Deploying Azure Firewall

This guide walks through deploying Azure Firewall from the Azure portal, explains how it fits into a hub‑and‑spoke topology, and compares its capabilities to Network Security Groups (NSGs). Follow the portal steps and design guidance below to create a scalable, centralized inspection point for your Azure network. Begin by selecting the subscription and resource group where the firewall will reside. Provide a descriptive firewall name and choose the Azure region for deployment. Select the SKU (Basic, Standard, or Premium) — note that Premium adds advanced capabilities such as TLS inspection and IDPS — and choose whether to manage rules using a Firewall Policy (recommended) or the legacy rule model on the firewall resource itself. Attach or create a Firewall Policy and select the virtual network where the firewall will be deployed.

Portal deployment checklist

Step	What to configure	Example / notes
Subscription & Resource Group	Choose the billing scope and logical grouping	Use separate RG for firewall + policy if you version policies
Name & Region	Descriptive name and preferred region	myHubFirewall-eus
SKU	Basic / Standard / Premium	Premium = TLS inspection + IDPS
Firewall Policy	Attach an existing policy or create a new one	Recommended for centralized management
Virtual Network	Select the VNet to host the firewall	Firewall requires a dedicated subnet
Subnet	Must be named AzureFirewallSubnet	No spaces; dedicated subnet only
Public IP(s)	One or more depending on SNAT/DNAT needs	Multiple for scale or NAT requirements
Forced tunneling / UDRs	Route 0.0.0.0/0 to on-prem or NVA as needed	Implement via UDR or firewall forced-tunnel setting
Diagnostics	Enable Azure Monitor logs and alerts	Use logging for threat telemetry and auditing

Network requirements and the firewall subnet You must define the virtual network address space and create a dedicated subnet for Azure Firewall. The subnet must be named exactly AzureFirewallSubnet (no spaces) because Azure Firewall requires its own dedicated subnet. Do not deploy other resources into this subnet. Public IP addresses and forced tunneling Assign or create one or more public IP addresses to the firewall depending on whether you need DNAT (inbound) or SNAT (outbound). Configure DNAT for inbound connections (port forwarding) and SNAT for outbound translations by associating public IPs with the firewall. Optionally, configure forced tunneling so outbound traffic is routed to on‑premises appliances or a third‑party NVA. Forced tunneling is implemented by ensuring 0.0.0.0/0 in the relevant route table(s) points to your chosen next hop (for example a virtual network gateway or virtual appliance). You can configure this via a UDR on the firewall subnet, applied on spoke route tables, or by using the firewall’s forced‑tunneling setting. Quick SKU comparison

SKU	Use case	Notable features
Basic	Small or test environments	Basic stateful filtering
Standard	Production workloads	Firewall policy, FQDN rules, NAT
Premium	Advanced enterprise scenarios	TLS inspection, IDPS, extra features

Overall, portal deployment is straightforward: pick the subscription/resource group, name, region, SKU, firewall policy, VNet, AzureFirewallSubnet, and public IP(s), then create the firewall and enable diagnostics. Hub‑and‑spoke deployment pattern When used in a hub‑and‑spoke topology, Azure Firewall provides centralized inspection and control. Deploy the firewall in the hub virtual network and peer spoke VNets with the hub. User‑defined routes in each spoke point traffic to the firewall so it can inspect and allow or deny flows according to policy. Ensure VNet peering is configured to allow forwarded traffic so the hub can receive and forward traffic from spokes. If you extend the hub to on‑premises (via VPN Gateway or ExpressRoute), you can route on‑premises traffic through the firewall before it reaches spoke VNets.

A diagram titled "Deploying Azure Firewall in a Hub-Spoke network topology" showing a hub virtual network hosting Azure Firewall, Bastion and a VPN gateway connected to on-premises and multiple spoke virtual networks with VM resource subnets. It also shows Azure Monitor for diagnostics/forced tunnel and lists benefits like centralized security, route table configuration, transitive connectivity and scalable design.

Key design considerations

Azure Firewall sits in the hub VNet and acts as a centralized inspection point for traffic entering, leaving, or traversing between spokes.
Each spoke peers with the hub; UDRs in the spokes direct traffic to the firewall.
Cross‑spoke traffic flows through the hub and is inspected by the firewall, enabling secure inter‑spoke communication.
The hub‑and‑spoke model is scalable: add or remove spokes without reconfiguring the firewall itself—only update spoke route tables.
Azure Monitor integration and traffic capture on the firewall let you observe and log traffic for diagnostics and security monitoring.

You can forward traffic from spoke VMs to a network virtual appliance using UDRs and capture traffic for analysis. Replacing a VM‑based NVA with Azure Firewall gives you a managed, highly available, and intelligent inspection point capable of layer‑7 controls, NAT, and richer telemetry.

Remember: the firewall subnet must be named AzureFirewallSubnet (no spaces) and should be sized to accommodate Azure Firewall’s requirements. Use a dedicated subnet and avoid deploying other resources into it.

How Azure Firewall differs from Network Security Groups (NSGs) Before deploying, understand the differences so you choose the right tool for each layer of your network security model. NSGs are lightweight ACLs suitable for per‑subnet or NIC filtering. Azure Firewall is a managed, centralized, stateful firewall with application‑aware controls and NAT.

A slide titled "Compare Azure Firewall to NSGs" showing five feature rows with green check or red X icons indicating support for each feature. Azure Firewall has green checks for all features, while NSGs have checks for protocol filtering, service tags and logging but red Xs for application FQDN tags and SNAT/DNAT.

Feature comparison table

Feature	NSGs	Azure Firewall
Scope	Subnet / NIC ACLs	Centralized managed firewall (hub)
Stateful inspection	No	Yes
Protocol filtering (TCP/UDP/ICMP)	Yes	Yes
Service tags	Yes	Yes
Application FQDN / Layer‑7 rules	No	Yes (FQDN, FQDN tags, app rules)
SNAT / DNAT (NAT)	No	Yes (outbound SNAT + inbound DNAT)
TLS inspection / IDPS	No	Premium SKU only
Monitoring & telemetry	Integrates with Azure Monitor	Rich threat telemetry and rule logging

In short: NSGs are excellent for simple, distributed ACLs at the subnet or NIC level. Azure Firewall is recommended when you need centralized, stateful, application‑aware inspection, NAT capabilities, and richer logging and policy management. Next steps Now that you understand the deployment steps, hub‑and‑spoke integration, and how Azure Firewall compares to NSGs, proceed to the Azure Portal and create the firewall using the configuration items and checklist above. Be sure to:

Size the AzureFirewallSubnet appropriately and reserve sufficient IP space.
Enable diagnostics and export logs to a Log Analytics workspace or Storage account.
Apply a Firewall Policy for centralized management and reuse across multiple firewalls.

References and further reading

Watch Video

Azure Firewall

Rule processing in Azure Firewall

Introduction

Configure Internet Access with Azure Virtual NAT

Configure Peering for an Express Route Deployment

Configure Public IP Addresses

Connect Devices to Networks with Point to Site VPN Connections

Connect Networks with Site to Site VPN Connections

Connect Remote Resources by using Azure Virtual WA Ns

Create a Network Virtual Appliance NVA in a Virtual Hub

Deploy Azure D Do S Protection

Deploy and configure Network Security Groups

Design Azure Application Gateway

Design Azure Front Door

Design Name Resolution for Azure Virtual Network

Design an Express Route deployment

Design and Implement Azure Firewall

Design and Implement Azure Load Balancer

Design and Implement Azure VPN Gateway

Design and implement Azure Bastion

Enable Cross V Net Connectivity

Explain Virtual Network Service Endpoints

Explore Azure Express Route

Explore Azure Traffic Manager

Explore Azure Virtual Networks

Explore Load Balancing Options in the Azure

Express Route Advanced Features

Get Network Security Recommendations with Microsoft Defender for Cloud

Implement Virtual Network Traffic Routing

Implement a Web Application Firewall

Monitor your networks using Azure Monitor

Monitor your networks using Azure Network Watcher

Private Link Services and Private Endpoints

Troubleshooting Express Route Connections

Working with Azure Firewall Manager

Deploying Azure Firewall

Watch Video