Blog Layout

Routing, Firewall Policies, and Security Profiles

Download Sample M365 Risk Assessment
Akins IT • November 22, 2019

SECURING YOUR AZURE VIRTUAL NETWORK WITH A NEXT GENERATION FIREWALL


PART 4: ROUTING, FIREWALL POLICIES, AND SECURITY PROFILES


User Defined Routes (UDR)


By default, Azure networks automatically generate system routes for connectivity between subnets within a VNET. A default route of 0.0.0.0/0 also exists to forward traffic out to the internet for VM’s residing in that VNET. With that said, introducing an NGFW virtual appliance to the environment will require that these routes be updated to utilize the NGFW as its next hop. If not, Azure traffic will continue to route through the transparent system routes and will never touch the NGFW virtual appliance.


System routes can be overridden using User Defined Routes (UDR). The UDR can be deployed via the Azure Marketplace (known as Route Table). Within the Route Table object, new routes can be specified to route subnet and internet bound traffic through the NGFW. The Route Table object will also need to be associated to each subnet that require the use of UDR’s. If different subnets require different UDR’s, multiple Route Tables can be implemented to achieve this.


Firewall Policies and NGFW UTM Features


Once Azure traffic is routed through the NGFW virtual appliance, firewall policies must be in place to allow both subnet to subnet and inside to outside communication. The benefit now is that these policies can be built out and managed using a familiar NGFW GUI, and traffic can be inspected using UTM (Unified Threat Management) features such as Antivirus (AV), Intrusion Prevention System (IPS), Web and Application content filtering.


The FortiGate virtual appliance, for example, provides Botnet C&C blocking to known malicious IP’s and domains. Sandbox cloud AV detection can be enabled to provide protection against zero-day virus’, and advanced logging and traffic analytics will be available to assist with both traffic monitoring and troubleshooting.


Full SSL inspection (deep packet inspection) should also be implemented since it provides the highest accuracy when it comes to content filtering, IPS and AV. Considering that roughly 97% of all traffic is now encrypted, full SSL inspection is a must to ensure that your environment is secure. With full SSL inspection, the NGFW acts as a MITM (man in the middle) to decrypt encrypted traffic, inspect it, then re-encrypt it for transmission to its destination.


INTERESTED IN VIEWING THE WEBINAR VIDEO ON THIS TOPIC? FILL OUT THE FORM.


CONTACT US TO LEARN MORE ABOUT THIS TOPIC OR TO SCHEDULE A CALL

Improve Productivity with Copilot and Akins IT

By Shawn Akins December 13, 2024
Unleashing Productivity: Maximizing Potential with Copilot for Microsoft 365 and Akins IT

Collaborate Securely with Akins IT

By Shawn Akins November 25, 2024
Security Insights

Navigating the End of the Microsoft Enterprise Agreement: What It Means for Our Customers

By Shawn Akins November 13, 2024
One of the most impactful changes is the upcoming end of the Microsoft Enterprise Agreement (EA) framework, set to take effect on January 1, 2025.
More Posts
Share by: