
Azure Firewall has a maximum of 10 Network Rules, which can be overwhelming to manage. This can lead to configuration errors and decreased security effectiveness.
Each Network Rule has a maximum of 10 actions, which can limit the complexity of your security rules.
Azure Firewall also has a maximum of 10 Threat Intelligence feeds, which can limit the types of threats you can detect and prevent.
This can be a problem for large networks with complex security requirements.
Azure Firewall Limits
Azure Firewall has several limits that you should be aware of to ensure smooth operation. The maximum data throughput for Premium, Standard, and Basic (preview) SKUs is 100 Gbps, 30 Gbps, and 250 Mbps respectively.
You can track the Firewall Policy network rule count in the policy analytics under the Insights tab. This can help you monitor your rule limits and avoid hitting the 20,000 unique source/destination limit in network rules.
Azure Limits
Azure has limits on various services, including Azure Firewall. You can request a quota increase with support for vCPUs, but you must specify the amount and region you need.
Azure Firewall has limits on data throughput, with Premium SKU allowing up to 100 Gbps, Standard SKU up to 30 Gbps, and Basic (preview) SKU up to 250 Mbps.
You can track the Firewall Policy network rule count in the policy analytics under the Insights tab. The total size of rules within a single Rule Collection Group is 1 MB for Firewall policies created before July 2022, and 2 MB for policies created after July 2022.
Azure Firewall also has limits on the number of Rule Collection Groups in a firewall policy, with 50 supported for policies created before July 2022, and 90 supported for policies created after July 2022.
Network security perimeters have scale limitations: the recommended limit is 100 network security perimeters per subscription, and 200 profiles per network security perimeter.
Other Limitations
If you're planning to use Azure Firewall, it's essential to know its limitations. One of the key limitations is that you can't move a network security perimeter across resource groups or subscriptions if there are multiple perimeters present.
You'll also need to remove all associations before deleting a network security perimeter. This is because the forced delete option is currently unavailable.
Resource names for network security perimeters are limited to 44 characters to support the Azure portal's resource association format.
Service endpoint traffic is not supported, so you'll need to use private endpoints for IaaS to PaaS communication.
Security and Performance
Azure Firewall's performance capabilities are quite impressive, but there are some limitations to consider. The Basic tier is the most limited, with a maximum TCP/UDP bandwidth of 0.25 Gbps and HTTP/S bandwidth of 0.25 Gbps.
Azure Firewall Premium, on the other hand, can handle much higher traffic volumes, with a maximum TCP/UDP bandwidth of 100 Gbps and HTTP/S bandwidth of 100 Gbps.
Azure Firewall Premium also has a feature called Accelerated Networking, which is enabled by default and can provide a significant performance boost. However, this feature is not available on the Basic tier.
Network Security Perimeters
Network security perimeters are the first line of defense against cyber threats. They're essentially a digital fence that surrounds a network and controls what data and traffic can enter or leave.
A well-designed perimeter should include a firewall, intrusion detection and prevention systems, and secure access controls to prevent unauthorized access.
In today's digital landscape, perimeters are no longer just physical or logical, but also cloud-based and virtual. This means that security teams must stay vigilant and adapt to new threats and technologies.
According to the article, a typical perimeter might include a network address translation (NAT) system to hide internal IP addresses and a virtual private network (VPN) to encrypt and secure remote access.
Perimeters are not a one-time setup, but rather an ongoing process that requires constant monitoring and maintenance to ensure they remain effective against evolving threats.
Performance Testing
Performance testing is a crucial step before deploying Azure Firewall. You should test its performance on a test network, not in a production environment, to ensure it meets your expectations.
The test network should replicate the production environment as closely as possible, taking into account the network topology and the characteristics of the expected traffic. This will give you a realistic picture of how the firewall will perform in real-world scenarios.
You should also consider the potential traffic growth and ensure that the firewall can handle it. Azure Firewall Basic doesn't autoscale, so you'll need to plan for that.
The performance boost feature is enabled on all Azure Firewall Premium deployments by default, which includes Accelerated Networking on the underlying firewall virtual machines.
Configuration and Features
The Azure Firewall has some limitations when it comes to its configuration and features.
One key limitation is that it doesn't support policy-based routing, which can make it difficult to manage complex network traffic.
Another limitation is that it only supports static IP addresses, which can be a problem for applications that require dynamic IP addresses.
Azure Firewall's feature set is also limited in terms of its ability to handle large amounts of traffic, with a maximum throughput of 50 Gbps.
FQDN Filtering Rules
FQDN filtering rules allow you to limit outbound HTTP/S traffic to a specified list of fully qualified domain names, including wildcards.
This feature is particularly useful for organizations with specific security requirements or for isolating traffic to certain domains.
You can include wildcards in your FQDN filtering rules, giving you more flexibility in defining allowed domains.
This feature does not require SSL termination, making it a convenient option for many use cases.
Outbound SNAT Support
Outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP through Source Network Address Translation.
This feature allows you to identify and allow traffic originating from your virtual network to remote Internet destinations.
All outbound virtual network traffic is translated, ensuring consistency in network traffic management.
This enables you to have better control over your network traffic and make informed decisions about security and routing.
You can use this feature to allow traffic to remote Internet destinations, which is essential for many applications and services.
Web Categories
Web categories allow administrators to permit or block user access to website categories such as gambling sites and social media platforms.
Azure Firewall Premium provides more finely tuned web categories compared to Azure Firewall Standard.
In Azure Firewall Premium, web categories are matched based on the entire URL for both HTTP and HTTPS traffic.
This means that a URL like www.google.com/news would be categorized as News, whereas Azure Firewall Standard would only consider the FQDN part and categorize it as a Search Engine.

Azure Firewall Premium's web categories can only be configured in firewall policies.
It's essential to ensure that your policy's SKU matches the SKU of your firewall instance.
For instance, if you have a Firewall Premium instance, you must use a Firewall Premium policy.
Web category logging allows you to observe traffic filtered by Web categories in the Application logs.
The Web categories field is visible only if it has been specifically set up in the application rules of your firewall policy.
If you lack a rule that explicitly prohibits Search Engines and a user tries to visit www.bing.com, you will only see a default deny message instead of a Web categories message.
Azure and Pricing
Azure Firewall offers a unique pricing structure with fixed and variable fees, making it easy to set up and manage your network security.
Billing for Azure Firewall is straightforward, with costs clearly outlined to help you plan and budget for your cloud security needs.
With Azure Firewall, you can enjoy unlimited cloud scalability, meaning you can grow your network security as your needs evolve without worrying about infrastructure limitations.
Azure
Azure Firewall has several limits to be aware of. The maximum data throughput is 100 Gbps for Premium, 30 Gbps for Standard, and 250 Mbps for Basic (preview) SKU.
Azure Firewall Premium has some known issues, including ESNI support for FQDN resolution in HTTPS, which isn't supported due to a limitation in the underlying platform.
The maximum number of unique source/destinations in network rules is 20,000. This is calculated by multiplying the number of source addresses, source IP groups, destination addresses, destination FQDN count, destination IP groups, IP protocols count, and destination ports.
Azure Firewall policies have a limit of 1 MB for Firewall policies created before July 2022, and 2 MB for Firewall policies created after July 2022, for the total size of rules within a single Rule Collection Group.
The minimum AzureFirewallSubnet size is /26. You can configure 1-65535 ports in network and application rules.
Azure Firewall Premium also has some known issues, including client certification authentication, which isn't supported, and QUIC/HTTP3, which isn't supported due to a limitation in the underlying platform.
The TLS inspection timeout is 120 seconds. You should not exceed more than 1000 FQDNs across all network rules per firewall for good performance.
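As an added example (not code from the page or from Microsoft), the following script applies the multiplication described above to a constructed set of network rules and sums destination FQDNs against the 1000-per-firewall guidance. It assumes that addresses and IP groups within one dimension are added together before multiplying, which the page does not spell out, and the rule shape is a simplified construction rather than the ARM export schema.

```python
# Added example, not from the page or Microsoft's tooling: estimate a policy's
# unique source/destination count per network rule and in total, and count
# destination FQDNs. Assumption: addresses and IP groups in the same dimension
# are summed before multiplying. Rule shape is constructed, not the ARM schema.

NETWORK_RULE_UNIQUE_LIMIT = 20_000  # limit stated on the page
FQDN_GUIDANCE_PER_FIREWALL = 1_000  # performance guidance stated on the page


def rule_unique_count(rule: dict) -> int:
    """sources x destinations x protocols x destination ports for one rule."""
    sources = len(rule.get("source_addresses", [])) + len(rule.get("source_ip_groups", []))
    destinations = (len(rule.get("destination_addresses", []))
                    + len(rule.get("destination_fqdns", []))
                    + len(rule.get("destination_ip_groups", [])))
    return sources * destinations * len(rule["protocols"]) * len(rule["destination_ports"])


def check_policy(rules: list) -> dict:
    """Flag rules and totals that exceed the limits the page describes."""
    findings = []
    total = 0
    fqdn_count = 0
    for rule in rules:
        count = rule_unique_count(rule)
        total += count
        fqdn_count += len(rule.get("destination_fqdns", []))
        if count > NETWORK_RULE_UNIQUE_LIMIT:
            findings.append(f"{rule['name']}: {count} unique source/destinations exceeds {NETWORK_RULE_UNIQUE_LIMIT}")
    if total > NETWORK_RULE_UNIQUE_LIMIT:
        findings.append(f"policy total {total} exceeds {NETWORK_RULE_UNIQUE_LIMIT}")
    if fqdn_count > FQDN_GUIDANCE_PER_FIREWALL:
        findings.append(f"{fqdn_count} destination FQDNs exceeds the {FQDN_GUIDANCE_PER_FIREWALL} guidance")
    return {"total_unique": total, "fqdn_count": fqdn_count, "findings": findings}


# Constructed sample rules: a small DNS rule and a broad egress rule.
SAMPLE_RULES = [
    {"name": "allow-dns",
     "source_addresses": ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"],
     "destination_addresses": ["10.9.9.9", "10.9.9.10"],
     "protocols": ["UDP", "TCP"], "destination_ports": ["53"]},
    {"name": "broad-egress",
     "source_addresses": [f"10.1.{i // 256}.{i % 256}/32" for i in range(200)],
     "destination_fqdns": [f"host{i}.example.com" for i in range(40)],
     "protocols": ["TCP"], "destination_ports": ["443", "80", "8443"]},
]

if __name__ == "__main__":
    for line in check_policy(SAMPLE_RULES)["findings"]:
        print(line)
```

The broad egress rule alone reaches 200 x 40 x 1 x 3 = 24,000, so a single permissive rule can consume the whole firewall's budget; splitting sources into IP groups or narrowing ports is how the count is brought down.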
Azure SKUs
Azure SKUs offer flexibility in pricing, and Azure Firewall is no exception. It's offered in two SKUs: Standard and Premium.
The Standard SKU is a great starting point for many users, providing a solid foundation for their security needs. The Premium SKU, on the other hand, offers more advanced features and capabilities.
Azure Firewall is a key component of Azure's security offerings, and understanding the SKUs can help you make informed decisions about your cloud infrastructure.
Pricing and SLA
Azure Firewall offers a pricing model with both fixed and variable fees, making it easy to set up and manage.
Azure Firewall provides fully stateful firewall capabilities for Virtual Network resources, helping keep your online presence secure.
Microsoft guarantees a high level of availability, with the Firewall available at least 99.95% of the time when deployed inside a single Availability Zone.
This level of availability increases to at least 99.99% when the Firewall is spread across two or more Availability Zones in the corresponding Azure region.
Performance and Deployment
Azure Firewall requires performance testing before deployment to ensure it meets your expectations, especially considering potential traffic growth. This testing should be done on a test network, not in a production environment.
The testing should attempt to replicate the production environment as closely as possible, accounting for the network topology and emulating the actual characteristics of the expected traffic. You should also account for the time it takes for the firewall to scale out, which can take up to seven minutes.
Azure Firewall Basic doesn't autoscale, whereas Standard and Premium deployments do, scaling out when the average throughput and CPU consumption reach 60% or the number of connections usage reaches 80%.
Performance Data
Azure Firewall's performance capabilities are impressive, and it's essential to understand the data to make informed decisions. The throughput numbers for Azure Firewall are as follows:
Azure Firewall Basic doesn't autoscale, which means it can only handle 0.25 Gbps of TCP/UDP bandwidth and 0.25 Gbps of HTTP/S bandwidth.
The Standard version can handle up to 30 Gbps of TCP/UDP bandwidth and 30 Gbps of HTTP/S bandwidth.
The Premium version, without TLS or IDPS, can handle a whopping 100 Gbps of TCP/UDP bandwidth and 100 Gbps of HTTP/S bandwidth.
It's worth noting that the Premium version with TLS and IPS has a lower throughput of 10 Gbps for both TCP/UDP and HTTP/S bandwidth.
Single Connection Throughput
Single Connection Throughput is a critical factor to consider when evaluating the performance of your firewall. The throughput for single connections varies depending on the firewall use case.
In the Basic use case, you can expect a maximum throughput of up to 250 Mbps. This is a good starting point for small-scale applications.
The Standard use case offers a significant boost in throughput, with a maximum bandwidth of up to 1.5 Gbps for a single TCP connection. This is suitable for most medium-scale applications.
For Premium use cases, the throughput is even higher, with a maximum bandwidth of up to 9 Gbps for a single TCP connection. This is ideal for large-scale applications that require high-speed connectivity.
However, it's worth noting that even with the Premium use case, throughput can be limited to 300 Mbps when IDPS is enabled on Alert and Deny mode. This is something to keep in mind when planning your deployment.
Sources
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
- https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues
- https://stackoverflow.com/questions/71263750/azure-firewall-limitation-updating-rules
- https://www.alifconsulting.com/post/azure-firewall
- https://learn.microsoft.com/en-us/azure/firewall/firewall-performance