Deploy and enable Azure Firewall for TLS Inspection

Implementation Effort: High

User Impact: Medium

Overview

Deploy and enable Azure Firewall Premium’s TLS inspection by provisioning your firewall in the AzureFirewallSubnet of your Hub VNet and configuring the TLS inspection feature in your Firewall Policy.

Under TLS inspection, switch the feature to Enabled, specify the firewall’s managed identity, select the Key Vault and certificate to use. Once enabled, Azure Firewall intercepts TLS handshakes, decrypts sessions with the configured certificate, passes the plaintext traffic through your IDPS and application rule collections for inspection, and then re-encrypts the sessions before forwarding to their destinations.

Reference

• Azure Firewall Premium TLS inspection
• Manage TLS certificates for Azure Firewall Premium
• Deploy and configure Azure Firewall Premium