Just wanted to share that this video is from 2 years ago, but it's still very relevant and useful, especially since I'm deploying the same solution at a customer's site.
Amazing training. Very detailed and well thought. I love the logical connection when you move from a session to the other, and then you explain it by examples. This is a big update in the teaching methodology. Thank you, John!
BEST VIDEO OF AZ-FIREWALL, u r just amazing, your taught so many things that are not even documented may be, well done john, you are doing great work, well taught and explained
Much thanks for all you have done John. these training is veeeeery useful. I have recommended your channel to pepole aroud me working on Azure in China. thanks again!
I have read a couple of your books, and finding this video was like finding gold. Well done fantastic deep dive. Also, congrats on your Kona finish, well done(and all your other finishes....nice!). I too am an IT nerd by day and Ironman all other times. I plan to do Texas one of these years, hope to see you there and if you ever get to Arizona, look me up it would be a pleasure to meet you. We have a great fast course out here, windy but always fun. Be Fast, Be Safe, Stay Healthy
This was amazing, our clients do not really use this resource due to the price and most of them use a Linux firewall instead but its great to learn more about this topic! Thanks a lot!
When premium was due to go GA I was literally waiting for your deap dive on the firewall haha, many thanks, legend. Hope your channel is/becomes profitable!! It must be a hell of a lot of work to put these together.
Thanks. I don’t make any money from this channel. I have zero adverts. This is just about me wanting to help others learn and give back to the community. Knowing it helps is the key thing.
@@NTFAQGuy Legend! Your videos are top notch & I've recommended them to people at work. I'll just add that if you ever did start monetizing, as a viewer I'd have no problem with that - I think you deserve to be rewarded more for the hardwork. I'm also sure there'd be ways to monetise the channel that are somewhat win-win or minimally intrusive for the audience (i.e. occasionally promoting a genuinely useful product or service for the audience, or hell even seeing if Microsoft would want to sponsor you in some way). Thanks again.
Hi John, thank you for doing this video i really appreciate you! With out you as my main source for knowledge for Azure my job would be so much harder, I would have to spend a lot of time reading documentation. Thank you for all the work you have been doing!
This was amazing. Thank you Sir John! I am using the Standard Azure Firewall in a current project, so lot of this was good solid refresher for me. I loved the section on how you explained how TLS inspection works and how it enables the url filtering part. Pretty cool to see the SNAT Port utilization. I had to quickly check whats ours haha... Thanks again John, your video with a morning cuppa is just the perfect mix. Brain cells++
You absolutely nailed it. I can see you have almost all topics for upcoming AZ-700 covered in your channel. However, if you create a video focusing on Azure Network Engineer AZ-700 technical concepts overview, that would be awsome , thank you so much
I pay for courses that aren't a patch on yours. I've worked in IT for too long, never needed to fully understand 'rowting' or fw's, always someone else's job. I'd never touched azure either. In the last week and a half I've gone from 'dark art' to having the confidence to set up a lab, replicate bits in my work place, secure the subnets, test out the product (secure az140 deep dive? #fingerscrossed) that I'm trying to architect and look really clever at work... You've had me covered at pretty much every base, you absolute lege!! Dunno how much you make out of this side-hussle, but good karma is definitely on the way! P.S. Hearing what I think is a southern UK accent saying the word 'route' like an American is weird, but it must be contagious as you've even got me bloody doing it :D
I don't make anything out of this :-) I have no advertising of any kind. This is just me giving back and trying to help people learn. It's just my hobby :-) Yes, some words I've altered how I say or people just look at me funny.
I have my AZ-500 upcoming. I am terrible at remembering everything through reading the microsoft docs, and most of the videos I have found out there are slightly outdated, so THANK YOU for this video! I've watched a good few of your videos in the past and I remember how clear they were, saw the date on this one and knew I was onto a winner. Question: Why is the billing model $100 per Firewall per policy group after the first associated firewall? I do not quite understand the benefit of the that over deploying a 'second' policy group that's got the same policies anyways. I understand its an effort towards scalability but maybe I'm missing something here.
A good educational video, John, keep up the good work. Question: Will the Azure Firewall Premium be able to hive off a copy of un-encrypted data to another security device at any stage - I am assuming that the IDPS is a local service running on the firewall instance.
Outstanding and timely content as always John, Thank you! One quick question related to TLS inspection is in regard to private PaaS (say vNet integration). Is this even possible and would you just need to issue the cert from a public CA since PaaS services wouldn't trust in internal enterprise PKI CA?
@@NTFAQGuy Correct. The thought was around an outbound call from say an App Service. If it would be even possible to perform TLS inspection there. Thanks!
I guess you might need a registered domain name, an Azure DNS and an alias to that domain name and a TLS cert (a wild card cert) that's from a public CA which will open up for outbound calls.
Thanks John, for the awesome video with great explanation. One question though - for the route tables, I notice that you have multiple route tables created to cater the different subnets. Is that because the subnets are in different regions? If they weren't, could you have just used a single route table for all the routing to the firewall?
Does Azure Firewall also have to do SNAT for traffic coming from an external network? In your video about NVAs you talked about the fact that horizontally scalable NVAs have to perform SNAT in this case. Thanks for the great videos!
Hi John, why Application FQDN filtering rules don't require TLS inspection? FQDN filtering limit both outbound HTTP and HTTPS traffic. Which features run on top of TLS inspection?
You mentioned that the DNS Proxy can also be used to allow external clients to resolve internal Names? How is this done? Do the clients have to use the firewalls PIP then and what is the use-case for this?
Thanks for the great deep dive, I currently use Standard but am now considering upgrading, is it still worth doing if you don't want to go through the hassle of setting up TLS inspection or is that one of the main benefits of upgrading to premium?
I think the decision would be based on the features of Premium that may be useful which is what I went over in the video in a lot of detail :-) The TLS inspection is huge value. Only you know if they are worth it to you.
As always marvelous explanation. Thanks John. Just queries to know if for some reason I need to bypass the firewall for one of the spoke vnet. what would be the approch.
I would try and focus as much as possible through the firewall but it’s possible maybe some traffic you don’t route via firewall and still want controls it layer 4
great stuff . thank you! some follow-up - if I may: have you come across any 3rd party lab testing for its application signature and its accuracy ? Does the intelligence also work for multi-region deployments ?
Thanks John for another great video. Trying to get a mental picture on how this all fits together with regards its networking. The private address that we see on the AzureFirewallSubnet is an internal standard load balancer which fronts a VM scale set - the VMs as part of this scale set have an interface on this subnet which we don't see. The Azure firewall Public Ip is another load balancer for both inbound and outbound, which explains why we cannot have a static NAT for outbound. Is this picture accurate?
Pretty much. The internals could change and pg don’t document so I’m reserved how much to say beyond what I said in the video (where I did cover this). Ultimately it’s an appliance so has zero impact on how you use anyway :)
You need the ability to create certs that will be trusted by the clients so it can sit in the middle. You could deploy a cert to clients etc t trust if needed.
Thank you for the great video. As far as I understood I must check TLS inspection if I want to use https URL filtering in an application rule. What does it happen if I don't check TLS inspection? Thank you in advance.
Unless things have changed with the new SKU, you can have the excessively high count of outside IPs.. yes.. but you cannot lock a data path to any one of the outside IPs. The firewall will randomly use one of them for outbound comms. Not a big deal unless you are trying to white list that IP on the other end. Removing one of the outside IPs is also a big deal. You can ( last year) only do it via CLI and not from the RM. I discovered both of these the hard way last year with our Citrix client pool on the standard SKU. Just FYI
The only con using Azure firewall is there is no static NAT available for Outbound traffic , it randomly SNATs to any one of the Public IPs associated with the FW for outgoing traffic.
John's videos are the only ones which do not get thumbs down somehow. There is always 1% who will down vote a video for random reasons, but not here. 👍
watching this was way better than reading the white paper, would recommend to anyone to watch this first before reading the Azure Documentation
Thanks!
Just wanted to share that this video is from 2 years ago, but it's still very relevant and useful, especially since I'm deploying the same solution at a customer's site.
Amazing training. Very detailed and well thought. I love the logical connection when you move from a session to the other, and then you explain it by examples. This is a big update in the teaching methodology. Thank you, John!
Glad you enjoyed it!
BEST VIDEO OF AZ-FIREWALL, u r just amazing, your taught so many things that are not even documented may be, well done john, you are doing great work, well taught and explained
Wow, thanks!
@@NTFAQGuy pls make detailed video on standard version also.
Always a joy to watch your videos - A prime resource for anyone wanting to learn Microsoft Azure!
Always love to watch your videos. We learn lot of things from your videos. Thank you John for this noble work. Please keep doing it
Thanks, will do!
Much thanks for all you have done John. these training is veeeeery useful. I have recommended your channel to pepole aroud me working on Azure in China. thanks again!
John , You Are my Hero. I watch hours and hours of ur movies. I learned so much from u. 😁
I have read a couple of your books, and finding this video was like finding gold. Well done fantastic deep dive.
Also, congrats on your Kona finish, well done(and all your other finishes....nice!). I too am an IT nerd by day and Ironman all other times. I plan to do Texas one of these years, hope to see you there and if you ever get to Arizona, look me up it would be a pleasure to meet you. We have a great fast course out here, windy but always fun.
Be Fast, Be Safe, Stay Healthy
no words to say how awesome your way of teaching :), I just love it, Thanks a lot John
Thanks!
John Cracking in depth walk through of AZ Firewall, just what I needed.
Thanks for this presentation of Azure Firewall, and especially for the explanation of TLS inspection using trusted CA!
This was amazing, our clients do not really use this resource due to the price and most of them use a Linux firewall instead but its great to learn more about this topic!
Thanks a lot!
Welcome
the best video about azure firewall I ever seen! :)
Thanks!
I doubt anyone else on this planet who can explain the topic and content with so much ease as you do. Superb, awesome.
That is very kind, thank you. I'm glad its useful.
Thanks a lot, John. You are the best IT teacher ever.
Oh men you’re so awesome!!
Wow, thanks!
Just shows you what you can do if you are disciplined and determined!
When premium was due to go GA I was literally waiting for your deap dive on the firewall haha, many thanks, legend. Hope your channel is/becomes profitable!! It must be a hell of a lot of work to put these together.
Thanks. I don’t make any money from this channel. I have zero adverts. This is just about me wanting to help others learn and give back to the community. Knowing it helps is the key thing.
@@NTFAQGuy ❤
@@NTFAQGuy Legend! Your videos are top notch & I've recommended them to people at work. I'll just add that if you ever did start monetizing, as a viewer I'd have no problem with that - I think you deserve to be rewarded more for the hardwork. I'm also sure there'd be ways to monetise the channel that are somewhat win-win or minimally intrusive for the audience (i.e. occasionally promoting a genuinely useful product or service for the audience, or hell even seeing if Microsoft would want to sponsor you in some way). Thanks again.
@@mrpoate thank you but still no plans to monetize :) I really just want it to be something about helping and not a business for me. Take care
Hi John, thank you for doing this video i really appreciate you! With out you as my main source for knowledge for Azure my job would be so much harder, I would have to spend a lot of time reading documentation. Thank you for all the work you have been doing!
Glad it was helpful!
I agree with @Edmond. Amazing resource! Very comprehensive exploration of such an important Azure service. Thank you John!
This was amazing. Thank you Sir John! I am using the Standard Azure Firewall in a current project, so lot of this was good solid refresher for me. I loved the section on how you explained how TLS inspection works and how it enables the url filtering part. Pretty cool to see the SNAT Port utilization. I had to quickly check whats ours haha...
Thanks again John, your video with a morning cuppa is just the perfect mix.
Brain cells++
Glad it was helpful!
Useful video for anyone is preparing the AZ-700 😊
You absolutely nailed it. I can see you have almost all topics for upcoming AZ-700 covered in your channel. However, if you create a video focusing on Azure Network Engineer AZ-700 technical concepts overview, that would be awsome , thank you so much
Who knows what playlist and video I may be creating this Sunday lol
@@NTFAQGuy I can't wait to see it as I have booked for beta and plan to sit mid August, awesome, thanks a lot :-)
The Content and Presentation is awesome --> great learning ! Thanks John !
Thanks John, great deep dive as always. I feel comfortable to deploy FW now. Loved the background of Uluru.
Awesome!
Another Great in-depth module. Thanks John for doing this.
Very welcome
I pay for courses that aren't a patch on yours.
I've worked in IT for too long, never needed to fully understand 'rowting' or fw's, always someone else's job. I'd never touched azure either. In the last week and a half I've gone from 'dark art' to having the confidence to set up a lab, replicate bits in my work place, secure the subnets, test out the product (secure az140 deep dive? #fingerscrossed) that I'm trying to architect and look really clever at work... You've had me covered at pretty much every base, you absolute lege!! Dunno how much you make out of this side-hussle, but good karma is definitely on the way!
P.S. Hearing what I think is a southern UK accent saying the word 'route' like an American is weird, but it must be contagious as you've even got me bloody doing it :D
I don't make anything out of this :-) I have no advertising of any kind. This is just me giving back and trying to help people learn. It's just my hobby :-) Yes, some words I've altered how I say or people just look at me funny.
@@NTFAQGuy haha, yeah makes sense!! Keep up the good work man, you've really helped me. I'm off to watch some more of your AZ-500 stuff!
Super explained, it is obvious that John knows it, thanks for sharing.
Very welcome
Thank you John - that was a great deep dive. PS Congratulations on the Coeur D’Alene Iron man.
Thank you!
Many Thanks John. As always very nicely explained.
Very welcome
Great azure firewall deep dive. Thanks John!
Glad you liked it!
I have my AZ-500 upcoming. I am terrible at remembering everything through reading the microsoft docs, and most of the videos I have found out there are slightly outdated, so THANK YOU for this video! I've watched a good few of your videos in the past and I remember how clear they were, saw the date on this one and knew I was onto a winner.
Question: Why is the billing model $100 per Firewall per policy group after the first associated firewall? I do not quite understand the benefit of the that over deploying a 'second' policy group that's got the same policies anyways. I understand its an effort towards scalability but maybe I'm missing something here.
Glad you like the video. I can’t speak to pricing but you are trading your effort and management for simplicity.
Fantastic walkthrough as usual John. Thanks for sharing
Amazing content as always
Glad you enjoyed it
thx again John for this amazing explanation!
My pleasure!
You are A Great teacher. !!
Thanks a bunch! Helpful as always 🙂
Hi John, thank you very much for all the great content you produce and share. I sincerely appreciate it!
My pleasure, thanks for watching
A good educational video, John, keep up the good work.
Question: Will the Azure Firewall Premium be able to hive off a copy of un-encrypted data to another security device at any stage - I am assuming that the IDPS is a local service running on the firewall instance.
Glad you like the video. I can’t speak to future plans I’m afraid. Yes the idps is local to az fw
New Tatoo, John? Thanks for the great content!
Yes, got it in LA nearly 2 weeks ago.
great stuff..!! you made it really simple and easy to understand. Thanks John !!
Outstanding and timely content as always John, Thank you! One quick question related to TLS inspection is in regard to private PaaS (say vNet integration). Is this even possible and would you just need to issue the cert from a public CA since PaaS services wouldn't trust in internal enterprise PKI CA?
I think would vary by PaaS service assuming you are talking about the outbound from PaaS to configuration around certs etc.
@@NTFAQGuy Correct. The thought was around an outbound call from say an App Service. If it would be even possible to perform TLS inspection there. Thanks!
I guess you might need a registered domain name, an Azure DNS and an alias to that domain name and a TLS cert (a wild card cert) that's from a public CA which will open up for outbound calls.
Excellent video. Do you have a video for Azure FW vs 3rd Parties such as Palo Alto?
No
Awesome
Thanks for the video
We were just talking about using it and compare it with nsg for our solution.
Legend 👏
Thanks!
Thanks John, for the awesome video with great explanation. One question though - for the route tables, I notice that you have multiple route tables created to cater the different subnets. Is that because the subnets are in different regions? If they weren't, could you have just used a single route table for all the routing to the firewall?
Need to be same region as the vnet
Great walkthrough. Thanks
Excellent. Thank you!
This is good brief even me started adopting Azure understand.
Great to hear, thanks
enjoying this video for today learning, thanks a lot!
You are welcome!
Awesome awesome !!! Thank you so much John ! :)
My pleasure!
Great video. Thanks for that😊
You’re welcome 😊
Does Azure Firewall also have to do SNAT for traffic coming from an external network? In your video about NVAs you talked about the fact that horizontally scalable NVAs have to perform SNAT in this case. Thanks for the great videos!
You can configure networks to not SNAT for private networks.
@@NTFAQGuy That is possible for traffic incoming from the Internet?
SNAT is for outbound
Hi John, why Application FQDN filtering rules don't require TLS inspection?
FQDN filtering limit both outbound HTTP and HTTPS traffic.
Which features run on top of TLS inspection?
As I said in the video, SNI. In terms of what features use tls I showed that in the video as well.
You mentioned that the DNS Proxy can also be used to allow external clients to resolve internal Names? How is this done? Do the clients have to use the firewalls PIP then and what is the use-case for this?
It’s the target of forwarder from your dns. Docs have details
very well explained !
Amazing training
Wow, it's just awesome the way you explain these things. Thank you John for all the hard work on preparing the contents!
Thank you
Thanks for the great deep dive, I currently use Standard but am now considering upgrading, is it still worth doing if you don't want to go through the hassle of setting up TLS inspection or is that one of the main benefits of upgrading to premium?
I think the decision would be based on the features of Premium that may be useful which is what I went over in the video in a lot of detail :-) The TLS inspection is huge value. Only you know if they are worth it to you.
Fantastic Video, you are amazing
Thank you so much!
As always marvelous explanation. Thanks John.
Just queries to know if for some reason I need to bypass the firewall for one of the spoke vnet. what would be the approch.
UDR
Amazing style and content John, you're giving a great high level overview incl. billing implications. Very educational, thank you very much!
Thanks John, another excellent tutorial! Love the TLS inspection and the way you broke it down.
Hi John, would you use NSGs on top of Azure Firewall? Isn't it an admin nightmare?
I would try and focus as much as possible through the firewall but it’s possible maybe some traffic you don’t route via firewall and still want controls it layer 4
great stuff . thank you!
some follow-up - if I may:
have you come across any 3rd party lab testing for its application signature and its accuracy ?
Does the intelligence also work for multi-region deployments ?
Don't know about 3rd party testing. Region does not matter.
Awesome man, keep it up
You bet!
Thanks John for another great video.
Trying to get a mental picture on how this all fits together with regards its networking.
The private address that we see on the AzureFirewallSubnet is an internal standard load balancer
which fronts a VM scale set - the VMs as part of this scale set have an interface on this subnet which we don't see.
The Azure firewall Public Ip is another load balancer for both inbound and outbound, which explains why we cannot have a static NAT for outbound.
Is this picture accurate?
Pretty much. The internals could change and pg don’t document so I’m reserved how much to say beyond what I said in the video (where I did cover this). Ultimately it’s an appliance so has zero impact on how you use anyway :)
@@NTFAQGuy Thanks John for taking time to reply - much appreciated.
Thank you John.!
You bet!
Like you biceps 💪 and your knowledge
Hehe thanks
Is the PKI infra mandatory for TLS inspection? What if the organization doesn’t have PKI?
You need the ability to create certs that will be trusted by the clients so it can sit in the middle. You could deploy a cert to clients etc t trust if needed.
Makes perfect sense. Thanks for sharing your knowledge and awesome tattoo btw 😃
Thank you for the great video. As far as I understood I must check TLS inspection if I want to use https URL filtering in an application rule. What does it happen if I don't check TLS inspection? Thank you in advance.
Yes to look at path for https you need tls inspection as I explain in the video. If not it can’t see paths.
Hi John one question, why would you use UDRs and not peer the two spoke networks?
Maybe you have 50 spokes. That would be a lot of peerings to mesh and/or maybe you want the traffic inspection anyway
Unless things have changed with the new SKU, you can have the excessively high count of outside IPs.. yes.. but you cannot lock a data path to any one of the outside IPs. The firewall will randomly use one of them for outbound comms. Not a big deal unless you are trying to white list that IP on the other end. Removing one of the outside IPs is also a big deal. You can ( last year) only do it via CLI and not from the RM. I discovered both of these the hard way last year with our Citrix client pool on the standard SKU. Just FYI
^^^^ this! this specific issue is making me replace my Azure Firewall with a 3rd party FW :( I was shocked that this is not possible.
Wonderful session about Azure firewall, it will help me to work on landing zone security configurations.
Thank you John, great work!
what is 13389 and 13390??
and what are the public ips in homebase? your vm's public ip or your actual router's pulibc ip?
They are ports. Homebase are public ips of where I’ll connect from
awesome john!
Thanks!
hey John, any plan to do deep dive on Firewall Manager ?
I never discuss future content plans
Awesome ❤🎉
Awesome video!!
Amazing work John! As always, very infomative and super helpful!
Thanks John for the great deep drive about Azure Firewall and the latest premium features. This is really demystified the azure firewall.
Glad you enjoyed it
nice video John
Thank you 🤙
I've been waiting
Great Video!!!! Thanks!!
You're welcome!
Great video!
Thanks!
Thank you!
This is a great deep dive, great work! This must also be an excellent way for you to gain a deeper understanding on your topics..
Thank you
Dude - this is so legit. Love the simple explanation. Brilliant!
Much appreciated!
Wonderful session John!! you made Azure firewall looks easy :)
Thanks John. Legendary session there as usual !
Glad you enjoyed it
Good stuff!
Does IP group work with NSG?
No it’s a firewall feature
@@NTFAQGuy Anything equivalent for NSG for grouping IPs for repeat rule configuration use?
Amazing!!!
Can we have paloalto instead of azure FW
Of course you can use an NVA instead. I'm simply focusing here on the native solution in Azure.
The only con using Azure firewall is there is no static NAT available for Outbound traffic , it randomly SNATs to any one of the Public IPs associated with the FW for outgoing traffic.
Anyways great session @John !!!
Thanks.
agreed! we are replacing the Azure Firewall because of this one issue. We cant use a single IP outbound. Really odd :(
John's videos are the only ones which do not get thumbs down somehow. There is always 1% who will down vote a video for random reasons, but not here. 👍
haha, no no, I often get than 1 or 2 thumb down as well :-D
Fantastic content, super useful extremely well structured and presented. Awesome!
Glad you liked it!
Awesome!
Thanks!
you rock, simple as dat
Thank you
amazing and very informative video as always, can't go over it without saying thank you!
Much appreciated!
Thanks John for amazing training. Really helped to broaden mindset on all perspective. Respect ++