Azure Firewall: Comprehensive Comparison & Best Practices

Azure Firewall, a managed, cloud-based network security service, is an essential component of Azure's security offerings. It comes in three versions – Basic, Standard, and Premium – each designed for a different range of customer use cases. This blog post provides a comprehensive comparison of these versions, discusses best practices for their use, and answers the top 5 most asked questions about Azure Firewall. We will also look at its role in hub-spoke and Azure Virtual WAN with Secure Hub architectures.

Azure Firewall Versions: Basic, Standard, and Premium

Azure Firewall Basic

Azure Firewall Basic is recommended for customers with throughput needs of up to 250 Mbps. It is a cost-effective option for businesses that require fundamental network protection.

Azure Firewall Standard

Azure Firewall Standard is recommended for customers who need a Layer 3–Layer 7 firewall that autoscales to handle peak traffic periods of up to 30 Gbps. It supports enterprise features such as threat intelligence, DNS proxy, custom DNS, and web categories.

Azure Firewall Premium

Azure Firewall Premium is recommended for securing highly sensitive applications (such as payment processing). It supports advanced capabilities such as malware detection and TLS inspection. Azure Firewall Premium runs on more capable hardware and a higher-performing underlying engine, which makes it the best fit for heavier workloads and higher traffic volumes.

Best Practices for Azure Firewall

To maximize the performance of your Azure Firewall, it's important to follow best practices. Here are some recommendations:

  • Optimize rule configuration and processing: Organize rules using firewall policy into Rule Collection Groups and Rule Collections, and order them by priority so that the most frequently matched rules are evaluated first.
  • Use or migrate to Azure Firewall Premium: Azure Firewall Premium offers a higher-performing underlying engine and includes built-in accelerated networking software.
  • Add multiple public IP addresses to the firewall to prevent SNAT port exhaustion: Each public IP address (PIP) attached to the firewall adds a separate pool of SNAT ports for outbound connections, so attaching several PIPs raises the number of concurrent outbound flows the firewall can sustain.
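The three recommendations above translate directly into a deployment template. The following Bicep is an added example, not code from the original post or from Microsoft: it deploys an Azure Firewall Premium governed by a firewall policy, two rule collection groups ordered by priority (frequent rules first), and a configurable number of public IPs to widen the SNAT port pool. The resource names, address ranges, DNS server address and FQDN tag are assumptions chosen for illustration; the hub VNet with its AzureFirewallSubnet is assumed to already exist.

```bicep
// Added example (not from the original post): Azure Firewall Premium + firewall policy,
// prioritized rule collection groups and multiple public IPs for SNAT headroom.
// Names, address ranges and the FQDN tag below are assumptions for illustration.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'      // assumed: existing hub VNet with an AzureFirewallSubnet
param firewallName string = 'afw-hub'
param publicIpCount int = 2                // each extra PIP adds its own pool of SNAT ports

// One Standard-SKU static public IP per index.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = [for i in range(0, publicIpCount): {
  name: '${firewallName}-pip-${i}'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}]

// The policy carries the tier-wide settings; rules are attached below in collection groups.
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: '${firewallName}-policy'
  location: location
  properties: {
    sku: { tier: 'Premium' }
    threatIntelMode: 'Deny'                // drop traffic to/from Microsoft threat-intel IPs and FQDNs
    dnsSettings: { enableProxy: true }     // DNS proxy, required to use FQDNs in network rules
    intrusionDetection: { mode: 'Alert' }  // IDPS in detect-only mode to start; switch to 'Deny' after tuning
    // TLS inspection additionally needs a Key Vault certificate and a managed identity (not shown).
  }
}

// Lower priority number = evaluated first. The most frequently matched rules go in the
// first group so evaluation stops early for the bulk of the traffic.
resource rcgFrequent 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'rcg-frequent'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'net-allow-core'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'spokes-to-hub-dns'
            ipProtocols: [ 'TCP', 'UDP' ]
            sourceAddresses: [ '10.1.0.0/16' ]   // assumed spoke address range
            destinationAddresses: [ '10.0.0.4' ]  // assumed hub DNS server
            destinationPorts: [ '53' ]
          }
        ]
      }
    ]
  }
}

// Rarely matched rules go in a later group. Groups on one policy must be deployed one at a
// time (concurrent updates to the same policy fail), hence the explicit dependsOn.
resource rcgRare 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'rcg-rare'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-allow-updates'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'windows-update'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ '10.1.0.0/16' ]
            fqdnTags: [ 'WindowsUpdate' ]
          }
        ]
      }
    ]
  }
  dependsOn: [ rcgFrequent ]
}

// The firewall: one ipConfiguration per public IP; only the first carries the subnet reference.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: firewallName
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Premium' }
    firewallPolicy: { id: policy.id }
    ipConfigurations: [for i in range(0, publicIpCount): {
      name: 'ipconfig-${i}'
      properties: {
        publicIPAddress: { id: pip[i].id }
        subnet: i == 0 ? { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureFirewallSubnet') } : null
      }
    }]
  }
  dependsOn: [ rcgRare ]
}

// Spoke route tables point their default route at this address.
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`, raising `publicIpCount` if the firewall's SNAT port utilization metric trends toward exhaustion. IDPS is left in Alert mode deliberately: review the alerts it produces before switching the mode to Deny, so that a noisy signature does not take down legitimate traffic.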

Top 5 Most Asked Questions About Azure Firewall

  1. What is Azure Firewall? Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.
  2. What capabilities are supported in Azure Firewall? Azure Firewall supports features like threat intelligence, DNS proxy, custom DNS, web categories, and more.
  3. What is the typical deployment model for Azure Firewall? Azure Firewall is typically deployed on a central virtual network and peers with other virtual networks in a hub-and-spoke model.
  4. How can I install the Azure Firewall? You can set up Azure Firewall by using the Azure portal, PowerShell, REST API, or by using templates.
  5. Does Azure Firewall support inbound traffic filtering? Yes, Azure Firewall supports both inbound and outbound filtering.

Azure Firewall in Hub-Spoke and Azure Virtual WAN with Secure Hub

Azure Firewall plays a crucial role in the hub-spoke network architecture pattern in Azure. The hub is a virtual network (VNet) in Azure that acts as the central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub and can be used to isolate workloads. Azure Firewall not only secures and inspects network traffic; it also routes traffic between VNets, because spokes are not peered with each other and reach one another only through the hub.
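To make the firewall the routing point for a spoke, the spoke's subnets need a user-defined route toward the firewall's private IP, and the peering must accept forwarded traffic. The following Bicep is an added example, not code from the original post or from Microsoft; VNet names, address ranges and the firewall's private IP are assumptions for illustration, and the hub VNet is assumed to already exist.

```bicep
// Added example (not from the original post): a spoke VNet peered to the hub, with a UDR
// that sends all non-local traffic to the hub Azure Firewall so the firewall both inspects
// and routes the spoke's traffic. Names and address ranges are assumptions for illustration.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'
param firewallPrivateIp string = '10.0.1.4'   // assumed: private IP of the hub Azure Firewall
param spokeName string = 'vnet-spoke-app'
param spokeAddressSpace string = '10.1.0.0/16'
param spokeSubnetPrefix string = '10.1.0.0/24'

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}

// Default route to the firewall. Peering does not make spokes reachable from each other,
// so this same route also carries spoke-to-spoke traffic through the firewall.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-${spokeName}'
  location: location
  properties: {
    disableBgpRoutePropagation: true   // routes learned from a hub gateway must not bypass the firewall
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: spokeName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokeAddressSpace ] }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: spokeSubnetPrefix
          routeTable: { id: spokeRoutes.id }   // every workload subnet gets the UDR
        }
      }
    ]
  }
}

// Peering in both directions. allowForwardedTraffic is what lets packets that the firewall
// forwards on behalf of another spoke be accepted at this end.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'peer-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    useRemoteGateways: false
  }
}

resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hubVnet
  name: 'peer-to-${spokeName}'
  properties: {
    remoteVirtualNetwork: { id: spokeVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
  }
}
```

After deployment, the firewall's network rules (not the peering) decide which spoke-to-spoke and spoke-to-Internet flows are allowed; a spoke with no matching allow rule can reach nothing beyond its own VNet. Check the effective routes on a workload NIC to confirm that `0.0.0.0/0` resolves to the firewall's address rather than to the Internet next hop.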

A secured hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection.

Azure Firewall Features Comparison

Here's a comparison of the features available in each version of Azure Firewall:

Feature                                         | Basic | Standard | Premium
------------------------------------------------|-------|----------|--------
Stateful firewall (Layer 3/Layer 4)             | Yes   | Yes      | Yes
Application FQDN filtering                      | Yes   | Yes      | Yes
Network traffic filtering rules                 | Yes   | Yes      | Yes
Outbound SNAT support                           | Yes   | Yes      | Yes
Threat intelligence-based filtering             | No    | Yes      | Yes
Web categories                                  | No    | Yes      | Yes
Intrusion Detection and Prevention System (IDPS)| No    | No       | Yes
TLS inspection                                  | No    | No       | Yes
URL filtering                                   | No    | No       | Yes

In conclusion, Azure Firewall is a robust and versatile security service that offers different versions to cater to various needs. By following best practices and understanding its application in different architectures, businesses can effectively secure their Azure resources.

I hope it was helpful; thanks for visiting my blog.

Follow Me on Twitter @ClusterMVP

Follow My blog


Author: Robert Smit [MVP]

Robert Smit is a Senior Technical Evangelist and has been a Microsoft MVP in Clustering since 2009.
Robert has over 20 years of experience in IT, spanning the educational, health-care and finance industries.
Robert's past experience in the trenches of IT gives him the knowledge and insight that allow him to communicate effectively with IT professionals
who are trying to address real concerns around business continuity, disaster and regulatory compliance issues. Robert holds the following certifications:
MCT – Microsoft Certified Trainer, MCTS – Windows Server, MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on Hyper-V, Failover Clustering, Azure and all things related to Cloud Computing and Infrastructure Optimization.

Robert is also capable of transferring his knowledge to others, which is a rare quality in the field of IT. He makes a point not only of solving issues but also of giving on-the-job training to his colleagues.

A customer says: "Robert has been a big influence on our technical staff, and I have come to know him as a brilliant specialist concerning Microsoft products. He was capable, with his in-depth knowledge of Microsoft products, of solving problems and developing our infrastructure to a higher level. I would certainly hire him again in the future."

Details of the recommendation: "I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist, he was able to understand and debug .Net-based complex Windows applications and websites. His input to improve the performance of applications proved very helpful for the success of our project."


This article was originally published by The Windows Server HA Blog. You can find the original article here.