Azure landing zone Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Azure landing zone Documentation
  2. /
  3. IaC accelerator
  4. /
  5. Terraform
  6. /
  7. Options
  8. /
  9. 14 - Change Firewall SKU
Edit page

14 - Change Firewall SKU

The full scenarios default to Azure Firewall Premium SKU, which supports features like HTTPS inspection for zero trust networking. You can change the SKU to Standard or Basic if needed.

Warning
Downgrading from Premium to Standard removes TLS inspection (HTTPS inspection), IDPS (signature-based intrusion detection and prevention), and URL filtering for full URL path matching. These are key capabilities for zero trust networking.
Warning
Downgrading from Standard to Basic additionally removes DNS proxy support. Without DNS proxy, Azure Firewall cannot act as the DNS intermediary for spoke virtual networks, which means centralized Private DNS zone resolution via Azure Firewall will not work. If you use the Basic SKU, Private DNS zones should be managed directly in spoke subscriptions instead.

The steps to follow are:

  1. Update each firewall SKU in the custom_replacements > names block setting.
    Setting TypeParent block(s)KeyActionCountNotes
    linecustom_replacements > names<region>_firewall_sku_tierUpdate the value to "Basic", "Standard", or "Premium"1+<region> is the relevant region (e.g. primary or secondary). There will be two instances for a multi-region deployment
gdoc_arrow_left_alt 13 - Turn off Defender Plans 15 - Implement Sovereign Landing Zone (SLZ) controls gdoc_arrow_right_alt