|
1 | 1 | --- |
2 | | -title: Long running TCP sessions with Azure Firewall |
3 | | -description: There are few scenarios where Azure Firewall can potentially drop long running TCP sessions. |
| 2 | +title: TCP Idle Timeout Behavior and Long-Running TCP Sessions in Azure Firewall |
| 3 | +description: TCP Idle Timeout Behavior and there are few scenarios where Azure Firewall can potentially drop long running TCP sessions. |
4 | 4 | services: firewall |
5 | | -author: vhorne |
| 5 | +author: sujamiya |
6 | 6 | ms.service: azure-firewall |
7 | 7 | ms.topic: concept-article |
8 | | -ms.date: 01/04/2023 |
9 | | -ms.author: victorh |
| 8 | +ms.date: 02/14/2025 |
| 9 | +ms.author: duau |
10 | 10 | --- |
11 | 11 |
|
12 | | -# Long running TCP sessions with Azure Firewall |
| 12 | +# TCP idle timeout behavior and long-running TCP sessions in Azure Firewall |
13 | 13 |
|
14 | | -Azure Firewall is designed to be available and redundant. Every effort is made to avoid service disruptions. However, there are few scenarios where Azure Firewall can potentially drop long running TCP sessions. |
| 14 | +This document outlines the TCP idle timeout settings and the behavior of long-running sessions in Azure Firewall. Understanding these concepts is crucial for maintaining network security, optimizing firewall resources, and ensuring uninterrupted connectivity for critical applications. |
15 | 15 |
|
16 | | -## Scenarios that affect long running TCP sessions |
| 16 | +## TCP Idle Timeout |
| 17 | + |
| 18 | +### What is TCP Idle Timeout? |
| 19 | + |
| 20 | +TCP (Transmission Control Protocol) idle timeout determines how long a connection can remain inactive before the firewall terminates it. This setting helps ensure firewall resources aren't wasted on inactive connections and maintains overall network performance. |
| 21 | + |
| 22 | +### Why is TCP Idle Timeout Important? |
| 23 | + |
| 24 | +Proper idle timeout configuration can: |
| 25 | + |
| 26 | +- **Optimize Azure Firewall usage**: Frees memory and CPU by closing inactive connections. |
| 27 | +- **Mitigate DDoS risks**: Reduces vulnerability to attacks exploiting persistent idle connections. |
| 28 | +- **Enhance network performance**: Reduces latency and improves throughput by managing idle connections effectively. |
| 29 | + |
| 30 | +### TCP Idle Timeout Settings in Azure Firewall |
| 31 | + |
| 32 | +**Default Behavior**: |
| 33 | + |
| 34 | +- **North-South Traffic (Internet-bound traffic)**: The default TCP idle timeout is **4 minutes** designed to balance resource efficiency and the need to maintain active connections. |
| 35 | +- **East-West Traffic (Internal traffic such as spoke-to-spoke or on-premise connections)**: No idle timeout is enforced. |
| 36 | + |
| 37 | +**Customizing Idle Timeout**: |
| 38 | + |
| 39 | +- **For North-South traffic**, the TCP idle timeout can be configured between 4 and 15 minutes. |
| 40 | +- **For East-West traffic**, the TCP idle timeout can't be customized. However, customization options for the East-West traffic idle timeout are planned in a future release. |
| 41 | + |
| 42 | +To customize the TCP idle timeout, customers must submit a support request via Azure Support, since direct configuration through the Azure portal isn't available. |
| 43 | + |
| 44 | +## Long-Running TCP Sessions in Azure Firewall |
| 45 | + |
| 46 | +### What are Long-Running TCP Sessions? |
| 47 | + |
| 48 | +Long-running sessions refer to TCP connections that persist over an extended period, often used in applications like SSH, RDP, VPN tunnels, or database connections. These sessions need specific configurations to prevent premature disconnection. |
| 49 | + |
| 50 | +Azure Firewall is designed to be available and redundant. Every effort is made to avoid service disruptions. However, there are few scenarios where Azure Firewall can potentially drop long running TCP sessions. |
| 51 | + |
| 52 | +### Scenarios that affect long running TCP sessions |
17 | 53 |
|
18 | 54 | The following scenarios can potentially drop long running TCP sessions: |
| 55 | + |
19 | 56 | - Scale in |
20 | 57 | - Firewall maintenance |
21 | 58 | - Idle timeout |
22 | | -- Auto-recovery |
| 59 | +- Autorecovery |
23 | 60 |
|
24 | | -### Scale in |
| 61 | +### Scale-in |
25 | 62 |
|
26 | | -Azure Firewall scales in/out based on throughput and CPU usage. Scale in is performed by putting the VM instance in drain mode for 90 seconds before recycling the VM instance. Any long running connections remaining on the VM instance after 90 seconds are disconnected. |
| 63 | +Azure Firewall scales in/out based on throughput and CPU usage. Scale-in is performed by putting the underlying Azure Firewall instance in drain mode for 90 seconds before recycling the instance. Any long running connections remaining on the instance after 90 seconds are disconnected. |
27 | 64 |
|
28 | 65 | ### Firewall maintenance |
29 | 66 |
|
30 | | -The Azure Firewall engineering team updates the firewall on an as-needed basis (usually every month), generally during night time hours in the local time-zone for that region. Updates include security patches, bug fixes, and new feature roll outs that are applied by configuring the firewall in a [rolling update mode](https://blog.itaysk.com/2017/11/20/deployment-strategies-defined#rolling-upgrade). The firewall instances are put in a drain mode before reimaging them to give short-lived sessions time to drain. Long running sessions remaining on an instance after the drain period are dropped during the restart. |
| 67 | +The Azure Firewall engineering team updates the firewall on an as-needed basis (usually every month), generally during night time hours in the local time-zone for that region. Updates include security patches, bug fixes, and new feature roll outs that are applied by configuring the firewall in a [rolling update mode](https://blog.itaysk.com/2017/11/20/deployment-strategies-defined#rolling-upgrade). The firewall instances are put in a drain mode before reimaging them to give short-lived sessions time to drain. Long running sessions remaining on an instance after the drain period are dropped during the restart. |
31 | 68 |
|
32 | 69 | ### Idle timeout |
33 | 70 |
|
34 | | -An idle timer is in place to recycle idle sessions. The default value is four minutes for east-west connections and can't be changed. Applications that maintain keepalives don't idle out. |
| 71 | +An idle timer is in place to recycle idle sessions. As shared in the Customizing TCP Idle Timeout section, you can configure the TCP idle timeout for North-South traffic via a support request. Ensuring proper keep-alive mechanisms are in place can help maintain long-running connections. |
| 72 | + |
| 73 | +### Autorecovery |
| 74 | + |
| 75 | +Azure Firewall constantly monitors the underlying instances and recovers them automatically in case any instance goes unresponsive. In general, there's a one in 100 chance for a firewall instance to be autorecovered over a 30 day period. |
| 76 | + |
| 77 | +## Applications sensitive to TCP session reset |
35 | 78 |
|
36 | | -For north-south connections that need more than 4 minutes (typical of IOT devices), you can contact support to extend the connection timeout up to 15 minutes in the backend. |
| 79 | +Session disconnection isn’t an issue for resilient applications that can handle session reset gracefully. However, there are a few applications (like traditional SAP GUI and SAP RFC(Remote Function Call) based apps) which are sensitive to sessions resets. Secure sensitive applications with Network Security Groups (NSGs). |
37 | 80 |
|
38 | | -### Auto-recovery |
| 81 | +### Network security groups |
39 | 82 |
|
40 | | -Azure Firewall constantly monitors VM instances and recovers them automatically in case any instance goes unresponsive. In general, there's a 1 in 100 chance for a firewall instance to be auto-recovered over a 30 day period. |
| 83 | +You can deploy [network security groups (NSGs)](../virtual-network/virtual-network-vnet-plan-design-arm.md#security) to protect against unsolicited traffic into Azure subnets. |
41 | 84 |
|
42 | | -## Applications sensitive to TCP session resets |
| 85 | +Network security groups are simple, stateful packet inspection devices that use the five-tuple approach to create allow/deny rules for network traffic. |
43 | 86 |
|
44 | | -Session disconnection isn’t an issue for resilient applications that can handle session reset gracefully. However, there are a few applications (like traditional SAP GUI and SAP RFC based apps) which are sensitive to sessions resets. Secure sensitive applications with Network Security Groups (NSGs). |
| 87 | +You can: |
45 | 88 |
|
46 | | -## Network security groups |
| 89 | +- Allow or deny traffic to and from a single IP address, multiple IP addresses, or entire subnets. |
| 90 | +- Use NSG flow logs to audit IP traffic flowing through an NSG. |
47 | 91 |
|
48 | | -You can deploy [network security groups (NSGs)](../virtual-network/virtual-network-vnet-plan-design-arm.md#security) to protect against unsolicited traffic into Azure subnets. Network security groups are simple, stateful packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets. NSG flow logs help with auditing by logging information about IP traffic flowing through an NSG. To learn more about NSG flow logging, see [Introduction to flow logging for network security groups](../network-watcher/network-watcher-nsg-flow-logging-overview.md). |
| 92 | +To learn more about NSG flow logging, see [Introduction to flow logging for network security groups](../network-watcher/network-watcher-nsg-flow-logging-overview.md). |
49 | 93 |
|
50 | 94 | ## Next steps |
51 | 95 |
|
|
0 commit comments