Azure Firewall for Small Businesses in Berlin
A network perimeter without firewall enforcement is an open door. For businesses running workloads in Microsoft Azure — whether virtual machines, app services, or containerized applications — Azure Firewall provides cloud-native, stateful network security with built-in high availability and unlimited cloud scalability. Unlike traditional hardware firewalls, Azure Firewall requires no infrastructure management, scales automatically, and integrates natively with Azure networking and Microsoft threat intelligence.
For small businesses in Berlin using Azure IaaS, hybrid connectivity, or running line-of-business applications in the cloud, Azure Firewall closes the network security gap that NSGs (Network Security Groups) alone cannot address.
What Is Azure Firewall?
Azure Firewall is a managed, cloud-native network security service that protects Azure Virtual Network resources. It’s a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. You deploy it in a hub virtual network and route traffic through it from spoke networks — the classic hub-and-spoke architecture.
Key differentiation from NSGs: NSGs operate at the network interface or subnet level with simple allow/deny rules. Azure Firewall adds application-layer inspection, FQDN filtering, threat intelligence-based filtering, TLS inspection (Premium), and centralized policy management across multiple virtual networks.
Azure Firewall SKU Comparison
| Feature | Basic | Standard | Premium |
|---|---|---|---|
| FQDN filtering | Yes | Yes | Yes |
| Network/App rules | Yes | Yes | Yes |
| Threat Intelligence | Alert only | Alert & Deny | Alert & Deny |
| TLS Inspection | No | No | Yes |
| IDPS (Intrusion Detection and Prevention) | No | No | Yes |
| URL Filtering | No | No | Yes |
| Web Categories | No | Yes | Yes |
| Target | SMB | General | High security |
For most Berlin SMBs, Azure Firewall Standard is the appropriate tier — full threat intelligence integration, application and network rules, web category filtering, and FQDN-based controls without the complexity of Premium’s TLS inspection requirements.
Core Capabilities
Application Rules (FQDN Filtering)
Control outbound access based on fully qualified domain names rather than IP addresses. Allow *.microsoft.com and *.azure.com while blocking all other outbound HTTPS. This is the critical capability for enforcing zero-trust outbound policy — workloads should only reach known, approved destinations. IP-based rules are insufficient because cloud services use dynamic IPs and CDNs.
Network Rules
Layer-4 rules controlling traffic based on IP address, port, and protocol. Used for non-HTTP/S traffic — database connections, custom protocols, east-west traffic between subnets. Network rules complement application rules to provide complete traffic control.
Threat Intelligence Integration
Azure Firewall integrates with Microsoft’s threat intelligence feed — a continuously updated list of known malicious IPs and domains. In Alert & Deny mode (Standard/Premium), traffic to or from these indicators is automatically blocked and logged. No manual feed management required.
Azure Firewall Policy
Firewall policies are the management layer above individual firewall instances. A policy contains rule collections, threat intelligence settings, DNS configuration, and other settings. Policies can be hierarchical — parent policies define baseline rules that child policies (for individual environments or subscriptions) inherit and extend. This is the governance model for multi-environment deployments.
DNS Proxy
Azure Firewall can act as a DNS proxy, routing all DNS queries from virtual network resources through the firewall. This enables FQDN-based network rules (which only match reliably when the firewall and the clients resolve a name to the same addresses, which the proxy guarantees) and provides a centralized DNS logging point for visibility into name resolution activity.
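The capabilities above combined in one Firewall Policy, as an added example (not the article's or Microsoft's own code): a network rule collection for SQL between two spoke subnets, an application rule collection allowing only *.microsoft.com and *.azure.com over HTTPS, threat intelligence in Deny mode and the DNS proxy enabled. The resource names, address ranges and the Standard tier are assumptions; it is deployed into the hub resource group with az deployment group create.

```bicep
// Added example (not from the article); every name, range and FQDN is an assumption for illustration.
resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'fwpol-hub'
  location: resourceGroup().location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'            // Alert & Deny: block and log known-bad IPs and domains
    dnsSettings: { enableProxy: true } // firewall resolves names on behalf of the spokes
  }
}
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      { // Layer-4: the app tier may reach SQL in the data tier; no other east-west traffic is allowed
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-east-west'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'app-to-sql'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.1.1.0/24' ]      // assumed app-tier subnet
            destinationAddresses: [ '10.1.2.0/24' ] // assumed data-tier subnet
            destinationPorts: [ '1433' ]
          }
        ]
      }
      { // Layer-7: outbound HTTPS only to approved FQDNs; anything unmatched is denied by default
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-approved-outbound'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-microsoft-azure'
            sourceAddresses: [ '10.1.0.0/16' ]      // assumed address space of the spoke VNets
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ '*.microsoft.com', '*.azure.com' ]
          }
        ]
      }
    ]
  }
}
```

For the proxy to actually sit in the resolution path, the spoke VNets' custom DNS server setting must point at the firewall's private IP; with it enabled, the DNS query log described above becomes the record of every name the workloads resolve.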
Hub-and-Spoke Deployment Architecture
The recommended deployment pattern for Azure Firewall is hub-and-spoke:
- Hub VNet: Contains Azure Firewall, VPN/ExpressRoute gateways, shared services
- Spoke VNets: Application workloads, peered to the hub
- User-Defined Routes (UDRs): Force all traffic from spoke subnets through the Azure Firewall in the hub
All inbound and outbound traffic — including spoke-to-spoke — traverses the firewall. This provides complete east-west traffic visibility and control, a critical requirement for zero-trust network segmentation. Azure Virtual WAN (vWAN) with Secured Virtual Hub is the managed alternative for organizations preferring a fully managed hub deployment.
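The UDR step in practice, as an added example rather than code from the article: a Bicep template that looks up the hub firewall's private IP, builds a route table sending 0.0.0.0/0 to it, and attaches that table to a spoke subnet. The resource group, firewall and VNet names and the subnet prefix are assumptions.

```bicep
// Added example (not from the article): route one spoke subnet's default route through the hub firewall.
// Names and the spoke address space are assumptions; hub and spoke live in the same subscription.
param hubResourceGroup string = 'rg-hub'      // assumed resource group holding the firewall
param firewallName string = 'afw-hub'         // assumed firewall name
param spokeVnetName string = 'vnet-spoke-app' // assumed spoke VNet, already peered to the hub

// Read the firewall's private IP from the existing resource so the route never hard-codes it.
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' existing = {
  name: firewallName
  scope: resourceGroup(hubResourceGroup)
}
var firewallPrivateIp = firewall.properties.ipConfigurations[0].properties.privateIPAddress
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: spokeVnetName
}

// 0.0.0.0/0 -> firewall. The prefix also covers other spokes and on-premises ranges, so
// spoke-to-spoke and hybrid traffic is inspected too, not only Internet egress.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke-app'
  location: resourceGroup().location
  properties: {
    // Without this, routes learned from the hub's VPN/ExpressRoute gateway would be propagated
    // into the spoke and let traffic to on-premises bypass the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Attach the route table. This is a full PUT of the subnet: the prefix and any existing NSG or delegation must be restated.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: spokeVnet
  name: 'snet-app'
  properties: {
    addressPrefix: '10.1.1.0/24' // assumed; must equal the subnet's current prefix
    routeTable: { id: spokeRoutes.id }
  }
}
```

This covers one spoke subnet only; for the return direction, the GatewaySubnet in the hub and every other spoke subnet need their own route tables pointing at the firewall, otherwise replies and on-premises-initiated flows take an uninspected path.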
Integration with Microsoft Defender for Cloud
Microsoft Defender for Cloud assesses Azure Firewall configuration against CIS Benchmarks and Microsoft security baselines. Recommendations surface when threat intelligence is in Alert-only mode, when logging is not configured, or when firewall policies have overly permissive rules. Azure Firewall logs integrate with Log Analytics workspaces and can be forwarded to Microsoft Sentinel for SIEM correlation.
Logging and Monitoring
Azure Firewall generates structured logs for application rules, network rules, threat intelligence hits, DNS queries, and IDPS events (Premium). Configure diagnostic settings to route logs to a Log Analytics workspace. Key queries for operational monitoring:
- Top denied destinations — identify blocked outbound attempts
- Threat intelligence hits — track malicious IP/domain contacts
- Application rule hits — validate that FQDN allow-lists are correctly scoped
- DNAT events — track inbound traffic hitting DNAT rules
Cost Considerations
Azure Firewall pricing has two components: a fixed hourly deployment cost and a data processing charge per GB. For small deployments processing modest traffic volumes, the fixed deployment cost dominates. Azure Firewall Basic is significantly cheaper than Standard — appropriate for dev/test or low-risk workloads. For production environments with compliance requirements, Standard’s threat intelligence integration justifies the additional cost.
Cost optimization: Stop (deallocate) Azure Firewall during non-business hours for non-production environments — the firewall retains its configuration and restarts in minutes when needed.
Conclusion: Cloud-Native Network Security Without Appliance Overhead
Azure Firewall eliminates the operational burden of managing physical or virtual firewall appliances while delivering enterprise-grade network security for Azure workloads. For Berlin SMBs running business-critical workloads in Azure, it’s the correct network security control — scalable, integrated with Microsoft threat intelligence, and manageable through Azure Policy and Firewall Policy without per-device configuration.
IT Experts Berlin designs and implements Azure Firewall deployments for small and medium businesses, including hub-and-spoke architecture, policy design, and Sentinel integration. Reach out to discuss your Azure network security requirements.
Related Articles
- Microsoft Defender for Cloud: Azure Firewall pairs with Defender for Cloud for complete Azure workload protection — Defender surfaces misconfigured firewall policies while Azure Firewall enforces network-layer controls
- Microsoft Sentinel: Forward Azure Firewall logs to Sentinel via Log Analytics — correlate threat intelligence hits and denied traffic patterns with identity and endpoint events for complete incident timelines
- Azure Virtual Desktop: Route AVD session traffic through Azure Firewall — enforce FQDN allow-lists for permitted destinations and inspect outbound connections from session hosts for DLP and compliance
