
Azure Firewall Active-Active Implementation and Configuration for Enterprise High Availability
In Enterprise Azure Environments, Perimeter Security cannot be a Single Point of Failure. Azure Firewall deployed in an Active-Active Configuration ensures High Availability, Horizontal Scalability, and Zone Resiliency while Maintaining Centralized Traffic Inspection and Governance Control.
This Guide provides a Production-Grade, Enterprise-Focused Walkthrough of Azure Firewall Deployment in Active-Active Mode, including Architecture Design, Configuration Steps, Routing Considerations, Availability Zones, and Best Practices.
This article assumes familiarity with Azure Networking, Routing, and Enterprise Governance Models.
Architecture Overview
Azure Firewall in Active-Active Mode is designed to:
§ Distribute Traffic Across Multiple Firewall Instances
§ Provide Zone-Redundant Resiliency
§ Maintain Consistent State Synchronization
§ Eliminate Single-Instance Bottlenecks
In Active-Active Configuration:
§ Multiple Firewall Instances Process Traffic Simultaneously
§ Azure Load Balancer Distributes Flows Internally
§ Stateful Inspection is Preserved
§ Session Persistence is Maintained
Enterprise Deployment Topology
Production-Grade Architecture Includes:
§ Hub-and-Spoke Network Design
§ Dedicated AzureFirewallSubnet
§ AzureFirewallManagementSubnet (For Forced Tunneling)
§ User Defined Routes (UDRs)
§ NAT Gateway or Outbound Control Strategy
§ Availability Zones enabled
§ Centralized Logging to Log Analytics
Key Components:
Virtual Network (Hub)
Azure Firewall (Zone Redundant)
Spoke VNets (Workloads)
Private Endpoints
Azure Firewall Policy
Azure Monitor + Log Analytics
Prerequisites
Before deploying Azure Firewall Active-Active:
§ Virtual Network with Address Space Defined
§ Subnet named AzureFirewallSubnet (Minimum /26 Recommended for Production)
§ Optional AzureFirewallManagementSubnet if Forced Tunneling Required
§ Availability Zones Supported in Selected Region
§ Log Analytics Workspace Created
Important: The AzureFirewallSubnet must be named exactly AzureFirewallSubnet.
Deployment Steps Using Azure Portal
Step 1: Create Azure Firewall
Navigate to:
Azure Portal → Create Resource → Networking → Azure Firewall
Configuration Settings:
Subscription
Resource Group
Name
Region
Firewall SKU: Premium (Recommended for Enterprise)
Firewall Management: Firewall Policy
Under Availability Zones:
Enable Zone-Redundant Deployment
Select Zones 1, 2, 3
Virtual Network:
Select Hub VNet
Select AzureFirewallSubnet
Public IP:
Create Standard Public IP
Zone Redundant
This Automatically Deploys Firewall in Active-Active Configuration when Zones are enabled.
Step 2: Create Firewall Policy
Azure Firewall → Firewall Policy → Create
Policy structure:
Rule Collection Groups
Network Rules
Application Rules
DNAT Rules
Best Practice:
Separate Rule Groups by Function:
Infrastructure Rules
Outbound Internet Rules
Private Endpoint Rules
Management Rules
Attach the Policy to the Firewall.
Active-Active Behavior
When Availability Zones are enabled:
Azure Deploys Multiple Instances
Azure Internal Load Balancer Distributes Traffic
Health Probes Monitor Instance Health
Failed Instance Traffic Automatically Rerouted
You do not manually configure Active-Active.
It is automatically handled when Zone-Redundant Deployment is selected.
Routing Configuration
User Defined Routes are required for Traffic Inspection.
Example Route Table Configuration:
Route name: DefaultRoute
Address prefix: 0.0.0.0/0
Next hop type: Virtual appliance
Next hop IP: Private IP of Azure Firewall
Associate Route Table to Spoke Subnets.
This Ensures Outbound Traffic Flows:
Spoke → Azure Firewall → Internet
For East-West Traffic Inspection:
Define specific Routes between Spokes through Firewall.
Forced Tunneling Scenario
If your Enterprise requires On-Prem Inspection:
Deploy AzureFirewallManagementSubnet
Configure default route to VPN Gateway or ExpressRoute
Use Separate Management IP
This Allows:
All internet-Bound Traffic → On-Premises Security Stack
High Availability Considerations
To ensure Enterprise-Grade Resiliency:
Use Availability Zones
Use Zone-redundant Public IP
Monitor Instance Health
Enable Diagnostic Logs
Deploy in Hub Network Model
Use Azure Firewall Premium for TLS Inspection
Scaling and Throughput
Azure Firewall Auto-Scales Based on Throughput Demand.
Enterprise Guidance:
Monitor SNAT Port Utilization
Monitor CPU and Throughput Metrics
Use multiple public IP Addresses if required
Consider NAT Gateway for High Outbound Volume Workloads
Diagnostics and Monitoring
Enable Diagnostic Settings:
Azure Firewall → Diagnostic Settings → Send to Log Analytics
Enable Logs:
ApplicationRule
NetworkRule
DNATRule
AzureFirewallFlowTrace
ThreatIntel
Monitor via:
Azure Monitor
Log Analytics Queries
Alerts for Dropped Traffic
Alerts for SNAT Exhaustion
Sample KQL Query for Denied Traffic:
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where action_s == "Deny"
Security Best Practices
§ Use Firewall Policy instead of Inline Rules
§ Restrict Public Access
§ Enable Threat Intelligence Mode (Alert and Deny)
§ Enable TLS Inspection (Premium SKU)
§ Use FQDN Filtering
§ Use IP Groups for Rule Organization
§ Apply Least Privilege Network Access
Common Design Mistakes
Using Basic SKU in Production
Not enabling Availability Zones
Deploying in Spoke instead of Hub
Not configuring UDR Correctly
Ignoring SNAT Exhaustion
Not enabling Diagnostic Logging
Active-Active Verification
To confirm Active-Active Behavior:
Check:
Azure Firewall → Overview → Zones
Ensure Multiple Zones are listed.
Monitor metrics:
Firewall Throughput
Instance Health
Azure Automatically Balances Traffic.
There is no manual Toggle for Active-Active.
Enterprise Production Checklist
AzureFirewallSubnet Sized Correctly
Zone-Redundant Deployment Enabled
Public IP Zone-Redundant
Firewall Policy Attached
UDRs applied to Spokes
Diagnostics Enabled
Threat Intelligence Enabled
Monitoring Alerts Configured
Conclusion
Azure Firewall Active-Active Deployment provides Enterprise-Grade Availability, Resiliency, and centralized security Inspection for Hub-and-Spoke Architectures.
When deployed with Availability Zones, Proper Routing, and Firewall Policies, Azure Firewall becomes a Scalable, Stateful, and Resilient Perimeter Control Point for Enterprise Azure Environments.
Active-Active is not an Optional Enhancement in Production.
It is a Baseline Requirement for High-Availability Network Security Architecture.
POWER SHELL DEPLOYMENT SCRIPT
Zone-Redundant Azure Firewall with Firewall Policy
# Variables
$rgName = "rg-hub-network-prod"
$location = "eastus2"
$vnetName = "vnet-hub-prod"
$firewallName = "azfw-hub-prod"
$publicIpName = "pip-azfw-prod"
$firewallPolicyName = "azfw-policy-prod"
# Create Resource Group
New-AzResourceGroup -Name $rgName -Location $location
# Create Public IP (Zone Redundant)
$publicIp = New-AzPublicIpAddress `
-Name $publicIpName `
-ResourceGroupName $rgName `
-Location $location `
-AllocationMethod Static `
-Sku Standard `
-Zone 1,2,3
# Create Firewall Policy
$firewallPolicy = New-AzFirewallPolicy `
-Name $firewallPolicyName `
-ResourceGroupName $rgName `
-Location $location `
-SkuTier Premium
# Get VNet
$vnet = Get-AzVirtualNetwork `
-Name $vnetName `
-ResourceGroupName $rgName
# Get AzureFirewallSubnet
$subnet = Get-AzVirtualNetworkSubnetConfig `
-Name "AzureFirewallSubnet" `
-VirtualNetwork $vnet
# Create Firewall IP Configuration
$ipConfig = New-AzFirewallIPConfiguration `
-Name "fw-ipconfig" `
-Subnet $subnet `
-PublicIpAddress $publicIp
# Create Azure Firewall (Zone Redundant)
New-AzFirewall `
-Name $firewallName `
-ResourceGroupName $rgName `
-Location $location `
-VirtualNetwork $vnet `
-FirewallPolicy $firewallPolicy `
-IpConfiguration $ipConfig `
-Zone 1,2,3
Important Notes:
- AzureFirewallSubnet must be Minimum /26 for Production.
- Public IP must be Standard SKU.
- Availability Zones Enable Active-Active Automatically.
- Firewall Policy is Mandatory for Enterprise Governance.
BICEP TEMPLATE
Zone-Redundant Azure Firewall with Premium SKU
param location string = resourceGroup().location
param firewallName string = 'azfw-hub-prod'
param vnetName string
param firewallPolicyName string = 'azfw-policy-prod'
param publicIpName string = 'pip-azfw-prod'
resource publicIp 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
name: publicIpName
location: location
sku: {
name: 'Standard'
}
zones: [
'1'
'2'
'3'
]
properties: {
publicIPAllocationMethod: 'Static'
}
}
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
name: firewallPolicyName
location: location
properties: {
sku: {
tier: 'Premium'
}
}
}
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
name: firewallName
location: location
zones: [
'1'
'2'
'3'
]
properties: {
sku: {
name: 'AZFW_VNet'
tier: 'Premium'
}
firewallPolicy: {
id: firewallPolicy.id
}
ipConfigurations: [
{
name: 'fw-ipconfig'
properties: {
subnet: {
id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'AzureFirewallSubnet')
}
publicIPAddress: {
id: publicIp.id
}
}
}
]
}
}
Deploy with:
New-AzResourceGroupDeployment `
-ResourceGroupName rg-hub-network-prod `
-TemplateFile .\azurefirewall.bicep `
-vnetName vnet-hub-prod
PERFORMANCE TUNING DEEP DIVE
Enterprise Optimization Guide
1. Throughput Planning
Azure Firewall Premium Auto-Scales but:
Baseline throughput ~30 Gbps depending on SKU
Scales based on CPU and Connection Count
Cold Scaling takes Time
Enterprise Guidance:
Pre-Warm Under Load Before Go-Live
Monitor Scale Events
2. SNAT Port Exhaustion
Each Public IP provides approximately 64,000 SNAT Ports per Instance.
Symptoms:
Intermittent Outbound Failures
Connection Resets
Sporadic HTTP Failures
Mitigation Strategies:
Add Multiple Public IP Addresses
Use Azure NAT Gateway for High Outbound Workloads
Distribute Workloads Across Subnets
Add Additional Public IP Example:
New-AzFirewallPublicIpAddress `
-FirewallName $firewallName `
-ResourceGroupName $rgName `
-PublicIpAddress $secondPublicIp
3. Avoid Asymmetric Routing
Common Mistake:
Traffic enters through Firewall
Returns directly via Internet Gateway
Fix:
Ensure Consistent UDR Configuration
Force 0.0.0.0/0 Through Firewall
Validate Return Path
4. TLS Inspection Performance
Premium SKU enables TLS Inspection.
Impact:
Increased CPU Consumption
Increased Latency
Certificate Management Overhead
Best practice:
Only inspect required Domains
Use FQDN Tags Wisely
Monitor CPU Metric
5. Log Analytics Performance
High Traffic Generates Massive Logs.
Enterprise Guidance:
Use dedicated Log Analytics Workspace
Apply Retention Policy
Archive Older Logs
Create Alert-Based Monitoring, not Full Scans
6. IP Groups for Rule Optimization
Large Rule sets Degrade Manageability.
Use:
IP Groups
Rule Collection Groups
Separate Policies per Environment
7. Scaling Considerations
Auto-Scaling is Reactive.
Enterprise Best Practice:
Monitor FirewallHealth Metric
Alert on CPU above 70%
Alert on SNAT Utilization
Alert on DroppedPackets Spike
8. Availability Zones Best Practice
Always Deploy:
Firewall in Zones 1,2,3
Public IP in Zones 1,2,3
Hub vNet supporting Zones
Active-Active is Automatically Enabled.
ENTERPRISE MONITORING QUERY EXAMPLES
High SNAT usage:
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| summarize count() by SourceIp_s
Denied Traffic Spike:
AzureDiagnostics
| where action_s == "Deny"
| summarize count() by bin(TimeGenerated, 5m)
FINAL ENTERPRISE CHECKLIST
AzureFirewallSubnet Minimum /26
Zone Redundant Enabled
Premium SKU
Firewall Policy Attached
Threat Intelligence Enabled
Diagnostics Enabled
SNAT Monitoring Enabled
UDR Correctly Configured
NAT Gateway Evaluated
IP Groups Used
TLS Inspection Controlled
0 comments