
Firewall scenario

Approx. cost: ~$336 / month (driven by Azure Firewall Basic).

Everything in baseline except the spoke NAT Gateway, plus:

  • AzureFirewallManagementSubnet carved from the hub /23 (required by Firewall Basic)
  • Azure Firewall (Basic SKU, zone-redundant 1/2/3) with two data PIPs + management PIP
  • Empty Firewall Policy (Basic); extend with rule collections as needed
  • Hub ↔ Spoke VNet peering (forwarded traffic enabled)
  • Spoke route table forcing 0.0.0.0/0 → firewall private IP, applied to snet-workload

Choose this scenario when:

  • The customer requires managed egress filtering / TLS-less L4 inspection
  • You want central audit logging for all outbound flows
  • No on-premises connectivity is needed

Use the configuration generator and choose managed firewall egress. Its commands run preflight, save a preview, apply only after review, and verify the firewall. See the Terraform or Bicep quick start.

Note — if you upgrade Firewall Basic → Standard later, change sku_tier in modules.firewall.tf and re-apply. The management subnet and PIP are a Basic-only requirement; after the upgrade they can stay or be removed.
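The pieces listed above, written out as an added Terraform example (this is not the project's own modules.firewall.tf). It assumes the hub and spoke resource groups, the AzureFirewallSubnet / AzureFirewallManagementSubnet subnets, snet-workload, and Standard-SKU public IPs already exist under the referenced names (azurerm_subnet.afw, azurerm_subnet.afw_mgmt, azurerm_subnet.snet_workload, azurerm_public_ip.afw_data[*], azurerm_public_ip.afw_mgmt).

```hcl
# Added example (not the project's modules.firewall.tf); RGs, subnets and PIPs are assumed.
resource "azurerm_firewall_policy" "hub" {
  name                = "afwp-hub"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  sku                 = "Basic" # must match the firewall's sku_tier
}

resource "azurerm_firewall" "hub" {
  name                = "afw-hub"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Basic" # set to "Standard" and re-apply to upgrade
  zones               = ["1", "2", "3"]
  firewall_policy_id  = azurerm_firewall_policy.hub.id
  ip_configuration {
    name                 = "data-1"
    subnet_id            = azurerm_subnet.afw.id # AzureFirewallSubnet; only the first block has subnet_id
    public_ip_address_id = azurerm_public_ip.afw_data[0].id
  }
  ip_configuration {
    name                 = "data-2"
    public_ip_address_id = azurerm_public_ip.afw_data[1].id
  }
  # Basic SKU requires a management interface on AzureFirewallManagementSubnet.
  management_ip_configuration {
    name                 = "mgmt"
    subnet_id            = azurerm_subnet.afw_mgmt.id
    public_ip_address_id = azurerm_public_ip.afw_mgmt.id
  }
}

# Spoke UDR: 0.0.0.0/0 goes to the firewall's private IP, so the workload subnet
# has no path to the internet except through the central policy.
resource "azurerm_route_table" "spoke_egress" {
  name                = "rt-spoke-egress"
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "workload" {
  subnet_id      = azurerm_subnet.snet_workload.id
  route_table_id = azurerm_route_table.spoke_egress.id
}
```

The hub ↔ spoke peering must have forwarded traffic enabled, as listed above, or flows steered to the firewall are dropped at the peering. With an empty Basic policy the firewall denies all outbound traffic by default, so rule collections are what actually admit egress.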