Azure Proactive Resiliency Library v2

azureFirewalls

Summary

Recommendation | Impact | Category | Automation Available | In Azure Advisor
Deploy Azure Firewall across multiple availability zones | High | High Availability | Yes | No
Monitor Azure Firewall metrics | High | Monitoring and Alerting | Yes | No
Configure 2-4 PIPs for SNAT Port utilization | Medium | High Availability | No | No
Monitor "AZFW Latency Probe" metric | High | Monitoring and Alerting | No | No

Details


Deploy Azure Firewall across multiple availability zones

Impact:  High Category:  High Availability

APRL GUID:  c72b7fee-1fa0-5b4b-98e5-54bcae95bb74

Description:

Azure Firewall offers different SLAs depending on whether it is deployed in a single availability zone or across multiple zones; a multi-zone deployment potentially improves reliability and performance.

Potential Benefits:

Enhanced SLA and reliability

Learn More:

Azure Well Architected Framework - Azure Firewall
Deploy Azure Firewall across multiple availability zones

ARG Query:

// Azure Resource Graph Query
// List all Azure Firewalls that are not configured with multiple availability zones or deployed without a zone
resources
| where type == 'microsoft.network/azurefirewalls'
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where array_length(zones) <= 1 or isnull(zones)
| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
| project recommendationId = "c72b7fee-1fa0-5b4b-98e5-54bcae95bb74", name, id, tags, param1="multipleZones:false"



Monitor Azure Firewall metrics

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  3c8fa7c6-6b78-a24a-a63f-348a7c71acb9

Description:

Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks.

Potential Benefits:

Improve health and performance monitoring

Learn More:

Azure Firewall metrics supported in Azure Monitor
Azure Firewall performance

ARG Query:

// Azure Resource Graph Query
// List all Azure Firewalls resources in-scope, along with any metrics associated to Azure Monitor alert rules, that are not fully configured.
resources
| where type == "microsoft.network/azurefirewalls"
| project firewallId = tolower(id), name, tags
| join kind = leftouter (
    resources
    | where type == "microsoft.insights/metricalerts"
    | mv-expand properties.scopes
    | mv-expand properties.criteria.allOf
    | where properties_scopes contains "azureFirewalls"
    | project metricId = tolower(properties_scopes), monitoredMetric = properties_criteria_allOf.metricName, tags
    | summarize monitoredMetrics = make_list(monitoredMetric) by tostring(metricId)
    | project
        metricId,
        monitoredMetrics,
        allAlertsConfigured = monitoredMetrics contains ("FirewallHealth") and monitoredMetrics contains ("Throughput") and monitoredMetrics contains ("SNATPortUtilization")
) on $left.firewallId == $right.metricId
| extend alertsNotFullyConfigured = isnull(allAlertsConfigured) or not(allAlertsConfigured)
| where alertsNotFullyConfigured
// recommendationId must match the APRL GUID of this recommendation (3c8fa7c6-...)
| project recommendationId = "3c8fa7c6-6b78-a24a-a63f-348a7c71acb9", name, id = firewallId, tags, param1 = strcat("MetricsAlerts:", monitoredMetrics)



Configure 2-4 PIPs for SNAT Port utilization

Impact:  Medium Category:  High Availability

APRL GUID:  d2e4a38e-2307-4299-a217-4c0cebc9a7f6

Description:

Configure at least two, and up to four, public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall provides SNAT for all outbound traffic to public IPs, and each additional PIP adds 2,496 SNAT ports.

Potential Benefits:

Avoids SNAT exhaustion.

Learn More:

Azure Well-Architected Framework review - Azure Firewall

ARG Query:

// under development



Monitor "AZFW Latency Probe" metric

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  8faace2d-a36e-425c-aa58-2ad99e3e0b7a

Description:

Using the Azure Firewall latency probe metric to monitor for latency sustained above 30 ms (allowing for normal short spikes) can help identify when firewall instance CPU utilization is under stress, which potentially indicates performance issues.

Potential Benefits:

Improved CPU stress detection

Learn More:

Azure Well-Architected Framework review - Azure Firewall
Azure Firewall metrics overview

ARG Query:

// under development
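The "sustained above 30 ms, allowing for spikes" condition from the latency probe recommendation, as an added example rather than APRL's own tooling: it aggregates constructed latency probe samples into fixed evaluation windows and fires only after several consecutive windows exceed the threshold, so a single spike does not trigger an alert. The window size and the number of failing periods are assumed values, not figures from the page.

```python
"""Sustained-latency detection for the Azure Firewall latency probe metric.

Added example (not APRL code). It mirrors how a static-threshold metric alert
behaves: samples are averaged per evaluation window and the alert fires only
when enough consecutive windows breach the threshold.
"""
from statistics import mean

LATENCY_THRESHOLD_MS = 30.0      # threshold named in the APRL recommendation
WINDOW_SIZE = 5                  # assumed: 5 samples per window (1 sample/min -> 5 min)
FAILING_PERIODS_REQUIRED = 3     # assumed: consecutive failing windows before alerting


def window_averages(samples, window_size=WINDOW_SIZE):
    """Average consecutive fixed-size windows; an incomplete trailing window is dropped."""
    return [mean(samples[i:i + window_size])
            for i in range(0, len(samples) - window_size + 1, window_size)]


def sustained_breach(samples, threshold_ms=LATENCY_THRESHOLD_MS,
                     window_size=WINDOW_SIZE, failing_periods=FAILING_PERIODS_REQUIRED):
    """Return the window index at which the alert would fire, or None.

    A window fails when its average exceeds threshold_ms. A lone spike can
    fail one window, but the alert needs `failing_periods` failures in a row.
    """
    consecutive = 0
    for idx, avg in enumerate(window_averages(samples, window_size)):
        consecutive = consecutive + 1 if avg > threshold_ms else 0
        if consecutive >= failing_periods:
            return idx
    return None


# Constructed latency probe series in ms, one sample per minute (not real telemetry).
SPIKE_ONLY = [12, 14, 13, 120, 15, 13, 12, 14, 13, 15, 14, 13, 12, 15, 14, 13, 14, 12, 13, 15]
SUSTAINED = [12, 14, 13, 15, 14, 38, 41, 36, 44, 39, 42, 37, 40, 45, 38, 41, 39, 43, 37, 40]

if __name__ == "__main__":
    for label, series in (("spike only", SPIKE_ONLY), ("sustained", SUSTAINED)):
        fired = sustained_breach(series)
        print(f"{label}: {'alert at window ' + str(fired) if fired is not None else 'no alert'}")
```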