Deploying Azure Firewall Basic Tier

  • Post author:
  • Post category:Main
  • Post last modified:November 9, 2022
  • Reading time:5 mins read

Azure Firewall Basic is a new SKU of Azure Firewall geared towards small and medium size customers, designed to be at an affordable price point. The new basic tier still includes all of the great benefits of being an enterprise-grade stateful firewall, similar to the other SKU’s (Standard and Premium). 

The new tier of Azure Firewall will provide smaller customers with a better choice of choosing between the cloud-native Azure Firewall solution to protect their network and a 3rd party NVA running software such as PFsense, Fortigate or SophosXG. 

What is the difference between Azure Firewall Basic and Standard?

The basic and standard tiers of Azure Firewall are very similar however do have some differences. 

Key differences:

  • Lack of network-level FQDN filtering.
  • Azure Firewall Basic provides up to 250 Mbps throughput, compared to the 30Gbps limit of the standard tier.
  • You cannot provide web content filtering with Azure Firewall Basic.
  • You cannot use custom DNS settings with Azure Firewall Basic. DNS will be provided by Azure.
  • Threat Intelligence-based filtering can only be enabled in alert mode, which means traffic to known malicious destinations can not be automatically blocked.

See a full feature breakdown below:

Azure Firewall Tier chart

Should I use Azure Firewall Basic?

For development/test networks, I would recommend Azure Firewall basic for the purpose of providing basic functionality with the benefits of being an Azure-based solution and its simplicity. 

However, the Azure Firewall basic tier, does not provide some very (arguably) basic features, listed above, that are important in any network design.

Is Azure Firewall Basic worth the cost?

Azure firewall basic is significantly cheaper than the standard tier. Using the Azure pricing calculator we can do some breakdown of these costs. 

Let us take a look at the cost if we create an Azure Firewall instance in the UK South region, running 24/7 (roughly 730 hours a month) and processing 500GB of data.

Basic tier cost: £298.56 per month

Standard tier cost: £856.56 per month

Now, let us take a look at some other firewall Vendors and the cost of running their virtual appliances in Azure. I am basing these costs from personal experience and some research, but I am trying to be as accurate as possible. Prices are based on an Azure F2s series VM.

PF Sense (pay as you go license): £296.63 / month (based on £0.21 per hour licensing costs)

Sophos XG (pay as you go license): £588.63 / month (based on £0.61 per hour licensing costs)

Fortigate (pay as you go license): £705.48 / month (based on £0.77 per hour licensing costs)

As you can see from the above, Azure Firewall Basic tier has entered the market at a competitive price point and even more so when more basic features are released.

How to enable Azure Firewall Basic in your Azure tenant

  1. Open Powershell and connect to your Azure Tenant with the following commands
Select-AzSubscription -Subscription "your subscription name"

2. Register the Azure provider feature for Azure Firewall Basic

Register-AzProviderFeature -FeatureName "AzureFirewallBasic" -ProviderNamespace "Microsoft.Network"

3. You should see the following output

Register Azure firewall basic

4. Lastly run the following command

Register-AzResourceProvider -ProviderNamespace "Microsoft.Network"

5. You can check the registration state of the feature with the following command

Get-AzProviderFeature -FeatureName "AzureFirewallBasic" -ProviderNamespace "Microsoft.Network"

Create a basic tier Azure Firewall

During the firewall creation progress with the Azure management portal, you should have the following option to select the Basic SKU.

Once your resource has been provisioned you will see the Firewall SKU is showing as basic:

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

Leave a Reply