Illumio for Microsoft Azure Firewall Brings Benefits of Zero Trust Segmentation to Azure Firewall
Illumio collaborated with Microsoft to add microsegmentation support for Microsoft Azure Firewall, which is now in Public Preview. You can sign up for the Public Preview by emailing [email protected] or via the Azure Marketplace listing.
Illumio for Azure Firewall helps Azure customers enforce Zero Trust Segmentation and go beyond network and application filtering. It helps the firewall operations teams understand rules with rich context of the resources they are protecting. With rich context, administrators can easily determine which resource is secured by the rule, who owns it, and perform rule lifecycle management more confidently.
With Illumio for Azure Firewall, you can:
- Use Azure resource tags to define firewall rules: Policy is easier to define, easier to understand, and security remains consistent even as resources come and go
- Improve your understanding of how resources are communicating: Enriching Azure Firewall flow logs with resource tags to build a dependency map provides a clear picture of how resources interact
- Safely test Azure Firewall rules before deploying: The wrong policy can leave you over-exposed or break a critical application, so the ability to validate the effect of new rules prior to deployment reduces these risks
Simplifying Zero Trust Segmentation using Illumio for Azure Firewall
Illumio for Azure Firewall uses the Azure cloud platform to secure connectivity between resources across your Azure virtual networks and at your Azure perimeter.
"Illumio for Azure Firewall is a modern and efficient approach to traditional firewall management. It brings native public cloud metadata into rule management. Traffic visualization now informs traffic management, and this might change the way we operate so that we open only required and more specific ports for designated traffic."
– Markus Lintuala and Mika Vilpo, Elisa
Reference resources without depending on the underlying infrastructure
While IP addresses and hostnames are important properties of a network's infrastructure and are used to apply firewall policy, they have limited relevance in the cloud, especially because the ephemeral and dynamic nature of many cloud resources causes them to change constantly.
Illumio for Azure Firewall integrates with the Azure Resource Manager to ingest Azure resources and their tags. Resources are mapped to workloads in Illumio for Azure Firewall, and their tags are mapped to respective labels associated with each workload. This ensures that there is a one-to-one mapping between the representation of a resource and its metadata in Azure and its associated workload and labels in Illumio.
Using this context-based approach, customers can leverage the insights they now have to build the most appropriate, least-privilege security policy to protect their Azure resources. Illumio for Azure Firewall allows the security rules on the Azure Firewall to be constructed using the same context that informs and enriches the flow data.
Representing firewall rules in the context of the resources they are protecting makes it much easier to understand rules. By doing so, customers will significantly improve the policy life cycle management process. This, in turn, simplifies conversations around ownership, relevance, and validity.
To be truly useful, the security policy itself must also adapt to ensure that at any point in time access is granted to only those resources that match the context specified in the rule. This requirement for adaptive policy is one that Illumio has solved for customers with its data center and endpoint products for years and now brings to Azure Firewall – the context-based policy is dynamic in nature, just like your Azure deployment, constantly adapting to accommodate the changes in your resources and their context.
Simulate security policy – don’t break applications
With context-based visibility and security policy, two of the key pillars of achieving a Zero Trust posture are in place. But often organizations struggle to apply least-privilege policy because they are concerned about breaking critical applications.
Illumio for Azure Firewall has this covered.
Through its draft policy mode, security teams can validate the outcome of their security policies before moving them to full enforcement. Simulation mode lets users evaluate actual traffic flowing through the firewall and see which flows would have been blocked under enforcement and which would have been allowed by the policy.
This simulation mode analysis lets customers achieve a safe, predictable way to constantly improve their security posture by:
- Highlighting previously unknown or forgotten connections
- Identifying potentially missed policy
- Enabling a review of policy to confirm that an application will not break with policy enforcement
And once you’re confident in the policy, you can deploy it to your Azure Firewalls directly from the Illumio for Azure Firewall console and feel confident that you have taken another step on your Zero Trust journey.
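To make the idea of label-based rules and draft-policy simulation concrete, here is a small added illustration; it is not Illumio's or Azure's code or API. The inventory, rule shape, flow tuples and verdict names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: resource IP -> tags, standing in for ingested labels.
INVENTORY = {
    "10.1.0.4": {"app": "payments", "role": "web", "env": "prod"},
    "10.1.1.5": {"app": "payments", "role": "db", "env": "prod"},
    "10.2.0.7": {"app": "reporting", "role": "web", "env": "dev"},
}

@dataclass
class Rule:
    src: dict          # labels the source must carry
    dst: dict          # labels the destination must carry
    port: int
    proto: str = "TCP"

# Draft least-privilege policy: only payments web may reach payments db on 5432.
DRAFT_POLICY = [
    Rule({"app": "payments", "role": "web"}, {"app": "payments", "role": "db"}, 5432),
]

# Constructed flow records: (source IP, destination IP, port, protocol).
FLOWS = [
    ("10.1.0.4", "10.1.1.5", 5432, "TCP"),    # intended application traffic
    ("10.2.0.7", "10.1.1.5", 5432, "TCP"),    # forgotten cross-app dependency
    ("10.1.0.4", "10.1.1.5", 22, "TCP"),      # admin access with no rule
    ("203.0.113.9", "10.1.0.4", 443, "TCP"),  # source not in the inventory
]

def matches(labels, selector):
    """True if a resource's labels satisfy every key/value in the selector."""
    return labels is not None and all(labels.get(k) == v for k, v in selector.items())

def resolve(selector, inventory):
    """IPs that currently match a selector; changes as the inventory changes."""
    return sorted(ip for ip, labels in inventory.items() if matches(labels, selector))

def simulate(flows, policy, inventory):
    """Label each observed flow with the verdict the draft policy would give."""
    report = []
    for src, dst, port, proto in flows:
        s, d = inventory.get(src), inventory.get(dst)
        ok = any(matches(s, r.src) and matches(d, r.dst)
                 and port == r.port and proto == r.proto for r in policy)
        report.append((src, dst, port, proto, "allow" if ok else "would-block"))
    return report

if __name__ == "__main__":
    for row in simulate(FLOWS, DRAFT_POLICY, INVENTORY):
        print(row)
```

The "would-block" rows are the ones to review before enforcement: each is either a missing rule or traffic that should not exist.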
Easily enforce Zero Trust security on any Azure Firewall
By bringing capabilities to Azure Firewall, Illumio:
- Simplifies visibility of any communication across your Azure Firewall environment
- Eases authoring of security rules that automatically adapt with your Azure deployment
- Ensures safe and simple policy simulation to expose the effect of rules before they’re enforced
- Enables achievement and maintenance of least-privilege access on the Azure Firewall
“We are excited to see Illumio for Azure Firewall reach Public Preview. The product provides a huge productivity boost and enables us to achieve Zero Trust firewall policy quickly, easily, and at scale.”
— Robert Smit, Azure MVP