Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
The answer to your question depends on your setup.
Consider 2 scenarios:
1. All Internet traffic is dropped at Azure Firewall and only OnPrem private traffic is routed via ExR
- In this case, Azure Firewall threat intelligence-based filtering is not required.
- Since all traffic is destined to OnPrem endpoints/servers/applications only, there is no need to enable this.
- i.e., when the destination is a private IP hosted in your OnPrem locally, there is no need to check for known malicious IP addresses, FQDNs, and URLs.
2. Internet traffic is not dropped, but routed to OnPrem via ExR
- Assume all Internet traffic is going via ExR to an OnPrem firewall or NAT device.
- In this case, if your OnPrem firewall or NAT device lacks the capability to check for malicious IP addresses, FQDNs, and URLs, then you can leverage the Azure Firewall threat intelligence feature.
- i.e., when the flow is
  Azure VM ---> Azure Firewall ---> ExR ---> OnPrem firewall/NAT device ---> Internet
  you can alert or deny traffic at the second hop (Azure Firewall) itself.
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don't forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
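The second scenario above, as an added Bicep example that is not part of the original answer: a firewall policy with threat intelligence-based filtering set to Deny, and a route table that sends the VM subnet's Internet-bound traffic to the Azure Firewall so the firewall is the hop where known-malicious destinations are blocked before the flow continues over ExpressRoute. The resource names, address ranges and the firewall's private IP are assumptions; the hub-side routing from the firewall toward ExR is assumed to already exist.

```bicep
// Added example (not from the original answer): scenario 2, where Internet-bound
// traffic from Azure VMs goes Azure VM -> Azure Firewall -> ExR -> OnPrem -> Internet.
// Names, address ranges and the firewall private IP below are assumptions.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'   // assumed private IP of the Azure Firewall

// Firewall policy with threat intelligence-based filtering set to Deny, so traffic to
// known malicious IPs/FQDNs/URLs is blocked at the Azure Firewall hop even when the
// OnPrem firewall/NAT device cannot inspect it. Use 'Alert' to log only, or 'Off'
// for scenario 1, where no Internet traffic leaves through this path.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fw-policy-threatintel'
  location: location
  properties: {
    threatIntelMode: 'Deny'
    threatIntelWhitelist: {
      ipAddresses: []   // trusted destinations to exempt if the feed produces false positives
      fqdns: []
    }
  }
}

// Route table for the VM subnet: send all Internet-bound traffic (0.0.0.0/0) to the
// Azure Firewall instead of directly to the Internet. The firewall forwards it toward
// ExR according to the hub routing assumed to be in place (not shown here).
resource vmRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-vm-subnet'
  location: location
  properties: {
    routes: [
      {
        name: 'default-to-azfw'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

With threatIntelMode set to Deny, matches show up in the AzureFirewallThreatIntelLog table when diagnostic logging is enabled, which is where you would verify that the second hop is actually blocking flows.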