Skip to main content

Enable and configure TLS inspection on Azure Firewall policy to Inspect all east-west TLS traffic to allow/deny with IDPS and Application rules

Implementation Effort: High

User Impact: Medium

Overview

In your Azure Firewall Premium policy, enable TLS inspection to decrypt and inspect all east–west (internal) TLS traffic between VNets and peered networks.

Once Enabled, Azure Firewall intercepts TLS handshakes, decrypts sessions using the CA certificate stored in Key Vault, processes the plaintext through your configured IDPS signature checks and Application Rule collections, then re-encrypts and forwards the traffic to its internal destinations. Because the firewall performs a man-in-the-middle for TLS, every VM or service endpoint traversing the firewall must trust the inspection CA—you’ll need to export the root certificate from Key Vault and deploy it to the trusted root stores of those internal clients to avoid TLS errors. This ensures lateral movement attempts over encrypted channels are subject to the same intrusion prevention and application-layer controls as perimeter traffic.

Reference