Azure Firewall is Microsoft's managed stateful L3-L7 firewall and network security service. It is typically deployed in the Hub VNet of a hub-and-spoke architecture to centralize organization-wide traffic control, FQDN filtering, and threat intelligence integration. This article gives you a comprehensive walk-through of Azure Firewall: SKU selection, rule design, Firewall Manager integration, and operational best practices.
| Item | Basic | Standard | Premium |
|---|---|---|---|
| Target | SMB / small-mid size | Standard enterprise | Advanced security requirements |
| Max throughput | 250 Mbps | 30 Gbps | 30 Gbps |
| Application Rule | Supported | Supported | Supported + URL Filtering |
| Network Rule | Supported | Supported | Supported |
| Threat Intelligence | Basic | Standard | Standard |
| TLS Inspection | Not supported | Not supported | Supported |
| IDPS | Not supported | Not supported | Supported |
| Web Categories | Not supported | Not supported | Supported |
| Zone Redundancy | Not supported | Supported | Supported |
| Monthly cost | From ~$300 | From ~$900 | From ~$2,600 |
For most production environments, Standard is sufficient. Premium is required when you need malware inspection inside encrypted traffic, or when you must meet advanced compliance requirements such as PCI DSS or HIPAA.
*.microsoft.comA DNAT Rule forwards traffic that arrives at the Azure Firewall's public IP to a private IP inside the VNet.
Caveat: pay special attention to the security of any VM exposed via a DNAT Rule. For production web publishing, the recommended combination is Application Gateway / Front Door + WAF + Private Endpoint, and Azure Firewall DNAT is best reserved for management scenarios.
Azure Firewall Manager is a control-plane service for centrally managing multiple Azure Firewall instances.
For enterprises running multi-region hub-and-spoke deployments, the best practice is to define common policies (allow Microsoft 365, block risky countries, etc.) as a parent policy inherited by every firewall, and add region-specific rules in child policies.
Forced Tunneling routes internet-bound traffic from Azure Firewall or an Azure VNet out through an on-premises firewall.
Trade-offs: the on-prem firewall becomes a bottleneck, latency rises, and costs increase. Cloud-native-leaning companies rarely use it, but it's worth knowing as a required pattern in regulated industries.
| Item | NSG | Azure Firewall |
|---|---|---|
| Layer | L3-L4 | L3-L7 |
| Scope | Subnet / NIC | Entire VNet |
| Pricing | Free | Paid (hundreds to thousands of USD per month) |
| FQDN filtering | Not supported | Supported (Application Rule) |
| Threat intelligence | Not supported | Supported |
| Log aggregation | NSG Flow Logs | Diagnostic Logs |
| Use | Baseline security | Organization governance / advanced control |
The two are complementary, not competing, and using them together is the standard. Microsoft also recommends combining both.
What is Azure Firewall?
Azure Firewall is a Microsoft-managed stateful L3-L7 firewall and network security service. Deployed per VNet, it delivers organization-wide traffic control, FQDN filtering, threat intelligence integration, IDPS (Premium), and TLS inspection (Premium). The standard pattern is to place it in the Hub VNet of a hub-and-spoke architecture. It plays a complementary role to Network Security Groups (NSGs): NSGs handle subnet-level L3-L4 controls while Azure Firewall provides L7 governance across the entire VNet.
What are the differences between Basic, Standard, and Premium SKUs?
Basic SKU (GA 2023): targeted at SMBs, up to 250 Mbps, starting around $300/month. Includes Application/Network Rules, basic threat intelligence, and IP Groups. Standard SKU: for typical enterprises, up to 30 Gbps, starting around $900/month. Supports Forced Tunneling, DNS Proxy, and Zone Redundancy. Premium SKU: for advanced security requirements, starting around $2,600/month. Adds TLS inspection (encrypted traffic inspection), IDPS (intrusion detection and prevention), URL filtering, and Web Categories. Use Premium when you need malware inspection inside encrypted traffic or advanced compliance such as PCI DSS or HIPAA. Most production environments are well served by Standard.
What is Azure Firewall Manager?
Azure Firewall Manager is a control-plane service for centrally managing multiple Azure Firewall instances. You create JSON-based Firewall Policies and apply them across firewalls with inheritance support. Integrating Azure Firewall into a Secured Virtual Hub in Virtual WAN requires going through Firewall Manager. In enterprises operating multi-region hub-and-spoke deployments, the best practice is to define common policies (allow Microsoft 365, block risky countries, etc.) as a parent policy inherited by every firewall, then layer region-specific rules in child policies. You can also delegate Firewall Policy ownership to your SOC team via Microsoft Entra ID RBAC.
What is the difference between Application Rules and Network Rules?
Network Rules provide L3-L4 control based on IP addresses, ports, and protocols (TCP/UDP/ICMP) — the classic firewall rule. Application Rules provide L7 control based on FQDNs (Fully Qualified Domain Names), and apply only to HTTP/HTTPS. For example, "allow HTTPS to *.microsoft.com" or "allow HTTP/HTTPS to *.windowsupdate.com". Microsoft also ships FQDN Tags — pre-defined FQDN groups such as Microsoft365, WindowsUpdate, and AzureBackup. The design principle: outbound access to Microsoft 365, Windows Update, and Azure services should be configured concisely with Application Rules + FQDN Tags, while server-to-server traffic should be controlled by Network Rules using IP and port.
How do you use DNAT (Destination NAT) Rules?
DNAT Rules forward traffic that reaches the Azure Firewall's public IP to a private IP inside the VNet. Typical use cases: 1) RDP/SSH management access (e.g., forward port 22 on the firewall's public IP to port 22 on a Jumpbox VM inside the VNet); 2) Web server publishing (forward 80/443 on the firewall to a Web Server VM); 3) Receiving specific ports from IoT devices. Caveat: pay special attention to the security of any VM exposed via a DNAT Rule — going through Application Gateway WAF or Front Door is more secure. For production web publishing, the recommended combination is Application Gateway / Front Door + WAF + Private Endpoint. Azure Firewall DNAT is best reserved for management scenarios.
What is Forced Tunneling?
Forced Tunneling is a configuration that routes internet-bound traffic from Azure Firewall or an Azure VNet out through an on-premises firewall. It's the pattern used by financial institutions and government agencies whose security policies require all internet egress to be inspected by an on-premises firewall. It is supported by Azure Firewall Standard and Premium (Basic does not support it), and it is configured by pointing the default route (0.0.0.0/0) in the AzureFirewallSubnet UDR to a VPN Gateway or ExpressRoute Gateway. Trade-offs: the on-prem firewall becomes a bottleneck, latency increases, and costs rise. Cloud-native-leaning companies rarely use it, but it's worth understanding as a required pattern in regulated industries.
When do you use NSGs vs. Azure Firewall?
NSGs (Network Security Groups) provide stateful L3-L4 control at the subnet/NIC level, are free of charge, and apply across every VNet by default. Azure Firewall provides L3-L7 control at the VNet level, is a paid service, and is used for organization-wide governance. Design principle: always apply NSGs for baseline security, and place Azure Firewall in the Hub VNet for advanced control, FQDN filtering, and threat intelligence. Concretely: control VM-to-VM traffic inside a subnet with NSGs by IP and port; control Spoke-to-Internet egress through the Hub's Azure Firewall with FQDN filtering and centralized logging. The two are complementary rather than competing, and using them together is the standard. Microsoft also recommends combining both. See the VNet complete design guide for details.
Which certifications cover Azure Firewall?
AZ-700 (Network Engineer Associate) covers Azure Firewall in depth — design decisions around Application Rules, Network Rules, DNAT, FQDN Tags, Firewall Manager, and Forced Tunneling appear frequently. AZ-104 (Administrator) covers the basics in Domain 4. AZ-305 (Solutions Architect Expert) covers selection from an architect's perspective. SC-100 (Cybersecurity Architect Expert) treats it as central to zero-trust network design. SC-500 (formerly AZ-500, GA September 2026) treats it as a major topic in Azure security implementation. Understanding Azure Firewall is an essential skill for any network or security engineer working with Azure.
Related Articles & Deep Dives
Azure Application Gateway vs Front Door 完全比較|L7 ロードバランサーの選定ガイド【2026 年版】
Azure の L7 ロードバランサー Application Gateway と Front Door を完全比較。リージョン vs グローバル・WAF 機能・SKU 選定 (Standard / Premium)・コスト・適用シーンを表形式で整理。両方組み合わせる多層構成、Traffic Manager / Azure CDN との関係、関連認定試験 (AZ-700 / AZ-305) を日本語で網羅。
Azure NSG / ASG 設計集|Network Security Group ルール設計・Application Security Group 活用パターン【2026 年版】
Azure の NSG (Network Security Group) と ASG (Application Security Group) の完全設計ガイド。ルール優先度・Service Tags・3-tier ASG 設計パターン・NSG Flow Logs・Traffic Analytics・落とし穴・関連認定試験 (AZ-700 / SC-100) を日本語で網羅。
Azure VPN Gateway 完全ガイド|SKU 選定・Site-to-Site/Point-to-Site・BGP・Active-Active【2026 年版】
Azure VPN Gateway の完全ガイド。SKU 選定 (VpnGw1-5)・Site-to-Site / Point-to-Site / VNet-to-VNet・BGP 動的ルーティング・Active-Active 高可用構成・Zone Redundant SKU・IKE Policy 強化・運用ベストプラクティス・関連認定試験 (AZ-700 / AZ-305) を日本語で網羅。
Azure Policy 完全ガイド|Effect・Built-in/Custom・Initiative・Remediation・コンプライアンス【2026 年版】
Azure Policy の完全ガイド。Effect 7 種類 (Deny/Audit/Modify/DeployIfNotExists/Append/AuditIfNotExists/Disabled) の使い分け、Built-in vs Custom Policy、Initiative (Policy Set)、Assignment Scope、Remediation、Microsoft Cloud Security Benchmark コンプライアンス活用、関連認定試験 (AZ-104 / SC-100 / AZ-305) を日本語で網羅。
Technical information in this article is based on the Azure Firewall Documentation. This article is not an official Microsoft Corporation product and has no affiliation, partnership, or sponsorship with Microsoft. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.
Practice with certification-focused question sets
View Azure exam prepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...