What is our primary use case?
We use Azure Firewall for designing infrastructure for big data integration applications or for applications on Kubernetes. The firewall is only on the edge of our architecture.
The problem we were trying to solve was mostly around configuration. Azure Firewall is a PaaS offering, so it's not about the technical aspects. We need, of course, to know what threats need to be protected against, who should have access to the firewall, and which applications do have access. We also have to look at how it fits with centralized management. We also must be able to state if the solution we provide as a firewall is compliant with the standards of the organization and for auditing.
We use it in a mission-critical environment. It's highly secured.
How has it helped my organization?
It has made our solution safer, more scalable, and less costly because we don't have to take care of the technical maintenance.
What is most valuable?
One of the best features is that it natively integrates with Azure Services and tools. When you have a third-party offering, that is not the case. But Azure Firewall provides a comprehensive and seamless security solution for your Azure resources. The flawless integration is really nice with the Azure AD, Azure Monitor, and Azure Bastion. Everything fits together. If you use Sentinel, it's also good for that.
What needs improvement?
You can use Azure Firewall in every technical area. It's not branch specific, rather it's more architecture specific. Palo Alto also has firewalls that protect cloud infrastructure, but Palo Alto firewalls are fully managed by Palo Alto, giving you room to configure it more like you want to configure it. That gives you more options for manual deployment. Sometimes this works great when it comes to scaling or performance and can be an advantage. It depends on the use case. The option for doing a more manual deployment with Azure Firewall should be improved.
It doesn't always fit our requirements and we have to configure it further.
Also, Azure has new versions including a premium firewall. But I would like to see them not put the premium features on Azure Firewall Premium alone because it is quite expensive. For example, we use intrusion detection and prevention systems but only mTLS (Mutual TLS) inspection, which is not in the standard Azure Firewall, but it is in the premium version.
High availability can also be an issue, so there are several reasons to go for the premium version, but the standard firewall is too modest. It's more for an SMB. If you want to scale you should go for Azure Firewall Premium.
For how long have I used the solution?
I have been using Azure Firewall for about eight years.
What do I think about the stability of the solution?
It's a very stable solution.
What do I think about the scalability of the solution?
It's very scalable because it's a PaaS solution. If you have only one event or a lot of events, it scales.
How are customer service and support?
When we have a really in-depth question when we are working in production or other environments, we use Microsoft standard support. Sometimes it's very good, and sometimes it could be better.
There is also go-live support.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We used Palo Alto. We switched because we needed to do the configuration manually. Another issue was the pricing. Azure Firewall pricing is based on a pay-as-you-go model, while the Palo Alto pricing includes the cost of the VM-Series license. It's a different usage model.
The best choice depends on your specific needs and the level of security features you require. If you need more security features, then Palo Alto would be the better one, but if you want simple management and a cost-effective solution, Azure Firewall is enough.
I also used Fortinet FortiGate. It is very popular for the same reasons that Palo Alto is. I have also used Check Point CloudGuard and some of my colleagues use Barracuda and Cisco. Nowadays it's mostly between Azure, Palo Alto, and Fortinet.
How was the initial setup?
It's a PaaS offering, always on the cloud. It's tightly connected to Azure. It's quite simple when it comes to creating it, but the configuration, the fine-grain specific needs, is more difficult. If you have a standard way of working, it would work very well. But when you have different applications and integrations, Fortinet might be a better choice.
Our implementation strategy is based on designing the architecture for the application. Then we look at cost estimation so that it fits into the budget. Then we implement it and maintain it and evaluate it yearly.
There is functional maintenance involved but not technical maintenance because that is done by Azure. Things like upgrading the OS are handled by the Capgemini and Accenture technicians.
What about the implementation team?
We made use of Accenture and Capgemini. The Accenture team had about eight people and Capgemini brought about four. My team was four architects.
What was our ROI?
It's worth the money, it's not expensive, but it depends on the requirements of the organization. When you are in a smaller organization with smaller applications, Azure Firewall will do the job. But when you are in a big organization with different needs, you should go for Fortinet or Palo Alto.
What's my experience with pricing, setup cost, and licensing?
The pricing of Azure Firewall is pay-as-you-go. Fortinet also has a pay-as-you-go model, but Azure's pricing is higher and, with FortiGate, you also have the license.
It's not that the price is always better with Azure, but if you want a simple solution, one you don't have to think about too much, go for Azure Firewall.
There are different pricing models and it also depends on how much data transfer you have. If you have a lot of data transfer, I would go for other firewalls. Azure Firewall is not the best firewall, but it's the easiest firewall.
What other advice do I have?
My advice is to start by trying the Azure Firewall, and if it's not working out, then go for Azure Firewall Premium or for Palo Alto or Fortinet.
*Disclosure: I am a real user, and this review is based on my own experience and opinions.
