Azure Firewall is a cloud-native security service that provides workload and threat protection for cloud workloads. It inspects both east-west and north-south traffic across workloads and services. Azure Firewall is available in three SKUs: Basic, Standard, and Premium.
To learn more about Azure Firewall, visit the Microsoft page.
Dynamic Scaling:
Azure Firewall previously supported dynamic scaling based on CPU utilisation, throughput, and connection volume. This is much-needed functionality for enterprise customers with mission-critical workloads and predictable traffic patterns. It helps maintain control over the firewall configuration as needed to ensure consistent performance.
Azure Firewall uses an Azure VM scale set for dynamic scaling, which helps scale out and in based on demand. This can cause delays during scaling activities, leading to dropped packets and degraded performance.
Scale out occurs when the average throughput or CPU consumption of the firewall instance reaches predefined thresholds – 60% for throughput and 80% for connections.
During scale-in, existing connections are temporarily disrupted, leading to dropped packets as TCP RST packets are sent.
During both scaling processes, appropriate planning and testing are crucial to maintaining stable performance and efficiently managing connections. To learn more about dynamic scaling, please visit the Azure Firewall FAQ section.
Prescaling: How does it differ?
Microsoft has announced prescaling for Azure Firewall, a new feature that lets you proactively set minimum and maximum capacity units. This configuration provides predictable performance while autoscaling occurs within the defined range.
Prescaling enables capacity planning in advance, which can foster greater confidence and control. The following are key features of Azure Firewall prescaling:
- Plan by setting a baseline of firewall capacity units to handle increased demand.
- Stay flexible with defined minimum and maximum capacity values to allow for growth.
- Monitor trends with a new capacity metric and configure alerts for scaling events.
How does prescaling work?
To set up prescaling, specify two parameters: minimum capacity (minCapacity) and maximum capacity (maxCapacity). The valid range for these settings is 2-50. If both minCapacity and maxCapacity are set to the same value, the firewall will operate at a fixed capacity, which means there will be no autoscaling.
Important: The minimum and maximum capacity values must either be the same or differ by more than 1. For instance, if you set minCapacity to 5, then maxCapacity must be at least 7.
The table below provides the cost for prescaling. Prescaling has a new billing meter, Capacity Unit Hour, that is charged in addition to the regular Azure Firewall fees. The fee is calculated per provisioned capacity unit per hour.
| SKU | Price per capacity unit |
|---|---|
| Azure Firewall Standard | $0.07 per capacity unit hour |
| Azure Firewall Premium | $0.11 per capacity unit hour |
Prescaling can be enabled via the Azure portal, PowerShell, Bicep and Azure Resource Manager templates.
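A pre-deployment check for the rules and prices above, written as an added example that is not from Microsoft or the original post: it rejects invalid minCapacity/maxCapacity pairs and estimates the monthly Capacity Unit Hour charge at the floor and ceiling of the range. The function names, the 730-hour month, the integer requirement and the max-not-below-min check are assumptions made for illustration.

```python
from decimal import Decimal

# From the page: valid range 2-50 and the Capacity Unit Hour prices per SKU.
CAPACITY_RANGE = (2, 50)
PRICE_PER_CU_HOUR = {"Standard": Decimal("0.07"), "Premium": Decimal("0.11")}
HOURS_PER_MONTH = 730  # assumption: average month length, for estimates only


def check_prescaling(min_capacity, max_capacity):
    """Return a list of rule violations; an empty list means the pair is valid."""
    errors = []
    low, high = CAPACITY_RANGE
    for name, value in (("minCapacity", min_capacity), ("maxCapacity", max_capacity)):
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{name} must be an integer")  # assumption: whole units
        elif not low <= value <= high:
            errors.append(f"{name}={value} is outside {low}-{high}")
    if errors:
        return errors
    gap = max_capacity - min_capacity
    if gap < 0:  # assumption: implied by the parameter names
        errors.append("maxCapacity is lower than minCapacity")
    elif gap == 1:  # page rule: equal, or differ by more than 1
        errors.append("values must be equal or differ by more than 1")
    return errors


def plan(sku, min_capacity, max_capacity):
    """Validate a pair and estimate the monthly capacity-unit charge envelope."""
    if sku not in PRICE_PER_CU_HOUR:
        raise ValueError(f"no prescaling price on the page for SKU {sku!r}")
    errors = check_prescaling(min_capacity, max_capacity)
    if errors:
        raise ValueError("; ".join(errors))
    rate = PRICE_PER_CU_HOUR[sku] * HOURS_PER_MONTH  # per capacity unit per month
    return {
        "mode": "fixed" if min_capacity == max_capacity else "autoscale",
        "monthly_floor_usd": rate * min_capacity,    # firewall stays at minimum
        "monthly_ceiling_usd": rate * max_capacity,  # firewall stays at maximum
    }


if __name__ == "__main__":
    # Constructed sample inputs: valid range, fixed capacity, and an invalid gap of 1.
    for sku, lo, hi in [("Standard", 5, 7), ("Premium", 10, 10), ("Standard", 5, 6)]:
        try:
            print(sku, lo, hi, plan(sku, lo, hi))
        except ValueError as exc:
            print(sku, lo, hi, "rejected:", exc)
```

The figures cover only the Capacity Unit Hour meter; the regular Azure Firewall fees are charged in addition.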
Thanks for taking the time to learn about the Azure Firewall Prescaling feature.

Santhosh has over 15 years of experience in the IT organization. He works as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. His varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.