Share via

my Azure Firewall zone redundancy

Iu Donadeu Renau 25 Reputation points
2026-06-02T13:22:11.1533333+00:00

Hi, i have one Azure FIrewall that i though it was zone redundant, beocouse on creation i found this information:

In regions that support multiple Availability Zones, Azure Firewall is deployed as zone-redundant by default and automatically placed across two or more zones based on capacity. If multi-zone capacity isn't available, the deployment will fail and you must select another region or deploy to specific zones via the API.Learn more

I created it in Spain Central, region that supports availiability Zones, but I cant find anywere on setting or overview that in fact firewall its zone redundant , actually I found oposite using Resource graph explorer : image

Azure Firewall
Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vallepu Venkateswarlu 9,830 Reputation points Microsoft External Staff Moderator
    2026-06-02T14:16:14.7366667+00:00

    Hi Iu Donadeu Renau,

    Welcome to Microsoft Q&A Platform.

    In regions that support Availability Zones (like Spain Central), any new Azure Firewall you create without explicitly specifying a zone is automatically deployed as zone-redundant—even though the portal doesn’t show a “Zone redundancy” toggle.

    You can verify:

    Default zone-redundant deployment

    • When you deploy via the portal (or via CLI/PowerShell without a –zones parameter), Azure treats it as “None” in your ARM JSON, then transparently spreads instances across two or more zones.
    • You won’t see a UI flag; this is a platform-managed feature.

    Zonal versus zone-redundant in ARM/CLI

    • If you explicitly deploy to a single zone (e.g. --zones 1), the firewall is zonal. You’ll see "zones": ["1"] in the resource JSON.
    • If you leave out zones (or it shows as null/empty), it’s zone-redundant.

    Verify via CLI or PowerShell

    az network firewall show -g MyRG -n MyFirewall --query zones

    PowerShell:

    (Get-AzFirewall -ResourceGroupName MyRG -Name MyFirewall).Zones

    Empty/null = zone-redundant; populated = zonal

    Resource Graph behavior

    Resource Graph will show the zones property as an empty array or null for zone-redundant firewalls. That’s expected and confirms your firewall is indeed spread across multiple zones. So, even though the portal doesn’t show “zone redundant” in the blades, your firewall in Spain Central is automatically zone-redundant as long as you didn’t pin it to a specific zone.

    As stated in Zone redundancy

    Azure Firewall uses a Zone-redundant-by-default deployment model to improve resiliency, availability, and protection against zonal failures.

    Current behavior:

    • All new Azure Firewall deployments that don't explicitly specify zones (that is, set to None) are zone redundant by default in regions that support availability zones.
    • All existing firewalls without a specified zone (that is, set to None) are being platform-migrated to become zone redundant (ZR).
    • All existing firewalls deployed in a single zone aren't migrated at this time.
    • You don't need to take any administrator action to migrate.

    References: Configure availability zone support
    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, **this can be beneficial to other community members.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.