CAMPUX Cloud Bootcamp
Field notes · Security
Azure Firewall Premium

Azure Firewall Premium: seeing inside the encrypted traffic

By Victor Thomson16 July 20267 min read

Nearly all of your traffic is encrypted now — which is great for privacy and terrible for a firewall, because a firewall that cannot read inside the tunnel is guessing. Azure Firewall Premium is the tier built to open that tunnel, inspect what is really flowing, and match it against tens of thousands of known-attack signatures.

The Standard tier of Azure Firewall is a capable stateful firewall: it filters by port, protocol, and fully qualified domain name, and it will keep most estates tidy. But it has a blind spot that matters more every year — it cannot see inside encrypted HTTPS. Azure Firewall Premium is Microsoft's answer for, in their words, "highly sensitive and regulated environments, such as payment and healthcare industries." It adds four features, and two of them are the reason anyone pays the premium: TLS inspection and IDPS.

TLS inspection: opening the envelope

Encrypted HTTPS traffic "can hide illegal user activity and malicious traffic" — malware loves TLS precisely because most firewalls wave it through unread. Premium changes that. With TLS inspection, the firewall terminates the encrypted connection, decrypts and examines the contents, then re-encrypts and forwards it on. Technically it stands up two TLS connections — one to the client, one to the server — and uses a CA certificate you provide to generate certificates on the fly so the client still sees a valid chain. The upshot: the firewall can finally read the traffic it was previously trusting on faith. (There are deliberate exceptions — categories like health and finance can be left un-decrypted for privacy and compliance.)

A firewall that cannot see inside encrypted traffic is trusting it on faith. TLS inspection is how Premium stops taking the tunnel's word for it.

IDPS: matching traffic against known attacks

The second headline feature is the IDPS — an intrusion detection and prevention system. Microsoft's definition is exact: it "monitors your network for malicious activity, logs information, reports it, and optionally blocks it." Azure Firewall Premium's IDPS is signature-based: it compares traffic against a large, continuously updated set of patterns — over 67,000 rules across categories like malware command-and-control, phishing, trojans, botnets, and exploit kits, with new rules added daily. When traffic matches a signature you can have it alert, or alert and deny. And once TLS inspection is on, the IDPS can look inside HTTPS too, so the two features compound: decrypt the traffic, then check it against every known-bad pattern.

The two supporting features

Rounding out the tier are two filtering upgrades:

When Premium is worth it — and when it is not

Premium is not the default; it is the answer to a specific need. Reach for it when you must inspect encrypted traffic for threats, run an IDPS, or meet a regulatory bar — it complies with PCI DSS, which is often the deciding factor in payments and healthcare. It runs on a more powerful VM SKU, scales to 100 Gbps, and supports availability zones for a 99.99% SLA. But TLS inspection means the firewall holds your CA certificate and decrypts traffic, which is real operational and trust weight — and it costs meaningfully more than Standard. If you do not need deep inspection or a compliance mandate, Standard is the right, cheaper tool. Premium earns its keep exactly where "we filtered the domain" is not a strong enough answer.

Where it sits in your security stack

Azure Firewall Premium is a network control — it inspects traffic crossing your network boundary, typically in a hub virtual network protecting the spokes around it. It is not a replacement for the other layers: you still use Network Security Groups for basic subnet-level rules, a Web Application Firewall (on Application Gateway or Front Door) for inbound HTTP attacks against your apps, and Defender for Cloud for posture and workload protection. Premium's distinct contribution is deep inspection of traffic in flight — the "what is actually inside these packets, and is any of it a known attack?" layer.

The takeaway

Azure Firewall Premium is the tier for regulated, high-sensitivity networks that need to see past encryption. TLS inspection lets it read inside HTTPS; the signature-based IDPS matches that traffic against tens of thousands of known-attack patterns and can block on a hit; URL filtering and web categories add path-level control. It costs more and carries the weight of decrypting traffic, so you choose it when compliance or genuine deep-inspection needs demand it — not by default. "Premium in the hub with TLS inspection and IDPS because we're under PCI and have to inspect encrypted traffic, Standard everywhere that just needs FQDN filtering" is the answer of someone who matched the tier to the threat, not the marketing.

Further reading — the Microsoft docs
Drilled in Class 31 — Security & DevSecOps. Back to all field notes →