On 15 March 2023 Microsoft announced the general availability of Azure Firewall Basic.
Azure Firewall is a cloud-native, stateful network security service that provides threat protection for workloads running in Azure. It filters both east/west and north/south traffic and is built for high availability and scalability. It is available in three SKUs: Standard, Premium and now Basic. All three provide the following features:
Built-in high availability
Availability Zones
Application FQDN filtering rules
Network traffic filtering rules
FQDN tags
Service tags
Threat intelligence
Outbound SNAT support
Inbound DNAT support
Multiple public IP addresses
Azure Monitor logging
Certifications
Premium adds further features such as TLS inspection and IDPS. The Basic SKU, by contrast, has the following limitations:
Threat intelligence in alert mode only (matches against the Microsoft threat-intelligence feed are logged, not denied).
A fixed scale unit: the service runs on two backend virtual machine instances and does not autoscale.
Recommended for environments with an estimated maximum throughput of 250 Mbps.
Where Azure Firewall Basic comes into its own is running cost. The Basic pricing model is designed to give SMB customers essential protection at an affordable price for low-volume workloads.
Approximate Costs
At the time of writing, the approximate retail costs for running Azure Firewall are (monthly figures assume a 730-hour month):

SKU        Cost
Basic      $0.592 (AU) per deployment hour, or $432.16 (AU) per month
Standard   $1.871 (AU) per deployment hour, or $1,365.83 (AU) per month
Premium    $2.619 (AU) per deployment hour, or $1,911.87 (AU) per month

Recommended retail costs for running Azure Firewall
Azure Firewall Basic is considerably cheaper than the Standard or Premium SKUs just to turn on, but as noted above it is intended only for small workloads: data processed through Azure Firewall Basic costs roughly four times as much per GB.
If we look at processing 100 GB in one hour, the running costs would look like this:

SKU        Cost per GB     Processing cost (100 GB)   Total cost (incl. one deployment hour)
Basic      $0.098 (AU)     $9.80 (AU)                 $10.39 (AU)
Standard   $0.024 (AU)     $2.40 (AU)                 $4.27 (AU)
Premium    $0.024 (AU)     $2.40 (AU)                 $5.02 (AU)

Recommended retail data processing costs
Sustained high volumes are therefore much more expensive through the Basic SKU than through Standard or Premium. Working from the figures above (monthly cost = hourly rate × 730 + per-GB rate × GB processed), Basic is cheaper than Standard only below about 12,600 GB per month (around 17 GB per hour, a sustained average of under 40 Mbps, well inside its 250 Mbps ceiling) and cheaper than Premium only below about 20,000 GB per month; beyond those volumes the higher per-GB charge outweighs the saving on the hourly rate.
Recommendation
The new pricing model gives SMB customers a much cheaper option for securing essential workloads where data volumes are low. If sustained data volumes grow, re-evaluate against the Standard SKU, since the per-GB charge soon erases the saving on the hourly rate.
On 1 March 2023 Microsoft announced that the new enhanced connection troubleshoot for Azure Network Watcher has reached general availability. Previously, Network Watcher provided several specialised stand-alone troubleshooting tools; these have now been consolidated in one place, with additional tests and actionable insights to assist with troubleshooting.
As customers migrate advanced, high-performance workloads to Azure, better oversight and management of the intricate networks supporting them becomes essential. Without visibility it is hard to diagnose issues, and customers are left with limited control, feeling trapped in a "black box". To improve the troubleshooting experience, Azure Network Watcher combines the existing tools with the following:
A unified solution for troubleshooting NSGs, user-defined routes and blocked ports
Actionable insights with step-by-step guidance to resolve issues
Identification of specific faults, such as:
    an inability to open a socket at the specified source port
    no server listening on the designated destination port
    misconfigured or missing routes
At the time of writing, the enhanced output is not surfaced in the portal:
The portal reports that there are connectivity issues but does not provide the enhanced detail. That detail is available via PowerShell, Azure CLI and the REST API, and it is what reveals the real reason the connection is failing, as shown next.
Accessing “enhanced connection troubleshoot” output via PowerShell
I am using the following PowerShell to test the connection between the two machines:
The issues discovered are explained in more detail: in this case, the local firewall is affecting the communication. Checking the local Defender firewall shows a specific rule blocking this traffic:
Removing the local firewall rule restores connectivity:
The enhanced connection troubleshoot can detect six fault types:
Source high CPU utilisation
Source high memory utilisation
Source Guest firewall
DNS resolution
Network security rule configuration
User defined route configuration
The first four faults are returned by the Network Watcher Agent extension on the source VM, as demonstrated above; the remaining two come from the Azure fabric. As shown below, when a Network Security Group is misconfigured on the source or destination the connectivity failure returns, but the output states clearly where the block occurs and which network security group is at fault:
In addition to fault detection, IP flow verify is also part of the enhanced connection troubleshoot, and the output includes the list of hops to the destination. An excerpt of a trace to a public storage account is below:
Centralising the troubleshooting tools under one command is clearly a great enhancement, and the added visibility into configuration and system performance makes this a valuable update to your troubleshooting toolbox.
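The following PowerShell is an added example, not the script from the original post, showing how the connectivity test described above is run and how its enhanced output (the per-hop issue list used in the firewall and NSG cases, and the hop trace) is read from the returned object. The resource group, VM names, port and region are assumptions to be replaced with your own; the source VM must have the Network Watcher Agent extension installed for the agent-side faults to be reported.

```powershell
# Added example (not the original post's script). Resource names, the port and
# the region below are assumptions; substitute your own values.
$rgName       = 'rg-netwatch-demo'   # assumed resource group holding both VMs
$sourceVmName = 'vm-web-01'          # assumed source VM (needs the Network Watcher Agent extension)
$destVmName   = 'vm-sql-01'          # assumed destination VM
$destPort     = 1433                 # assumed destination port to probe
$location     = 'australiaeast'      # assumed region of the source VM

# Network Watcher is regional; use the instance for the source VM's region.
$watcher  = Get-AzNetworkWatcher -Location $location
$sourceVm = Get-AzVM -ResourceGroupName $rgName -Name $sourceVmName
$destVm   = Get-AzVM -ResourceGroupName $rgName -Name $destVmName

# Run the connectivity check. The enhanced detail is returned by PowerShell,
# the CLI and the REST API, not by the portal.
$result = Test-AzNetworkWatcherConnectivity -NetworkWatcher $watcher `
    -SourceId $sourceVm.Id `
    -DestinationId $destVm.Id `
    -DestinationPort $destPort

# Summary line: overall status and probe statistics.
'Status: {0}  probes sent/failed: {1}/{2}  avg latency: {3} ms' -f $result.ConnectionStatus, $result.ProbesSent, $result.ProbesFailed, $result.AvgLatencyInMs

# Walk the hop list (the path to the destination) and surface every issue
# attached to a hop, together with the hop's resource ID so a blocking NSG,
# a bad route or the source VM's guest firewall can be located directly.
foreach ($hop in $result.Hops) {
    '{0,-18} {1,-16} {2}' -f $hop.Type, $hop.Address, $hop.ResourceId
    foreach ($issue in $hop.Issues) {
        '    [{0}/{1}] {2}' -f $issue.Severity, $issue.Origin, $issue.Type
        # Context carries the actionable detail (for example which rule or
        # route matched) as key/value entries; render it as JSON to read it.
        if ($issue.Context) { '    ' + ($issue.Context | ConvertTo-Json -Compress) }
    }
}
```

Hops with an empty Issues list are healthy; an issue whose Origin is Local comes from the agent on the source VM (guest firewall, DNS, socket or resource faults), while Inbound or Outbound issues on a hop come from the fabric (NSG or user-defined route). The same check is available from the CLI with `az network watcher test-connectivity --resource-group <rg> --source-resource <sourceVm> --dest-resource <destVm> --dest-port <port>`.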