Why Choose the Azure Firewall over a Virtual Firewall Appliance?

In this post, I will explain why you should choose Azure Firewall over third-party firewall network virtual appliances (NVAs) from the likes of Cisco, Palo Alto, Check Point, and so on.

Microsoft’s Opinion

Microsoft has a partner-friendly line on Azure Firewall versus third parties. Microsoft says that third-party solutions offer more than Azure Firewall, and that if you want, you can use them side by side.

Now that’s out of the way, let me be blunt … like I’d be anything else! 😊

The NVA Promise

At its base, a firewall blocks or allows TCP/UDP/etc. traffic and does NAT. Some firewalls offer a “security bundle” of extra features such as:

  • Malware scanning based on network patterns
  • Download scanning, including zero-days (detonation chamber)
  • Browser URL logging & filtering

But those cool things either make no sense in Azure or are just not available from the NVA vendors in their cloud appliances. So what you are left with is central logging and filtering.


With the exception of Palo Alto (their whitepaper for Azure is very good – not perfect) and maybe Check Point, the vendors have pretty awful documentation. I’ve been reading a certain data centre mainstay’s documents this week and they are incomplete and rubbish.

Understanding of Azure

It’s quite clear that some of the vendors are clueless about The Cloud and/or Azure:

  • Every single vendor has written docs about deploying everything into a single VNet – if you can afford NVAs then you are not putting all your VMs into a single VNet (see hub & spoke VNet peering).
  • Some have never heard of availability zones – if you can afford NVAs then you want as high an SLA as you can get.
  • Most do not offer scale-out (active/active clusters) – so a single VM becomes your bottleneck on VM performance (3000 Mbps in a D3_v2).
  • Some don’t even support highly available firewall clusters – so a single VM becomes the single point of failure in your entire cloud network!
  • Their lack of documentation or understanding of VNet peering or route tables in a large cloud deployment is laughable.

The Comparison

So, what I’m getting at is that the third-party NVAs suck. Azure Firewall isn’t perfect either, but it’s a true cloud platform service and it is improving fast – just last night Microsoft announced Threat Intelligence-based filtering, and Service Tags filtering appeared recently. I know more things are on the way too 😊

Here is my breakdown of how Azure Firewall stacks up against firewall NVAs:

|            | Azure Firewall             | NVA                          |
|------------|----------------------------|------------------------------|
| Deployment | Platform                   | Linux VM + software          |
| Licensing  | Consumption: instance + GB | Linux VM + software          |
| Scaling    | Automatic                  | Add VMs + software           |
| Ownership  | Set & monitor              | Manage VM / OS / software    |
| Layer 7    | Logging & filtering        | Potentially* deep inspection |
| Networking | 1 subnet & PIP             | 1+ subnets & 1 PIP           |
| Complexity | Simple                     | Difficult                    |

I know: you laugh when you hear “Microsoft” and “Firewall” in the same sentence. You think of ISA Server. Azure Firewall is different. This is baked into the fabric of Azure, the strategic future of Microsoft. It is already rapidly improving, and it does more than the third parties.

Heck, what does the third party offer compared to NSGs? NSGs filter TCP/UDP, they can log to a storage account, you can centrally log using Event Hubs, and you can do advanced reporting/analysis using NSG Flow Logs with Azure Monitor Logs (Log Analytics). Azure Firewall takes that another step with a hub deployment, an understanding of HTTP/S, and now threat intelligence-based filtering for dynamic threat prevention!

My Opinion

Some people will always prefer a non-Microsoft firewall. But my counter would be, what are you getting that is superior – really? With Azure Firewall, I create a firewall, set my rules, configure my logging, and I’m done. Azure Firewall scales and it is highly available. Logging can be done to storage accounts, event hubs (SIEM), and Azure Monitor Logs. And here’s the best bit … it is SIMPLE to deploy and there is almost no cost of ownership. Compare that to some of the HACK solutions from the NVA vendors and you’d laugh.
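Here is what “create a firewall, set my rules, configure my logging” looks like as a single deployment, and it also shows the hub & spoke route-table point from earlier and the “1 subnet & PIP” row of the table. This is an added example written for this page, not code from the original post or from Microsoft; the resource names, address ranges, rule targets, the Log Analytics workspace, and the API versions are assumptions, and the hub-to-spoke VNet peering and the association of the route table with the spoke subnets are assumed to be done separately.

```bicep
// Added example (not from the original post): hub VNet + Azure Firewall, a spoke
// route table that forces 0.0.0.0/0 through it, one network and one application
// rule collection, and diagnostic logs to Log Analytics. Names, address ranges
// and the workspace are assumptions; hub/spoke peering is assumed to exist.
param location string = resourceGroup().location
param workspaceId string                   // existing Log Analytics workspace (assumed)
param spokePrefix string = '10.1.0.0/16'   // address space of the protected spoke (assumed)

// Hub VNet: the firewall's subnet must be named AzureFirewallSubnet and be at least a /26.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [ { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.0.0/26' } } ]
  }
}

// One Standard-SKU static public IP is all the firewall needs (outbound SNAT / inbound DNAT).
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-fw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'fw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Deny' // threat intelligence-based filtering: 'Alert' only logs, 'Deny' blocks
    ipConfigurations: [ {
      name: 'fw-ipconfig'
      properties: {
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'AzureFirewallSubnet') }
        publicIPAddress: { id: fwPip.id }
      }
    } ]
    // Layer 3/4: DNS/NTP anywhere, plus HTTPS to the AzureMonitor service tag (service-tag filtering).
    networkRuleCollections: [ {
      name: 'allow-infra'
      properties: {
        priority: 100
        action: { type: 'Allow' }
        rules: [
          { name: 'dns-ntp', protocols: [ 'UDP' ], sourceAddresses: [ spokePrefix ], destinationAddresses: [ '*' ], destinationPorts: [ '53', '123' ] }
          { name: 'azure-monitor', protocols: [ 'TCP' ], sourceAddresses: [ spokePrefix ], destinationAddresses: [ 'AzureMonitor' ], destinationPorts: [ '443' ] }
        ]
      }
    } ]
    // Layer 7: outbound HTTP/S only to the WindowsUpdate FQDN tag and one named FQDN;
    // anything not matched by a rule is dropped by the implicit deny.
    applicationRuleCollections: [ {
      name: 'allow-web'
      properties: {
        priority: 100
        action: { type: 'Allow' }
        rules: [
          { name: 'windows-update', sourceAddresses: [ spokePrefix ], fqdnTags: [ 'WindowsUpdate' ], protocols: [ { protocolType: 'Https', port: 443 }, { protocolType: 'Http', port: 80 } ] }
          { name: 'ms-learn', sourceAddresses: [ spokePrefix ], targetFqdns: [ 'learn.microsoft.com' ], protocols: [ { protocolType: 'Https', port: 443 } ] }
        ]
      }
    } ]
  }
}

// Spoke route table: default route to the firewall's private IP. Associate it with
// every spoke subnet (not shown); without the UDR the firewall sees no traffic.
resource spokeRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [ {
      name: 'default-to-firewall'
      properties: {
        addressPrefix: '0.0.0.0/0'
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: fw.properties.ipConfigurations[0].properties.privateIPAddress
      }
    } ]
  }
}

// Logging: rule hits (including threat-intel matches) and metrics go to Log Analytics.
resource fwDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'fw-hub-diag'
  scope: fw
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'AzureFirewallApplicationRule', enabled: true }
      { category: 'AzureFirewallNetworkRule', enabled: true }
    ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}

output firewallPrivateIp string = fw.properties.ipConfigurations[0].properties.privateIPAddress
```

Two things to check after deploying something like this: the spoke subnets must actually have `rt-spoke` associated, or nothing reaches the firewall, and there must be no NSG on the spoke subnets that quietly allows direct Internet egress, or you will have two policies where you wanted one. The implicit deny means the first symptom of a missing application rule is a broken workload, so turn on the diagnostic logs before you start adding rules, not after.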

The Azure Firewall was designed for The Cloud. It was designed for the way that Azure works. And it was designed for how we should use The Cloud … at scale. And that scale isn’t just about Mbps, but in terms of backend services and networks. From what I have seen so far, the same cannot be said for firewall NVAs. For me, the decision is easy: Azure Firewall. Every time.


9 Replies to “Why Choose the Azure Firewall over a Virtual Firewall Appliance?”

  1. I like that you’re being honest and blunt (read: unbiased) in your opinions and definitely think you are right in this case. Keep writing! 🙂

  2. Very well said, keep up the good work. I definitely agree that Azure Firewall is the way to go. NVAs carry additional overhead in the cloud for nothing.

  3. Palo Alto firewalls offer way, way more than MS Azure firewalls; the most important difference is that Palo Alto FWs are true application-based firewalls and not just layer 4 firewalls.

    • What exactly do the Palo Alto virtual appliances in Azure offer that is more than the Azure Firewall? Do they use more than core 0 for processing – not so, according to Checkpoint. Do they offer zero maintenance? Nope. Do they offer config sync between clustered appliances – no brand does yet that I have found. And will they improve at the same speed as the Azure Firewall?

  4. I do not understand the comment “… it is SIMPLE to deploy and there is almost no cost of ownership” My calculator puts the Azure firewall cost at $912.50/month. What am I doing wrong?

  5. Thanks Aidan, really interesting read. I’ve been looking at some of your other posts on creating an Azure DMZ and wondering if I would be able to use Azure Firewall instead of an NVA for additional security besides NSGs? So far I’m impressed with what I’ve seen from Azure Firewall and think it makes sense from an Azure cloud perspective. I’m thinking about implementing your design from the bottom of this post but with Azure Firewall if possible? https://www.petri.com/designing-a-dmz-for-azure-virtual-machines

    • Yeah, you can use Azure Firewall to do that – I do. Note that NSGs still provide basic Layer-4 security and Traffic Analytics (with Log Analytics Workspace) for protected subnets/VNets. And no matter what firewall service/appliance that you use, you better get comfortable with routing first: https://aidanfinn.com/?p=21480
