Thank you for reaching out. I understand you have a question regarding Azure zone redundancy for your Azure Application Gateway and Azure Firewall.
Based on your questions above:
1. If I continue to have these resources as regional (i.e., not explicitly specifying a zone / multiple zones), how does Azure handle the instances for these in the backend? Do they really get provisioned in only one zone of Azure's choice? Or, even when it is in Azure's control, might they still get distributed across the zones? I just wouldn't be able to know which zones, right? In both cases.
As documented here, both Azure Application Gateway and Azure Firewall support zonal and zone-redundant deployments.
In your scenario, as these resources are regional (i.e., pinned to a specific availability zone), although these services support high availability, it will be limited to this specific zone. These resources will not be distributed across the availability zones.
For Azure Firewall, this high availability is documented here.
For Azure Application Gateway, as per the FAQ here, the v2 SKU automatically ensures that new instances are spread across fault domains and update domains. If you choose zone redundancy, the newest instances are also spread across availability zones to offer zonal failure resiliency.
2. Based on the #1 answer, if it is still required/recommended to migrate the Firewall and AppGw to zonal, what is the best approach to go about this, with minimal impact and a quick rollback option if something goes wrong?
Yes, it is recommended to update these resources for availability zone support. You can follow the documentation below:
https://learn.microsoft.com/en-us/azure/reliability/migrate-app-gateway-v2
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
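Added example, not part of the answer above: before planning the migration it helps to inventory which gateways and firewalls are already zone-redundant. Azure Resource Manager exposes the zone placement of zone-aware resources such as Application Gateway v2 and Azure Firewall as a top-level `zones` array in the resource JSON (what `az network application-gateway show` and `az network firewall show` return). The script below reads that field from a constructed sample: no entry means no zone was specified at deployment (the "regional" case in question 1), a single entry means zonal, and several entries mean zone-redundant. Resource names and IDs in the sample are hypothetical; `audit_zone_config` and `classify_zones` are helper names chosen for this example.

```python
"""Classify Azure resources by availability-zone configuration from ARM JSON.

Added example (not from the original Q&A). It reads the top-level ``zones``
array Azure Resource Manager exposes on zone-aware resources and reports each
one as regional (no zone specified), zonal (one zone) or zone-redundant
(several zones). Resource names below are hypothetical.
"""
import json

# Constructed sample shaped like the resource JSON `az ... show` returns,
# reduced to the fields this check reads. Names/locations are hypothetical.
SAMPLE_RESOURCES_JSON = """
[
  {"name": "appgw-hub",   "type": "Microsoft.Network/applicationGateways",
   "location": "westeurope", "zones": null},
  {"name": "azfw-hub",    "type": "Microsoft.Network/azureFirewalls",
   "location": "westeurope", "zones": ["1"]},
  {"name": "appgw-spoke", "type": "Microsoft.Network/applicationGateways",
   "location": "westeurope", "zones": ["1", "2", "3"]},
  {"name": "vnet-hub",    "type": "Microsoft.Network/virtualNetworks",
   "location": "westeurope"}
]
"""

# Resource types this audit cares about (compared case-insensitively).
ZONE_AWARE_TYPES = {
    "microsoft.network/applicationgateways",
    "microsoft.network/azurefirewalls",
}


def classify_zones(zones):
    """Map an ARM ``zones`` value to 'regional', 'zonal' or 'zone-redundant'."""
    if not zones:            # null, missing or [] -> no zone was specified
        return "regional"
    if len(zones) == 1:      # exactly one zone -> pinned (zonal)
        return "zonal"
    return "zone-redundant"  # two or more zones -> spread across zones


def audit_zone_config(resources_json, zone_aware_types=ZONE_AWARE_TYPES):
    """Return one finding per zone-aware resource in a JSON list of resources.

    Each finding records the placement and flags anything that is not already
    zone-redundant, i.e. a candidate for the migration recommended above.
    Resources of other types (VNets, etc.) are skipped.
    """
    findings = []
    for res in json.loads(resources_json):
        if res.get("type", "").lower() not in zone_aware_types:
            continue
        zones = sorted(res.get("zones") or [])
        placement = classify_zones(zones)
        findings.append({
            "name": res["name"],
            "type": res["type"],
            "location": res.get("location"),
            "zones": zones,
            "placement": placement,
            "needs_attention": placement != "zone-redundant",
        })
    return findings


if __name__ == "__main__":
    for f in audit_zone_config(SAMPLE_RESOURCES_JSON):
        flag = "  <-- not zone-redundant" if f["needs_attention"] else ""
        print(f"{f['name']:<12} {f['placement']:<15} zones={f['zones'] or '-'}{flag}")
```

To run this against a real subscription, replace the constructed sample with the JSON from the `az network application-gateway show` / `az network firewall show` commands (or any other export that keeps the `zones` field) and review every resource flagged `needs_attention` before following the migration guide linked above.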