azure-firewall

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Azure Firewall Skill

This skill provides expert guidance for Azure Firewall. Covers troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.

本Skill为Azure Firewall提供专业指导，涵盖故障排除、最佳实践、决策制定、架构与设计模式、限制与配额、安全、配置、集成与编码模式以及部署。它结合了本地快速参考内容与远程文档获取能力。

How to Use This Skill

如何使用本Skill

IMPORTANT for Agent: Use the Category Index below to locate relevant sections. For categories with line ranges (e.g.,
L35-L120
), use
read_file
with the specified lines. For categories with file links (e.g.,
[security.md](security.md)
), use
read_file
on the linked reference file

IMPORTANT for Agent: If
metadata.generated_at
is more than 3 months old, suggest the user pull the latest version from the repository. If
mcp_microsoftdocs
tools are not available, suggest the user install it: Installation Guide

This skill requires network access to fetch documentation content:

Preferred: Use

mcp_microsoftdocs:microsoft_docs_fetch

with query string

from=learn-agent-skill

. Returns Markdown.

Fallback: Use

fetch_webpage

with query string

from=learn-agent-skill&accept=text/markdown

. Returns Markdown.

对Agent的重要提示：使用下方的分类索引定位相关章节。对于带有行范围的分类（如
L35-L120
），使用
read_file
工具读取指定行内容；对于带有文件链接的分类（如
[security.md](security.md)
），使用
read_file
工具读取链接的参考文件。

对Agent的重要提示：如果
metadata.generated_at
的时间超过3个月，请建议用户从仓库拉取最新版本。如果
mcp_microsoftdocs
工具不可用，请建议用户安装：安装指南

本Skill需要网络访问权限来获取文档内容：

推荐方式：使用
```
mcp_microsoftdocs:microsoft_docs_fetch
```
工具，附加查询字符串
```
from=learn-agent-skill
```
，返回Markdown格式内容。
备选方式：使用
```
fetch_webpage
```
工具，附加查询字符串
```
from=learn-agent-skill&accept=text/markdown
```
，返回Markdown格式内容。

Category Index

分类索引

Category	Lines	Description
Troubleshooting	L37-L42	Diagnosing Azure Firewall issues and limitations, and using packet capture to investigate, analyze, and troubleshoot network traffic and connectivity problems.
Best Practices	L43-L48	Guidance on tuning Azure Firewall rules and SKUs for performance, plus security best practices for policies, rule design, logging, and threat protection configuration.
Decision Making	L49-L57	Guidance on choosing Azure Firewall Basic/Standard/Premium SKUs, comparing features and performance, and selecting or changing the right SKU for your workload and SMB scenarios.
Architecture & Design Patterns	L58-L69	Architectural patterns and topologies for Azure Firewall: hub-and-spoke routing, forced tunneling, SLB integration, hybrid connectivity, DNAT with overlapping IPs, DDoS protection, and traffic separation.
Limits & Quotas	L70-L78	Azure Firewall capacity, IP and SNAT port limits, prescaling ranges, TCP idle timeouts, and behavioral FAQs for scaling and quota-related configuration.
Security	L79-L97	Securing Azure Firewall: policies, roles, TLS inspection, threat intel, hybrid/AKS/AVD/M365 protection, Sentinel integration, DNAT, and compliance configuration.
Configuration	L98-L121	Configuring Azure Firewall rules, DNS/proxy, IP groups, SNAT/DNAT, Premium features, logging/monitoring, and bulk or policy-based rule management and change tracking.
Integrations & Coding Patterns	L122-L126	Configuring Azure Firewall to securely access Azure Storage via SFTP, including required rules, network paths, and integration patterns for SFTP traffic.
Deployment	L127-L133	How to deploy Azure Firewall (including Premium) and IP Groups using ARM templates, Bicep, or Terraform, with example templates and infrastructure-as-code guidance.

分类	行范围	描述
故障排除	L37-L42	诊断Azure Firewall的已知问题与限制，使用数据包捕获来调查、分析和排查网络流量与连接问题。
最佳实践	L43-L48	有关调优Azure Firewall规则与SKU以提升性能的指导，以及策略、规则设计、日志记录和威胁防护配置的安全最佳实践。
决策制定	L49-L57	有关选择Azure Firewall Basic/Standard/Premium SKU、对比功能与性能、为工作负载和SMB场景选择或更换合适SKU的指导。
架构与设计模式	L58-L69	Azure Firewall的架构模式与拓扑：中心辐射型路由、强制隧道、SLB集成、混合连接、重叠IP的DNAT、DDoS防护以及流量隔离。
限制与配额	L70-L78	Azure Firewall的容量、IP与SNAT端口限制、预缩放范围、TCP空闲超时，以及与缩放和配额相关配置的行为常见问题。
安全	L79-L97	保护Azure Firewall：策略、角色、TLS检查、威胁情报、混合/AKS/AVD/M365防护、Sentinel集成、DNAT以及合规配置。
配置	L98-L121	配置Azure Firewall规则、DNS/代理、IP组、SNAT/DNAT、Premium功能、日志记录/监控，以及基于批量或策略的规则管理与变更追踪。
集成与编码模式	L122-L126	配置Azure Firewall以通过SFTP安全访问Azure Storage，包括SFTP流量所需的规则、网络路径和集成模式。
部署	L127-L133	如何使用ARM模板、Bicep或Terraform部署Azure Firewall（包括Premium版）和IP组，附带示例模板与基础设施即代码指导。

Troubleshooting

故障排除

Topic	URL
Diagnose Azure Firewall known issues and limitations	https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues
Troubleshoot Azure Firewall using packet capture	https://learn.microsoft.com/en-us/azure/firewall/packet-capture

主题	链接
诊断Azure Firewall的已知问题与限制	https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues
使用数据包捕获排查Azure Firewall问题	https://learn.microsoft.com/en-us/azure/firewall/packet-capture

Best Practices

最佳实践

Topic	URL
Optimize Azure Firewall configuration for performance	https://learn.microsoft.com/en-us/azure/firewall/firewall-best-practices
Apply security best practices to Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/secure-firewall

主题	链接
优化Azure Firewall配置以提升性能	https://learn.microsoft.com/en-us/azure/firewall/firewall-best-practices
为Azure Firewall应用安全最佳实践	https://learn.microsoft.com/en-us/azure/firewall/secure-firewall

Decision Making

决策制定

Topic	URL
Choose and change Azure Firewall Standard vs Premium SKU	https://learn.microsoft.com/en-us/azure/firewall/change-sku
Select the appropriate Azure Firewall SKU	https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku
Deploy Azure Firewall Basic for SMB scenarios	https://learn.microsoft.com/en-us/azure/firewall/deploy-firewall-basic-portal-policy
Compare Azure Firewall features across SKUs	https://learn.microsoft.com/en-us/azure/firewall/features-by-sku
Plan Azure Firewall performance and SKU selection	https://learn.microsoft.com/en-us/azure/firewall/firewall-performance

主题	链接
选择与更换Azure Firewall Standard与Premium SKU	https://learn.microsoft.com/en-us/azure/firewall/change-sku
选择合适的Azure Firewall SKU	https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku
为SMB场景部署Azure Firewall Basic	https://learn.microsoft.com/en-us/azure/firewall/deploy-firewall-basic-portal-policy
对比不同SKU的Azure Firewall功能	https://learn.microsoft.com/en-us/azure/firewall/features-by-sku
规划Azure Firewall性能与SKU选择	https://learn.microsoft.com/en-us/azure/firewall/firewall-performance

Architecture & Design Patterns

架构与设计模式

Topic	URL
Architect multi-hub and spoke routing with Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/firewall-multi-hub-spoke
Design Azure Firewall forced tunneling topology	https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling
Integrate Azure Firewall with Standard Load Balancer	https://learn.microsoft.com/en-us/azure/firewall/integrate-lb
Use Azure Firewall Management NIC for traffic separation	https://learn.microsoft.com/en-us/azure/firewall/management-nic
Secure hybrid networks with Azure Firewall and policy	https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy
Deploy Azure Firewall in a hybrid network via PowerShell	https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
Use private IP DNAT for overlapped Azure networks	https://learn.microsoft.com/en-us/azure/firewall/tutorial-private-ip-dnat
Protect Azure Firewall with Azure DDoS Protection	https://learn.microsoft.com/en-us/azure/firewall/tutorial-protect-firewall-ddos

主题	链接
设计Azure Firewall的多中心辐射型路由架构	https://learn.microsoft.com/en-us/azure/firewall/firewall-multi-hub-spoke
设计Azure Firewall强制隧道拓扑	https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling
集成Azure Firewall与标准负载均衡器	https://learn.microsoft.com/en-us/azure/firewall/integrate-lb
使用Azure Firewall管理网卡实现流量隔离	https://learn.microsoft.com/en-us/azure/firewall/management-nic
使用Azure Firewall与策略保护混合网络	https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy
通过PowerShell在混合网络中部署Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
为重叠Azure网络使用私有IP DNAT	https://learn.microsoft.com/en-us/azure/firewall/tutorial-private-ip-dnat
使用Azure DDoS保护防护Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/tutorial-protect-firewall-ddos

Limits & Quotas

限制与配额

Topic	URL
Deploy Azure Firewall with multiple public IP limits	https://learn.microsoft.com/en-us/azure/firewall/deploy-multi-public-ip-powershell
Azure Firewall FAQs on limits and behavior	https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
Scale Azure Firewall SNAT ports with NAT Gateway	https://learn.microsoft.com/en-us/azure/firewall/integrate-with-nat-gateway
Configure Azure Firewall prescaling capacity ranges	https://learn.microsoft.com/en-us/azure/firewall/prescaling
Manage Azure Firewall TCP session idle timeouts	https://learn.microsoft.com/en-us/azure/firewall/tcp-session-behavior

主题	链接
部署带有多个公网IP限制的Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/deploy-multi-public-ip-powershell
Azure Firewall限制与行为常见问题	https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
使用NAT网关扩展Azure Firewall SNAT端口	https://learn.microsoft.com/en-us/azure/firewall/integrate-with-nat-gateway
配置Azure Firewall预缩放容量范围	https://learn.microsoft.com/en-us/azure/firewall/prescaling
管理Azure Firewall TCP会话空闲超时	https://learn.microsoft.com/en-us/azure/firewall/tcp-session-behavior

Security

安全

Topic	URL
Understand Azure Firewall compliance certifications	https://learn.microsoft.com/en-us/azure/firewall/compliance-certifications
Deploy and configure Azure Firewall policy via PowerShell	https://learn.microsoft.com/en-us/azure/firewall/deploy-ps-policy
Detect malware using Microsoft Sentinel and Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/detect-malware-with-sentinel
Secure Azure Firewall deployments with Azure Policy	https://learn.microsoft.com/en-us/azure/firewall/firewall-azure-policy
Integrate Azure Firewall with Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/firewall/firewall-sentinel-overview
Configure TLS inspection certificates for Firewall Premium	https://learn.microsoft.com/en-us/azure/firewall/premium-certificates
Deploy Enterprise CA chain for Azure Firewall Premium	https://learn.microsoft.com/en-us/azure/firewall/premium-deploy-certificates-enterprise-ca
Protect AKS clusters using Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/protect-azure-kubernetes-service
Secure Azure Virtual Desktop with Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop
Allow Microsoft 365 traffic through Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/protect-office-365
Understand Azure Firewall roles and permissions	https://learn.microsoft.com/en-us/azure/firewall/roles-permissions
Configure Azure Firewall threat intelligence filtering	https://learn.microsoft.com/en-us/azure/firewall/threat-intel
Deploy and configure Azure Firewall in portal	https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
Configure Azure Firewall DNAT for inbound filtering	https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat
Configure Azure Firewall for hybrid network security	https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal

主题	链接
了解Azure Firewall合规认证	https://learn.microsoft.com/en-us/azure/firewall/compliance-certifications
通过PowerShell部署与配置Azure Firewall策略	https://learn.microsoft.com/en-us/azure/firewall/deploy-ps-policy
使用Microsoft Sentinel与Azure Firewall检测恶意软件	https://learn.microsoft.com/en-us/azure/firewall/detect-malware-with-sentinel
使用Azure Policy保护Azure Firewall部署	https://learn.microsoft.com/en-us/azure/firewall/firewall-azure-policy
集成Azure Firewall与Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/firewall/firewall-sentinel-overview
为Firewall Premium配置TLS检查证书	https://learn.microsoft.com/en-us/azure/firewall/premium-certificates
为Azure Firewall Premium部署企业CA链	https://learn.microsoft.com/en-us/azure/firewall/premium-deploy-certificates-enterprise-ca
使用Azure Firewall保护AKS集群	https://learn.microsoft.com/en-us/azure/firewall/protect-azure-kubernetes-service
使用Azure Firewall保护Azure Virtual Desktop	https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop
允许Microsoft 365流量通过Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/protect-office-365
了解Azure Firewall角色与权限	https://learn.microsoft.com/en-us/azure/firewall/roles-permissions
配置Azure Firewall威胁情报过滤	https://learn.microsoft.com/en-us/azure/firewall/threat-intel
在门户中部署与配置Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
配置Azure Firewall DNAT以实现入站过滤	https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat
配置Azure Firewall以保护混合网络安全	https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal

Configuration

配置

Topic	URL
Create Azure Firewall IP Groups for rule management	https://learn.microsoft.com/en-us/azure/firewall/create-ip-group
Set customer-controlled maintenance windows for Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/customer-controlled-maintenance
Bulk manage Azure Firewall rules with PowerShell	https://learn.microsoft.com/en-us/azure/firewall/deploy-rules-powershell
Configure and monitor Azure Firewall DNAT rules	https://learn.microsoft.com/en-us/azure/firewall/destination-nat-rules
Understand Azure Firewall DNS Proxy behavior	https://learn.microsoft.com/en-us/azure/firewall/dns-details
Configure DNS servers and DNS proxy for Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/dns-settings
Use Azure Firewall Policy Draft and Deployment	https://learn.microsoft.com/en-us/azure/firewall/draft-deploy
Configure Azure Firewall explicit proxy mode	https://learn.microsoft.com/en-us/azure/firewall/explicit-proxy
Analyze Azure Firewall data with Workbooks	https://learn.microsoft.com/en-us/azure/firewall/firewall-workbook
Use FQDN tags in Azure Firewall application rules	https://learn.microsoft.com/en-us/azure/firewall/fqdn-tags
Configure Azure Firewall FTP active and passive modes	https://learn.microsoft.com/en-us/azure/firewall/ftp-support
Configure and use IP Groups in Azure Firewall rules	https://learn.microsoft.com/en-us/azure/firewall/ip-groups
Configure monitoring and logging for Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall
Use Azure Firewall monitoring data and logs with Azure Monitor	https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference
Implement Azure Firewall Premium advanced features	https://learn.microsoft.com/en-us/azure/firewall/premium-features
Track Azure Firewall rule changes with Resource Graph	https://learn.microsoft.com/en-us/azure/firewall/rule-set-change-tracking
Configure Azure Firewall rules with service tags	https://learn.microsoft.com/en-us/azure/firewall/service-tags
Configure Azure Firewall SNAT private IP ranges	https://learn.microsoft.com/en-us/azure/firewall/snat-private-range
Configure Azure Firewall application rules for SQL FQDNs	https://learn.microsoft.com/en-us/azure/firewall/sql-fqdn-filtering
Configure Azure Firewall DNAT policy for inbound traffic	https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat-policy

主题	链接
创建Azure Firewall IP组以管理规则	https://learn.microsoft.com/en-us/azure/firewall/create-ip-group
为Azure Firewall设置客户控制的维护窗口	https://learn.microsoft.com/en-us/azure/firewall/customer-controlled-maintenance
通过PowerShell批量管理Azure Firewall规则	https://learn.microsoft.com/en-us/azure/firewall/deploy-rules-powershell
配置与监控Azure Firewall DNAT规则	https://learn.microsoft.com/en-us/azure/firewall/destination-nat-rules
了解Azure Firewall DNS代理行为	https://learn.microsoft.com/en-us/azure/firewall/dns-details
为Azure Firewall配置DNS服务器与DNS代理	https://learn.microsoft.com/en-us/azure/firewall/dns-settings
使用Azure Firewall策略草稿与部署功能	https://learn.microsoft.com/en-us/azure/firewall/draft-deploy
配置Azure Firewall显式代理模式	https://learn.microsoft.com/en-us/azure/firewall/explicit-proxy
使用工作簿分析Azure Firewall数据	https://learn.microsoft.com/en-us/azure/firewall/firewall-workbook
在Azure Firewall应用规则中使用FQDN标签	https://learn.microsoft.com/en-us/azure/firewall/fqdn-tags
配置Azure Firewall FTP主动与被动模式	https://learn.microsoft.com/en-us/azure/firewall/ftp-support
在Azure Firewall规则中配置与使用IP组	https://learn.microsoft.com/en-us/azure/firewall/ip-groups
配置Azure Firewall的监控与日志记录	https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall
将Azure Firewall监控数据与日志用于Azure Monitor	https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference
实现Azure Firewall Premium高级功能	https://learn.microsoft.com/en-us/azure/firewall/premium-features
使用资源图追踪Azure Firewall规则变更	https://learn.microsoft.com/en-us/azure/firewall/rule-set-change-tracking
使用服务标签配置Azure Firewall规则	https://learn.microsoft.com/en-us/azure/firewall/service-tags
配置Azure Firewall SNAT私有IP范围	https://learn.microsoft.com/en-us/azure/firewall/snat-private-range
为SQL FQDN配置Azure Firewall应用规则	https://learn.microsoft.com/en-us/azure/firewall/sql-fqdn-filtering
配置Azure Firewall DNAT策略以处理入站流量	https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat-policy

Integrations & Coding Patterns

集成与编码模式

Topic	URL
Access Azure Storage via SFTP through Azure Firewall	https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp

主题	链接
通过Azure Firewall以SFTP方式安全访问Azure Storage	https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp

Deployment

部署

Topic	URL
Deploy Azure Firewall Premium with template	https://learn.microsoft.com/en-us/azure/firewall/premium-deploy
Deploy Azure Firewall and IP Groups using Bicep	https://learn.microsoft.com/en-us/azure/firewall/quick-create-ipgroup-bicep
Deploy Azure Firewall and IP Groups via ARM template	https://learn.microsoft.com/en-us/azure/firewall/quick-create-ipgroup-template
Deploy Azure Firewall and IP Groups with Terraform	https://learn.microsoft.com/en-us/azure/firewall/quick-create-ipgroup-terraform

主题	链接
使用模板部署Azure Firewall Premium	https://learn.microsoft.com/en-us/azure/firewall/premium-deploy
使用Bicep部署Azure Firewall与IP组	https://learn.microsoft.com/en-us/azure/firewall/quick-create-ipgroup-bicep
使用ARM模板部署Azure Firewall与IP组	https://learn.microsoft.com/en-us/azure/firewall/quick-create-ipgroup-template
使用Terraform部署Azure Firewall与IP组	https://learn.microsoft.com/en-us/azure/firewall/quick-create-ipgroup-terraform