Azure Firewall – When to Choose Which SKU
1. Azure Firewall Basic
Choose when:
- You are a small or mid-sized customer.
- The use case is non-critical: dev/test environments, pilot projects.
- You have limited throughput needs (up to about 250 Mbps). Basic runs as a fixed scale unit and does not autoscale, so it cannot absorb a traffic spike the way Standard and Premium can.
- You don't need advanced security such as TLS inspection or IDPS, and can also do without DNS proxy, web categories and threat-intelligence deny mode (Basic only alerts on threat-intelligence matches).
- Budget is a concern.
Not for: production enterprise workloads, regulated industries, or internet-facing apps.
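The Basic SKU has two deployment requirements that trip people up: it needs a second, management-only subnet (AzureFirewallManagementSubnet) with its own public IP in addition to AzureFirewallSubnet, and its policy cannot turn on the features listed above. The Bicep below is an added example, not code from the original post; the VNet and both subnets are assumed to exist, and the names (vnet-hub, fw-basic, pip-fw-basic) are hypothetical.

```bicep
// Added example (not from the original post): Azure Firewall Basic with a Basic-tier policy.
// Assumes vnet-hub already contains AzureFirewallSubnet and AzureFirewallManagementSubnet (/26 each).
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

// Basic needs the normal data-plane subnet AND a dedicated management subnet.
resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: 'AzureFirewallSubnet'
}
resource mgmtSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: 'AzureFirewallManagementSubnet'
}

// Two Standard-SKU static public IPs: one for data traffic, one for management.
resource pip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-fw-basic'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
resource mgmtPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-fw-basic-mgmt'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Basic-tier policy: threat intelligence can only alert on this SKU, and there is no
// dnsSettings.enableProxy, intrusionDetection or transportSecurity to configure.
resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'fwpol-basic'
  location: location
  properties: {
    sku: { tier: 'Basic' }
    threatIntelMode: 'Alert'
  }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'fw-basic'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Basic' }
    firewallPolicy: { id: policy.id }
    ipConfigurations: [
      {
        name: 'ipconfig-data'
        properties: {
          subnet: { id: fwSubnet.id }
          publicIPAddress: { id: pip.id }
        }
      }
    ]
    // Required by the Basic SKU: management traffic uses its own subnet and public IP.
    managementIpConfiguration: {
      name: 'ipconfig-mgmt'
      properties: {
        subnet: { id: mgmtSubnet.id }
        publicIPAddress: { id: mgmtPip.id }
      }
    }
  }
}
```

When you later outgrow Basic, the policy tier and the firewall tier have to change together; a Standard or Premium policy cannot be attached to a Basic firewall.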
2. Azure Firewall Standard
Choose when:
- You need enterprise-grade L3–L7 filtering (network rules, application rules and DNAT).
- You want threat-intelligence filtering in alert-and-deny mode, DNS proxy with custom DNS servers, and FQDN filtering.
- Workloads include internet egress, north-south, or east-west traffic, and you want the firewall to autoscale with load.
- You are running production apps that are not highly regulated.
- You want integration with Azure Monitor and Microsoft Sentinel for visibility.
Best for: most production workloads in mid-to-large environments.
3. Azure Firewall Premium
Choose when:
- Your apps handle PII, PHI, or financial data.
- You are in a regulated industry (banking, healthcare, government).
- You need TLS inspection (TLS termination and re-encryption) of outbound and east-west traffic. Premium does not inspect inbound TLS; put Application Gateway or Front Door with WAF in front of published apps for that. TLS inspection also needs an intermediate CA certificate in Key Vault, a user-assigned managed identity that can read it, and clients that trust that CA.
- You need signature-based Intrusion Detection and Prevention (IDPS) with alert or deny mode.
- You want URL filtering (full path, not just FQDN) and web categories evaluated at URL level; Standard evaluates web categories at FQDN level only.
- You face sophisticated threats or require zero-trust egress control.
Best for: high-security workloads, compliance-sensitive environments, e-commerce, or hybrid apps with critical data.
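The Premium features above are all switched on in the firewall policy, not on the firewall resource. The Bicep below is an added example, not code from the original post: a Premium policy with threat intelligence in deny mode, DNS proxy, IDPS in deny mode with one bypass entry, TLS inspection backed by a Key Vault certificate, and an application rule collection that uses web categories and full-URL matching. It assumes an RBAC-enabled Key Vault already holding the intermediate CA certificate (PFX without password), passed in as keyVaultName and caCertSecretId; the identity name, address ranges, bypass entry, web category names and example.com URL are hypothetical. Strip the intrusionDetection and transportSecurity blocks and set sku.tier to Standard and you have the equivalent Standard policy.

```bicep
// Added example (not from the original post): Azure Firewall Premium policy.
// Assumes an RBAC-enabled Key Vault that already holds the intermediate CA certificate.
param location string = resourceGroup().location
param keyVaultName string
// Secret identifier of the CA certificate, e.g. the vault's secrets/<cert-name> URI (assumed input).
param caCertSecretId string

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// User-assigned identity the firewall uses to fetch the CA certificate.
resource fwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-fw-premium'
  location: location
}

// Built-in role 'Key Vault Secrets User' on the vault; a certificate is read via its secret.
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, fwIdentity.id, 'kv-secrets-user')
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
    principalId: fwIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'fwpol-premium'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${fwIdentity.id}': {} }
  }
  properties: {
    sku: { tier: 'Premium' }
    threatIntelMode: 'Deny'            // Standard and Premium only; Basic is Alert-only
    dnsSettings: { enableProxy: true }  // needed for FQDN-based network rules
    intrusionDetection: {
      mode: 'Deny'
      configuration: {
        // Hypothetical bypass: skip IDPS for a trusted bulk-replication flow that trips signatures.
        bypassTrafficSettings: [
          {
            name: 'backup-replication'
            protocol: 'TCP'
            sourceAddresses: ['10.0.10.0/24']
            destinationAddresses: ['10.1.10.0/24']
            destinationPorts: ['10000']
          }
        ]
      }
    }
    transportSecurity: {
      certificateAuthority: {
        name: 'ca-inspection'
        keyVaultSecretId: caCertSecretId
      }
    }
  }
  dependsOn: [kvRole]
}

// Egress rules. Web categories and URL paths are only evaluated inside TLS when terminateTLS is true.
resource egressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: policy
  name: 'rcg-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-risky-categories'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'block-web-categories'
            sourceAddresses: ['10.0.0.0/16']
            protocols: [ { protocolType: 'Https', port: 443 }, { protocolType: 'Http', port: 80 } ]
            webCategories: ['Hacking', 'Gambling']   // category names assumed for illustration
            terminateTLS: true
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-egress'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-single-api-path'
            sourceAddresses: ['10.0.0.0/16']
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetUrls: ['api.example.com/v1/status']   // full-URL match: Premium only
            terminateTLS: true
          }
        ]
      }
    ]
  }
}
```

The azureFirewalls resource itself is declared the same way as for the other tiers, with sku.tier set to Premium and firewallPolicy pointing at this policy. Two operational caveats: every client behind the firewall must trust the intermediate CA or it will see certificate errors on inspected connections, and pinned or mutual-TLS destinations must be excluded from inspection (rules without terminateTLS) rather than left to fail.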
Summary Recommendations

| Scenario | Recommended SKU |
|---|---|
| Dev/test environment | ✅ Basic |
| Small business with ~100 VMs and light traffic (under ~250 Mbps) | ✅ Basic |
| Production workload (general enterprise) | ✅ Standard |
| Public-facing app with egress control | ✅ Standard or Premium (inbound protection belongs to a WAF on Application Gateway or Front Door) |
| PCI, HIPAA, or financial compliance | ✅ Premium |
| Need for outbound TLS decryption | ✅ Premium |
| Advanced threat protection and IDPS | ✅ Premium |
| Cost-optimized centralized firewall | ✅ Standard (autoscaling; Basic cannot autoscale) |
Basic vs Standard vs Premium

| Feature | Basic | Standard | Premium |
|---|---|---|---|
| Use case | Small orgs, dev/test | Enterprise production environments | High-security, regulated workloads |
| Deployment scale | Fixed scale unit (two backend instances), about 250 Mbps | Autoscales, up to 30 Gbps | Autoscales, up to 100 Gbps |
| Availability Zones | ✅ Zone-redundant (select regions) | ✅ Zone-redundant | ✅ Zone-redundant |
| Threat intelligence-based filtering | ✅ Alert mode only | ✅ Alert and deny modes | ✅ Alert and deny modes |
| TLS inspection | ❌ | ❌ | ✅ Outbound and east-west (CA certificate in Key Vault) |
| IDPS (intrusion detection/prevention) | ❌ | ❌ | ✅ Signature-based, alert or deny |
| Web categories and URL filtering | ❌ | ✅ Web categories at FQDN level | ✅ Web categories at URL level plus full URL filtering |
| Custom DNS / DNS proxy | ❌ | ✅ | ✅ |
| FQDN tags and service tags | ✅ | ✅ | ✅ |
| SNAT/DNAT support | ✅ | ✅ | ✅ |
| Network and application rules | ✅ | ✅ | ✅ |
| Pricing | Lowest | Moderate | Highest |
| Azure Policy integration | ✅ | ✅ | ✅ |
| Logging and monitoring | Diagnostic logs | Full diagnostic logs | Full diagnostic logs plus IDPS and TLS inspection logs |