Understanding Firewall Options In Microsoft Azure

As an IT engineer and a shade-tree mechanic, I know that using the right tool for the job is critical to my success.  While coming up with my own solutions to removing a stripped bolt is fun, it’s usually better if I had used the right-sized socket wrench in the first place.  This breakdown of firewall options in Azure should help you pick the right tool for your infrastructure, and protect yourself from the IT equivalent of –

fry_bolt

Operating System Firewalls

Most modern operating systems come pre-packaged with a firewall product.  These include offerings like Windows Firewall for Advanced Security in both desktop versions of Windows (Windows 7, Windows 8) as well as server versions (Server 2008, Server 2012).  Nearly every flavor of Linux supported by Azure, including Ubuntu, Debian, and SUSE Linux all come with (either preinstalled, or readily available via a repository) an open-source firewall offering known as iptables.

An operating system firewall should be considered a “second-layer” of protection for your Azure Virtual Machines.  In the event that a malicious third-party were to bypass an Azure Endpoint or Network Security Group (discussed later in this article), they would not have the ability to access services that are not explicitly allowed by the operating system firewall.

As far as interaction between an Azure Virtual Machine (VM) and the Guest Operating System, Microsoft’s Security Best Practices for Windows Azure Solutions notes that –

Enforcement of all IP policies is performed by a network filter running in the Host OS. The objective of these policies is to protect our infrastructure from potentially malicious customers, and isolate one customer from another. This means that nothing done on the VM can override Windows Azure’s configuration to make the firewall less restrictive. It is possible, however, to enable additional, more restrictive rules in the VM using Windows Firewall or a Linux equivalent.

Security Best Practices for Windows Azure Solutions

One final consideration as well – if you do use an operating system firewall along with other Azure firewall options, be sure to validate that you’ve opened the port on the operating system firewall as well.  I will (sheepishly) admit to making this mistake more than once.

Endpoints

Endpoints are a key feature of Azure VMs deployed using the Azure Portal, similar in functionality to Network Address Translation (NAT).  While network traffic within an Azure virtual network (VNet) is allowed, inbound access to an Azure VM is limited by the endpoints defined on the virtual machine.  An endpoint is configured with a public port (TCP or UDP) and a private port (TCP or UDP); the public port is the port open to the internet, while the private port is the port open on the Azure VM for a configured application or service.  Endpoints can be further secured by the use of an Access Control List (ACL), which restricts access to an endpoint based on a series of permit/deny rules.

Endpoints are a useful mechanism for securing Azure VMs, but their limited functionality (protecting inbound access only, limited ACL configuration) make them less attractive compared to Azure Network Security Groups, which we’ll review in the next section.

Network Security Groups

As the Azure platform and Azure virtual machines continue to develop, endpoints will be deprecated by the Network Security Groups (NSG).  NSGs secure both inbound and outbound access to both Azure VMs and Azure VNets, in the same vein that a traditional firewall would function.  NSG rules are defined with a standard five-tuple definition (source network, source port, destination network, destination port, protocol) as well as name, type, priority, protocol and access (allow or deny).   An NSG can be configured in three different ways –

  1. At the Azure VM level, protecting the VM with the defined NSG rules
  2. At the Azure VNet level, protecting all VMs on the VNet
  3. At both the Azure VM level and the Azure VNet level, providing two layers of protection.  This scenario can allow for one to use a restrictive firewall on the VM and use broader rules for the VNet.

The table below outlines the differences between Azure Endpoints and Azure NSGs.  Note that Endpoint ACLs and NSGs should never be mixed – if you have Endpoint ACLs defined, you will need to remove them to switch to NSGs.

Table 1 – Comparison of Endpoints and Network Security Groups
Endpoints Network Security Groups
Configured Level Azure Virtual Machine Azure Virtual Machine, Azure Virtual Network, Azure Virtual Machine and Azure Virtual Network
Access Secured Inbound only Inbound and Outbound
Protocols Supported TCP, UDP TCP, UDP
Ports 1 port per endpoint Multiple ports per rule; support for port ranges
Subscription Limits 50 ACLs per endpoint 100 Network Security Groups per subscription (per region), 100 Network Security Group rules per Network Security Group

Third-Party Firewall Options

One of the more popular third-party firewall options in Azure is the Barracuda NG Firewall.  Barracuda is offered in four different sizes, as indicated on the table below, and can be deployed from the Azure Marketplace as an Azure VM.  The product is a full-fledged firewall, with additional functionality for VPN, Intrusion Prevention System (IPS)/ Intrusion Detection System (IDS), and Wide-Area Network (WAN) optimization included.  This firewall can be licensed in a Bring-Your-Own-License (BYOL) or in a Pay-As-You-Go (PAYG) manner.  For large enterprise deployments of Azure VMs and for those that need a full-fledged firewall in place of Endpoints or NSGs, the Barracuda firewall is a serviceable option.  If you have existing Barracuda products on-premises, it also makes the transition to Azure significantly easier for your network admins.

Table 2 – Barracuda NG Firewall Size Options

image

Next Steps/Additional Documentation

This short article detailed the firewall options you have within Azure (Operating System, Endpoints, Network Security Groups, and the Barracuda NG Firewall).  The links below provide additional information around the firewalls reviewed in this article.

Microsoft Windows Server Documentation – Windows Firewall with Advanced Security Getting Started Guide [HTTP]
iptables Documentation [HTTP]
Security Best Practices for Windows Azure Solutions [DOCX]
Microsoft Azure Documentation – How to Set Up Endpoints to a Virtual Machine [HTTP]
Microsoft Azure Documentation – What is a Network Security Group (NSG)? [HTTP]
Barracuda NG Firewall 6.1 Documentation [HTTP]
Barracuda NG Firewall Azure Datasheet [PDF]
How to Deploy the Barracuda NG Firewall Azure on Microsoft Azure [HTTP]

Leave a Reply