Do I Need a Virtual Firewall Appliance in Azure?
December 13, 2017
As organizations are moving servers to the cloud, one of the most common questions is whether a firewall is required in Azure. In an on-premises environment, a firewall is one of the most essential security components but many of the benefits of a firewall are built in natively in Azure. When considering whether to add a virtual firewall appliance into Azure, here are some of the questions you should ask:
- Do I need advanced security features such as IPS/IDS or Web Traffic Filtering?
This is the most common reason that organizations move towards a virtual firewall appliance. While Azure has a number of security features built into their firewall by default - Denial of Service protection, access control lists (Azure calls them NSGs), basic traffic monitoring – any advanced features such as Intrusion Prevention (IPS / IDS) or advanced traffic monitoring and filtering still require a dedicated firewall device.
- What level of uptime is required?
When implementing a firewall appliance in Azure, all networking goes through that appliance. This can lead to a single point of failure if the firewall appliance ever fails. Azure recommends that all systems be redundant to avoid these types of outages but only some of the virtual appliances support high availability. If uptime is a key requirement, then it is important to pick a vendor that supports redundancy otherwise using the native Azure networking may be a better fit.
- How many public IPs do I need?
One benefit of the base Azure networking design is that every virtual machine can have one or more dedicated IPs. This makes scaling the number of public IPs in the environment very easy and as new systems are added they can each have their own IP. When using a firewall appliance, however, the number of IPs in the environment is limited to the number of IPs the appliance can support. Azure is now making it easier to add on dozens of IPs to a single network interface so that, even with a firewall appliance, there is a higher threshold for IPs. However, if you need a lot of addresses, you may notice some limitations with a virtual firewall.
- Do your users need to VPN into Azure?
Azure does provide a native client VPN solution, however many organizations have gotten very used to their existing VPN client. If your users want to continue to maintain the same experience, then adding a virtual firewall appliance into Azure will allow for a more seamless transition.
- How much are the above features worth?
All of the firewall appliances in Azure have a monthly cost for the VM consumption and also require licensing from the vendor. The combined cost from both of these requirements can add up over time. While there are many benefits from adding in these devices, the benefits need to be weighed against the cost over time to ensure they are worth it as compared to using the free native functionality.
If you decide to move forward with a virtual appliance, the next question is which brand to use. The good news is that all of the major vendors have virtual appliances in Azure (Fortinet, Cisco, Barracuda, Palo Alto, and more). Many organizations use the same vendor as their on-premises device for consistent management and monitoring but, depending on your requirements identified above, different vendors may be a better fit.
If you would like to determine if a firewall virtual appliance is right for you, and if so which device best suits your needs, contact us to discuss your specific business needs and requirements.