Deploy an Azure Firewall with multiple public IP addresses
If you want to protect a virtual hub using Azure Firewall, you can deploy the firewall with multiple public IP addresses using Azure PowerShell.
Use Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.
To start Azure Cloud Shell:
| Option | Example/Link |
|---|---|
| Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. | ![]() |
| Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. | ![]() |
| Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. | ![]() |
To run the code in this article in Azure Cloud Shell:
Start Cloud Shell.
Select the Copy button on a code block to copy the code.
Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.
Select Enter to run the code.
Deploy the firewall
Use the following Azure PowerShell example to deploy an Azure Firewall with multiple public IP addresses to protect a virtual hub.
Select-AzSubscription -SubscriptionId <subscription ID>
$rgName = <resource group name>
$vHub = Get-AzVirtualHub -Name <hub name>
$vHubId = $vHub.Id
$fwpips = New-AzFirewallHubPublicIpAddress -Count 3
$hubIpAddresses = New-AzFirewallHubIpAddress -PublicIPs $fwpips
$fw = New-AzFirewall -Name <firewall name> -ResourceGroupName $rgName `
-Location <location> -Sku AZFW_Hub -HubIPAddresses $hubIpAddresses `
-VirtualHubId $vHubId
Update a public IP address
You can use Azure PowerShell to update a public IP address for an Azure Firewall. The following example deletes one public IP address from a firewall. It starts with three public IP addresses.
Select-AzSubscription -SubscriptionId <subscription ID>
$azfw = get-azfirewall -Name <firewall name> -ResourceGroupName <resource group name>
$ip1 = New-AzFirewallPublicIpAddress -Address <first ip address to keep>
$ip2 = New-AzFirewallPublicIpAddress -Address <second ip address to keep>
$ipAddresses = $ip1,$ip2
$azfw.HubIPAddresses.publicIPs.Addresses = $ipAddresses
$azfw.HubIPAddresses.publicIPs.count = 2
Set-AzFirewall -AzureFirewall $azfw


