Firewalls have long been a first line of defense for network security. The barrier that they create between internal and external networks acts as a sort of living fortress wall, monitoring the traffic and deciding what to let in. A firewall can take the form of hardware or software—and in the case of Azure Firewall, it's a service. As its name suggests, it's a cloud-native firewall security service for workloads that run in Microsoft's cloud environment, Azure. Until now, Azure Firewall has come in two SKUs: Standard and Premium. These offerings have been geared toward larger enterprises, and they haven't been cost-effective for many smaller organizations. Now there's a new, lower-priced option in private preview that fills that gap for small and medium-sized businesses: Azure Firewall Basic.
Azure Firewall Standard and Premium
Azure Firewall's benefits include unrestricted cloud scalability, built-in high availability, and excellent filtering with threat intelligence. Administrators can restrict outbound HTTP/S traffic to a specific list of fully qualified domain names (FQDNs), creating rules with wildcard characters when needed. The service also offers custom DNS and web content filtering. With these features and more, Azure Firewall offers strong protection for enterprises—but its pricing is often out of reach for smaller businesses. (The Standard SKU costs $912 per month and Premium is $1,278.)
Feedback from Small and Medium Businesses
Microsoft has received feedback from small and medium-sized businesses (SMBs) that were surveyed about Azure Firewall, and the issue has overwhelmingly been the price. It's just too high at the Standard and Premium levels, and often these SMBs don't need the number of features included in them. Advanced firewall capabilities are not needed, and over three quarters of SMB customers surveyed require less than 1.5 Gbps throughput.
Other big issues that these customers were concerned about were ease of use (and ease of deployment) as well as native integration with other Azure services. When they aren't able to afford Azure Firewall, they end up going with other options that do not provide these benefits.
What SMBs are Using Instead of Azure Firewall
Many smaller businesses use the lower-priced (or free) options of Network Security Groups (NSGs) or open-source cloud firewalls such as pfSense (Netgate). The problem with these options is that they are very difficult to set up, manage, and scale. One surveyed customer called NSGs "an absolute pain." Customers have to do all of this themselves and manage all their Azure resources, which is tedious and bothersome. Medium-sized organizations that can't afford Azure Firewall but still have enough machines to need a Network Virtual Appliance (NVA) turn to a provider such as Fortinet. An NVA provides the most advanced features, but it still requires a lot of setup and maintenance work, and it also needs downtime for updates since there is typically no high availability. FQDN tagging and deep integration within Azure are also lacking with NVAs.
Azure Firewall Basic fills this gap by offering a much lower price and omitting some of the features of the Standard and Premium SKUs. Here's what each of them comes with:
|Feature||Firewall Basic||Firewall Standard||Firewall Premium|
|Application level FQDN filtering (SNI based) for HTTPS/SQL||✔️||✔️||✔️|
|Network level FQDN filtering – all ports and protocols||✔️||✔️|
|Stateful firewall (5 tuple rules)||✔️||✔️||✔️|
|Network Address Translation (SNAT+DNAT)||✔️||✔️||✔️|
|Threat intelligence-based filtering (known malicious IP address/ domains)||✔️||✔️|
|Web content filtering (web categories)||✔️||✔️|
|DNS Proxy + Custom DNS||✔️||✔️|
|Full logging including SIEM integration||✔️||✔️||✔️|
|Built-in HA with unrestricted cloud scalability (auto scale as traffic grows)||HA, Limited Scale||✔️||✔️|
|Service Tags and FQDN Tags for easy policy management||✔️||✔️||✔️|
|Cloud service model with Integrated monitoring and management||✔️||✔️||✔️|
|Easy DevOps integration using REST/PS/CLI/Templates||✔️||✔️||✔️|
|Inbound TLS termination (TLS reverse proxy)||Using App GW|
|Outbound TLS termination (TLS forward proxy)||✔️|
|Fully managed IDPS||✔️|
|URL filtering (full path - incl. SSL termination)||✔️|
|Application and user aware traffic filtering rules||Roadmap|
|IPSEC and SSL VPN gateway||VPN Gateway||VPN Gateway||VPN Gateway|
|Advanced Next Generation Firewall features (e.g. Sandboxing)||Roadmap|
Pricing and Timeline for Azure Firewall Basic
So how much will Azure Firewall Basic cost? The expected pricing for it is a fixed fee of $0.395/hour and $0.065/GB. This comes out to $288 per month plus a variable cost based on GB usage—total expected cost for an average SMB customer is $335/month. Since the Basic SKU comes without threat intelligence, that feature may eventually become available as an add-on.
For comparison, here's a look at how Azure Firewall Basic stacks up against other common options for SMBs:
|Service/Provider||pfSense||Fortinet||Azure Firewall Basic||Checkpoint||Palo Alto|
|Azure infra cost||$0.04||$0.06||-||$0.11||$0.23|
|Total fixed cost per hour (per month price)||$0.12 ($85)||$0.36 ($260)||$0.395 ($290)||$0.86 ($630)||$1.10 ($802)|
Azure Firewall Basic is now in private preview and will move to public preview in May 2022. Microsoft plans to make it generally available in August 2022.
Other recently added Microsoft options: