Azure Firewall Premium now in General Availability

Published Aug 10 2021 02:52 PM

Azure Firewall Premium is now generally available in most Azure regions. Thank you to the community members who participated in both the private and public previews. This SKU is compatible with both Virtual WAN Hub (Secure Virtual Hub) and Hub Virtual Network scenarios.

The Azure Firewall Premium SKU utilizes a more powerful compute engine for advanced content filtering and threat protection through IDPS. The Premium SKU can seamlessly scale up to 30 Gbps and integrates with availability zones to support the service level agreement (SLA) of 99.99 percent. 

It provides threat intelligence-based filtering for both encrypted and non-encrypted traffic, and intrusion detection and prevention for all ports and protocols, as a managed service to our customers. Hybrid connectivity is supported through deployment behind VPN and ExpressRoute gateways.


All new features of the Firewall Premium SKU will be configurable via Firewall Policy only. Infrastructure features ported from Azure Firewall Standard and Classic rules, such as Threat Intelligence and Custom DNS, as well as new features such as TLS inspection and Web categories, can all be managed via an Azure Firewall Premium policy.

The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs and is ICSA Labs certified.




  1. Transport Layer Security (TLS) Inspection: Azure Firewall Premium decrypts outbound and east-west TLS connections, performs the required value-added security functions, and re-encrypts the traffic, which is then sent to the original destination.
  2. Intrusion Detection and Prevention System (IDPS): Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
  3. Web Categories: Lets administrators allow or deny user access to the Internet based on categories (e.g., social networking, search engines, gambling), reducing the time spent on managing individual FQDNs and URLs. This capability is also available for Azure Firewall Standard, based on FQDNs only.
  4. URL Filtering: TLS inspection enables filtering beyond the FQDN root domain and allows users to access specific URLs for both plain-text and encrypted traffic. It is typically used in conjunction with web categories.


By using Firewall Policy, you can manage your firewalls centrally through Azure Firewall Manager. Firewall Rules (Classic) continues to be supported and can be used for configuring existing features of Standard Firewall. Firewall Policy can be managed independently or by using Azure Firewall Manager.


Migrating to the new Firewall Premium SKU
To migrate your existing Azure Firewall Standard policy to a Premium policy, you connect to your Azure account, retrieve the existing policy, and modify its parameters by adding the features required for a Premium firewall policy to the existing firewall policy image. The existing firewall instance is then deleted as you create a new one with the Premium features. The new instance is compute intensive due to the TLS inspection and IDPS actions, hence the Azure Firewall Premium SKU is deployed with a more powerful compute engine.



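# Parameters for the new policy, copied from the existing policy in $Policy.
# GetPolicyNewName is a helper function that is not shown in this excerpt.
$NewPolicyParameters = @{
  Name = (GetPolicyNewName -Policy $Policy)
  ResourceGroupName = $Policy.ResourceGroupName
  Location = $Policy.Location
  ThreatIntelMode = $Policy.ThreatIntelMode
  BasePolicy = $Policy.BasePolicy
  DnsSetting = $Policy.DnsSettings
  Tag = $Policy.Tag
  SkuTier = "Premium"   # create the new policy on the Premium tier
}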



You can follow the detailed step-by-step guide in Azure Firewall Premium migration. Once deployed, you can test and validate the different Premium features.
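As a first validation step after the migration described above, the following added example (not code from the original post or from the migration guide) checks that the new policy is on the Premium tier and that no threat intelligence setting or rule collection group was lost or altered in the copy. It assumes an already signed-in Az PowerShell session, that both policies exist side by side in one resource group, and that rule collection groups keep their names; the resource group and policy names are placeholders.

```powershell
# Added example: post-migration parity check between the Standard and Premium policies.
param(
    [string]$ResourceGroupName  = 'rg-network-example',   # placeholder
    [string]$StandardPolicyName = 'fwpolicy-standard',    # placeholder
    [string]$PremiumPolicyName  = 'fwpolicy-premium'      # placeholder
)

# Summarise each rule collection group of a policy as "priority/collection count".
function Get-GroupSummary {
    param($Policy)
    $summary = @{}
    foreach ($ref in $Policy.RuleCollectionGroups) {
        $name  = ($ref.Id -split '/')[-1]   # last segment of the resource ID
        $group = Get-AzFirewallPolicyRuleCollectionGroup -Name $name -AzureFirewallPolicy $Policy
        $summary[$name] = '{0}/{1}' -f $group.Properties.Priority,
                                       @($group.Properties.RuleCollection).Count
    }
    return $summary
}

$old = Get-AzFirewallPolicy -ResourceGroupName $ResourceGroupName -Name $StandardPolicyName
$new = Get-AzFirewallPolicy -ResourceGroupName $ResourceGroupName -Name $PremiumPolicyName
$findings = @()

if ($new.Sku.Tier -ne 'Premium') {
    $findings += "SKU tier is '$($new.Sku.Tier)', expected 'Premium'"
}
if ($new.ThreatIntelMode -ne $old.ThreatIntelMode) {
    $findings += "ThreatIntelMode changed: '$($old.ThreatIntelMode)' -> '$($new.ThreatIntelMode)'"
}

$oldGroups = Get-GroupSummary -Policy $old
$newGroups = Get-GroupSummary -Policy $new
foreach ($name in $oldGroups.Keys) {
    if (-not $newGroups.ContainsKey($name)) {
        $findings += "Rule collection group '$name' is missing from the Premium policy"
    } elseif ($newGroups[$name] -ne $oldGroups[$name]) {
        $findings += "Group '$name' differs (priority/collections): $($oldGroups[$name]) -> $($newGroups[$name])"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'Premium policy matches the Standard policy on all checked settings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A clean result only shows that the existing configuration carried over; TLS inspection, IDPS and the other Premium features still have to be enabled and tested separately.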



Some helpful use case scenarios and reference architectures for Azure Firewall Premium:

* How to use Azure Firewall Premium with WVD

* Certificate Management for Azure Firewall Premium TLS Inspection

* Deep dive video on Azure Firewall Standard and Premium SKU

* Azure Firewall Monitor Workbook with Premium feature logs.

* Getting started with Azure Firewall Manager

* Content Inspection Using TLS Termination with Azure Firewall Premium


For more information, see the Azure Firewall Premium documentation.


Occasional Visitor

SSL offloading is a job of Firewall.
In Azure, it says that Application Gateway does this and not Azure Firewall. Is my understanding correct?


@mepruth Azure Firewall Premium terminates outbound and east-west TLS connections. Inbound TLS inspection is supported in conjunction with Azure Application Gateway, allowing end-to-end encryption. So in short, Azure Firewall Premium can do TLS inspection (SSL offloading) for outbound traffic only currently. So in case you want TLS termination for inbound traffic, use ALB for it. Refer

Occasional Visitor

Hi, I have a doubt about Azure Firewall Premium and Azure Virtual WAN. Can we combine these services? And, when we use Azure Calculator, is the option to automatically include Firewall integration with Azure Virtual WAN related to Azure Firewall Premium? Thanks.

Last update: Aug 18 2021 08:12 AM