Azure Firewall Manager deployment overview
There's more than one way to use Azure Firewall Manager to deploy Azure Firewall, but the following general process is recommended.
To review network architecture options, see What are the Azure Firewall Manager architecture options?
General deployment process
Hub virtual networks
Create a firewall policy
- Create a new policy
or - Derive a base policy and customize a local policy
or - Import rules from an existing Azure Firewall. Make sure to remove NAT rules from policies that should be applied across multiple firewalls
- Create a new policy
Create your hub and spoke architecture
- Create a Hub Virtual Network using Azure Firewall Manager and peer spoke virtual networks to it using virtual network peering
or - Create a virtual network and add virtual network connections and peer spoke virtual networks to it using virtual network peering
- Create a Hub Virtual Network using Azure Firewall Manager and peer spoke virtual networks to it using virtual network peering
Select security providers and associate firewall policy. Currently, only Azure Firewall is a supported provider.
- This is done while you create a Hub Virtual Network
or - Convert an existing virtual network to a Hub Virtual Network. It is also possible to convert multiple virtual networks.
- This is done while you create a Hub Virtual Network
Configure User Define Routes to route traffic to your Hub Virtual Network firewall.
Secured virtual hubs
Create your hub and spoke architecture
- Create a Secured Virtual Hub using Azure Firewall Manager and add virtual network connections.
or - Create a Virtual WAN Hub and add virtual network connections.
- Create a Secured Virtual Hub using Azure Firewall Manager and add virtual network connections.
Select security providers
- Done while creating a Secured Virtual Hub.
or - Convert an existing Virtual WAN Hub to Secure Virtual Hub.
- Done while creating a Secured Virtual Hub.
Create a firewall policy and associate it with your hub
- Applicable only if using Azure Firewall.
- Third-party security as a service (SECaaS) policies are configured via partners management experience.
Configure route settings to route traffic to your secured hub
- Easily route traffic to your secured hub for filtering and logging without User Defined Routes (UDR) on spoke Virtual Networks using the Secured Virtual Hub Route Setting page.
Note
- You can't have overlapping IP spaces for hubs in a vWAN. For more known issues, see What is Azure Firewall Manager?
Convert virtual networks
The following information applies if you convert an existing virtual network to a hub virtual network:
- If the virtual network has an existing Azure Firewall, you select a Firewall Policy to associate with the existing firewall. The firewall provisioning status will be updating while the firewall policy replaces firewall rules. During the provisioning state, the firewall continues processing traffic and has no downtime. You can import existing rules to a Firewall Policy using Firewall Manager or Azure PowerShell.
- If the virtual network doesn't have an associated Azure Firewall, a firewall is deployed and the Firewall Policy is associated with the new firewall.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for