Azure Firewall Deep Dive
Рет қаралды 108,596
Күн бұрынAn in-depth look at both the Standard and Premium features of Azure Firewall.
Whiteboard at - github.com/johnthebrit/Random...
Stop/Start - docs.microsoft.com/en-us/azur...
Pricing - azure.microsoft.com/en-us/pri...
Features - docs.microsoft.com/en-us/azur...
00:00 Introduction
02:05 SKUs
02:45 Stop/Start Az FW and Pricing
04:50 My lab environment
07:38 Peer setting
09:25 Az FW deployment
14:32 Diagnostic settings
15:28 Route tables and UDR
21:32 Basic routing between spokes and networks
24:15 IP groups
25:53 Firewall policy
34:28 Rules and types
36:20 Threat intelligence
37:45 DNAT rule
40:48 SNAT
43:35 Network rules
47:50 Application rules
55:25 DNS features
57:10 Firewall Manager
59:06 Firewall Premium key features
1:00:10 TLS inspection
1:03:58 PKI requirements
1:06:25 TLS inspection in action
1:12:40 IDPS
1:14:42 URL filtering
1:18:58 Web categories
1:21:00 Working with logs and metrics
1:22:40 Summary
@rushadanklesaria8673 3 ай бұрын
Just wanted to share that this video is from 2 years ago, but it's still very relevant and useful, especially since I'm deploying the same solution at a customer's site.
@rafaelk1631 Жыл бұрын
Fantastic walkthrough as usual John. Thanks for sharing
@miketucker2658 Жыл бұрын
I have read a couple of your books, and finding this video was like finding gold. Well done fantastic deep dive. Also, congrats on your Kona finish, well done(and all your other finishes....nice!). I too am an IT nerd by day and Ironman all other times. I plan to do Texas one of these years, hope to see you there and if you ever get to Arizona, look me up it would be a pleasure to meet you. We have a great fast course out here, windy but always fun. Be Fast, Be Safe, Stay Healthy
@jcvirtcloudconsultancy7552 2 жыл бұрын
watching this was way better than reading the white paper, would recommend to anyone to watch this first before reading the Azure Documentation
@NTFAQGuy 2 жыл бұрын
Thanks!
@MartinFletcherCoding Жыл бұрын
Always a joy to watch your videos - A prime resource for anyone wanting to learn Microsoft Azure!
@pradeepkanojia4924 2 жыл бұрын
Always love to watch your videos. We learn lot of things from your videos. Thank you John for this noble work. Please keep doing it
@NTFAQGuy 2 жыл бұрын
Thanks, will do!
@sivakumarvadivel7822 2 жыл бұрын
The Content and Presentation is awesome --> great learning ! Thanks John !
@robinsnelson7316 Жыл бұрын
John Cracking in depth walk through of AZ Firewall, just what I needed.
@user-px7up1vb9j 2 жыл бұрын
Much thanks for all you have done John. these training is veeeeery useful. I have recommended your channel to pepole aroud me working on Azure in China. thanks again!
@sanjumec1 2 жыл бұрын
great stuff..!! you made it really simple and easy to understand. Thanks John !!
@paddyland74 2 жыл бұрын
Another Great in-depth module. Thanks John for doing this.
@NTFAQGuy 2 жыл бұрын
Very welcome
@bertusviljoen4201 2 жыл бұрын
Thanks John, great deep dive as always. I feel comfortable to deploy FW now. Loved the background of Uluru.
@NTFAQGuy 2 жыл бұрын
Awesome!
@henriquealexandreh Жыл бұрын
I agree with @Edmond. Amazing resource! Very comprehensive exploration of such an important Azure service. Thank you John!
@ngophuthanh Жыл бұрын
Thanks a lot, John. You are the best IT teacher ever.
@edmondkorbi823 2 жыл бұрын
Amazing training. Very detailed and well thought. I love the logical connection when you move from a session to the other, and then you explain it by examples. This is a big update in the teaching methodology. Thank you, John!
@NTFAQGuy 2 жыл бұрын
Glad you enjoyed it!
@Tech-ub8dd Жыл бұрын
Hi John, thank you for doing this video i really appreciate you! With out you as my main source for knowledge for Azure my job would be so much harder, I would have to spend a lot of time reading documentation. Thank you for all the work you have been doing!
@NTFAQGuy Жыл бұрын
Glad it was helpful!
@sanderaerts1178 Жыл бұрын
John , You Are my Hero. I watch hours and hours of ur movies. I learned so much from u. 😁
@jlou65535 2 жыл бұрын
Useful video for anyone is preparing the AZ-700 😊
@siliconview 2 жыл бұрын
Many Thanks John. As always very nicely explained.
@NTFAQGuy 2 жыл бұрын
Very welcome
@shalinivishwakarma9965 2 жыл бұрын
BEST VIDEO OF AZ-FIREWALL, u r just amazing, your taught so many things that are not even documented may be, well done john, you are doing great work, well taught and explained
@NTFAQGuy 2 жыл бұрын
Wow, thanks!
@shalinivishwakarma9965 2 жыл бұрын
@@NTFAQGuy pls make detailed video on standard version also.
@Roel90 2 жыл бұрын
This was amazing, our clients do not really use this resource due to the price and most of them use a Linux firewall instead but its great to learn more about this topic! Thanks a lot!
@NTFAQGuy 2 жыл бұрын
Welcome
@ramkumarthangaraja5345 2 жыл бұрын
no words to say how awesome your way of teaching :), I just love it, Thanks a lot John
@NTFAQGuy 2 жыл бұрын
Thanks!
@christianibiri 2 жыл бұрын
the best video about azure firewall I ever seen! :)
@NTFAQGuy 2 жыл бұрын
Thanks!
@northshorepx 2 жыл бұрын
Thank you John - that was a great deep dive. PS Congratulations on the Coeur D’Alene Iron man.
@NTFAQGuy 2 жыл бұрын
Thank you!
@gultekinbutun7910 2 жыл бұрын
Super explained, it is obvious that John knows it, thanks for sharing.
@NTFAQGuy 2 жыл бұрын
Very welcome
@RonaldoCostaBR 8 ай бұрын
Great azure firewall deep dive. Thanks John!
@NTFAQGuy 8 ай бұрын
Glad you liked it!
@varunkh2605 Жыл бұрын
Great walkthrough. Thanks
@oana50 Жыл бұрын
thx again John for this amazing explanation!
@NTFAQGuy Жыл бұрын
My pleasure!
@iamdedlok 2 жыл бұрын
This was amazing. Thank you Sir John! I am using the Standard Azure Firewall in a current project, so lot of this was good solid refresher for me. I loved the section on how you explained how TLS inspection works and how it enables the url filtering part. Pretty cool to see the SNAT Port utilization. I had to quickly check whats ours haha... Thanks again John, your video with a morning cuppa is just the perfect mix. Brain cells++
@NTFAQGuy 2 жыл бұрын
Glad it was helpful!
@StigBoyeAndersen 11 ай бұрын
Thanks a bunch! Helpful as always 🙂
@tabaniz 2 жыл бұрын
Awesome Thanks for the video We were just talking about using it and compare it with nsg for our solution. Legend 👏
@NTFAQGuy 2 жыл бұрын
Thanks!
@Stateoftheheart 2 жыл бұрын
Thanks John, another excellent tutorial! Love the TLS inspection and the way you broke it down.
@juanpabloguerra9512 2 жыл бұрын
Amazing content as always
@NTFAQGuy 2 жыл бұрын
Glad you enjoyed it
@yulaw3289 Ай бұрын
enjoying this video for today learning, thanks a lot!
@NTFAQGuy Ай бұрын
You are welcome!
@Depstha Жыл бұрын
You are A Great teacher. !!
@thanapongift5329 2 жыл бұрын
This is good brief even me started adopting Azure understand.
@NTFAQGuy 2 жыл бұрын
Great to hear, thanks
@vladovladimir5283 Жыл бұрын
Amazing style and content John, you're giving a great high level overview incl. billing implications. Very educational, thank you very much!
@jasonzzwqi Жыл бұрын
Amazing work John! As always, very infomative and super helpful!
@cybersamurai99 11 ай бұрын
Awesome awesome !!! Thank you so much John ! :)
@NTFAQGuy 11 ай бұрын
My pleasure!
@TariqASheikh 2 жыл бұрын
You absolutely nailed it. I can see you have almost all topics for upcoming AZ-700 covered in your channel. However, if you create a video focusing on Azure Network Engineer AZ-700 technical concepts overview, that would be awsome , thank you so much
@NTFAQGuy 2 жыл бұрын
Who knows what playlist and video I may be creating this Sunday lol
@TariqASheikh 2 жыл бұрын
@@NTFAQGuy I can't wait to see it as I have booked for beta and plan to sit mid August, awesome, thanks a lot :-)
@bolbmm86 2 жыл бұрын
Wonderful session about Azure firewall, it will help me to work on landing zone security configurations. Thank you John, great work!
@abhay626 2 жыл бұрын
Wow, it's just awesome the way you explain these things. Thank you John for all the hard work on preparing the contents!
@NTFAQGuy 2 жыл бұрын
Thank you
@ekam319 Жыл бұрын
very well explained !
@rolloengland591 2 жыл бұрын
When premium was due to go GA I was literally waiting for your deap dive on the firewall haha, many thanks, legend. Hope your channel is/becomes profitable!! It must be a hell of a lot of work to put these together.
@NTFAQGuy 2 жыл бұрын
Thanks. I don’t make any money from this channel. I have zero adverts. This is just about me wanting to help others learn and give back to the community. Knowing it helps is the key thing.
@ruckyA 2 жыл бұрын
@@NTFAQGuy ❤
@mrpoate 2 жыл бұрын
@@NTFAQGuy Legend! Your videos are top notch & I've recommended them to people at work. I'll just add that if you ever did start monetizing, as a viewer I'd have no problem with that - I think you deserve to be rewarded more for the hardwork. I'm also sure there'd be ways to monetise the channel that are somewhat win-win or minimally intrusive for the audience (i.e. occasionally promoting a genuinely useful product or service for the audience, or hell even seeing if Microsoft would want to sponsor you in some way). Thanks again.
@NTFAQGuy 2 жыл бұрын
@@mrpoate thank you but still no plans to monetize :) I really just want it to be something about helping and not a business for me. Take care
@0308920133 2 жыл бұрын
thanks, very well explained
@ZapDog43 2 жыл бұрын
Excellent. Thank you!
@HiddenChin 2 жыл бұрын
Thank you for the video.
@espenkl 10 ай бұрын
Great video. Thanks for that😊
@NTFAQGuy 10 ай бұрын
You’re welcome 😊
@ilyasontube 2 жыл бұрын
New Tatoo, John? Thanks for the great content!
@NTFAQGuy 2 жыл бұрын
Yes, got it in LA nearly 2 weeks ago.
@donstamps 2 жыл бұрын
Hi John, thank you very much for all the great content you produce and share. I sincerely appreciate it!
@NTFAQGuy 2 жыл бұрын
My pleasure, thanks for watching
@hardikdesai24 2 жыл бұрын
I doubt anyone else on this planet who can explain the topic and content with so much ease as you do. Superb, awesome.
@NTFAQGuy 2 жыл бұрын
That is very kind, thank you. I'm glad its useful.
@nehatiwari2361 Жыл бұрын
Amazing training
@MrKevSm1th Жыл бұрын
Thanks John!
@tamimthaher2405 2 жыл бұрын
Wonderful session John!! you made Azure firewall looks easy :)
@mikamishra9418 2 жыл бұрын
Awesome video!!
@GeminiLearning 2 жыл бұрын
Oh men you’re so awesome!!
@NTFAQGuy 2 жыл бұрын
Wow, thanks!
@LifeisbetterwithaMalinois 2 жыл бұрын
Just shows you what you can do if you are disciplined and determined!
@diegolagosmorales2536 8 ай бұрын
Fantastic Video, you are amazing
@NTFAQGuy 8 ай бұрын
Thank you so much!
@arisawidi8649 2 жыл бұрын
awesome john!
@NTFAQGuy 2 жыл бұрын
Thanks!
@harirajan4463 2 жыл бұрын
Thanks John for the great deep drive about Azure Firewall and the latest premium features. This is really demystified the azure firewall.
@NTFAQGuy 2 жыл бұрын
Glad you enjoyed it
@usj2211 2 жыл бұрын
Like you biceps 💪 and your knowledge
@NTFAQGuy 2 жыл бұрын
Hehe thanks
@HarishKumar-rr1eb 2 жыл бұрын
Awesome man, keep it up
@NTFAQGuy 2 жыл бұрын
You bet!
@satya2943 2 жыл бұрын
Thank you John.!
@NTFAQGuy 2 жыл бұрын
You bet!
@DavidWahby 2 жыл бұрын
Great Video!!!! Thanks!!
@NTFAQGuy 2 жыл бұрын
You're welcome!
@MrJourfixe 2 жыл бұрын
Fantastic content, super useful extremely well structured and presented. Awesome!
@NTFAQGuy 2 жыл бұрын
Glad you liked it!
@resistance9660 3 ай бұрын
Great video!
@NTFAQGuy 3 ай бұрын
Thanks!
@ryanbettsazure 2 жыл бұрын
nice video John
@NTFAQGuy 2 жыл бұрын
Thank you 🤙
@RoahsoDaPresident 2 жыл бұрын
Good stuff!
@TheHoradricTube 2 жыл бұрын
I pay for courses that aren't a patch on yours. I've worked in IT for too long, never needed to fully understand 'rowting' or fw's, always someone else's job. I'd never touched azure either. In the last week and a half I've gone from 'dark art' to having the confidence to set up a lab, replicate bits in my work place, secure the subnets, test out the product (secure az140 deep dive? #fingerscrossed) that I'm trying to architect and look really clever at work... You've had me covered at pretty much every base, you absolute lege!! Dunno how much you make out of this side-hussle, but good karma is definitely on the way! P.S. Hearing what I think is a southern UK accent saying the word 'route' like an American is weird, but it must be contagious as you've even got me bloody doing it :D
@NTFAQGuy 2 жыл бұрын
I don't make anything out of this :-) I have no advertising of any kind. This is just me giving back and trying to help people learn. It's just my hobby :-) Yes, some words I've altered how I say or people just look at me funny.
@TheHoradricTube 2 жыл бұрын
@@NTFAQGuy haha, yeah makes sense!! Keep up the good work man, you've really helped me. I'm off to watch some more of your AZ-500 stuff!
@kenrq63 2 жыл бұрын
A good educational video, John, keep up the good work. Question: Will the Azure Firewall Premium be able to hive off a copy of un-encrypted data to another security device at any stage - I am assuming that the IDPS is a local service running on the firewall instance.
@NTFAQGuy 2 жыл бұрын
Glad you like the video. I can’t speak to future plans I’m afraid. Yes the idps is local to az fw
@RabbitJnr Жыл бұрын
Thank you!
@MammadovAdil 2 жыл бұрын
amazing and very informative video as always, can't go over it without saying thank you!
@NTFAQGuy 2 жыл бұрын
Much appreciated!
@markymarkymarky1974 2 жыл бұрын
This is a great deep dive, great work! This must also be an excellent way for you to gain a deeper understanding on your topics..
@NTFAQGuy 2 жыл бұрын
Thank you
@mailman2097 Жыл бұрын
Awesome ❤🎉
@hsmssouza 2 жыл бұрын
Amazing!!!
@gugukunene7444 2 жыл бұрын
I've been waiting
@jpb2085 2 жыл бұрын
Super insightful and so clearly explained, thank you!
@NTFAQGuy 2 жыл бұрын
Very welcome
@miteshc1 2 жыл бұрын
Thanks John. Legendary session there as usual !
@NTFAQGuy 2 жыл бұрын
Glad you enjoyed it
@deveshchattani1204 Жыл бұрын
Thanks John for amazing training. Really helped to broaden mindset on all perspective. Respect ++
@deepuvijayannair 2 жыл бұрын
Thanks John, for the awesome video with great explanation. One question though - for the route tables, I notice that you have multiple route tables created to cater the different subnets. Is that because the subnets are in different regions? If they weren't, could you have just used a single route table for all the routing to the firewall?
@NTFAQGuy 2 жыл бұрын
Need to be same region as the vnet
@timkatsapas 2 жыл бұрын
Dude - this is so legit. Love the simple explanation. Brilliant!
@NTFAQGuy 2 жыл бұрын
Much appreciated!
@byron_glover 2 жыл бұрын
Thanks for the great deep dive, I currently use Standard but am now considering upgrading, is it still worth doing if you don't want to go through the hassle of setting up TLS inspection or is that one of the main benefits of upgrading to premium?
@NTFAQGuy 2 жыл бұрын
I think the decision would be based on the features of Premium that may be useful which is what I went over in the video in a lot of detail :-) The TLS inspection is huge value. Only you know if they are worth it to you.
@zzzzz-jx2qi 2 жыл бұрын
Awesome!
@NTFAQGuy 2 жыл бұрын
Thanks!
@steveng.42 2 жыл бұрын
Outstanding and timely content as always John, Thank you! One quick question related to TLS inspection is in regard to private PaaS (say vNet integration). Is this even possible and would you just need to issue the cert from a public CA since PaaS services wouldn't trust in internal enterprise PKI CA?
@NTFAQGuy 2 жыл бұрын
I think would vary by PaaS service assuming you are talking about the outbound from PaaS to configuration around certs etc.
@steveng.42 2 жыл бұрын
@@NTFAQGuy Correct. The thought was around an outbound call from say an App Service. If it would be even possible to perform TLS inspection there. Thanks!
@deepuvijayannair 2 жыл бұрын
I guess you might need a registered domain name, an Azure DNS and an alias to that domain name and a TLS cert (a wild card cert) that's from a public CA which will open up for outbound calls.
@thomasrichards3535 2 жыл бұрын
I have my AZ-500 upcoming. I am terrible at remembering everything through reading the microsoft docs, and most of the videos I have found out there are slightly outdated, so THANK YOU for this video! I've watched a good few of your videos in the past and I remember how clear they were, saw the date on this one and knew I was onto a winner. Question: Why is the billing model $100 per Firewall per policy group after the first associated firewall? I do not quite understand the benefit of the that over deploying a 'second' policy group that's got the same policies anyways. I understand its an effort towards scalability but maybe I'm missing something here.
@NTFAQGuy 2 жыл бұрын
Glad you like the video. I can’t speak to pricing but you are trading your effort and management for simplicity.
@bradsherwin8149 2 жыл бұрын
Excellent video. Do you have a video for Azure FW vs 3rd Parties such as Palo Alto?
@NTFAQGuy 2 жыл бұрын
No
@deychand11 2 жыл бұрын
As always marvelous explanation. Thanks John. Just queries to know if for some reason I need to bypass the firewall for one of the spoke vnet. what would be the approch.
@NTFAQGuy 2 жыл бұрын
UDR
@nullinfinite2844 2 жыл бұрын
you rock, simple as dat
@NTFAQGuy 2 жыл бұрын
Thank you
@greywind6951 2 жыл бұрын
great stuff . thank you! some follow-up - if I may: have you come across any 3rd party lab testing for its application signature and its accuracy ? Does the intelligence also work for multi-region deployments ?
@NTFAQGuy 2 жыл бұрын
Don't know about 3rd party testing. Region does not matter.
@sidzhang 2 жыл бұрын
Hi John, why Application FQDN filtering rules don't require TLS inspection? FQDN filtering limit both outbound HTTP and HTTPS traffic. Which features run on top of TLS inspection?
@NTFAQGuy 2 жыл бұрын
As I said in the video, SNI. In terms of what features use tls I showed that in the video as well.
@artisticcheese 2 жыл бұрын
John's videos are the only ones which do not get thumbs down somehow. There is always 1% who will down vote a video for random reasons, but not here. 👍
@NTFAQGuy 2 жыл бұрын
haha, no no, I often get than 1 or 2 thumb down as well :-D
@ukaszpolczyk4122 Жыл бұрын
If I want to know something tricky about azure, It's always one way, Lets watch JonhSavill's video :D
@richardwilliams9167 2 жыл бұрын
Thanks John for another great video. Trying to get a mental picture on how this all fits together with regards its networking. The private address that we see on the AzureFirewallSubnet is an internal standard load balancer which fronts a VM scale set - the VMs as part of this scale set have an interface on this subnet which we don't see. The Azure firewall Public Ip is another load balancer for both inbound and outbound, which explains why we cannot have a static NAT for outbound. Is this picture accurate?
@NTFAQGuy 2 жыл бұрын
Pretty much. The internals could change and pg don’t document so I’m reserved how much to say beyond what I said in the video (where I did cover this). Ultimately it’s an appliance so has zero impact on how you use anyway :)
@richardwilliams9167 2 жыл бұрын
@@NTFAQGuy Thanks John for taking time to reply - much appreciated.
@cma9br 2 жыл бұрын
Thank you for the great video. As far as I understood I must check TLS inspection if I want to use https URL filtering in an application rule. What does it happen if I don't check TLS inspection? Thank you in advance.
@NTFAQGuy 2 жыл бұрын
Yes to look at path for https you need tls inspection as I explain in the video. If not it can’t see paths.
@fs6446 2 жыл бұрын
Does Azure Firewall also have to do SNAT for traffic coming from an external network? In your video about NVAs you talked about the fact that horizontally scalable NVAs have to perform SNAT in this case. Thanks for the great videos!
@NTFAQGuy 2 жыл бұрын
You can configure networks to not SNAT for private networks.
@fs6446 2 жыл бұрын
@@NTFAQGuy That is possible for traffic incoming from the Internet?
@NTFAQGuy 2 жыл бұрын
SNAT is for outbound
@ruckyA 2 жыл бұрын
Hi John one question, why would you use UDRs and not peer the two spoke networks?
@NTFAQGuy 2 жыл бұрын
Maybe you have 50 spokes. That would be a lot of peerings to mesh and/or maybe you want the traffic inspection anyway
@MikeSweeneyMedia 2 жыл бұрын
Unless things have changed with the new SKU, you can have the excessively high count of outside IPs.. yes.. but you cannot lock a data path to any one of the outside IPs. The firewall will randomly use one of them for outbound comms. Not a big deal unless you are trying to white list that IP on the other end. Removing one of the outside IPs is also a big deal. You can ( last year) only do it via CLI and not from the RM. I discovered both of these the hard way last year with our Citrix client pool on the standard SKU. Just FYI
@NeilNatic 2 жыл бұрын
^^^^ this! this specific issue is making me replace my Azure Firewall with a 3rd party FW :( I was shocked that this is not possible.
@markymarkymarky1974 2 жыл бұрын
Hi John, would you use NSGs on top of Azure Firewall? Isn't it an admin nightmare?
@NTFAQGuy 2 жыл бұрын
I would try and focus as much as possible through the firewall but it’s possible maybe some traffic you don’t route via firewall and still want controls it layer 4
@Marcelk86 2 жыл бұрын
You mentioned that the DNS Proxy can also be used to allow external clients to resolve internal Names? How is this done? Do the clients have to use the firewalls PIP then and what is the use-case for this?
@NTFAQGuy 2 жыл бұрын
It’s the target of forwarder from your dns. Docs have details
@tolugantipradeep 2 жыл бұрын
hey John, any plan to do deep dive on Firewall Manager ?
@NTFAQGuy 2 жыл бұрын
I never discuss future content plans
@longb1913 2 жыл бұрын
what is 13389 and 13390?? and what are the public ips in homebase? your vm's public ip or your actual router's pulibc ip?
@NTFAQGuy 2 жыл бұрын
They are ports. Homebase are public ips of where I’ll connect from
Radha media
Рет қаралды 1,6 М.
Scott Duffy @ GetCloudSkills
Рет қаралды 15 М.
spline
Рет қаралды 531 М.
Kasim Tech
Рет қаралды 11 МЛН