Upgrade to Premium Azure Firewall SKU

Son 80 Reputation points
2024-05-01T07:47:57.3666667+00:00

Hi,

We are planning on upgrading our standard Azure FW SKU to a premium SKU soon using the upgrade function in the portal.

The premium SKU introduces IDPS, I was just curious as to whether that is enabled by default once you upgrade or if it is something you turn on afterwards at your choice? I am assessing the risks involved with the upgrade and whether there is potential for traffic to suddenly be blocked as a result of introducing the feature.

If anyone has any other pointers for the upgrade and things to watch out for it would be great if you could share that!

Thanks


Accepted answer
  1. GitaraniSharma-MSFT 49,586 Reputation points Microsoft Employee
    2024-05-01T12:18:40.2133333+00:00

    Hello @Son ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are planning to upgrade your Standard SKU Azure Firewall to Premium SKU using the easy upgrade feature and have some queries regarding the same.

    "The premium SKU introduces IDPS, I was just curious as to whether that is enabled by default once you upgrade or if it is something you turn on afterwards at your choice?"

    IDPS is not enabled by default.

    I've tested this by upgrading a Standard SKU Azure Firewall to Premium using the Change SKU option.

    You can enable it and start with IDPS Alert mode before you enable Alert + Deny mode, while ensuring optimal performance for your Azure Firewall.

    Below are some documents that you can follow for best practices:

    https://learn.microsoft.com/en-us/azure/firewall/firewall-best-practices

    https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall

    "If anyone has any other pointers for the upgrade and things to watch out for it would be great if you could share that!"

    Performance is a consideration when migrating from the standard SKU. IDPS and TLS inspection are compute-intensive operations. The premium SKU uses a more powerful VM SKU, which scales to a higher throughput comparable with the standard SKU. Microsoft recommends customers perform full-scale testing in their Azure deployment to ensure the firewall service performance meets your expectations.

    https://learn.microsoft.com/en-us/azure/firewall/firewall-performance

    https://learn.microsoft.com/en-us/azure/firewall/firewall-best-practices

    The easiest way to change your Azure Firewall SKU with no downtime is to use the Change SKU feature.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/easy-upgrade

    NOTE: Even though the above migration feature has no downtime, it is advised that you should always perform any upgrade/downgrade operations during off-business hours and scheduled maintenance times.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
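
The rollout order discussed in the answer above (upgrade with IDPS off, then Alert, then Alert + Deny) can be checked by comparing firewall policy JSON exported before and after each change. This is an added example, not part of the original thread or Microsoft's code; it assumes the firewall uses a firewall policy with the ARM shape `properties.sku.tier` and `properties.intrusionDetection.mode` (`Off`, `Alert`, `Deny`), and the snapshots and the signature ID are constructed.

```python
# Added example: compare two exported firewall policy snapshots and report
# IDPS changes that should be reviewed because they can start denying traffic.
# Assumption: ARM JSON shape of Microsoft.Network/firewallPolicies.

def idps_state(policy):
    """Return (tier, idps_mode, deny_signature_ids) for one policy snapshot."""
    props = policy.get("properties") or {}
    tier = (props.get("sku") or {}).get("tier", "Standard")
    idps = props.get("intrusionDetection") or {}   # absent block means IDPS off
    mode = idps.get("mode", "Off")
    overrides = (idps.get("configuration") or {}).get("signatureOverrides") or []
    deny_ids = sorted(o["id"] for o in overrides if o.get("mode") == "Deny")
    return tier, mode, deny_ids


def blocking_changes(before, after):
    """List IDPS differences between two snapshots that need review."""
    _, mode_b, deny_b = idps_state(before)
    _, mode_a, deny_a = idps_state(after)
    findings = []
    if mode_a == "Deny" and mode_b != "Deny":
        # Going straight from Off to Deny skips the Alert-only observation phase.
        skipped = " with no Alert phase" if mode_b == "Off" else ""
        findings.append(f"IDPS mode went {mode_b} -> Deny{skipped}")
    new_deny = [s for s in deny_a if s not in deny_b]
    if new_deny:
        findings.append(f"signatures newly overridden to Deny: {new_deny}")
    return findings


# Constructed snapshots: before upgrade, right after upgrade, Alert, Deny.
STANDARD = {"properties": {"sku": {"tier": "Standard"}}}
UPGRADED = {"properties": {"sku": {"tier": "Premium"}}}
ALERT = {"properties": {"sku": {"tier": "Premium"},
                        "intrusionDetection": {"mode": "Alert"}}}
DENY = {"properties": {"sku": {"tier": "Premium"},
                       "intrusionDetection": {
                           "mode": "Deny",
                           "configuration": {"signatureOverrides": [
                               {"id": "1000001", "mode": "Deny"}]}}}}  # constructed ID

if __name__ == "__main__":
    steps = [("upgrade", STANDARD, UPGRADED), ("enable Alert", UPGRADED, ALERT),
             ("enable Deny", ALERT, DENY), ("skip Alert", UPGRADED, DENY)]
    for name, before, after in steps:
        print(name, "->", blocking_changes(before, after) or "no blocking change")
```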
