Azure Firewall Manager is a centralized security management service that helps you deploy and maintain network-level security at scale. It provides a policy-driven foundation to roll out and operate Azure Firewall consistently across regions and subscriptions, simplifying large-scale enforcement and operational overhead.

Deployment models shown in the diagram

The architecture diagram below illustrates two primary deployment models you can choose depending on your operational preferences:
  • Secured Virtual Hub (Microsoft-managed): Firewall Manager manages a secured Virtual Hub (Virtual WAN) that can include integrated third‑party security providers. This model is ideal for organizations that want simplified, global connectivity with partner security integrations.
  • Hub VNet (tenant-managed): Firewall Manager manages hub VNets that host Azure Firewall instances you control. This model gives you full lifecycle control of the VNet and firewall instances.
Both deployment types allow central management of Azure Firewall instances and policies using Firewall Manager. Choose the model that best matches your requirements for control, partner integration, and centralized connectivity.

Core capabilities and when to use them

  • Centralized deployment
    Benefit: Deploy and roll out Azure Firewall instances and policies across regions and subscriptions from one place, reducing per-region configuration overhead.
    Example: Provision an Azure Firewall and apply a common policy across 5 subscriptions.
  • Hierarchical policy management
    Benefit: Create Azure Firewall Policy objects scoped to management groups, subscriptions, or individual firewalls to enable global baselines and local refinements.
    Example: Push a company-wide allowlist and let subscription owners add local DNAT rules.
  • Third-party security integration
    Benefit: Integrate partner security providers (Zscaler, Check Point, iBoss, etc.) into secured hubs for deeper inspection and filtering.
    Example: Forward traffic to an integrated partner appliance in a secured vHub for advanced threat inspection.
  • Central route management
    Benefit: Manage how traffic is steered for inspection (UDRs/forced tunneling) so inspection points are enforced consistently across your estate.
    Example: Configure route tables to ensure east–west or internet-bound traffic traverses the central firewall.
  • Wide region availability
    Benefit: Apply consistent firewalling and policy enforcement across many regions to protect workloads regardless of geography.
    Example: Replicate policies and firewall deployments to multiple regions for redundancy and compliance.
Secured Virtual Hubs (Virtual WAN) are typically Microsoft-managed and are ideal when you want integrated partner security and simplified global connectivity. Hub VNet deployments are tenant-managed and offer more control over the VNet and firewall instance lifecycle.
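The following Bicep template is an added example, not code from this page or from Microsoft's documentation. It shows the tenant-managed Hub VNet model and ties the "hierarchical policy management" and "central route management" capabilities together: a parent policy carrying a company-wide allowlist, a child policy that inherits it and adds a subscription owner's local DNAT rule, one Azure Firewall bound to the child policy, and a spoke route table that forces internet-bound traffic through the firewall. It assumes a hub VNet with a subnet named AzureFirewallSubnet and a Standard-SKU public IP already exist; every resource name, address prefix and IP address in it is a constructed placeholder.

```bicep
// Added example, not code from the page or from Microsoft's documentation: a Bicep deployment
// for the tenant-managed Hub VNet model. Assumed to exist: a hub VNet with a subnet named
// 'AzureFirewallSubnet' and a Standard-SKU public IP. All names and addresses are constructed.
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'            // assumed existing hub VNet
param firewallPublicIpName string = 'azfw-pip'   // assumed existing Standard public IP
param firewallPublicIp string = '203.0.113.10'   // constructed: the address of that public IP
param spokeAddressPrefix string = '10.1.0.0/16'  // constructed spoke range
param webServerPrivateIp string = '10.1.2.10'    // constructed DNAT target inside the spoke
var firewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureFirewallSubnet')
var firewallPipId = resourceId('Microsoft.Network/publicIPAddresses', firewallPublicIpName)

// Parent (base) policy owned by the central network security team.
resource basePolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'corp-base-policy'
  location: location
  properties: { sku: { tier: 'Standard' } }  // a child policy must use the same tier as its parent
}

// Company-wide allowlist: parent rule collection groups are evaluated before any child rules,
// so a subscription owner cannot override this baseline from the child policy.
resource baseAllowlist 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: basePolicy
  name: 'corp-baseline-rcg'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-windows-update'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'windows-update'
            sourceAddresses: [ spokeAddressPrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            fqdnTags: [ 'WindowsUpdate' ]  // Microsoft-maintained FQDN tag, no FQDN list to curate
          }
        ]
      }
    ]
  }
}

// Child policy owned by the spoke's subscription team: inherits the baseline, adds local rules.
resource spokePolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'spoke-a-policy'
  location: location
  properties: { sku: { tier: 'Standard' }, basePolicy: { id: basePolicy.id } }
}
resource spokeDnat 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: spokePolicy
  name: 'spoke-a-dnat-rcg'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'publish-web'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'https-to-web'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewallPublicIp ]  // DNAT matches on the firewall's public IP
            destinationPorts: [ '443' ]
            translatedAddress: webServerPrivateIp
            translatedPort: '443'
          }
        ]
      }
    ]
  }
}

// The firewall instance in the hub, bound to the child policy (and so to the baseline as well).
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'hub-azfw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: spokePolicy.id }
    ipConfigurations: [ { name: 'ipconfig', properties: { subnet: { id: firewallSubnetId }, publicIPAddress: { id: firewallPipId } } } ]
  }
  dependsOn: [ baseAllowlist, spokeDnat ]  // finish the rule edits before attaching the policy
}

// Spoke route table: default route to the firewall's private IP; BGP routes suppressed so nothing bypasses it.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'spoke-a-rt'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [ { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress } } ]
  }
}
```

Deploy it into the hub resource group with `az deployment group create --resource-group <hub-rg> --template-file main.bicep`, then associate the spoke-a-rt route table with the spoke subnets (not shown; it is a property of the spoke VNet). Two points worth checking after deployment: the child policy shows corp-base-policy as its parent in Firewall Manager, which is what lets the central team change the allowlist once and have it apply to every firewall using a child policy; and the route table's next hop resolves to the firewall's private IP, since a route pointing anywhere else means the "central route management" row is not actually being enforced.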
A diagram titled "Azure Firewall Manager" showing key features (centralized deployment, hierarchical policy management, third‑party integration, central route management, wide region availability) on the left and a network architecture on the right with Azure Firewall instances in a secured vHub and Hub VNET, global/local admins, VPN/Virtual WAN connections to HQ/branch, datacenter and end-user devices, plus third‑party security integrations.
With these capabilities, Azure Firewall Manager enables policy-driven, scalable network security that delivers consistent protection across regions and operational boundaries. For more details and step-by-step guidance, see the official Azure documentation: