Enable and configure TLS inspection on Azure Firewall policy to Inspect all outbound TLS traffic to allow/deny with IDPS and Application rules

Implementation Effort: High

User Impact: Medium

Overview

In your Azure Firewall Premium policy, enable TLS inspection to decrypt and inspect all outbound TLS traffic destined for the internet.

Once Enabled, Azure Firewall intercepts outbound TLS handshakes, decrypts the sessions using the CA certificate stored in Key Vault, processes the plaintext through your configured IDPS signature checks and Application Rule collections, then re-encrypts and forwards the traffic to external endpoints. Because the firewall performs a man-in-the-middle for TLS, any client devices or VMs traversing the firewall must trust the inspection CA—you’ll need to export the root certificate (or its public key) from Key Vault and deploy it to each client’s trusted root store to avoid certificate errors. This guarantees that encrypted egress traffic is subject to the same intrusion prevention and application-layer filtering as clear-text flows—protecting against data exfiltration, malware callbacks, and illicit command-and-control communications.

Reference

• Azure Firewall Premium TLS inspection
• Manage TLS certificates for Azure Firewall Premium
• Deploy and configure Azure Firewall Premium
• Deploy and configure Enterprise CA certificates for Azure Firewall