Azure Firewall Manager Preview deployment overview


Azure Firewall Manager is currently a managed public preview.

This public preview is provided without a service-level agreement and shouldn't be used for production workloads. Certain features might not be supported, might have constrained capabilities, or might not be available in all Azure locations. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

There's more than one way to deploy Azure Firewall Manager Preview, but the following general process is recommended.



Azure Firewall Manager Preview must be explicitly enabled using the Register-AzProviderFeature PowerShell command. From a PowerShell command prompt, run the following commands:

Register-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network

It takes up to 30 minutes for the feature registration to complete. Run the following command to check your >registration status:

Get-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network

General deployment process

  1. Create your hub and spoke architecture

    • Create a Secured Virtual Hub using Azure Firewall Manager and add virtual network connections.
    • Create a Virtual WAN Hub and add virtual network connections.
  2. Select security providers

    • Done while creating a Secured Virtual Hub.
    • Convert an existing Virtual WAN Hub to Secure Virtual Hub.
  3. Create a firewall policy and associate it with your hub

    • Applicable only if using Azure Firewall.
    • Third-party security as a service (SECaaS) policies are configured via partners management experience.
  4. Configure route settings to route traffic to your secured hub

    • Easily route traffic to your secured hub for filtering and logging without User Defined Routes (UDR) on spoke Virtual Networks using the Secured Virtual Hub Route Setting page.


  • You can't have more than one hub per virtual wan per region. But you can add multiple virtual WANs in the region to achieve this.
  • You can't have overlapping IP spaces for hubs in a vWAN.
  • Your hub VNet connections must be in the same region as the hub.

Next steps