New – Azure Firewall Basic
** Update – As of 3/15/2023 Azure Firewall Basic is generally available with no significant changes to features or pricing. **
Microsoft just released the new Azure Firewall Basic SKU to public preview and I have thoughts. You can find the original announcement here. I’m excited that Microsoft is targeting a lower price point with this service and thinking about the budget of an SMB. I think there are some interesting considerations and potential reasons to use this service. But I would be careful saying this is the firewall solution that SMBs have been waiting for.
Microsoft has done a great job in working with network security vendors like Palo Alto, Cisco, and others over the past several years. This has given clients a lot of great options when designing a network security architecture. In parallel, Microsoft has been developing a world class first party managed firewall solution. This leaves clients with some great options for network security on Azure.
What I would like to do is give a comparison of the features, cost, and throughput of some of some of these solutions and then make a recommendation on some scenarios where each makes sense. That being said, every situation is unique.
One of the key questions I always ask organizations when it comes to network security solutions is “what is your team familiar with using today?” It is important to consider the human factor along with these decisions, so if your organization is heavily invested in a particular vendor, I would use that as a starting point to see if they have offerings that meet your needs without having to learn a completely new product.
1st Party vs 3rd Party Solutions
When choosing network security solutions to run on Azure, there are two types of solutions to choose from, first party solutions or third party solutions. First party solutions are those directly supported and operated by Microsoft (such as Azure Firewall). Third party solutions are those that run on Azure, but are developed and supported by another vendor (such as Palo Alto or Barracuda).
If you are already heavily invested in a particular vendor, you should start by checking if they offer a virtual appliance supported on Azure. If they don’t you should look to the first party solutions. However, if they do, you should weigh feature sets and costs. Does your vendor have deep support for running their products in an Azure environment? If not, you may still be better served by moving to a first party service.
Solutions Overview
I want to give a quick overview of some of the first party network security solutions on Azure to give a baseline for comparison:
- NSG – simple stateful network rules that can be applied to subnets or interfaces
- NAT Gateway – simple SNAT/DNAT gateway assignable to a single subnet
- Firewall Basic – Zone redundant firewall with stateful rules and alerting for known bad addresses
- Firewall Standard – Zone redundant firewall with high throughput and blocking of known bad addresses
- Firewall Premium – Zone redundant firewall with high throughput, blocking of known bad addresses, IDPS, TLS inspection, and more
These are not all tiers of the same type of service, so it is important to understand the capabilities of each of these solutions. Below is a table of features that each service supports along with an estimated cost per month.
Feature | NSG | NAT Gateway | Basic | Standard | Premium |
Price Per Month | Free | ~$35 | ~$300 | ~$1000 | ~$1350 |
Stateful Firewall | Yes | No | Yes | Yes | Yes |
FQDN Filtering | No | No | Yes | Yes | Yes |
Availability Zones | N/A | No | Yes | Yes | Yes |
Throughput | N/A | 50Gbps | 250Mbps | 30Gbps | 100Gbps |
Central Mgmt | No | No | Yes | Yes | Yes |
Change Reporting | No | No | Yes | Yes | Yes |
Service Tags | Yes | No | Yes | Yes | Yes |
DevOps | Yes | Yes | Yes | Yes | Yes |
SIEM Integration | No | No | Yes | Yes | Yes |
DNS Proxy | No | No | Yes | Yes | Yes |
Threat Intelligence | No | No | Alert | Yes | Yes |
Inbound TLS | No | No | No | No | Yes |
Outbound TLS | No | No | No | No | Yes |
IDPS | No | No | No | No | Yes |
Path Based Filtering | No | No | No | No | Yes |
Solution Scenarios
Network Security Groups (NSGs) are very simple but powerful traffic rules that can be associated with multiple subnets or network interfaces. NSGs should be applied across most or all subnets and interfaces to give a basic level of protection. They are highly scalable and cost nothing by themselves.
NAT Gateways are useful if you need to force traffic for a subnet to always show the same outbound public IP. This is useful when another party needs to whitelist traffic for your application. NAT Gateways are high throughput, but they are not zone redundant.
Azure Firewall Premium is a high throughput, zone redundant, network security service with a lot of additional features. The feature set and maturity is nearly on parity with some of the leading next generation firewall appliances. With features like IDPS, TLS inspection, content filtering, and more, it is a very robust enterprise network security solution.
The Firewall Standard SKU is similar to the above, however it lacks some of the more advanced security features such as IDPS and TLS inspection. While there is some cost savings and high throughput, there isn’t a lot left in the way of features to make it a compelling solution in very many situations.
Azure Firewall Basic is a lower cost and lower throughput version that also limits the capabilities even further. While Basic is still zone redundant and does have some limited FQDN filtering, I would argue that it is so limited it is little better than an NSG.
One scenario I find interesting is possibly using Azure Firewall Basic as a zone redundant NAT gateway.
This scenario could significantly reduce the complexity of configuring a zone redundant application hosted on virtual machines as long as the limited throughput and increased cost can be justified.
Managed vs Unmanaged Solutions
I think it is important to remember that these 1st party solutions from Microsoft are “managed” solutions. What I mean by that is Microsoft takes care of updates, maintenance, hardware, etc. Compared to a 3rd party solution, the management effort is dramatically lower. That is very important to keep in mind when comparing cost. With a 3rd party network security solution you will likely have to do some regular maintenance activities manually and it is important to consider this cost.
In my opinion, the Azure Firewall Premium SKU is a very compelling solution because the features are sufficiently advanced to give an appropriate level of security. When the price is considered in light of it being a managed solution it is a lot more palatable. Finally the throughput and redundancy are very impressive.
The Standard SKU doesn’t seem like it compares well to a third party solution on either feature set or price. This would lead me to recommend either going up to the Premium SKU or looking to a 3rd party solution hosted on Azure.
The Basic SKU barely qualifies as a security solution in my opinion, but it does have some intriguing possibility as a zone redundant NAT solution. At this price point it is definitely worth looking at a 3rd party solution hosted in Azure.
Conclusion
While I am excited to see Microsoft continuing to build out their network security solutions, I don’t think the Azure Firewall Basic quite hits their target segment. I think they have stripped out too many features to call it a real security solution. In my opinion it makes more sense to look at either a 3rd party offering or step up to the great Azure Firewall Premium service. But I do think there is an interesting use case for the Firewall Basic as a zone redundant gateway. Thanks for reading and stay tuned for more new Azure services and features!
Share this content:
I am a leader and solutions architect with over 10 years of hands on experience in private, public, and hybrid cloud technologies, networking, security, and data center management. My passion is to help clients gain agility and accelerate their business through IT modernization using cloud technologies.
I have consulted for some of the largest universities and corporations in the world on topics such as Azure Architecture, Infrastructure as Code, Azure Virtual Desktop, Application Hosting, Network Security, Identity Management, and much more.
Finally, I am actively involved in Christian ministry as a teacher and I strive to reflect the character of Jesus in every area of life.
The best place to contact me is on LinkedIn
You can subscribe to receive new posts via email.
Leave a Reply