feat(azure): Add support for Azure Firewall #2215

@kunaals

Description

Add support for Azure Firewall to enable complete network security topology visibility in Azure environments.

Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. Cartography currently supports VMs, Network Interfaces, Public IPs, Subnets, and Network Security Groups, but it lacks Azure Firewall, which is a key component for understanding network security posture.

New Nodes:

  • AzureFirewall - Azure Firewall instances with properties: id, name, location, sku_name, sku_tier, threat_intel_mode, provisioning_state
  • AzureFirewallPolicy - Firewall policies with properties: id, name, location, threat_intel_mode, base_policy_id
  • AzureFirewallIPConfiguration - IP configurations with properties: id, name, private_ip_address, public_ip_address_id, subnet_id

New Relationships:

  • (AzureSubscription)-[:RESOURCE]->(AzureFirewall)
  • (AzureFirewall)-[:HAS_IP_CONFIGURATION]->(AzureFirewallIPConfiguration)
  • (AzureFirewall)-[:USES_POLICY]->(AzureFirewallPolicy)
  • (AzureFirewallIPConfiguration)-[:IN_SUBNET]->(AzureSubnet)
  • (AzureFirewallIPConfiguration)-[:USES_PUBLIC_IP]->(AzurePublicIPAddress)

Example queries this enables:

// Find all Azure Firewalls and their associated subnets
MATCH (fw:AzureFirewall)-[:HAS_IP_CONFIGURATION]->(cfg:AzureFirewallIPConfiguration)-[:IN_SUBNET]->(subnet:AzureSubnet)
RETURN fw.name, subnet.name, cfg.private_ip_address

// Find VMs potentially protected by Azure Firewall (same VNet)
MATCH (fw:AzureFirewall)-[:HAS_IP_CONFIGURATION]->(cfg:AzureFirewallIPConfiguration)-[:IN_SUBNET]->(fwSubnet:AzureSubnet)<-[:CONTAINS]-(vnet:AzureVirtualNetwork)
MATCH (vnet)-[:CONTAINS]->(vmSubnet:AzureSubnet)<-[:ATTACHED_TO]-(nic:AzureNetworkInterface)-[:ATTACHED_TO]->(vm:AzureVirtualMachine)
RETURN fw.name, vm.name, vnet.name

Motivation

Understanding the complete network security topology is critical for security analysis. With the recent addition of Network Interfaces and Public IPs (PR #2144), Cartography now supports the VM-to-IP path. However, Azure Firewall was part of the original scope in Issue #2126 but was not implemented when that issue was closed.

Azure Firewall is commonly used in hub-and-spoke architectures and is essential for:

  • Understanding which workloads are protected by centralized firewall
  • Auditing firewall configurations and policies
  • Mapping network traffic flows through security controls
  • Identifying gaps in firewall coverage

Alternatives Considered

  1. Using only NSGs for security analysis - NSGs don't capture Azure Firewall (a separate service with different capabilities like threat intelligence, FQDN filtering, etc.)
  2. External Azure Resource Graph queries - Loses the benefit of Cartography's unified graph model and cross-cloud correlation

Relevant Links

Metadata

Labels: data-addition (Describes adding new data to the graph), good first issue (Good for newcomers), module:Azure (Related to the Azure intel module)
