Azure firewall basic in public preview
Microsoft has released a new SKU for Azure Firewalls called Basic, it's still in Preview, so keep that in mind.
It is cheaper than Standard but has enough capabilities for most customers.
See the full announcement here.
Azure Firewall Basic now in preview
And more information on my AZ-500 study guide on what Azure Firewall is about and how to set it up.
Section 5 - Implement platform protection - Implement advanced network security - Azure Firewall
Features
I made a table from the picture inside the announcement for easier reading. So credits go to Microsoft.
From here you can see the differences with them all with one glimpse.
| Feature Category | Feature | Firewall Basic | Standard | Firewall Premium |
| L3-L7 Filtering | Application level FQON filtering (SNI based) for HTTPS and SQL | X | X | X |
| Network level FQDN filtering — all ports and protocols | X | X | ||
| Stateful firewall (S tuple rules) | X | X | X | |
| Network Address Translation (SNAT/DNAT) | X | X | X | |
| Reliability & Performance | Availability zones | X | X | X |
| Built-in HA | X | X | X | |
| Cloud scalability (auto-scale as traffic grows) | up to 250Mbps | Up to 30 Gbps | Up to 1M Gbps | |
| Fat Flow support | N/A | 1 Gbps | 10 Gbps | |
| Ease Of Management | Central management via Firewall Manager | X | X | X |
| Policy Analytics (Rule Management over time) | X | X | X | |
| Enterprise Integration | Full logging including SIEM integration | X | X | X |
| Service Tags and FQDN Tags for easy policy management | X | X | X | |
| Easy DevOps integration using REST/pS/CLl/Templbtes/ Terraform | X | X | X | |
| Web content filtering (web categories) | X | X | ||
| DNS Proxy and custom DNS | X | X | ||
| Advanced Threat Protection | Threat intelligence-based filtering (known malicious IP address/ domains) | Alert | X | X |
| Inbound TLS termination (TLS reverse proxy) | using App GW | |||
| Outbound TLS termination (TLS forward proxy) | X | |||
| Fully managed IDPS | X | |||
| URL filtering (full path - incl. SSI termination) | X |
Availability zones
Availability zones are still supported in Basic.
You can place your Azure Firewall in an availability zone in some areas (or multiple, for zone redundancy). You might have selected an Azure region that doesn't yet support availability zones if you are unable to select a zone.
Azure regions with availability zones
Azure provides the most extensive global footprint of any cloud provider and is rapidly opening new regions and availability zones.
| Americas | Europe | Middle East | Africa | Asia Pacific |
|---|---|---|---|---|
| Brazil South | France Central | Qatar Central | South Africa North | Australia East |
| Canada Central | Germany West Central | UAE North | Central India | |
| Central US | North Europe | Japan East | ||
| East US | Norway East | Korea Central | ||
| East US 2 | UK South | Southeast Asia | ||
| South Central US | West Europe | East Asia | ||
| US Gov Virginia | Sweden Central | China North 3 | ||
| West US 2 | Switzerland North | |||
| West US 3 |
Performance
The performance will be gapped to 250mb/s, which is enough from remote locations and SMB sector clients.
Threat protection
Protection gets the biggest hit but you get alerts and can act based on them but all other features isn't there with Basic.
Pricing
But the pricing is a lot lower for deployment but higher for data processing.
| Basic (Preview) | Standard | Premium | |
|---|---|---|---|
| Deployment | €0.411 per deployment hour | €1.298 per deployment hour | €1.818 per deployment hour |
| Data Processing | €0.068 per GB processed | €0.017 per GB processed | €0.017 per GB processed |
Deployment
And remember the Hub and Spoke for all the firewall deployments inside Azure, it just makes sense.
CIDR cheat sheet
And if you are like me, you need this also. I never ever remember them, , so if You are like me, here You go.
| CIDR | SUBNET MASK | WILDCARD MASK | # OF IP ADDRESSES | # OF USABLE IP ADDRESSES |
|---|---|---|---|---|
| /32 | 255.255.255.255 | 0.0.0.0 | 1 | 1 |
| /31 | 255.255.255.254 | 0.0.0.1 | 2 | 2* |
| /30 | 255.255.255.252 | 0.0.0.3 | 4 | 2 |
| /29 | 255.255.255.248 | 0.0.0.7 | 8 | 6 |
| /28 | 255.255.255.240 | 0.0.0.15 | 16 | 14 |
| /27 | 255.255.255.224 | 0.0.0.31 | 32 | 30 |
| /26 | 255.255.255.192 | 0.0.0.63 | 64 | 62 |
| /25 | 255.255.255.128 | 0.0.0.127 | 128 | 126 |
| /24 | 255.255.255.0 | 0.0.0.255 | 256 | 254 |
| /23 | 255.255.254.0 | 0.0.1.255 | 512 | 510 |
| /22 | 255.255.252.0 | 0.0.3.255 | 1,024 | 1,022 |
| /21 | 255.255.248.0 | 0.0.7.255 | 2,048 | 2,046 |
| /20 | 255.255.240.0 | 0.0.15.255 | 4,096 | 4,094 |
| /19 | 255.255.224.0 | 0.0.31.255 | 8,192 | 8,190 |
| /18 | 255.255.192.0 | 0.0.63.255 | 16,384 | 16,382 |
| /17 | 255.255.128.0 | 0.0.127.255 | 32,768 | 32,766 |
| /16 | 255.255.0.0 | 0.0.255.255 | 65,536 | 65,534 |
| /15 | 255.254.0.0 | 0.1.255.255 | 131,072 | 131,070 |
| /14 | 255.252.0.0 | 0.3.255.255 | 262,144 | 262,142 |
| /13 | 255.248.0.0 | 0.7.255.255 | 524,288 | 524,286 |
| /12 | 255.240.0.0 | 0.15.255.255 | 1,048,576 | 1,048,574 |
| /11 | 255.224.0.0 | 0.31.255.255 | 2,097,152 | 2,097,150 |
| /10 | 255.192.0.0 | 0.63.255.255 | 4,194,304 | 4,194,302 |
| /9 | 255.128.0.0 | 0.127.255.255 | 8,388,608 | 8,388,606 |
| /8 | 255.0.0.0 | 0.255.255.255 | 16,777,216 | 16,777,214 |
| /7 | 254.0.0.0 | 1.255.255.255 | 33,554,432 | 33,554,430 |
| /6 | 252.0.0.0 | 3.255.255.255 | 67,108,864 | 67,108,862 |
| /5 | 248.0.0.0 | 7.255.255.255 | 134,217,728 | 134,217,726 |
| /4 | 240.0.0.0 | 15.255.255.255 | 268,435,456 | 268,435,454 |
| /3 | 224.0.0.0 | 31.255.255.255 | 536,870,912 | 536,870,910 |
| /2 | 192.0.0.0 | 63.255.255.255 | 1,073,741,824 | 1,073,741,822 |
| /1 | 128.0.0.0 | 127.255.255.255 | 2,147,483,648 | 2,147,483,646 |
| /0 | 0.0.0.0 | 255.255.255.255 | 4,294,967,296 | 4,294,967,294 |
