Azure Firewall Basic Diagram by Microsoft Docs

Azure Firewall Basic is available as Public preview

Microsoft announces with the Azure Firewall Standard and Premium two new Firewall Services available as PaaS solution what are a great benefit to classic Firewall deployments, because of native Autoscaling Features, no need for VM Management and more. Unfortunately the price was to high for SMBs, with 900€ for the Standard and over 1200€ for the Premium Edition. A frequently requested Features, was a cheaper variant aimed at small and medium businesses.

This wish has been answered and is now available in the form of the Azure Firewall Basic edition. The Azure Firewall Basic (AzFw Basic) is available as public preview and the planned subscription must first be prepared before the deployment can begin with some Powershell commands. This article will guide you through the setup process for a Hub and Spoke Network and the main difference between the three Azure Firewall editions.


Azure Firewall edition comparison

Microsoft already introduced the Azure Firewall as Standard Edition in 2018 and expanded it with numerous updates in 2019. The Firewall Manager followed at the end of 2019 to manage various Azure firewalls under one roof. Mid of 2021 Microsoft announced the Azure Firewall Premium edition and extend the capabilities compared to the standard edition by the following features: TLS Inspetion, IDPS, Web categories and URL Filerting.

The acceptance of the firewall has been high so far due to the numerous features and the fact that the firewall is provided as a PaaS solution. As an SMB solution, the prices called are too high and that is where the Basic Edition is now trying to attract attention.

The following table list the difference between the edition. Please note the Maximum throughput between the different edition. Azure Basic Firewall is limited at time of article of 2 VMs under the hood and a maximum troughput of 250 (maybe increase to GA).

Azure Firewall edition comparison include pricing for West Europe

The AzFw Basic public preview is available in the same regions as the Azure Firewall Standard and Premium.

Here are the Azure Firewall comparison provided by Microsoft.

Azure Firewall Editions comparison provided by Microsoft

Prepare the subscription

To deploy the AzFw Basic we need to prepare the subscription with some Powershell commands. Login to your Azure environment with an account with Contributor (or higher) permissions on the planned subscription.

Start a Azure Commandline in PowerShell mode and enter the following commands

Set-AzContext "Enter name of your Subscription"
Register-AzProviderFeature -FeatureName AzureFirewallBasic -ProviderNamespace Microsoft.Network

This process registers the AzFw Basic Provider in the selected subscription and can take up to 15 minutes to complete successfully.

Prepare the Network

The AzFw Basic needs a separate subnet inside a Azure VNET called “AzureFirewallSubnet“. You can use a existing VNET or create a new one for the Azure Firewall. The AzureFirewallSubnet must have a minimum size of 64 adresses – /26.

Please keep in mind the Azure Firewall must be deployed in the same resource group as the VNET exists. The Azure Firewall can not be deployed in a separate resource group, outside of the VNET RG.

After the resource provider is enrolled and the AzureFirwallSubnet is created you can create the AzFw Basic over the Azure Portal.

MS Docs – Deploy Azure Firewall Basic via Azure Portal


The Azure Firewall Basic is a great and long requested feature for Network security in Azure and from price perspective a needed addition to the existing editions specially for SMBs.

I had the possibility to test it during the private preview phase in the Azure Security team and like this new edition, because there is no change from mangement perspective compared to Standard and Premium.

If you have a question about the new version, please leave a comment.


Leave a Reply

Your email address will not be published. Required fields are marked *