Firewall scenario
Approx. cost: ~$336 / month (driven by Azure Firewall Basic).
What you get
Everything in baseline except the spoke NAT Gateway, plus:
- AzureFirewallManagementSubnet carved from the hub /23 (required by Firewall Basic)
- Azure Firewall (Basic SKU, zone-redundant 1/2/3) with two data PIPs + management PIP
- Empty Firewall Policy (Basic) — extend with rule collections as needed
- Hub ↔ Spoke VNet peering (forwarded traffic enabled)
- Spoke route table forcing 0.0.0.0/0 → firewall private IP, applied to snet-workload
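
One way to extend the empty Firewall Policy with a first rule collection group, shown as an added Terraform example that is not part of this project's modules; the variable names, rule names and FQDN are assumptions. Azure Firewall denies any flow that no rule allows, so with the empty policy the forced 0.0.0.0/0 route leaves snet-workload without outbound access until rules like these exist.

```hcl
# Added example, not the project's own code. All names below are hypothetical.

variable "firewall_policy_id" {
  type        = string
  description = "Resource ID of the empty Basic firewall policy (assumed to be available from your deployment)."
}

variable "workload_subnet_cidr" {
  type        = string
  description = "Address prefix of snet-workload (placeholder; use your spoke's value)."
}

resource "azurerm_firewall_policy_rule_collection_group" "workload_egress" {
  name               = "rcg-workload-egress"
  firewall_policy_id = var.firewall_policy_id
  priority           = 200

  # Allow-list egress: only HTTPS to named FQDNs from the workload subnet.
  # Everything else stays blocked by the firewall's default deny.
  application_rule_collection {
    name     = "allow-https-fqdns"
    priority = 210
    action   = "Allow"

    rule {
      name              = "package-repo"
      source_addresses  = [var.workload_subnet_cidr]
      destination_fqdns = ["packages.example.com"] # constructed sample FQDN

      protocols {
        type = "Https"
        port = 443
      }
    }
  }
}
```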
When to choose it
- The customer requires managed egress filtering / TLS-less L4 inspection
- You want central audit logging for all outbound flows
- No on-premises connectivity needed
Deploy
Use the configuration generator and choose managed firewall egress. Its commands run preflight, save a preview, apply only after review, and verify the firewall. See the Terraform or Bicep quick start.
Note — if you upgrade Firewall Basic → Standard later, change sku_tier in modules.firewall.tf and re-apply. The mgmt subnet/PIP can stay (Basic-only requirement) or be removed.