Azure Firewall Active-Active Implementation and Configuration

Azure Firewall Active-Active Implementation and Configuration for Enterprise High Availability

In Enterprise Azure Environments, Perimeter Security cannot be a Single Point of Failure. Azure Firewall deployed in an Active-Active Configuration ensures High Availability, Horizontal Scalability, and Zone Resiliency while Maintaining Centralized Traffic Inspection and Governance Control.

This Guide provides a Production-Grade, Enterprise-Focused Walkthrough of Azure Firewall Deployment in Active-Active Mode, including Architecture Design, Configuration Steps, Routing Considerations, Availability Zones, and Best Practices.

This article assumes familiarity with Azure Networking, Routing, and Enterprise Governance Models.

Architecture Overview

Azure Firewall in Active-Active Mode is designed to:

§  Distribute Traffic Across Multiple Firewall Instances

§  Provide Zone-Redundant Resiliency

§  Maintain Consistent State Synchronization

§  Eliminate Single-Instance Bottlenecks

In Active-Active Configuration:

§  Multiple Firewall Instances Process Traffic Simultaneously

§  Azure Load Balancer Distributes Flows Internally

§  Stateful Inspection is Preserved

§  Session Persistence is Maintained

Enterprise Deployment Topology

Production-Grade Architecture Includes:

§  Hub-and-Spoke Network Design

§  Dedicated AzureFirewallSubnet

§  AzureFirewallManagementSubnet (For Forced Tunneling)

§  User Defined Routes (UDRs)

§  NAT Gateway or Outbound Control Strategy

§  Availability Zones enabled

§  Centralized Logging to Log Analytics

Key Components:

Virtual Network (Hub)
Azure Firewall (Zone Redundant)
Spoke VNets (Workloads)
Private Endpoints
Azure Firewall Policy
Azure Monitor
+ Log Analytics

Prerequisites

Before deploying Azure Firewall Active-Active:

§  Virtual Network with Address Space Defined

§  Subnet named AzureFirewallSubnet (Minimum /26 Recommended for Production)

§  Optional AzureFirewallManagementSubnet if Forced Tunneling Required

§  Availability Zones Supported in Selected Region

§  Log Analytics Workspace Created

Important: The AzureFirewallSubnet must be named exactly AzureFirewallSubnet.

Deployment Steps Using Azure Portal

Step 1: Create Azure Firewall

Navigate to:

Azure Portal Create Resource Networking Azure Firewall

Configuration Settings:

Subscription
Resource Group
Name
Region
Firewall SKU: Premium (Recommended for Enterprise)
Firewall Management: Firewall Policy

Under Availability Zones:

Enable Zone-Redundant Deployment
Select Zones 1, 2, 3

Virtual Network:

Select Hub VNet
Select AzureFirewallSubnet

Public IP:

Create Standard Public IP
Zone Redundant

This Automatically Deploys Firewall in Active-Active Configuration when Zones are enabled.

Step 2: Create Firewall Policy

Azure Firewall Firewall Policy Create

Policy structure:

Rule Collection Groups
Network Rules
Application Rules
DNAT Rules

Best Practice:

Separate Rule Groups by Function:

Infrastructure Rules
Outbound Internet Rules
Private Endpoint Rules
Management Rules

Attach the Policy to the Firewall.

Active-Active Behavior

When Availability Zones are enabled:

Azure Deploys Multiple Instances

Azure Internal Load Balancer Distributes Traffic

Health Probes Monitor Instance Health

Failed Instance Traffic Automatically Rerouted

You do not manually configure Active-Active.
It is automatically handled when Zone-Redundant Deployment is selected.

Routing Configuration

User Defined Routes are required for Traffic Inspection.

Example Route Table Configuration:

Route name: DefaultRoute
Address prefix: 0.0.0.0/0
Next hop type: Virtual appliance
Next hop IP: Private IP of Azure Firewall

Associate Route Table to Spoke Subnets.

This Ensures Outbound Traffic Flows:

Spoke Azure Firewall Internet

For East-West Traffic Inspection:

Define specific Routes between Spokes through Firewall.

Forced Tunneling Scenario

If your Enterprise requires On-Prem Inspection:

Deploy AzureFirewallManagementSubnet

Configure default route to VPN Gateway or ExpressRoute

Use Separate Management IP

This Allows:

All internet-Bound Traffic On-Premises Security Stack

High Availability Considerations

To ensure Enterprise-Grade Resiliency:

Use Availability Zones

Use Zone-redundant Public IP

Monitor Instance Health

Enable Diagnostic Logs

Deploy in Hub Network Model

Use Azure Firewall Premium for TLS Inspection

Scaling and Throughput

Azure Firewall Auto-Scales Based on Throughput Demand.

Enterprise Guidance:

Monitor SNAT Port Utilization

Monitor CPU and Throughput Metrics

Use multiple public IP Addresses if required

Consider NAT Gateway for High Outbound Volume Workloads

Diagnostics and Monitoring

Enable Diagnostic Settings:

Azure Firewall Diagnostic Settings Send to Log Analytics

 Enable Logs:

ApplicationRule
NetworkRule
DNATRule
AzureFirewallFlowTrace
ThreatIntel

 Monitor via:

Azure Monitor
Log Analytics Queries
Alerts for Dropped Traffic
Alerts for SNAT Exhaustion

Sample KQL Query for Denied Traffic:

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where action_s == "Deny"

Security Best Practices

§  Use Firewall Policy instead of Inline Rules

§  Restrict Public Access

§  Enable Threat Intelligence Mode (Alert and Deny)

§  Enable TLS Inspection (Premium SKU)

§  Use FQDN Filtering

§  Use IP Groups for Rule Organization

§  Apply Least Privilege Network Access

Common Design Mistakes

Using Basic SKU in Production
Not enabling Availability Zones
Deploying in Spoke instead of Hub
Not configuring UDR Correctly
Ignoring SNAT Exhaustion
Not enabling Diagnostic Logging

Active-Active Verification

To confirm Active-Active Behavior:

Check:

Azure Firewall Overview Zones

Ensure Multiple Zones are listed.

Monitor metrics:

Firewall Throughput
Instance Health

Azure Automatically Balances Traffic.

There is no manual Toggle for Active-Active.

Enterprise Production Checklist

AzureFirewallSubnet Sized Correctly
Zone-Redundant Deployment Enabled
Public IP Zone-Redundant
Firewall Policy Attached
UDRs applied to Spokes
Diagnostics Enabled
Threat Intelligence Enabled
Monitoring Alerts Configured

Conclusion

Azure Firewall Active-Active Deployment provides Enterprise-Grade Availability, Resiliency, and centralized security Inspection for Hub-and-Spoke Architectures.

When deployed with Availability Zones, Proper Routing, and Firewall Policies, Azure Firewall becomes a Scalable, Stateful, and Resilient Perimeter Control Point for Enterprise Azure Environments.

Active-Active is not an Optional Enhancement in Production.
It is a Baseline Requirement for High-Availability Network Security Architecture.

 

POWER SHELL DEPLOYMENT SCRIPT
Zone-Redundant Azure Firewall with Firewall Policy

# Variables
$rgName = "rg-hub-network-prod"
$location = "eastus2"
$vnetName = "vnet-hub-prod"
$firewallName = "azfw-hub-prod"
$publicIpName = "pip-azfw-prod"
$firewallPolicyName = "azfw-policy-prod"

# Create Resource Group

New-AzResourceGroup -Name $rgName -Location $location

# Create Public IP (Zone Redundant)
$publicIp = New-AzPublicIpAddress `
    -Name $publicIpName `
    -ResourceGroupName $rgName `
    -Location $location `
    -AllocationMethod Static `
    -Sku Standard `
    -Zone 1,2,3

# Create Firewall Policy
$firewallPolicy = New-AzFirewallPolicy `
    -Name $firewallPolicyName `
    -ResourceGroupName $rgName `
    -Location $location `
    -SkuTier Premium

# Get VNet
$vnet = Get-AzVirtualNetwork `
    -Name $vnetName `
    -ResourceGroupName $rgName

# Get AzureFirewallSubnet
$subnet = Get-AzVirtualNetworkSubnetConfig `
    -Name "AzureFirewallSubnet" `
    -VirtualNetwork $vnet

# Create Firewall IP Configuration
$ipConfig = New-AzFirewallIPConfiguration `
    -Name "fw-ipconfig" `
    -Subnet $subnet `
    -PublicIpAddress $publicIp

# Create Azure Firewall (Zone Redundant)
New-AzFirewall `
    -Name $firewallName `
    -ResourceGroupName $rgName `
    -Location $location `
    -VirtualNetwork $vnet `
    -FirewallPolicy $firewallPolicy `
    -IpConfiguration $ipConfig `
    -Zone 1,2,3

Important Notes:

  • AzureFirewallSubnet must be Minimum /26 for Production.
  • Public IP must be Standard SKU.
  • Availability Zones Enable Active-Active Automatically.
  • Firewall Policy is Mandatory for Enterprise Governance.

BICEP TEMPLATE
Zone-Redundant Azure Firewall with Premium SKU

param location string = resourceGroup().location
param firewallName string = 'azfw-hub-prod'
param vnetName string
param firewallPolicyName string = 'azfw-policy-prod'
param publicIpName string = 'pip-azfw-prod'

resource publicIp 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: publicIpName
  location: location
  sku: {
    name: 'Standard'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: firewallPolicyName
  location: location
  properties: {
    sku: {
      tier: 'Premium'
    }
  }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: firewallName
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Premium'
    }
    firewallPolicy: {
      id: firewallPolicy.id
    }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'AzureFirewallSubnet')
          }
          publicIPAddress: {
            id: publicIp.id
          }
        }
      }
    ]
  }
}

Deploy with:

New-AzResourceGroupDeployment `
  -ResourceGroupName rg-hub-network-prod `
  -TemplateFile .\azurefirewall.bicep `
  -vnetName vnet-hub-prod

PERFORMANCE TUNING DEEP DIVE
Enterprise Optimization Guide

1.      Throughput Planning

Azure Firewall Premium Auto-Scales but:

Baseline throughput ~30 Gbps depending on SKU

Scales based on CPU and Connection Count

Cold Scaling takes Time

 

Enterprise Guidance:

Pre-Warm Under Load Before Go-Live

Monitor Scale Events

2.      SNAT Port Exhaustion

Each Public IP provides approximately 64,000 SNAT Ports per Instance.

Symptoms:

Intermittent Outbound Failures

Connection Resets

Sporadic HTTP Failures

Mitigation Strategies:

Add Multiple Public IP Addresses

Use Azure NAT Gateway for High Outbound Workloads

Distribute Workloads Across Subnets

 

Add Additional Public IP Example:

New-AzFirewallPublicIpAddress `
  -FirewallName $firewallName `
  -ResourceGroupName $rgName `
  -PublicIpAddress $secondPublicIp

3.      Avoid Asymmetric Routing

Common Mistake:

Traffic enters through Firewall
Returns directly via Internet Gateway

Fix:

Ensure Consistent UDR Configuration
Force 0.0.0.0/0 Through Firewall
Validate Return Path

4.      TLS Inspection Performance

Premium SKU enables TLS Inspection.

Impact:

Increased CPU Consumption

Increased Latency

Certificate Management Overhead

Best practice:

Only inspect required Domains

Use FQDN Tags Wisely

Monitor CPU Metric

5.      Log Analytics Performance

High Traffic Generates Massive Logs.

Enterprise Guidance:

Use dedicated Log Analytics Workspace

Apply Retention Policy

Archive Older Logs

Create Alert-Based Monitoring, not Full Scans

6.      IP Groups for Rule Optimization

Large Rule sets Degrade Manageability.

Use:

IP Groups
Rule Collection Groups
Separate Policies per Environment

7.      Scaling Considerations

Auto-Scaling is Reactive.

Enterprise Best Practice:

Monitor FirewallHealth Metric

Alert on CPU above 70%

Alert on SNAT Utilization

Alert on DroppedPackets Spike

8.      Availability Zones Best Practice

Always Deploy:

Firewall in Zones 1,2,3

Public IP in Zones 1,2,3

Hub vNet supporting Zones

Active-Active is Automatically Enabled.

ENTERPRISE MONITORING QUERY EXAMPLES

High SNAT usage:

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| summarize count() by SourceIp_s

 

Denied Traffic Spike:

AzureDiagnostics
| where action_s == "Deny"
| summarize count() by bin(TimeGenerated, 5m)

FINAL ENTERPRISE CHECKLIST

AzureFirewallSubnet Minimum /26
Zone Redundant Enabled
Premium SKU
Firewall Policy Attached
Threat Intelligence Enabled
Diagnostics Enabled
SNAT Monitoring Enabled
UDR Correctly Configured
NAT Gateway Evaluated
IP Groups Used
TLS Inspection Controlled

 

0 comments

Leave a comment

Please note, comments need to be approved before they are published.