Azure Firewall

Azure Firewall (Basic SKU) Pre-Deployment Checklist

Azure Firewall Basic — outbound/inbound traffic control for hub VNets, SMB and dev/test environments

Azure Networking

A comprehensive pre-deployment checklist for Azure Firewall deployed with the Basic SKU, as published in the Azure Marketplace by frametype Solutions.

This checklist covers networking prerequisites (including the Basic SKU’s mandatory management subnet), public IP requirements, firewall policy prerequisites, identity and access, monitoring, and IaC deployment. Firewall Policy is a separate Azure resource — this checklist notes its requirements but a dedicated Firewall Policy checklist covers rule collection planning in detail.

The Basic SKU is designed for environments with outbound throughput needs up to 250 Mbps. Key constraints versus Standard and Premium SKUs are called out inline on each relevant item.
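The Basic SKU prerequisites named above (the mandatory management subnet, public IPs, and a Firewall Policy of matching tier) are easiest to see in the resource declarations themselves. The Bicep below is an added example, not frametype Solutions' Marketplace template; the resource names, address ranges and API versions are assumed values.

```bicep
// Added example (not the Marketplace offer's template): minimal declarations
// for an Azure Firewall Basic deployment. Names and address ranges are assumed.
param location string = resourceGroup().location
param firewallName string = 'afw-hub-prod-weu-001'   // assumed CAF-style name
param vnetName string = 'vnet-hub-prod-weu-001'      // assumed hub VNet name

// Both subnet names are fixed by the service and each must be at least /26.
// The management subnet is mandatory for the Basic SKU.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }   // constructed range
    subnets: [
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.0.0/26' } }
      { name: 'AzureFirewallManagementSubnet', properties: { addressPrefix: '10.0.0.64/26' } }
    ]
  }
}

// Azure Firewall requires Standard SKU, static public IPs: one for the data
// plane and one for the management plane.
resource pipData 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-hub-prod-weu-001'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
resource pipMgmt 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-hub-prod-weu-002'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// The policy tier must match the firewall SKU. Threat Intelligence in Alert
// mode is the most the Basic SKU supports; Deny needs Standard or Premium.
resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'afwp-hub-prod-weu-001'   // assumed name
  location: location
  properties: {
    sku: { tier: 'Basic' }
    threatIntelMode: 'Alert'
  }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: firewallName
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Basic' }
    firewallPolicy: { id: policy.id }
    ipConfigurations: [
      {
        name: 'data'
        properties: {
          subnet: { id: hubVnet.properties.subnets[0].id }   // AzureFirewallSubnet
          publicIPAddress: { id: pipData.id }
        }
      }
    ]
    // Required for Basic: management traffic uses its own subnet and public IP.
    managementIpConfiguration: {
      name: 'management'
      properties: {
        subnet: { id: hubVnet.properties.subnets[1].id }     // AzureFirewallManagementSubnet
        publicIPAddress: { id: pipMgmt.id }
      }
    }
  }
}

// Spoke route tables point their default route at this address.
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
```

Deploy at resource-group scope (for example with `az deployment group create`). Referencing the subnets through the `hubVnet` symbol gives Bicep the dependency ordering without an explicit `dependsOn`; if the template is later changed to a Standard or Premium firewall, both `sku.tier` values must change together or validation fails on the policy/firewall tier mismatch.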

View IaC on GitHub: resource templates, deployment scripts, and other helpful information.
Items marked ARM map to required properties in the ARM resource declaration: the portal will not submit, and the ARM/Bicep template will fail validation, without them.

Compliance alignment

This checklist is reviewed and maintained against three Microsoft architectural frameworks. Items within each section are tagged required, recommended, or optional based on framework guidance — with Zero Trust items typically driving the required bar, and Well-Architected pillar guidance informing the recommended set.

CAF
Cloud Adoption Framework
Governance & operations

Naming follows the CAF pattern afw-{workload}-{env}-{region}-{index} for the firewall and pip-{workload}-{env}-{region}-{index} for each Public IP — naming is enforced at deployment time and cannot be changed post-deployment. The deployment is designed for hub VNet integration consistent with CAF landing zone connectivity subscriptions. Governance items address resource tagging (Workload, Environment, CostCenter, createdBy), CanNotDelete resource locks on the firewall resource group, and Azure Policy compliance for network security baselines. Note that the Azure Marketplace offer deploys through a managed template — customized naming must be applied via offer parameters before submission.

WAF
Well-Architected Framework
All five pillars

Reliability: Built-in high availability is included in the service — no additional load balancers are required. However, the Basic SKU does not support availability zone deployment, limiting zone-level resiliency.

Security: Centralized traffic inspection for both application-level (FQDN) and network-level (IP/port/protocol) rules; Threat Intelligence in Alert mode surfaces known-malicious traffic. Deny mode of Threat Intelligence requires the Standard or Premium SKU.

Performance Efficiency: The Basic SKU supports up to 250 Mbps throughput — evaluate this against peak workload requirements; scale-out requires SKU migration.

Cost Optimization: ~$284/month base cost plus $0.065/GB; the first Firewall Policy association is $0.

Operational Excellence: Full IaC via Bicep with Marketplace offer deployment for repeatable, governed deployments.

ZT
Zero Trust
Verify, least privilege, assume breach

Verify explicitly: All traffic to and from spoke subnets is inspected against Firewall Policy rule collections — no implicit trust based on source network. Application rules enforce FQDN allowlisting rather than broad IP ranges. Threat Intelligence in Alert mode provides visibility into connections to known malicious destinations.

Least privilege: Firewall Contributor access for operations teams is time-bound through PIM; no standing Owner or Contributor on the firewall resource group.

Assume breach: The firewall provides the only permitted egress path for protected subnets (enforced via UDR 0.0.0.0/0 → firewall private IP); spoke-to-spoke lateral movement can be controlled by sending inter-subnet traffic through the firewall as well. NSGs on spoke subnets remain essential — the firewall controls north-south traffic, not east-west intra-VNet movement.
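The UDR described under "Assume breach", together with the tagging and CanNotDelete lock items from the Cloud Adoption Framework section, as one added Bicep example. This is not frametype Solutions' template; the route table name, tag values, the second spoke's address space and the firewall private IP parameter are assumed.

```bicep
// Added example (not the Marketplace offer's template): default route through
// the firewall, optional spoke-to-spoke route, CAF tags, and a resource-group lock.
param location string = resourceGroup().location
param firewallPrivateIp string                    // assumed: output of the firewall deployment
param otherSpokePrefix string = '10.2.0.0/16'     // constructed: another spoke's address space

// Governance tags from the CAF section; values are placeholders.
var tags = {
  Workload: 'hub'
  Environment: 'prod'
  CostCenter: 'CC-PLACEHOLDER'
  createdBy: 'bicep'
}

// Every subnet associated with this table has the firewall as its only egress path.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke-prod-weu-001'   // assumed CAF-style name
  location: location
  tags: tags
  properties: {
    // Stop routes learned from a VPN/ExpressRoute gateway from bypassing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        // VNet peering installs a system route for the peered prefix that is more
        // specific than 0.0.0.0/0, so east-west traffic needs its own override
        // to be forced through the firewall.
        name: 'spoke-to-spoke-via-firewall'
        properties: {
          addressPrefix: otherSpokePrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Deployed at resource-group scope, a lock with no explicit scope applies to the
// resource group itself, so the firewall and its public IPs cannot be deleted
// without first removing the lock.
resource rgLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-cannotdelete'
  properties: {
    level: 'CanNotDelete'
    notes: 'Protects the hub firewall resources from accidental deletion.'
  }
}
```

The route table only takes effect once it is associated with each spoke subnet (the `routeTable` property on the subnet in the spoke VNet declaration). A useful pre-deployment check is to confirm there is no other route in that table, or propagated from a gateway, that is more specific than the firewall routes; such a route would silently create a second egress path that the firewall never sees. NSGs on the spoke subnets still govern traffic that stays inside the VNet.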