7 - Single-Region Virtual WAN with Azure Firewall
A full Platform landing zone deployment with Virtual WAN network connectivity using Azure Firewall in a single region.
Warning: The single-region option is here for completeness; we recommend always having at least two regions to support resiliency.
- Example Platform landing zone configuration file: full-single-region/virtual-wan.tfvars
- Estimated Costs - Approximate monthly infrastructure costs
- Resources - What gets deployed in this scenario
- Configuration - How DNS, routing, and policies are configured
Estimated Costs

| Resource | Estimated Monthly Cost (USD) |
|---|---|
| Azure Firewall (Premium) | 1,277.50 |
| Firewall Policy (Standard) | 100.00 |
| VPN Gateway (VpnGw2AZ) | 394.20 |
| ExpressRoute GW (ErGw2AZ) | 461.36 |
| Azure Bastion (Standard) | 211.70 |
| DDoS Protection Plan | 2,944.00 |
| Private DNS Resolver | 180.00 |
| Private DNS Zones (x110) | 55.00 |
| Public IP Addresses (x2) | 7.30 |
| Total | 5,631.06 |
Note: Estimated fixed infrastructure costs based on Azure Retail Prices for the westus region in USD as of 2026-04-02. Consumption-based costs (data processing, log ingestion, DNS queries, etc.) are not included and will vary based on usage. DDoS Protection Plan pricing is sourced from the Azure DDoS Protection pricing page. You can generate your own estimates for any region and currency using the Get-ScenarioCostEstimates.ps1 script.
Resources

The following resources are deployed by default in this scenario:
- Management Groups
- Policy Definitions
- Policy Set Definitions
- Policy Assignments
- Policy Assignment Role Assignments
- Log Analytics Workspace
- Log Analytics Data Collection Rules for AMA
- User Assigned Managed Identity for AMA
- Automation Account
- Connectivity subscription - placed under the connectivity management group
- Management subscription - placed under the management management group
- Identity subscription - placed under the identity management group (recommended)
- Security subscription - placed under the security management group (recommended)
Tip: Identity and Security subscriptions are recommended but optional. If you do not yet have dedicated subscriptions for identity and security workloads, you can comment out or remove the identity and security subscription placement blocks in the configuration file and add them later.
- DDoS Protection Plan
- Virtual WAN
- Virtual Hub in one region
- Sidecar Virtual Network
- Sidecar to Virtual Hub peering
- Subnets for Bastion and Private DNS Resolver in one region
- Azure Firewall in one region
- Azure Firewall public IP in one region
- Azure Firewall policy in one region
- Azure Bastion in one region
- Azure Bastion public IP in one region
- Azure Private DNS Resolver in one region
- Azure non-regional Private Link Private DNS zones in one region
- Azure regional Private Link Private DNS zones in one region
- Azure Virtual Machine auto-registration Private DNS zone in one region
- Azure Private Link DNS zone virtual network links in one region
- Azure ExpressRoute Virtual Network Gateway in one region
- Azure VPN Virtual Network Gateway in one region
Configuration

The following relevant configuration is applied:
Private DNS is configured ready for Private Link and Virtual Machine auto-registration. Spoke Virtual Networks should use the Azure Firewall private IP address as their DNS server, so that every query passes through the firewall's DNS proxy and on to the Private DNS Resolver; the private link zones are not linked to the spokes directly.
- Azure Firewall is configured as a DNS proxy
- Azure Firewall forwards DNS traffic to the Private DNS Resolver inbound endpoint
- Azure Private DNS Resolver has an inbound endpoint in the sidecar Virtual Network
- Azure Private Link DNS zones are linked to the hub sidecar Virtual Network
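The spoke side of that DNS chain, as an added Terraform example that is not part of the accelerator's modules or of the virtual-wan.tfvars file: a workload VNet points its DNS servers at the firewall's private IP, attaches to the Virtual WAN hub with a hub connection, and a check block refuses a clean plan if the hub firewall policy does not have the DNS proxy enabled and forwarding to at least one server (the resolver inbound endpoint). The resource names, resource group name, spoke address space and the westus region are assumptions for the example; substitute the values from your own deployment.

```hcl
# Added example: spoke-side wiring for the DNS chain this scenario relies on.
# Not the accelerator's own code. Names, resource group and address space are assumed.

terraform {
  required_version = ">= 1.5" # check blocks need 1.5 or later
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Hub resources already deployed by the platform landing zone (assumed names).
data "azurerm_firewall" "hub" {
  name                = "fw-hub-westus"
  resource_group_name = "rg-connectivity-westus"
}

data "azurerm_firewall_policy" "hub" {
  name                = "fwp-hub-westus"
  resource_group_name = "rg-connectivity-westus"
}

data "azurerm_virtual_hub" "hub" {
  name                = "vhub-westus"
  resource_group_name = "rg-connectivity-westus"
}

locals {
  # A firewall deployed into a Virtual WAN hub exposes its private IP through the
  # virtual_hub block. Spokes must use this address as their DNS server, never the public IP.
  firewall_private_ip = data.azurerm_firewall.hub.virtual_hub[0].private_ip_address
}

resource "azurerm_resource_group" "spoke" {
  name     = "rg-spoke-app1-westus" # assumed
  location = "westus"
}

# Spoke VNet: every DNS query goes to the firewall, which proxies it to the
# Private DNS Resolver inbound endpoint in the sidecar VNet, where the linked
# Private Link zones answer with private IPs.
resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-spoke-app1-westus" # assumed
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
  address_space       = ["10.100.0.0/22"] # assumed; must not overlap the hub or sidecar
  dns_servers         = [local.firewall_private_ip]
}

# In Virtual WAN a spoke attaches to the hub with a hub connection, not VNet peering.
resource "azurerm_virtual_hub_connection" "spoke" {
  name                      = "vhc-spoke-app1-westus" # assumed
  virtual_hub_id            = data.azurerm_virtual_hub.hub.id
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  internet_security_enabled = true # let the hub advertise 0.0.0.0/0 to this spoke
}

# Guardrail: fail the plan if the hub policy is not configured the way this
# scenario describes (DNS proxy on, forwarding to at least one resolver IP).
check "hub_dns_proxy" {
  assert {
    condition     = try(data.azurerm_firewall_policy.hub.dns[0].proxy_enabled, false)
    error_message = "Hub firewall policy must have DNS proxy enabled or spoke name resolution will fail."
  }
  assert {
    condition     = length(try(data.azurerm_firewall_policy.hub.dns[0].servers, [])) > 0
    error_message = "Hub firewall policy must forward DNS to the Private DNS Resolver inbound endpoint."
  }
}

output "spoke_dns_server" {
  description = "Address spoke workloads use for DNS (the Azure Firewall private IP)"
  value       = local.firewall_private_ip
}
```

Run `terraform plan` from a context that can read the connectivity subscription; the check block reports its failures as warnings in the plan, so a hub whose policy lost the DNS proxy setting is caught before a spoke is built against it. After apply, the runtime confirmation is an `nslookup` of a Private Link FQDN (for example a storage account's privatelink name) from a VM in the spoke: it should return the endpoint's private address and the firewall's private IP as the server, not a public IP.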
