Close on the heels of AWS announcing its Network Firewall in November 2020 came Azure, with its Azure Firewall Premium offering, in public preview from February 2021. In a previous post, I had written about the IaaS firewalls and how they stand up against Next-Gen Firewalls from the traditional security vendors. Now that the two biggest IaaS providers have made their foray into the NGFW-as-a-service space, let's take a look at how they compare against each other.
All firewalls deployed in the public cloud will address the following scenarios:
- East-West protection: Securing workloads deployed in different VPCs/VNets from traffic originating within the organization is one of the most common use cases. When the deployment spans clouds, private and public, that traffic can originate on-prem or in the cloud. Both the Azure and AWS firewalls address these scenarios.
- North-South protection: Protecting workloads from traffic originating on the Internet and, likewise, controlling access to the Internet from applications residing in VPCs or VNets is the other broad set of use cases these firewalls address.
The AWS and Azure firewalls integrate with native services offered by these providers: Transit Gateway and NAT Gateway in the case of AWS, and Application Gateway/WAF in the case of Azure. AWS, in keeping with its tradition of good documentation, has a detailed blog on the different deployment models and use cases. Azure has relied on small enhancements to its architecture content to include the Premium firewall use cases where applicable.
Azure announced support for TLS inspection, IDPS, URL filtering and filtering based on web categories with the Premium firewall. The AWS Network Firewall, on the other hand, offers domain-based web filtering, Suricata-compatible intrusion detection and prevention rules, and protocol/application identification. The key differentiators I found for the Azure firewall were support for TLS inspection and NAT. AWS does not NAT in the firewall itself and relies on service-chaining the NAT Gateway where the use case needs it. However, these are still early days for both services and it is reasonable to expect enhancements to both in the future.
Ease of Deployment
Personally, I have found that deploying infrastructure in AWS requires careful planning of the subnets, resources and the entire topology. It usually works out best to use a CloudFormation template or a Terraform script to deploy resources in AWS rather than going down the route of the GUI. Of course, a first attempt is always made on the GUI (at least for me) and that has led to multiple clicks on different screens to deploy a proof of concept. The AWS firewall promises to be more of the same: it is deployed as firewall endpoints in dedicated subnets, one per Availability Zone, and the VPC route tables have to be edited to send traffic through those endpoints, a pattern that users of the Gateway Load Balancer will recognise. The AWS documentation does come to the rescue and is much needed.
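To make the template-first point concrete, here is an added Terraform example of a minimal AWS Network Firewall deployment; it is not code from the post or from AWS. It assumes an existing VPC and one dedicated firewall subnet per Availability Zone (passed in as variables with placeholder names), and the domain names and Suricata rules are illustrative. Two stateful rule groups are attached to one policy: a domain allowlist for egress (the web-filtering feature) and a pair of Suricata-compatible rules (the IDPS feature); the firewall then gets one billed endpoint per subnet mapping.

```hcl
# Added example, not from the original post or AWS.
# Assumes an existing VPC and one firewall subnet per AZ (placeholder variables).
variable "vpc_id" {
  type = string
}

variable "firewall_subnet_ids" {
  type        = list(string)
  description = "One dedicated firewall subnet per AZ; each becomes a billed endpoint"
}

# Stateful rule group 1: egress domain allowlist (web filtering).
# Anything matched by HTTP Host or TLS SNI and not on the list is dropped.
resource "aws_networkfirewall_rule_group" "egress_allow" {
  capacity = 100
  name     = "egress-domain-allowlist"
  type     = "STATEFUL"

  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = [".amazonaws.com", "updates.example.com"] # illustrative
      }
    }
  }
}

# Stateful rule group 2: Suricata-compatible IDPS rules (illustrative signatures).
resource "aws_networkfirewall_rule_group" "idps" {
  capacity = 100
  name     = "idps-suricata"
  type     = "STATEFUL"

  rule_group {
    rules_source {
      rules_string = <<-EOT
        drop tcp any any -> any 23 (msg:"Telnet egress blocked"; sid:1000001; rev:1;)
        alert tls any any -> any any (msg:"TLS to paste site"; tls.sni; content:"pastebin"; nocase; sid:1000002; rev:1;)
      EOT
    }
  }
}

# Policy: hand every packet to the stateful engine, then apply both rule groups.
resource "aws_networkfirewall_firewall_policy" "main" {
  name = "ngfw-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.egress_allow.arn
    }

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.idps.arn
    }
  }
}

# The firewall itself: one endpoint (and one hourly charge) per subnet mapping.
resource "aws_networkfirewall_firewall" "main" {
  name                = "ngfw"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.main.arn
  vpc_id              = var.vpc_id

  dynamic "subnet_mapping" {
    for_each = toset(var.firewall_subnet_ids)
    content {
      subnet_id = subnet_mapping.value
    }
  }
}

# The endpoint IDs are what the VPC route tables must point at (0.0.0.0/0 from
# workload subnets, and the return routes from the IGW), which is the part the
# GUI route leaves you to do by hand.
output "firewall_endpoint_ids" {
  value = aws_networkfirewall_firewall.main.firewall_status[0].sync_states[*].attachment[0].endpoint_id
}
```

The example stops at creating the firewall: the route-table entries that actually steer traffic through the endpoints (and the Transit Gateway attachment for the East-West case) are separate resources, which is why the number of endpoints, and therefore the bill, follows from the topology you design.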
Once the mind has made the transition to Azure, deployment of the firewall is more intuitive and easier to follow from the documentation. I have found that transitioning between the nomenclature of different clouds is never easy, but once made, Azure networking is slightly easier to follow. More on deployment of the Azure firewalls can be found here.
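For comparison, here is an added Terraform example of Azure Firewall Premium with the features that distinguish it (IDPS, TLS inspection, web categories); it is not code from the post or from Microsoft. It assumes a resource group, a VNet with a subnet named AzureFirewallSubnet, a user-assigned identity, and a Key Vault secret holding the intermediate CA used for TLS inspection all already exist (passed in as placeholder variables); the source ranges, FQDNs and web category names are illustrative, and the category names in particular should be checked against the Azure portal before use.

```hcl
# Added example, not from the original post or Microsoft.
# Assumes existing resource group, AzureFirewallSubnet, user-assigned identity
# and Key Vault secret (placeholder variables).
variable "resource_group_name" {
  type = string
}

variable "location" {
  type = string
}

variable "firewall_subnet_id" {
  type        = string
  description = "Must be the subnet named AzureFirewallSubnet"
}

variable "firewall_identity_id" {
  type        = string
  description = "User-assigned identity with read access to the Key Vault secret"
}

variable "tls_ca_secret_id" {
  type        = string
  description = "Key Vault secret holding the intermediate CA (PFX) used to re-sign TLS"
}

resource "azurerm_public_ip" "fw" {
  name                = "ngfw-pip"
  resource_group_name = var.resource_group_name
  location            = var.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

# Premium policy: threat intel in deny mode, IDPS in deny mode, CA for TLS inspection.
resource "azurerm_firewall_policy" "premium" {
  name                     = "ngfw-policy"
  resource_group_name      = var.resource_group_name
  location                 = var.location
  sku                      = "Premium"
  threat_intelligence_mode = "Deny"

  intrusion_detection {
    mode = "Deny"
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [var.firewall_identity_id]
  }

  tls_certificate {
    key_vault_secret_id = var.tls_ca_secret_id
    name                = "intermediate-ca"
  }
}

# Application rules: allow a named FQDN with TLS terminated so IDPS and URL
# filtering see plaintext; deny risky web categories for everything else.
resource "azurerm_firewall_policy_rule_collection_group" "egress" {
  name               = "egress-rcg"
  firewall_policy_id = azurerm_firewall_policy.premium.id
  priority           = 100

  application_rule_collection {
    name     = "allow-updates"
    priority = 100
    action   = "Allow"

    rule {
      name              = "allow-update-server"
      source_addresses  = ["10.0.0.0/8"]          # illustrative
      destination_fqdns = ["updates.example.com"] # illustrative
      terminate_tls     = true

      protocols {
        type = "Https"
        port = 443
      }
    }
  }

  application_rule_collection {
    name     = "deny-risky-categories"
    priority = 200
    action   = "Deny"

    rule {
      name             = "deny-hacking-sites"
      source_addresses = ["10.0.0.0/8"]
      web_categories   = ["Hacking"] # assumed category name; verify in the portal

      protocols {
        type = "Https"
        port = 443
      }

      protocols {
        type = "Http"
        port = 80
      }
    }
  }
}

# The firewall: Premium tier, bound to the policy above.
resource "azurerm_firewall" "premium" {
  name                = "ngfw"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Premium"
  firewall_policy_id  = azurerm_firewall_policy.premium.id

  ip_configuration {
    name                 = "primary"
    subnet_id            = var.firewall_subnet_id
    public_ip_address_id = azurerm_public_ip.fw.id
  }
}
```

Note the prerequisite that TLS inspection carries: the intermediate CA in Key Vault must be trusted by every client behind the firewall, and the identity the policy uses needs only read access to that one secret. Unlike the AWS deployment, there is a single firewall resource and a single hourly charge; routing from workload subnets is a user-defined route to the firewall's private IP rather than per-AZ endpoints.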
Azure has priced its standard firewall at $1.25 per hour and the premium firewall at an introductory price of $0.875 per hour, which will increase to $1.75 at the time of General Availability. Further, Azure charges $0.016 per GB processed.
AWS prices the Firewall based on the endpoints in use. Each firewall endpoint is priced at $0.395/hr and you also pay $0.065 for every GB of data processed by the firewall.
It stands to reason that what you pay on AWS depends on the use case and the deployment scenario: the hourly charge is per endpoint, and you need one endpoint per Availability Zone in each VPC you protect, on top of the per-GB charge. It takes your AWS solution architect to design a solution tailored for that particular cloud service before you know the price, whereas with Azure, I'd say a network architect could design the solution for you to gain a first-level understanding of the prices involved.
AWS has announced a list of partners for various capabilities including threat intelligence feeds, SOAR, SIEM and Managed Detection and Response (MDR) capabilities with the Network Firewall.
Azure has relied on existing Microsoft services for all of the above. For SIEM and SOAR-like capabilities there is Azure Sentinel, and for threat intelligence the firewall relies on Microsoft's own threat intelligence feed. To add to this, the Azure firewall is also HIPAA certified and is an ICSA Labs certified network firewall.
To summarise, here is a table that compares many of these capabilities:

| Firewall | Protection | Capabilities | Pricing |
|---|---|---|---|
| AWS Network Firewall | East-West and North-South protection | High Availability, Automated Scaling, Stateful Firewall, IDPS, Threat Intelligence (via partners) | $0.395/hr per endpoint and $0.065/GB of data processed |
| Azure Premium Firewall | East-West and North-South protection | High Availability, Scaling, IDPS, TLS Inspection, Threat Intelligence | $0.875/hr per firewall during public preview ($1.75/hr at GA) and $0.016/GB of data processed |
So there you have it. The two biggest players in the IaaS space now offer firewalls as a service to their customers. In terms of features, AWS does have some catching up to do with Azure, but that is only a question of time, one would feel. Which one will be the first to announce Secure Access Service Edge (SASE)? What do you think?