As introduced some time ago, Azure Firewall Manager (AFM) is the central configuration and management point for Azure Firewall.
Well, AFM has been updated and is now able to integrate with your virtual network.
The integration consists on ‘converting’ your Azure Virtual Network to a hub virtual network.
This is handy if your network architecture is based on virtual networks only – meaning you have no VPN, SDWAN or third party security service integration.
When to choose a hub virtual network vs a secured virtual hub is summarized in the below table:
| Hub virtual network | Secured virtual hub | |
| Underlying resource | Virtual network | Virtual WAN hub |
| Hub-and-Spoke | Using virtual network peering | Automated using hub virtual network connection |
| On-premises connectivity | VPN Gateway up to 10 Gbps and 30 S2S connections; ExpressRoute | More scalable VPN Gateway up to 20 Gbps and 1000 S2S connections; ExpressRoute |
| Automated branch connectivity using SDWAN | Not supported | Supported |
| Hubs per region | Multiple VNet per region | Single hub per region |
| Azure Firewall – multiple public IP addresses | You provided it |
Not yet available; planned for GA Auto-generated |
| Azure Firewall Availability Zones | Supported | Not yet available; planned for GA |
| Advanced internet security with 3rd party Security as a service partners | VPN connectivity enabled and managed by you | Automated using a Trusted Security Partner |
| Centralized route management to attract traffic to the hub |
Customer managed UDR Planned for later: UDR default route automation |
BGP |
| Web Application Firewall on Application Gateway | Supported |
Not available Planned for later |
| Network Virtual Appliance | Supported |
Not available Planned for later |
To start using it, logon to your Azure portal (https://portal.azure.com/) and search for Firewall Manager
![image_thumb[1]](https://www.cubesys.com.au/wp-content/uploads/2020/02/image_thumb1-101.png "image_thumb[1]")
From there, just click on View hub virtual network from the Getting Started blade or directly reach the Hub virtual networks blade
![image_thumb[2]](https://www.cubesys.com.au/wp-content/uploads/2020/02/image_thumb2-78.png "image_thumb[2]")
From this blade you can create a new hub virtual network or convert an existing virtual network
![image_thumb[3]](https://www.cubesys.com.au/wp-content/uploads/2020/02/image_thumb3-64.png "image_thumb[3]")
When you create a new hub virtual network, you have to define the resource group., location and IP ranges (as for any virtual networks) but then you will define your Azure Firewall policies
![image_thumb[4]](https://www.cubesys.com.au/wp-content/uploads/2020/02/image_thumb4-51.png "image_thumb[4]")
![image_thumb[5]](https://www.cubesys.com.au/wp-content/uploads/2020/02/image_thumb5-32.png "image_thumb[5]")
If you want to convert an existing virtual network to a hub virtual network, you just have to select the VNet to be converted and then define the Azure Firewall policies
![image_thumb[6]](https://www.cubesys.com.au/wp-content/uploads/2020/02/image_thumb6-30.png "image_thumb[6]")
