Relocate Azure Firewall to another region
This article shows you how to relocate an Azure Firewall that protects an Azure Virtual Network.
Prerequisites
We highly recommend that you use Premium SKU. If you are on Standard SKU, consider migrating from an existing Standard SKU Azure Firewall to Premium SKU before you being relocation.
The following information must be collected in order to properly plan and execute an Azure Firewall relocation:
- Deployment model. Classic Firewall Rules or Firewall policy.
- Firewall policy name. (If Firewall policy deployment model is used).
- Diagnostic setting at the firewall instance level. (If Log Analytics workspace is used).
- TLS (Transport Layer Security) Inspection configuration.: (If Azure Key Vault, Certificate and Managed Identity is used.)
- Public IP control. Assess that any external identity relying on Azure Firewall public IP remains fixed and trusted.
Azure Firewall Standard and Premium tiers have the following dependencies that you may need to be deploy in the target region:
- Azure Virtual Network
- (If used) Log Analytics Workspace
If you're using the TLS Inspection feature of Azure Firewall Premium tier, the following dependencies also need to be deployed in the target region:
Downtime
To understand the possible downtimes involved, see Cloud Adoption Framework for Azure: Select a relocation method.
Prepare
To prepare for relocation, you need to first export and modify the template from the source region. To view a sample ARM template for Azure Firewall, see review the template.
Export template
Sign in to the Azure portal.
Select All resources and then select your Azure Firewall resource.
On the Azure Firewall page, select Export template under Automation in the left menu.
Choose Download in the Export template page.
Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.
This zip file contains the .json files that include the template and scripts to deploy the template.
Modify template
In this section, you learn how to modify the template that you generated in the previous section.
If you're running classic firewall rules without Firewall policy, migrate to Firewall policy before proceeding with the steps in this section. To learn how to migrate from classic firewall rules to Firewall policy, see Migrate Azure Firewall configuration to Azure Firewall policy using PowerShell.
Sign in to the Azure portal.
If you're using Premium SKU with TLS Inspection enabled,
- Relocate the key vault that's used for TLS inspection into the new target region. Then, follow the procedures to move certificates or generate new certificates for TLS inspection into the new key vault in the target region.
- Relocate managed identity into the new target region. Reassign the corresponding roles for the key vault in the target region and subscription.
In the Azure portal, select Create a resource.
In Search the Marketplace, type
template deployment
, and then press Enter.Select Template deployment and the select Create.
Select Build your own template in the editor.
Select Load file, and then follow the instructions to load the
template.json
file that you downloaded in the previous sectionIn the
template.json
file, replace:firewallName
with the default value of your Azure Firewall name.azureFirewallPublicIpId
with the ID of your public IP address in the target region.virtualNetworkName
with the name of the virtual network in the target region.firewallPolicy.id
with your policy ID.
Create a new firewall policy using the configuration of the source region and reflect changes introduced by the new target region (IP Address Ranges, Public IP, Rule Collections).
If you're using Premium SKU and you want to enable TLS Inspection, update the newly created firewall policy and enable TLS inspection by following the instructions here.
Review and update the configuration for the topics below to reflect the changes required for the target region.
- IP Groups. To include IP addresses from the target region, if different from the source, IP Groups should be reviewed. The IP addresses included in the groups must be modified.
- Zones. Configure the availability Zones (AZ) in the target region.
- Forced Tunneling. Ensure that you've relcoated the virtual network and that the firewall Management Subnet is present before the Azure Firewall is relocated. Update the IP Address in the target region of the Network Virtual Appliance (NVA) to which the Azure Firewall should redirect the traffic, in the User Defined Route (UDR).
- DNS. Review IP Addresses for your custom custom DNS Servers to reflect your target region. If the DNS Proxy feature is enabled, be sure to configure your virtual network DNS server settings and set the Azure Firewall’s private IP address as a Custom DNS server.
- Private IP ranges (SNAT). - If custom ranges are defined for SNAT, it's recommended that you review and eventually adjust to include the target region address space.
- Tags. - Verify and eventually update any tag that may reflect or refer to the new firewall location.
- Diagnostic Settings. When recreating the Azure Firewall in the target region, be sure to review the Diagnostic Setting adn configure it to reflect the target region (Log Analytics workspace, storage account, Event Hub, or 3rd-party partner solution).
Edit the
location
property in thetemplate.json
file to the target region (The following example sets the target region tocentralus
.):
"resources": [
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2023-09-01",
"name": "[parameters('azureFirewalls_fw_name')]",
"location": "centralus",}]
To find the location code for your target region, see Data residency in Azure.
- Save the
template.json
file.
Redeploy
Deploy the template to create a new Azure Firewall in the target region.
Enter or select the property values:
Subscription: Select an Azure subscription.
Resource group: Select Create new and give the resource group a name.
Location: Select an Azure location.
The Azure Firewall is now deployed with the adopted configuration to reflect the needed changes in the target region.
Verify configuration and functionality.