Azure Firewall Reviews

We use Azure Firewall for designing infrastructure for big data integration applications or for applications on Kubernetes. The firewall is only on the edge of our architecture.

The problem we were trying to solve was mostly around configuration. Azure Firewall is a PaaS offering, so it's not about the technical aspects. We need, of course, to know what threats need to be protected against, who should have access to the firewall, and which applications do have access. We also have to look at how it fits with centralized management. We also must be able to state if the solution we provide as a firewall is compliant with the standards of the organization and for auditing.

We use it in a mission-critical environment. It's highly secured.

It has made our solution safer, more scalable, and less costly because we don't have to take care of the technical maintenance.

One of the best features is that it natively integrates with Azure Services and tools. When you have a third-party offering, that is not the case. But Azure Firewall provides a comprehensive and seamless security solution for your Azure resources. The flawless integration is really nice with the Azure AD, Azure Monitor, and Azure Bastion. Everything fits together. If you use Sentinel, it's also good for that.

You can use Azure Firewall in every technical area. It's not branch specific, rather it's more architecture specific. Palo Alto also has firewalls that protect cloud infrastructure, but Palo Alto firewalls are fully managed by Palo Alto, giving you room to configure it more like you want to configure it. That gives you more options for manual deployment. Sometimes this works great when it comes to scaling or performance and can be an advantage. It depends on the use case. The option for doing a more manual deployment with Azure Firewall should be improved.

It doesn't always fit our requirements and we have to configure it further.

Also, Azure has new versions including a premium firewall. But I would like to see them not put the premium features on Azure Firewall Premium alone because it is quite expensive. For example, we use intrusion detection and prevention systems but only mTLS (Mutual TLS) inspection, which is not in the standard Azure Firewall, but it is in the premium version.

High availability can also be an issue, so there are several reasons to go for the premium version, but the standard firewall is too modest. It's more for an SMB. If you want to scale you should go for Azure Firewall Premium.

I have been using Azure Firewall for about eight years.

It's a very stable solution.

It's very scalable because it's a PaaS solution. If you have only one event or a lot of events, it scales.

When we have a really in-depth question when we are working in production or other environments, we use Microsoft standard support. Sometimes it's very good, and sometimes it could be better.

There is also go-live support.

Positive

We used Palo Alto. We switched because we needed to do the configuration manually. Another issue was the pricing. Azure Firewall pricing is based on a pay-as-you-go model, while the Palo Alto pricing includes the cost of the VM-Series license. It's a different usage model. 

The best choice depends on your specific needs and the level of security features you require. If you need more security features, then Palo Alto would be the better one, but if you want simple management and a cost-effective solution, Azure Firewall is enough.

I also used Fortinet FortiGate. It is very popular for the same reasons that Palo Alto is. I have also used Check Point CloudGuard and some of my colleagues use Barracuda and Cisco. Nowadays it's mostly between Azure, Palo Alto, and Fortinet.

It's a PaaS offering, always on the cloud. It's tightly connected to Azure. It's quite simple when it comes to creating it, but the configuration, the fine-grain specific needs, is more difficult. If you have a standard way of working, it would work very well. But when you have different applications and integrations, Fortinet might be a better choice.

Our implementation strategy is based on designing the architecture for the application. Then we look at cost estimation so that it fits into the budget. Then we implement it and maintain it and evaluate it yearly.

There is functional maintenance involved but not technical maintenance because that is done by Azure. Things like upgrading the OS are handled by the Capgemini and Accenture technicians.

We made use of Accenture and Capgemini. The Accenture team had about eight people and Capgemini brought about four. My team was four architects.

It's worth the money, it's not expensive, but it depends on the requirements of the organization. When you are in a smaller organization with smaller applications, Azure Firewall will do the job. But when you are in a big organization with different needs, you should go for Fortinet or Palo Alto.

The pricing of Azure Firewall is pay-as-you-go. Fortinet also has a pay-as-you-go model, but Azure's pricing is higher and, with FortiGate, you also have the license.

It's not that the price is always better with Azure, but if you want a simple solution, one you don't have to think about too much, go for Azure Firewall. 

There are different pricing models and it also depends on how much data transfer you have. If you have a lot of data transfer, I would go for other firewalls. Azure Firewall is not the best firewall, but it's the easiest firewall.

My advice is to start by trying the Azure Firewall, and if it's not working out, then go for Azure Firewall Premium or for Palo Alto or Fortinet.

I use Azure Firewall as an edge and data center firewall. It is primarily used for data center and edge firewall purposes.

The features of Azure Firewall that I find most valuable include DNS inspection, forward proxy, and security, particularly on the edge.

I would like the premium and standard features to be available on the basic package. Additionally, it lacks some functionalities when compared to competitors like Check Point and Fortinet, such as WAF or load balancing.

I have been working with Azure Firewall for five years.

I would rate the stability of Azure Firewall around a six out of ten, which indicates that there is some room for improvement.

I would rate the scalability of Azure Firewall also around a six out of ten.

I would rate Microsoft's technical support for Azure around a five.

Neutral

Initially, the setup for Azure Firewall was simple, but it was costly.

I would rate the pricing of Azure Firewall around a seven, with one being high and ten being low.

Solutions like Fortinet and Check Point were mentioned as competitors.

I would rate the overall solution around six out of ten. Functionality-wise, I prefer Fortinet, as Azure Firewall lacks some functionalities from other vendors.

One of the notable advantages of Azure Firewall is its user-friendly interface, which closely resembles or shares similarities with other Azure components. The abundance of well-documented resources, extensive help features, and a wealth of examples further enhance the usability of Azure Firewall.

It could potentially be more cost-effective. There is room for further integration of AI into the system.

I have been working with it for approximately two years.

It ensures reliable availability.

At my previous workplace, we extensively deployed Azure Firewall with four units, effectively serving the security needs of a sizable user base exceeding a thousand individuals.

Previously, we utilized Fortinet, but we made the transition to Azure because  Microsoft introduced advanced features and Next Generation functionalities into Azure Firewall, and we anticipate a seamless shift to Microsoft Azure, leveraging the convenience of managing multiple products effortlessly through it.

Overall, I would rate it eight out of ten.

I've been using Azure Firewall for one or two customers in the UAE to protect against security threats. It protects the Azure infrastructure and PaaS, applications, network, and ports. It's the same as the things we configure with other firewalls.

With Azure firewall, I can extend the security posture from 67 percent to between 75 and 80 percent.

The security of Azure Firewall is okay for smaller and medium-sized organizations. It has been integrated with the virtual WAN, which is a good way to protect multi branches for connection either through ExpressRoute or VPN.

The dashboard is fine because it's simple and easy to use. For junior admins who are joining an organization and want to learn something, Azure Firewall is the best way to go, as it gives them all the flexibility. It's not so customized. Whereas with Palo Alto, for example, you have to understand firewalls, and the security aspects, in a more in-depth way. Azure Firewall is easy.

It is easy for me to protect specific ports or even the IP addresses, as well as do whitelisting, blacklisting, and the FQDN when we want virtual machines connected and to protect certain websites. There are many features which are good enough.

Also, the documentation is awesome, no doubt about it. 

For large organizations, a third-party firewall would be an added advantage, because it would have more advanced features, things that are not in Azure Firewall.

I have been using Azure Firewall for almost three years.

It's absolutely stable because it's Azure. It has the redundancy and the resilience of the Azure Infrastructure Services. I don't think there is downtime with this kind of service. It probably has 99.95 percent uptime.

It should be scalable. That has to do with the backend and Azure takes care of all of that. We have 300 to 400 users.

We have an Enterprise Agreement and that means Microsoft support would answer any calls within half an hour's time, max. They get in touch with us if there is anything that is crucial. It is based on the severity when we create the request.

A Microsoft Enterprise Agreement is the best. I worked on many problems and issues when I was working for a government organization that had an Enterprise Agreement, and I used to get calls immediately. The issues would be resolved within half a day or, at the maximum, one day.

Positive

I haven't worked with other firewalls.

The initial setup is straightforward. There is nothing complex about it. Within 20 minutes, you have the firewall up and running.

Two or three people are sufficient for deployment and maintenance in a small organization. One should be at least a SOC analyst who understands security, and one could be an Azure admin with good knowledge of the Azure infrastructure, PaaS, and security aspects.

Azure Firewall comes with Azure native services. We did not buy any kind of license for it. Whether you have a free subscription or a pay-as-you-go model, you can deploy the Azure Firewall service. For any type of third-party service, like Palo Alto, or Fortinet, or Check Point, we would need to buy a subscription or licenses based on the users, but here it comes with the tenant when you purchase it. You are not going to spend extra money on it. The amount that you use will determine how much you pay.

The pricing of Azure, compared to third-party vendors, is good because it's Azure-native. It's affordable.

It's a common firewall. I haven't faced any issues or problems with it. In Azure services itself, there are other security implementations provided, to do with DDoS protection on the networks. There are certain firewall rules as well and things that we can deploy at the subnet level and on the NIC level. Along with Azure Firewall, other security services have been implemented. It's okay for small and medium-sized organizations that cannot afford to buy a third-party vendor or security appliances to protect their perimeter. Azure Firewall should suffice for them.

Also, as cloud administrators or architects, we are the ones who take care of the protection. As long the end-user is connected with the application, they're fine. To them, it doesn't matter whether we're using Azure Firewall or a third-party appliance. They don't know what is going on at the infrastructure level. They just want the application and the performance to be good.

For small and medium-sized organizations that are not ready to invest in a third-party firewall, and clients who are not so concerned about data security, Azure Firewall is the best solution. If a company needs more protection of, say, their email service, they could go with Proofpoint, an IaaS, or PaaS. For one of our large organizations, where they have financial services and a retail business, they went for a third-party solution along with Azure Firewall.

Overall, I would rate Azure firewall at eight out of 10. There are many advanced features in the other firewalls that are not available in Azure.

I have hands-on experience with Azure Firewall. My company is developing a product called Mondo with Azure Firewall. The tools that we are developing use all sorts of products inside Azure or AWS. For example, we are checking for vulnerabilities inside the cloud and whether the customer configures the firewall properly or not. Indirectly, we are using the Azure Firewalls, but mainly it is for scanning and to check the misconfigurations of the cloud.

The solution's most valuable feature is its ranking of some web categories. The tool also does URL filtering and uses SSL and TLS inspection.

Maybe one of the things in the tool where improvements are needed as there are some shortcomings consists of Azure Firewall Manager. Azure Firewall Manager is one of the best things that can be made more capable of managing all sorts of different areas within Azure. The other thing is the traffic inspection part where improvements are needed, specifically by working on improving the engine and database.

I have been using Azure Firewall for a year.

I have had minimal use of the tool and the solution's technical support. Microsoft offers a tool named Copilot. You can ask your questions associated with Azure Firewall to Copilot by phone. If you have any problems with the tool, you can just chat with AI, which is included inside Azure, and it answers almost everything. We don't need to call the support team anymore.

My company works with Qualys indirectly since Azure has integrated it into its cloud platform. You can do vulnerability scanning with the integrated scanner part from Qualys, but I think it is currently deprecated, and Azure took it out. More than a year ago, I used the scanner part from Qualys directly, which was very strong at that time. I work with tools like AWS, Google, Kubernetes, and everything related to the cloud.

Fortinet was a tool I was working with in the past and it is mostly for the firewall. I know that Fortinet recently bought a company and are moving to the cloud area.

It is very easy to deploy the product. It does not take more than 30 minutes to deploy the solution. The implementation was easy. The setup process requires one to have a deep knowledge of the product, but the phase is overall easy to manage.

If in the setup process, one is difficult and ten is easy, I rate the setup phase a seven or eight out of ten.

The product's value to my company stems from its ability to secure my organization.

In Azure, I use everything in its ecosystem, ranging from Azure Key Vault to Azure Storage.

The threat intelligence system is mainly a tool for analyzing traffic inside or outside of a mainstream company. Based on the pattern that the tool gets, which is mostly signature-based, the solution detects the attacks. The tool works mainly with signature-based detection areas. Recently, with the AI tools integrated with Azure, the tool has also analyzed areas based on the massive amount of data that is being passed through the network. The tool can analyze and provide an alarm for the attack, making it like the IDS or IPS system.

We cannot compare point to point as to what challenges the tool helps its users overcome because many customers use Azure since they don't have any other solution other than Azure Firewall. I can use other platforms, like Fortinet Cloud, but integrating Fortinet to Azure is a massive job and involves a lot of work, and I don't think it is worth doing it. If somebody wants to move to the cloud, like Azure, they are most probably using all the features inside Azure, like Azure Firewall, Azure Storage, and everything that is included in Azure. They don't use any other products outside of Azure's ecosystem since it won't make any sense. It is also the same for AWS. If you are using AWS, probably the best thing is to use AWS Firewall.

The scalability of Azure Firewall in handling our growing network traffic is very effective. The tool does a perfect job of handling growing network traffic. We get full control of your network. You can change all sorts of IPs and ports and control almost all of the traffic.

I rate the tool a nine out of ten.

One use case for the product is providing a secure channel for data storage solutions. For example, I have used it to establish channel-based security, restricting IP or MAC address access to ensure data security.

The primary benefit of the platform is enhanced security. It offers continuous updates and protection against threats, which would otherwise require manual patching and maintenance if managed on-premises.

The most valuable feature of the solution is its VPN capability, which allows for secure communication.

The product pricing could be more competitive.

I have been using Azure Firewall for approximately two to three years.

I would rate the product stability as a seven or eight. It depends on how well it is configured and implemented within the organization's environment.

About 150 users have access to Azure Firewall in our organization. It is a scalable product. 

The setup was straightforward.

The return on investment is positive. The cost of cloud-based solutions can be significantly lower, offering a 50% reduction in costs.

I rate the product pricing a five out of ten. 

Azure Firewall integrates well with multiple platforms. For instance, I have successfully integrated it with AWS Firewall to facilitate secure data migration between Azure and AWS environments.

I recommend implementing it to secure your data. Despite the misconception that cloud environments are inherently secure, it is crucial to configure and manage your firewall properly. 

I rate it a ten out of ten. 

I used it for two of my clients. One of the clients used it for Azure Virtual Desktop implementation and for blocking the internet for the other applications in the IaaS. The use case for the other clients was also similar. It was put in there for holding up traffic and filtering traffic.

It provided ease of maintenance. If a new firewall was needed, we only had to run the pipelines for this. So, the maintenance was very easy.

It reduced work by 30%. It saved maintenance and operational costs by 15%.

The HTTPS Inspection feature was useful where HTTPS traffic is scanned before it goes over the line.

Its interface is okay, and it is very adjustable. I like IP groups and other things that you can do with it.

Rules management could be better. You have all kinds of rules, and they can put something better in place there.

There should be better monitoring and logging. Currently, it is put in Sentinel. It should be more seamless and from the interface.

It has been about two years.

Its stability is very good.

It is scalable. It was used across multiple regions. One of them had about 3,000 users, and the other one had about 5,000 users.

Their technical support is good. I would rate them an eight out of ten.

Positive

We used a different solution. We had on-prem Palo Alto. 

I was involved in its setup. I deployed it with Bicep pipelines. The maintenance was also via pipelines. Its setup was straightforward, especially with Terraform and Bicep. It was done in 10 minutes to 15 minutes.

It is a one-man job, but that is not our advice. It is better to have three or four people who have knowledge of the firewall system. If you have only one person and that person is sick, then you have a problem. You block the internet, and sometimes, you have to open it. So, it is better to do it with a small team. If there are a lot of changes, two to three people should be fine.

In terms of maintenance, there is only the maintenance of new ports or IP addresses, but that's operational management. That's not firewall management as such.

Our clients have seen about 25% return on investment.

It is expensive, especially with the premium functions.

For one of the clients, it was very expensive. You have to use it more at an enterprise level, and there, it was not at an enterprise level. So, it was very costly, but security-wise, it was a very wise decision to use it that way. 

The solution of Palo Alto and the other one, whose name I don't remember, were IaaS-based, but we wanted a platform as a service, and Azure Firewall is that.

If you have an ecosystem based on, for instance, Palo Alto, it would be better to use a Palo Alto firewall because they have one way of working and one interface, but if you have a greenfield deployment or your on-prem is old or legacy, then I would advise going for Azure Firewall.

Its basic features were enough for us. The single sign-on experience was also okay. We had no problem with that. If required, we can use Privileged Identity Management or MFA. All these features are there within Azure.

I would rate it an eight out of ten.

We use it to do the network traffic filtering between our private network and a public network. So, it is a boundary. Because of our IDS and IPS needs, the advanced features are enabled in Azure Firewall.

There are two types of versions. In China, there is only the standard tier, but in the rest of the regions, there is the premium tier.

We have a centralized filtering capability because of Azure Firewall. So, our application teams don't need to take too much care of network filtering and network protection. It has helped a lot in reducing the management overhead for our application teams.

It has helped us a lot with compliance. Because of our local cybersecurity law needs, we need to have firewall filtering capability. Before Azure Firewall, we didn't have too many choices. For example, we only had ACL, but Azure Firewall is a real firewall. It can protect us from a lot of traffic. So, it is improving our security and bringing satisfaction to the security team.

From the viewpoint of our internal organization, it simplifies the work for our application teams. Because the Infra team has built a centralized shared firewall service, our application teams can have this kind of managed service from the Infra team. That's one of the benefits. It doesn't directly impact our customers or end-users outside our organizations, but it protects their personal data and information. It also improves their security level. So, overall, the end-users are getting served better.

Network filtering is valuable. The scalability capability from the cloud-native service helps us a lot because it simplifies our day-to-day maintenance activity.

It is a cloud service, but the lending speed for each region is not always the same. For example, in China, the speed is slow. They need to think about how to make sure that the service pace or speed is always the same in all regions. It would be a great improvement if they can provide the same pace worldwide. 

It is still not at par with traditional next-generation firewalls. It is still behind other network and firewall vendors such as Palo Alto. There are other advanced and leading products in the market, and Azure Firewall is still a follower. So, they can consider investing more in this product and make it a market leader like Azure.

I have been using it for more or less two years.

We had a few critical incidents, and we did the investigation together with Microsoft. It seems there were some bugs in Azure Firewall shared cluster. So, at the very beginning, we had a few outages or critical incidents because of the product bugs, but since then, especially in the past few months, it seems very good.

Scalability is a reason why we choose a cloud service like Azure Firewall. It can scale depending on the increase in your real traffic. In our case, we never reached the 20-gigabyte throughput limit, but we can have more instances in case the application or the network traffic grows. So, it can be scaled, and we don't need to take too much care of Azure capacity planning. 

The Infra team is a direct user of this firewall. They take care of its day-to-day management. There are, at the most, 10 people on this team. They build the pipeline, monitor its performance, and based on the service requests, add and modify the JSON templates. In terms of applications, there are maybe hundreds of applications that rely on the service from Azure Firewall. We are implementing Azure Firewall worldwide. So, our footprint is extending.

I would rate them a seven out of 10.

We didn't have any cloud solution previously. We deployed it from scratch.

Its initial setup was pretty straightforward. With its native portal and User Guide, you can very quickly do the implementation. Its UI is very user-friendly. 

We made it an enterprise shared service for our use case. We studied and designed the cloud-native Azure Firewall service from scratch and packaged it as a standard service in our environment. We wanted to maintain the Azure service like the DNAT network rule and application rule. We wanted it to be always manageable in its lifecycle. So, we chose the infrastructure mode to manage our service. We have a delivery pipeline, and we also use the DevOps mode to maintain the Azure Firewall configuration in its lifecycle. For this part, the API is good, and the native Terraform and Ansible have relevant predefined modules. It is working fine. So, for this part, it is very good. It doesn't matter whether you are a junior technical guy or an advanced technical guy. You can always find a comfortable way to deploy, manage, and maintain it.

Its deployment is very quick. It takes a few minutes. In order to make it the deployer pipeline, you need to spend some time because you need to think about the integration, such as how to integrate with GitLab CI, and how to make Azure Workbook so that it can monitor the usage and user performance. We wanted it as a managed service. So, the duration also depends on your use case.

We did it ourselves. For its deployment and maintenance, we have less than five people. They just monitor and respond to all instances. They also accept a service request to implement a new rule or modify the older version of a rule. We don't have to do any upgrades.

We pay based on the usage. So, it makes sense that at the very beginning, we know very well how are they charging. We use and pay for it. So, it is not a CapEx expense. It is an OPEX expense, so it is not the same logic as ROI.

It is pay-as-you-go. So, you pay based on the usage. If I remember it well, there is a basic fee, and there is a traffic fee. It is not per month. It is per hour or something like that. It is not so expensive.

We evaluated Palo Alto. If you want to have a Palo Alto firewall in the cloud, you need to deploy it as a virtual appliance. This part is not that easy because it requires two types of tech stack. You need an Azure computing license for the Palo Alto virtual appliance. In addition, scalability is your responsibility. It is not the responsibility of your core service provider. So, for maintenance, you need to spend more time and effort.

Azure provides a unified API or interface, whereas if you want to have a traditional firewall appliance implemented in the cloud, you need to take care of the API or interface so that it can be managed in an automated way.

You should have a clear understanding of Azure Firewall. You should understand how Microsoft packages it as a service. If you don't understand how is it composed and how it works, it will bring some unexpected issues during your day-to-day operation. This is a major service from Microsoft, so the quality of Microsoft's product will directly impact the service you want to offer to your customer or users. If you understand it well and test it well, it will give you fewer surprises in the future.

I would rate Azure Firewall a seven out of 10.