WTH is Azure Firewall Basic?
This announcement slipped my notice, but back in October, Microsoft announced a preview of a new SKU for Azure Firewall, Azure Firewall Basic. Azure Firewall can be a pretty pricey offering so let’s take a closer look at what this new SKU offers and why it might interest you (or not).
What is Azure Firewall Basic?
Azure Firewall has been around for some time. Originally it only had a single SKU (now referred to as “standard”), but back in 2021, Microsoft released a premium SKU that added Data Loss Prevention (DLP) features at a premium price. Now we have a third SKU being added, the basic SKU. Azure Firewall Basic removes several features from the firewall but significantly reduces the cost. This SKU is primarily aimed at small to medium businesses (SMB) for reasons you will see in the restrictions section.
Why Would I Want to use Azure Firewall Basic?
The primary driver for using this SKU is cost. Azure Firewall Standard can be pricey, running at $1.25 per hour. Generally, you will be running your firewall 24/7, so this works out at around $900 a month just for the base cost. In addition, you are paying $0.016 per GB of data processed by the firewall. Firewalls are region specific, so if you need a DR or HA region, that’s another $900 a month.
The basic SKU comes in at $0.395 per hour, around $285 per month, so a significant base cost savings. However, there is a complication with the per GB cost. See the section below.
What restrictions does Azure Firewall Basic Have?
The first restriction to be aware of is around cost. As mentioned, the per-hour price is significantly lower than the standard firewall. However, the per GB cost is actually more expensive at $0.065 per GB vs $0.016 per GB for standard. At first, this seems odd, but it makes some sense if you realise that the basic SKU is aimed squarely at the SMB market, which should have less throughput. Microsoft is using this per GB meter to deter large enterprises from using this SKU as a cut-price firewall if they don’t need some of the other features that have been removed. If you use this basic SKU but push large amounts of data through it, you’re likely to pay an increased price for the data throughput, and eventually you’ll get to a point where the standard SKU would be cheaper. So bear this in mind and have a good idea of what sort of data throughput you will want to push through the firewall.
Aside from the cost changes, the basic SKU removes several features that are present in standard and/or premium to justify the cost reduction:
- Network-level filtering only supports IP-based filters, not FQDNs (FQDNs can still be used for application-level filtering)
- Traffic throughput capped at 250Mbps
- Fast Flow is not supported
- Web content filtering not present
- DNS proxy and Custom DNS not available
- Threat intelligence is only present in alert mode and cannot automatically block traffic
- None of the features of Firewall premium (TLS termination, IDPS)
If your primary use for the firewall is for filtering outbound HTTP/HTTPS traffic, then the basic SKU will do that well. If you want to filter traffic other than HTTP/HTTPS, then it’s a bit more tricky as it only supports IP-based filters and not FQDNs, but if you can live with that, then it should work for you, so long as the throughput requirement isn’t a limitation.
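To put numbers on the cost crossover and the throughput cap described above, here is an added example (not from Microsoft or the original post) that models both SKUs using only the prices and the 250Mbps limit quoted in this article. The 720-hour month, decimal gigabytes, and the sample workloads are assumptions.

```python
# Added example: prices and the 250 Mbps cap are the figures quoted in this post.
HOURS_PER_MONTH = 720  # assumption: 30-day month, firewall running 24/7

SKUS = {
    "basic": {"per_hour": 0.395, "per_gb": 0.065, "cap_mbps": 250},
    "standard": {"per_hour": 1.25, "per_gb": 0.016, "cap_mbps": None},
}

def monthly_cost(sku, gb_processed, regions=1):
    """Base cost plus data processing for one firewall, times region count."""
    p = SKUS[sku]
    return regions * (p["per_hour"] * HOURS_PER_MONTH + p["per_gb"] * gb_processed)

def break_even_gb():
    """Monthly GB per firewall above which Standard is cheaper than Basic."""
    b, s = SKUS["basic"], SKUS["standard"]
    return (s["per_hour"] - b["per_hour"]) * HOURS_PER_MONTH / (b["per_gb"] - s["per_gb"])

def max_gb_at_cap(sku):
    """Most data a SKU could process in a month running at its cap nonstop."""
    cap = SKUS[sku]["cap_mbps"]
    if cap is None:
        return None
    return cap / 8 / 1000 * 3600 * HOURS_PER_MONTH  # Mbps -> GB/s -> GB/month

def recommend(gb_processed, peak_mbps):
    """Pick a SKU on cost and throughput only; feature gaps are not modelled."""
    cap = SKUS["basic"]["cap_mbps"]
    if peak_mbps > cap:
        return "standard", f"peak {peak_mbps} Mbps exceeds the {cap} Mbps cap"
    costs = {s: monthly_cost(s, gb_processed) for s in SKUS}
    choice = min(costs, key=costs.get)
    return choice, f"basic ${costs['basic']:.2f} vs standard ${costs['standard']:.2f}"

if __name__ == "__main__":
    print(f"break-even: {break_even_gb():,.0f} GB/month")
    print(f"basic ceiling at cap: {max_gb_at_cap('basic'):,.0f} GB/month")
    # Constructed workloads: (GB processed per month, peak Mbps)
    for gb, mbps in [(2_000, 80), (20_000, 200), (5_000, 400)]:
        print(gb, mbps, recommend(gb, mbps))
```

With these figures the crossover sits at roughly 12.6 TB a month, about 15% of what the basic SKU could move if it ran at its cap continuously, so a busy deployment can hit the cost limit well before the throughput limit.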
You can see a matrix of which features are present in which SKU below:
The final thing to be aware of is that the service is currently in preview, so you should only use it in production once it goes GA.