Azure Firewall Manager deployment overview

There's more than one way to use Azure Firewall Manager to deploy Azure Firewall, but the following general process is recommended.

To review network architecture options, see What are the Azure Firewall Manager architecture options?

General deployment process

Hub virtual networks

  1. Create a firewall policy

    • Create a new policy
      or
    • Derive a base policy and customize a local policy
      or
    • Import rules from an existing Azure Firewall. Make sure to remove NAT rules from policies that should be applied across multiple firewalls
  2. Create your hub and spoke architecture

    • Create a Hub Virtual Network using Azure Firewall Manager and peer spoke virtual networks to it using virtual network peering
      or
    • Create a virtual network and add virtual network connections and peer spoke virtual networks to it using virtual network peering
  3. Select security providers and associate firewall policy. Currently, only Azure Firewall is a supported provider.

    • This is done while you create a Hub Virtual Network
      or
    • Convert an existing virtual network to a Hub Virtual Network. It's also possible to convert multiple virtual networks.
  4. Configure User Define Routes to route traffic to your Hub Virtual Network firewall.

Secured virtual hubs

  1. Create your hub and spoke architecture

    • Create a Secured Virtual Hub using Azure Firewall Manager and add virtual network connections.
      or
    • Create a Virtual WAN Hub and add virtual network connections.
  2. Select security providers

    • Done while creating a Secured Virtual Hub.
      or
    • Convert an existing Virtual WAN Hub to Secure Virtual Hub.
  3. Create a firewall policy and associate it with your hub

    • Applicable only if using Azure Firewall.
    • Partner security as a service (SECaaS) policies are configured via partners management experience.
  4. Configure route settings to route traffic to your secured hub

    • Easily route traffic to your secured hub for filtering and logging without User Defined Routes (UDR) on spoke Virtual Networks using the Secured Virtual Hub Route Setting page.

Note

Convert virtual networks

The following information applies if you convert an existing virtual network to a hub virtual network:

  • If the virtual network has an existing Azure Firewall, you select a Firewall Policy to associate with the existing firewall. The firewall provisioning status is updated while the firewall policy replaces firewall rules. During the provisioning state, the firewall continues processing traffic and has no downtime. You can import existing rules to a Firewall Policy using Firewall Manager or Azure PowerShell.
  • If the virtual network doesn't have an associated Azure Firewall, a firewall is deployed and the Firewall Policy is associated with the new firewall.

Next steps