Azure Firewall & Application Gateway Regional Configuration Clarity

Alex 305 Reputation points
2024-04-05T17:25:43.33+00:00

Hello team,

Good day!!

I have set up an Azure Firewall and an Application Gateway which are 3+ years old now, and at that time I believe there wasn't an option to choose zones for these two resources; if I check the properties in the JSON of them, I don't see the zonal properties now. I have 2 questions related to this:

  1. If I continue to have these resources as regional (i.e., not explicitly specifying a zone / multiple zones), how does Azure handle the instances for these in the backend? Do they really get provisioned in only one zone of Azure's choice? Or, even when it is in Azure's control, might they still get distributed across the zones? I just wouldn't be able to know which zones, right, in both cases?
  2. Based on the answer to #1, if it is still required/recommended to migrate the Firewall and AppGw to zonal, what is the best approach to go about this, with minimal impact and a quick rollback option if something goes wrong?

Thank you as always. Appreciate your time and support.


Accepted answer
  1. ChaitanyaNaykodi-MSFT 22,941 Reputation points Microsoft Employee
    2024-04-09T15:40:57.97+00:00

    @Alex

    Thank you for reaching out. I understand you have a question regarding Azure zone redundancy for your Azure Application Gateway and Azure Firewall.

    Based on your questions above:

    If I continue to have these resources as regional (i.e., not explicitly specifying a zone / multiple zones), how does Azure handle the instances for these in the backend? Do they really get provisioned in only one zone of Azure's choice? Or, even when it is in Azure's control, might they still get distributed across the zones? I just wouldn't be able to know which zones, right, in both cases?

    As documented here, both Azure Application Gateway and Azure Firewall support zonal and zone-redundant deployments.

    In your scenario, as these resources are regional (i.e. pinned to a specific availability zone), although these services support high availability, it will be limited to this specific zone. These resources will not be distributed across the availability zones.

    For Azure Firewall, this high availability is documented here.

    For Azure Application Gateway, as per the FAQ here, the v2 SKU automatically ensures that new instances are spread across fault domains and update domains. If you choose zone redundancy, the newest instances are also spread across availability zones to offer zonal failure resiliency.

    Based on the answer to #1, if it is still required/recommended to migrate the Firewall and AppGw to zonal, what is the best approach to go about this, with minimal impact and a quick rollback option if something goes wrong?

    Yes, it is recommended to update these resources for availability zone support. You can follow the documentation below:

    https://learn.microsoft.com/en-us/azure/reliability/migrate-app-gateway-v2

    https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#how-can-i-configure-availability-zones-after-deployment

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
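As an added example (not code from this thread or from Microsoft): a small Python audit that reads exported ARM resource JSON (the shape you get from an "Export template" or `az network application-gateway show` / `az network firewall show`) and reports which Azure Firewall and Application Gateway resources carry no top-level `zones` array, which is the "regional" case the question describes. The resource list below is constructed inline; the resource names are illustrative. The SKU check encodes the point from the accepted answer that zone support on Application Gateway is a v2 SKU feature, so a v1 gateway has to be migrated to v2 before zones can be configured at all.

```python
import json

# Constructed sample in the shape returned by an ARM template export /
# `az resource show`; not a real subscription's data.
SAMPLE_RESOURCES = json.loads("""
[
  {"type": "Microsoft.Network/azureFirewalls", "name": "fw-hub-old",
   "location": "eastus",
   "properties": {"sku": {"name": "AZFW_VNet", "tier": "Standard"}}},
  {"type": "Microsoft.Network/azureFirewalls", "name": "fw-hub-new",
   "location": "eastus", "zones": ["1", "2", "3"],
   "properties": {"sku": {"name": "AZFW_VNet", "tier": "Standard"}}},
  {"type": "Microsoft.Network/applicationGateways", "name": "agw-web-v1",
   "location": "eastus",
   "properties": {"sku": {"name": "Standard_Medium", "tier": "Standard"}}},
  {"type": "Microsoft.Network/applicationGateways", "name": "agw-web-v2",
   "location": "eastus", "zones": ["2"],
   "properties": {"sku": {"name": "Standard_v2", "tier": "Standard_v2"}}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-hub",
   "location": "eastus", "properties": {}}
]
""")

# Only the two resource types discussed in the thread are audited.
AUDITED_TYPES = {
    "Microsoft.Network/azureFirewalls",
    "Microsoft.Network/applicationGateways",
}


def zone_mode(resource):
    """Classify a resource by its top-level ARM 'zones' array.

    'regional'       - no zones property (or an empty list): the question's case
    'zonal'          - pinned to exactly one availability zone
    'zone-redundant' - spread across two or more availability zones
    """
    zones = resource.get("zones") or []
    if not zones:
        return "regional"
    return "zonal" if len(zones) == 1 else "zone-redundant"


def audit(resources):
    """Return one finding per Firewall / Application Gateway resource."""
    findings = []
    for r in resources:
        if r.get("type") not in AUDITED_TYPES:
            continue
        sku_tier = r.get("properties", {}).get("sku", {}).get("tier", "")
        mode = zone_mode(r)
        finding = {
            "name": r["name"],
            "type": r["type"],
            "mode": mode,
            "zones": r.get("zones") or [],
            "sku_tier": sku_tier,
            # Anything short of zone-redundant still has a single-zone
            # failure domain, so both 'regional' and 'zonal' are flagged.
            "needs_attention": mode != "zone-redundant",
        }
        # Availability zones on Application Gateway need the v2 SKU
        # (Standard_v2 / WAF_v2); a v1 gateway must be migrated first.
        if (r["type"] == "Microsoft.Network/applicationGateways"
                and not sku_tier.endswith("_v2")):
            finding["note"] = "v1 SKU: migrate to v2 before enabling zones"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOURCES):
        flag = "!!" if f["needs_attention"] else "ok"
        short_type = f["type"].split("/")[-1]
        print(f"{flag} {short_type:<20} {f['name']:<12} {f['mode']:<15} "
              f"zones={f['zones']} {f.get('note', '')}")
```

To run it against real resources, replace `SAMPLE_RESOURCES` with the JSON output of the CLI `show` commands for each firewall and gateway (or the `resources` array of an exported template); the findings marked `!!` are the ones the migration links in the accepted answer apply to.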


1 additional answer

  1. hossein jalilian 2,835 Reputation points
    2024-04-05T17:54:24.1566667+00:00

    Hello Alex,

    Thanks for posting your question in the Microsoft Q&A forum.

    1. If Azure Firewall or Application Gateway is deployed without specifying a zone, Azure automatically distributes them across multiple zones for fault tolerance and high availability. However, you won't know the specific zones.
    2. Microsoft recommends migrating Azure Firewall and Application Gateway to a zonal or multi-zonal deployment for better control and visibility. The migration approach involves creating new zonal instances, updating backend resources, thorough testing, and then deleting the old instances if everything works well. This method minimizes downtime and offers a quick rollback option if needed.

    Please don't forget to close the thread here by upvoting and accepting it as an answer if it is helpful.