Azure Firewall Basic Geared Towards Small and Medium Sized Businesses 1

Azure Firewall Basic Geared Towards Small and Medium Sized Businesses

Firewalls have long been a first line of defense for network security. The barrier that they create between internal and external networks acts as a sort of living fortress wall, monitoring the traffic and deciding what to let in. A firewall can take the form of hardware or software—and in the case of Azure Firewall, it's a service. As its name suggests, it's a cloud-native firewall security service for workloads that run in Microsoft's cloud environment Azure. Until now, Azure Firewall has come in two SKUs: Standard and Premium. These offerings have been geared toward larger enterprises, and they haven't been cost effective for many smaller organizations. Now there's a new, lower-priced option in private preview that fills in that gap for small and medium sized businesses: Azure Firewall Basic.

Azure Firewall Standard and Premium

Azure Firewall is beneficial for its unrestricted cloud scalability, built-in high availability, and excellent filtering with threat intelligence. Administrators can restrict outbound HTTP/S traffic to a specific list of fully qualified domain names (FQDN), creating rules with wild card characters when needed. The service also offers custom DNS and web content filtering. With these features and more, Azure Firewall is a great protection to enterprises—but its pricing is often out of reach for smaller businesses. (The Standard SKU costs $912 per month and Premium is $1,278.)

Feedback from Small and Medium Businesses

Microsoft has received feedback from small and medium sized businesses (SMBs) that were surveyed about Azure Firewall, and the issue has overwhelmingly been the price. It's just too high at the Standard and Premium levels, and often these SMBs don't need the amount of features that are included in them. Advanced firewall capabilities are not needed, and over three quarters of SMB customers surveyed require less than 1.5Gbps throughput.

Other big issues that these customers were concerned about were ease of use (and of ease of deployment) as well as native integration with other Azure services. When they aren't able to afford Azure Firewall, they end up going with other options that do not provide these benefits.

What SMBs are Using Instead of Azure Firewall

Many smaller businesses use the lower-priced (or free) options of Network Security Groups (NSGs) or open-source cloud firewalls such as pfSense (Netgate). The problem with these options is that they are very difficult to set up, manage, and scale. One surveyed customer called NSGs "an absolute pain." Customer have to do all of this themselves and manage all their Azure resources, which is tedious and bothersome. Medium sized organizations that can't afford Azure Firewall but still have enough machines to need a Network Virtual Appliance (NVA) turn to a provider such as Fortinet. An NVA provides the most advanced features, but it still requires a lot of setup and maintenance work and it also needs downtime for updates since there is typically no high availability. FQDN tagging and deep integration within Azure are also lacking with NVAs.

Feature Comparison

Azure Firewall Basic fills this gap by offering a much lower price and omitting some of the features of the Standard and Premium SKUs. Here's what each of them comes with:

Feature Firewall Basic Firewall Standard Firewall Premium
Application level FQDN filtering (SNI based) for HTTPS/SQL✔️✔️✔️
Network level FQDN filtering – all ports and protocols✔️✔️
Stateful firewall (5 tuple rules)✔️✔️✔️
Network Address Translation (SNAT+DNAT)✔️✔️✔️
Threat intelligence-based filtering (known malicious IP address/ domains)✔️✔️
Web content filtering (web categories)✔️✔️
DNS Proxy + Custom DNS✔️✔️
Full logging including SIEM integration✔️✔️✔️
Built-in HA with unrestricted cloud scalability (auto scale as traffic grows)HA, Limited Scale  ✔️✔️
Availability zones✔️✔️✔️
Service Tags and FQDN Tags for easy policy management✔️✔️✔️
Cloud service model with Integrated monitoring and management✔️✔️✔️
Easy DevOps integration using REST/PS/CLI/Templates✔️✔️✔️
Central management✔️✔️✔️
Inbound TLS termination (TLS reverse proxy)Using App GW
Outbound TLS termination (TLS forward proxy)✔️
Fully managed IDPS ✔️
URL filtering (full path - incl. SSL termination)✔️
Application and user aware traffic filtering rulesRoadmap​
IPSEC and SSL VPN gatewayVPN GatewayVPN GatewayVPN Gateway
Advanced Next Generation Firewall features (e.g. Sandboxing)Roadmap

Pricing and Timeline for Azure Firewall Basic

So how much will Azure Firewall Basic cost? The expected pricing for it is a fixed fee of $0.395/hour and $0.065/GB. This comes out to $288 per month plus a variable cost based on GB usage—total expected cost for an average SMB customer is $335/month. Since the Basic SKU comes without threat intelligence, that feature may eventually become available as an add-on.

For comparison, here's a look at how Azure Firewall Basic stacks up against other common ​options for SMBs:

Service/Provider pfSense Fortinet Azure Firewall Basic Checkpoint Palo Alto
License cost/hour $0.08$0.30$0.395$0.75$0.87
Azure infra cost$0.04$0.06-$0.11$0.23
Total fixed cost per hour ​ (per month price)​$0.12 ($85)$0.36 ($260)$0.395 ($290)$0.86 ​ ($630)$1.1​0 ($802)

Azure Firewall Basic is now in private preview and will move to public preview in May 2022. Microsoft plans to make it generally available in August 2022.


Other recently added Microsoft options:

Leave a Comment