Blog Covering Network Security Insights and Solutions Provided by Microsoft's Azure Team
Azure Firewall, a robust security solution, has introduced a new Draft and Deploy feature for its policy management. This feature streamlines the administration of firewall policies, allowing for careful review and testing of configurations before enforcement.
To create a draft, users can navigate to the Firewall policy resource via the Azure portal, select "Draft + Deployment" under "Policy management", and click "Create draft". However, draft creation may fail if an existing draft is already present.
In the Draft phase, users can clone the active policy, make and review changes, collaborate with peers, and iterate until the draft meets requirements. Drafts are snapshots of the applied policy at the time of draft creation; changes to the live policy afterward are not auto-reflected. Only one draft per policy is allowed at a time.
The Draft and Deploy feature decouples editing from deployment, with a two-phase model: Draft phase and Deploy phase. In the Deploy phase, users validate the draft and deploy the changes in a single, atomic operation that replaces the active policy. If deployment succeeds but no visible changes are made, the draft may be missing the latest edits.
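Two consequences of the model above are worth checking before deploying: a draft is a snapshot, so edits made to the live policy after draft creation are silently discarded when the draft replaces it, and a draft that still equals its snapshot deploys as a no-op. The following pre-deployment check is an added example, not code from the original post or from Azure; it assumes a simplified, constructed policy shape (rule collection group name to list of rules, not the ARM schema) that you would fill from your own exported policy JSON.

```python
import json
from typing import Dict, List, Tuple

# Simplified, constructed shape: RCG name -> list of rule dicts (not the ARM schema).
Policy = Dict[str, List[dict]]

def _canonical(rules: List[dict]) -> str:
    # Deterministic, order-independent encoding so that rule order and dict
    # key order do not register as a change.
    return json.dumps(sorted(json.dumps(r, sort_keys=True) for r in rules))

def diff_policies(old: Policy, new: Policy) -> Dict[str, List[str]]:
    """Names of rule collection groups added, removed or changed from old to new."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in common if _canonical(old[n]) != _canonical(new[n])),
    }

def has_changes(diff: Dict[str, List[str]]) -> bool:
    return any(diff.values())

def predeploy_check(snapshot: Policy, draft: Policy, live: Policy) -> Tuple[bool, List[str]]:
    """snapshot: active policy as cloned at draft creation; draft: the edited
    draft; live: the active policy right now. Returns (ok, findings)."""
    findings = []
    if not has_changes(diff_policies(snapshot, draft)):
        findings.append("draft equals its snapshot: deployment would change nothing "
                        "(latest edits may not have been saved to the draft)")
    drift = diff_policies(snapshot, live)
    if has_changes(drift):
        findings.append("live policy changed after the draft was taken; deploying "
                        f"replaces the whole policy and would discard: {drift}")
    return (not findings, findings)

# Constructed sample data for the demonstration.
SNAPSHOT: Policy = {"DefaultNetworkRuleCollectionGroup": [
    {"name": "allow-dns", "protocols": ["UDP"], "destinationPorts": ["53"], "action": "Allow"}]}
DRAFT: Policy = {"DefaultNetworkRuleCollectionGroup": [
    {"name": "allow-dns", "protocols": ["UDP"], "destinationPorts": ["53"], "action": "Allow"},
    {"name": "allow-ntp", "protocols": ["UDP"], "destinationPorts": ["123"], "action": "Allow"}]}
LIVE_DRIFTED: Policy = {"DefaultNetworkRuleCollectionGroup": [
    {"name": "allow-dns", "protocols": ["UDP"], "destinationPorts": ["53"], "action": "Allow"}],
    "hotfix-rcg": [{"name": "deny-smb", "protocols": ["TCP"], "destinationPorts": ["445"], "action": "Deny"}]}

if __name__ == "__main__":
    ok, notes = predeploy_check(SNAPSHOT, DRAFT, LIVE_DRIFTED)
    print("safe to deploy" if ok else "\n".join(notes))
```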
This feature enhances enterprise security by enabling controlled, staged updates to firewall rules and policies, minimizing the risk of accidental disruptions or security gaps during policy changes. Because Azure Firewall Policies are global resources that can be linked to multiple firewalls, the draft and deploy mechanism supports consistent policy application, simplifies managing multiple firewalls, and improves rollback capability if needed.
Azure Firewall offers robust security capabilities, including stateful packet inspection, advanced threat prevention, autoscaling, and centralized policy enforcement. The feature supports Standard and Premium SKUs, but policies with classic rules are not supported.
However, users should be aware of potential issues. An error "RGCA creation failed" can occur due to an outdated or misconfigured CLI extension. Commit validation errors can occur due to unsupported or invalid rule types, such as nested RCGs or invalid protocols. Creating new Rule Collection Groups within a draft is not supported; add RCGs directly to the live policy first. PowerShell/REST API draft creation can fail due to invalid API parameters.
The CLI covers the full draft lifecycle with commands for creating, listing, updating, deploying, and deleting drafts. Azure Firewall Draft and Deploy is currently in preview and is designed exclusively for Azure Firewall policies.
In summary, Azure Firewall's Draft and Deploy capability simplifies administration by supporting safe, centralized policy editing and controlled rollout across firewalls, thereby improving security posture through consistency, validation, and reduced configuration errors.
The Draft and Deploy feature builds on the Azure platform's cloud infrastructure to provide a safe, centralized editing experience for firewall policy management, ensuring consistent policy application across firewalls and reducing configuration errors.