28 Oct 2019

How to stop | start an Azure Firewall

Azure Firewall is a fully managed, stateful layer 7 firewall. In contrary to classic NVA based concepts, there is no need to care about scale and throughput because all of this is managed by Azure in the background. I always recommend it to customers, unless there are specific killer reasons to still use NVA based firewalls. As you might know, deploying highly available NVA solutions hurts big time, because you need load balancers on both, the internal and external NVA interface.

If you want to know more about the differences between NVAs and Azure Firewall I’d recommend the following articles:



Saving costs for Dev/Test Environments

Azure Firewall is not for free, of course. It can hurt your budget for test and development environments, even if you have zero amount of network traffic. Although a comparable setup with 2 NVAs may cost even more, depending on the VM size and the additional product license, it would be nice to save costs for the Azure Firewall for “off-use” times, right? To save money I’ve created a PowerShell script, which can stop (deallocate) and start an Azure Firewall instance. The script is based on the methods described in the following docs article. https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

Using the script has the following advantages:

  • It saves Firewall Information prior to the stop action (information is saved to a custom tag on the object). You’ll need the info when starting the instance again. The script reads it from the tag
  • Scenarios with multiple attached public IP addresses

Stopping / deallocating the firewall goes pretty fast. However starting the instance takes as long as spinning up a new instance. (I’m pretty sure this is what happens behind the scenes)

You can find the source code on my GitHub here.