Deploy firewall instances using availability zones

March 21, 2025 ยท View on GitHub

SYNOPSIS

Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience.

DESCRIPTION

Azure Firewall supports the use of availability zones to provide zone redundancy. Zone redundancy enhances the resiliency and high availability of the firewall by deploying instances across data centers in physically separated zones.

Azure Firewall utilizes auto-scaling, and as the firewall scales, it creates instances within the zones it is configured to use. If the firewall is configured to use only Zone 1, all new instances will be created in Zone 1. However, if the firewall is configured to use all three zones (Zone 1, Zone 2, and Zone 3), new instances will be distributed across these zones as it scales, ensuring balanced distribution and improved resilience.

RECOMMENDATION

To improve the resiliency of firewall instances against zone failures, it is recommended to use at least two (2) availability zones. This configuration enhances fault tolerance and ensures continued operation even if one zone experiences an outage.

EXAMPLES

Configure with Azure template

To set availability zones for a firewall:

  • Set zones to a minimum of two zones from ["1", "2", "3"].

For example:

{
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2023-11-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Premium"
    },
    "firewallPolicy": {
      "id": "[resourceId('Microsoft.Network/firewallPolicies', format('{0}_policy', parameters('name')))]"
    }
  },
  "zones": [
    "1",
    "2",
    "3"
  ],
  "dependsOn": [
    "firewall_policy"
  ]
}

Configure with Bicep

To set availability zones for a firewall:

  • Set zones to a minimum of two zones from ["1", "2", "3"].

For example:

resource firewall 'Microsoft.Network/azureFirewalls@2023-11-01' = {
  name: name
  location: location
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Premium'
    }
    firewallPolicy: {
      id: firewall_policy.id
    }
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

NOTES

Availability zones must be configured during the initial deployment. It is not possible to modify an existing firewall to include availability zones after it has been deployed.