Azure Firewall change public IP

Question

Azure Firewall change public IP

Eddie Vincent 245

Recently Azure have made their public IP addresses zone redundant by default: https://azure.microsoft.com/en-us/blog/azure-public-ips-are-now-zone-redundant-by-default/

With basic public IP addresses being retired next year I need to remove mine from as the public IP of my Azure firewall (standard SKU) to be replaced with a zone redundant type, the only way I can find to do this is to delete and recreate the firewall but wanted to ask if there was a less destructive method of doing this?

I have tried the following with no success:

Adding a secondary IP address to the firewall via the Azure portal disassociating and deleting the primary, the primary IP cannot be deleted from the Firewall and throws up an allocation error despite the secondary IP address being present.
Using Bicep and adding the configuration zone 1,2,3 to the configuration - this fails with an error.
Using Azure PowerShell the firewall being unresponsive despite not actually deleting the secondary IP address (commands and resulting issue below).

User's image

I am now at the point of believing that complete re-creation is the only option however if anyone on this forum has any suggestions please let me know.

ChaitanyaNaykodi-MSFT 27,661 Reputation points Microsoft Employee Moderator

2024-10-01T21:30:24.44+00:00

@Eddie Vincent

Thank you for reaching out. I understand you have a question changing the Firewall IP address to standard SKU.I think you might be facing an issue here because currently Azure Firewall supports Standard SKU public IP addresses only and Basic SKU public IP address aren't supported. This currently documented here

And also there is no guidance available about this migration for Azure Firewall. Can you please share a screenshot of your Basic Public IP overview page and Azure firewall overview page? you can share it in a private message here.

Also please share more details about the errors observed as well. I will reach out to the team internally with the details above and see if there are any alternate way to achieve this migration.

Thank you!
Eddie Vincent 245 Reputation points

2024-10-03T10:26:35.9433333+00:00

Thanks for responding, apologies my terminology was incorrect in my original post. I am using a Standard public IP but with availability settings as non zonal (screenshot below). As such we are going to have to change these zonal settings for both the public IP and the Firewall itself.

To add this new Zonal IP I am expecting a complete recreation of the Firewall, however as you can upgrade Firewall SKU's on the fly and add additional public IP's to existing Firewalls I figured it would be worth checking if there were a way of doing this without completely flattening the device.

1 answer

Your answer

ChaitanyaNaykodi-MSFT 27,661 Reputation points Microsoft Employee Moderator

2024-10-01T21:30:24.44+00:00

@Eddie Vincent

Thank you for reaching out. I understand you have a question changing the Firewall IP address to standard SKU.I think you might be facing an issue here because currently Azure Firewall supports Standard SKU public IP addresses only and Basic SKU public IP address aren't supported. This currently documented here

And also there is no guidance available about this migration for Azure Firewall. Can you please share a screenshot of your Basic Public IP overview page and Azure firewall overview page? you can share it in a private message here.

Also please share more details about the errors observed as well. I will reach out to the team internally with the details above and see if there are any alternate way to achieve this migration.

Thank you!
Eddie Vincent 245 Reputation points

2024-10-03T10:26:35.9433333+00:00

Thanks for responding, apologies my terminology was incorrect in my original post. I am using a Standard public IP but with availability settings as non zonal (screenshot below). As such we are going to have to change these zonal settings for both the public IP and the Firewall itself.

To add this new Zonal IP I am expecting a complete recreation of the Firewall, however as you can upgrade Firewall SKU's on the fly and add additional public IP's to existing Firewalls I figured it would be worth checking if there were a way of doing this without completely flattening the device.

Answer 1

@Eddie Vincent

Thank you for getting back and apologies for the delay here

In this scenario as the IP address is standard SKU instead of adding an additional Zone redundant IP address, you can instead edit the existing IP Address Config on your firewall and select a Zone IP address.

Below will be the steps to achieve this.

First deploy a Zone Redundant IP address in the region where the firewall is deployed.
Then Azure Firewall->Public IP configuration page and then edit the existing IP config and select the Zone Redundant IP address you created above in drop down and save.(You can refer to my screenshots below)

After this process you can follow the steps documented here to configure availability zones for your Azure Firewall.

Hope this helps! Thanks!

Share via

Azure Firewall change public IP

1 answer

Your answer