You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/firewall/firewall-best-practices.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: conceptual
8
-
ms.date: 11/16/2023
8
+
ms.date: 11/17/2023
9
9
ms.author: victorh
10
10
---
11
11
@@ -17,7 +17,7 @@ To maximize the [performance](firewall-performance.md) of your Azure Firewall an
17
17
18
18
-**Exceeding rule limitations**
19
19
20
-
If you exceed limitations, such as using over 20,000 unique source/destination combinations in rules, can affect firewall traffic processing and cause latency. Even though this is a soft limit, if you surpass this value it can affect overall firewall performance. For more information, see the [documented limits](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).
20
+
If you exceed limitations, such as using over 20,000 unique source/destination combinations in rules, it can affect firewall traffic processing and cause latency. Even though this is a soft limit, if you surpass this value it can affect overall firewall performance. For more information, see the [documented limits](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).
21
21
22
22
-**High traffic throughput**
23
23
@@ -39,16 +39,16 @@ To maximize the [performance](firewall-performance.md) of your Azure Firewall an
39
39
- Use [IP Groups](ip-groups.md) or IP prefixes to reduce the number of IP table rules.
40
40
- Prioritize rules with the highest number of hits.
41
41
- Ensure that you are within the following [rule limitations](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).
42
-
-**Use or migrate to Azure Firewall Premium version**
43
-
-The Azure Firewall Premium version uses advanced hardware and offers a higher-performing underlying engine.
42
+
-**Use or migrate to Azure Firewall Premium**
43
+
- Azure Firewall Premium uses advanced hardware and offers a higher-performing underlying engine.
44
44
- Best for heavier workloads and higher traffic volumes.
45
45
- It also includes built-in accelerated networking software, which can achieve throughput of up to 100 Gbps, unlike the Standard version.
46
46
-**Add multiple public IP addresses to the firewall to prevent SNAT port exhaustion**
47
47
- To prevent SNAT port exhaustion, consider adding multiple public IP addresses (PIPs) to your firewall. Azure Firewall provides [2,496 SNAT ports per each additional PIP](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).
48
48
- If you prefer not to add more PIPs, you can add an Azure NAT Gateway to scale SNAT port usage. This provides advanced SNAT port allocation capabilities.
49
49
-**Start with IDPS Alert mode before you enable Alert + Deny mode**
50
-
- While the Alert + Deny mode offers enhanced security by blocking suspicious traffic, it can also introduce more processing overhead. If you disable this mode, you might observe performance improvement, especially in scenarios where the firewall is primarily used for routing and not deep packet inspection.
51
-
- It's essential to remember that traffic through the firewall is denied by default until you explicitly configure *allow* rules. Therefore, even when IDPS Alert + Deny mode is disabled, your network remains protected, and only explicitly permitted traffic is allowed to pass through the firewall. It can be a strategic choice to disable this mode to optimize performance without compromising the core security features provided by the Azure Firewall.
50
+
- While the *Alert + Deny* mode offers enhanced security by blocking suspicious traffic, it can also introduce more processing overhead. If you disable this mode, you might observe performance improvement, especially in scenarios where the firewall is primarily used for routing and not deep packet inspection.
51
+
- It's essential to remember that traffic through the firewall is denied by default until you explicitly configure *allow* rules. Therefore, even when IDPS *Alert + Deny* mode is disabled, your network remains protected, and only explicitly permitted traffic is allowed to pass through the firewall. It can be a strategic choice to disable this mode to optimize performance without compromising the core security features provided by the Azure Firewall.
52
52
53
53
## Testing and monitoring
54
54
@@ -65,9 +65,9 @@ Use the following best practices for testing and monitoring:
65
65
-**Measure data processed**
66
66
- Keep track of the *data processed* metric to assess the volume of data processed by the firewall.
67
67
-**Identify rule hits and performance spikes**
68
-
- Look for spikes in network performance or latency. Correlate rule hit timestamps, such as application rules hit count and network rules hit count, to determine if rule processing is a significant factor contributing to performance or latency issues. By analyzing these patterns, you can identify specific rules or configurations that might need optimization.
68
+
- Look for spikes in network performance or latency. Correlate rule hit timestamps, such as application rules hit count and network rules hit count, to determine if rule processing is a significant factor contributing to performance or latency issues. By analyzing these patterns, you can identify specific rules or configurations that you might need to optimize.
69
69
-**Add alerts to key metrics**
70
-
- In addition to regular monitoring, it's crucial to set up alerts for key firewall metrics. This ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](logs-and-metrics.md#alert-on-azure-firewall-metrics) for detailed instructions on setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.
70
+
- In addition to regular monitoring, it's crucial to set up alerts for key firewall metrics. This ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](logs-and-metrics.md#alert-on-azure-firewall-metrics) for detailed instructions about setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.
0 commit comments