Microsoft tries a deeper dive into Azure Firewall traffic
If the flow slows, you need to know why
Microsoft is updating Azure Firewall to give admins a better idea what is happening when traffic in the cloud slows or shows atypical behavior.
The latest features – Latency Probe metric, Flow Trace logs, and Top Flows logs – have been released in preview and are aimed at improving the Azure firewall-as-a-service's ability to let admins know why the level of performance in the cloud is fluctuating, according to Shabaz Shaik, product manager II for cloud security engineering and Azure network security at Microsoft.
Azure Firewall sits between the application server and end user, keeping an eye on application traffic and ensuring security policies for the traffic are enforced, Shaik wrote. Given that Microsoft is the world's second-largest cloud service provider behind Amazon Web Services, there is a lot of traffic that runs through Azure's firewalls.
"In case of any latency or disconnection to the application, the firewall acts as a great point to look at this traffic and troubleshoot the root cause," he wrote. "Azure Firewall now offers new logging and metric enhancements designed to increase visibility and provide more insights into the traffic processed by the firewall."
A key indicator of network health is how fast traffic is moving, so monitoring latency is key to sussing out problems in the service, he said. The Latency Probe metric is based on Pingmesh technology, which measures and analyzes network interactions in large datacenters.
Using Pingmesh, the Latency Probe metric measures the average latency of the firewall itself – which Shaik wrote is on average about 1 ms, though it varies based on the deployment size and environment – and not the end-to-end latency of individual packets.
"If Azure Firewall is experiencing latency, it could be due to various reasons such as high CPU utilization, traffic throughput, or networking issues," Shaik wrote.
Azure Firewall also logs the various traffic types, including network, application, and threat intelligence. However, right now the logs record only the first packet of a TCP connection attempt – the SYN – and not the rest of the handshake. They don't show every packet that passes through the firewall, nor problems such as dropped packets or traffic taking asymmetric routes.
That's where Flow Trace logs come in, Shaik wrote. Asymmetric routes can be caused by errors such as entering a wrong command in the firewall path. Admins can look at the network logs for the first SYN packet and then enable Flow Trace to see further flags for verification, such as SYN-ACK, FIN, RST, and INVALID.
"By adding these additional flags in Flow Trace logs, IT administrators can now see the return packet if there was a failed connection or an unrecognized packet," he wrote.
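To make the difference concrete, here is an added example (not code from the article or from Microsoft) that classifies TCP connection outcomes from flow-trace-style records. The record layout and the sample records are constructed for illustration and are not the real Azure Firewall log schema; the outcome labels are this example's own heuristics, based on which flags the firewall saw for each connection.

```python
"""Classify TCP connection outcomes from flow-trace-style records.

Constructed example: the record layout below is a simplified stand-in for the
preview Flow Trace log, not the real schema. With only the SYN logged you can
see that a client tried to connect; with SYN-ACK, FIN, RST and INVALID logged
you can tell a completed handshake from a refused or half-open one.
"""
from collections import defaultdict

# Constructed sample records: timestamp, five-tuple, TCP flag observed.
SAMPLE_FLOW_TRACE = [
    {"ts": 1, "src": "10.0.1.4", "sport": 51000, "dst": "10.0.2.10", "dport": 443, "flag": "SYN"},
    {"ts": 2, "src": "10.0.2.10", "sport": 443, "dst": "10.0.1.4", "dport": 51000, "flag": "SYN-ACK"},
    {"ts": 9, "src": "10.0.1.4", "sport": 51000, "dst": "10.0.2.10", "dport": 443, "flag": "FIN"},
    {"ts": 3, "src": "10.0.1.4", "sport": 51001, "dst": "10.0.2.11", "dport": 22, "flag": "SYN"},
    {"ts": 3, "src": "10.0.2.11", "sport": 22, "dst": "10.0.1.4", "dport": 51001, "flag": "RST"},
    {"ts": 4, "src": "10.0.1.4", "sport": 51002, "dst": "10.0.2.12", "dport": 8080, "flag": "SYN"},
    {"ts": 5, "src": "10.0.3.7", "sport": 3389, "dst": "10.0.1.9", "dport": 52000, "flag": "INVALID"},
]


def flow_key(rec):
    """Map both directions of a connection to one direction-independent key.

    A SYN and the SYN-ACK that answers it have swapped endpoints; taking the
    lexicographically smaller ordering makes them land on the same key.
    """
    fwd = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
    rev = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
    return min(fwd, rev)


def classify_flows(records):
    """Return {connection_key: outcome} using the set of flags seen per connection."""
    flags = defaultdict(set)
    for rec in sorted(records, key=lambda r: r["ts"]):
        flags[flow_key(rec)].add(rec["flag"])

    outcomes = {}
    for key, seen in flags.items():
        if "INVALID" in seen:
            # A packet the firewall could not match to a known connection; the
            # article names asymmetric routing as a typical cause.
            outcome = "invalid-unmatched"
        elif "RST" in seen and "SYN-ACK" not in seen:
            outcome = "refused"          # server answered the SYN with a reset
        elif "SYN-ACK" in seen:
            outcome = "closed" if "FIN" in seen else "established"
        elif "SYN" in seen:
            outcome = "half-open"        # SYN with no reply: dropped or blackholed
        else:
            outcome = "unknown"
        outcomes[key] = outcome
    return outcomes


def summarize(records):
    """Count connections per outcome, the view an admin wants first."""
    counts = defaultdict(int)
    for outcome in classify_flows(records).values():
        counts[outcome] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, outcome in classify_flows(SAMPLE_FLOW_TRACE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {outcome}")
    print(summarize(SAMPLE_FLOW_TRACE))
```

The half-open and invalid-unmatched buckets are the ones worth alerting on: the first is a connection the firewall forwarded but never saw answered, the second a packet it could not associate with any connection it had seen, which is the signature you would expect when the return path bypasses the firewall.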
The Top Flows feature comes at this from a slightly different angle. Azure Firewall Standard can process up to 30Gb/s and Azure Firewall Premium up to 100Gb/s of network traffic. Even so, individual flows can be heavy, because of packet size or connection duration, and a heavy flow can have a knock-on effect on other flows and on the firewall's own processing.
The Top Flows log – also known as Fat Flows – can show IT admins what is driving the highest bandwidth through the firewall. It identifies the top traffic flows passing through the firewall and traffic-related anomalies, giving admins the information they need to decide whether the traffic should be allowed or denied.
Shaik cautioned that running Top Flows can eat up a lot of CPU power, recommending that organizations use the feature for specific issues and for no longer than a week at a time.
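The ranking that Top Flows performs on the firewall can be illustrated offline. The following is an added example, not code from the article or from Microsoft; the byte counts and five-tuples are constructed, the record layout is this example's own rather than the Top Flows log schema, and the 50 per cent "dominant flow" threshold is an assumed value an admin would tune.

```python
"""Rank flow records by bytes to find the 'fat flows' hogging a firewall.

Constructed example, not the Top Flows log schema. Each sample is a byte count
observed for (source, destination, destination port, protocol) in one sampling
interval; the same flow can appear in several intervals and is summed.
"""
from collections import defaultdict

# Constructed sample records: src, dst, dport, protocol, bytes in the interval.
SAMPLE_FLOW_BYTES = [
    ("10.0.1.4", "10.0.2.10", 443, "TCP", 120_000_000),
    ("10.0.1.4", "10.0.2.10", 443, "TCP", 130_000_000),
    ("10.0.1.5", "203.0.113.9", 443, "TCP", 40_000_000),
    ("10.0.1.6", "10.0.2.20", 5432, "TCP", 8_000_000),
    ("10.0.1.7", "198.51.100.3", 53, "UDP", 200_000),
]


def aggregate_flows(samples):
    """Sum bytes per flow across all sampling intervals."""
    totals = defaultdict(int)
    for src, dst, dport, proto, nbytes in samples:
        totals[(src, dst, dport, proto)] += nbytes
    return dict(totals)


def top_flows(samples, n=3):
    """Return the n heaviest flows as (flow, total_bytes), heaviest first."""
    totals = aggregate_flows(samples)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def dominant_flows(samples, share=0.5):
    """Flows consuming at least `share` of all bytes in the window.

    A single flow taking half the firewall's traffic is the 'domino effect'
    case: it is the one to review for an allow/deny decision.
    """
    totals = aggregate_flows(samples)
    grand = sum(totals.values())
    if grand == 0:
        return []
    return [flow for flow, nbytes in totals.items() if nbytes / grand >= share]


def capacity_utilization(samples, window_seconds, capacity_gbps):
    """Fraction of the stated firewall capacity the window's traffic represents.

    Assumed inputs: a window length in seconds and the SKU's throughput figure
    (30 for Standard, 100 for Premium, per the article).
    """
    total_bits = sum(nbytes for *_, nbytes in samples) * 8
    observed_gbps = total_bits / window_seconds / 1e9
    return observed_gbps / capacity_gbps


if __name__ == "__main__":
    for flow, nbytes in top_flows(SAMPLE_FLOW_BYTES, n=3):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}: {nbytes / 1e6:.1f} MB")
    print("dominant:", dominant_flows(SAMPLE_FLOW_BYTES))
    print(f"utilization: {capacity_utilization(SAMPLE_FLOW_BYTES, 60, 30):.4%}")
```

Because the real feature does this aggregation on the firewall itself, the CPU cost Shaik warns about scales with the number of active flows; running the same ranking over exported samples, as here, moves that cost off the data path when all you need is a one-off look.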
The new Azure Firewall features come as Microsoft looks to give admins running other tools more metrics for identifying and addressing security and other problems. They follow a few days after Redmond unveiled a new dashboard to simplify accessing and analyzing threat intelligence data, giving security admins the data to make more informed security decisions. ®