Forum Discussion
tmknight
Dec 29, 2021, Copper Contributor
Questions on use of AzureFirewall as NGFW in IntranetZone in a hub and spoke topology.
Hi All, 1. I am trying to evaluate AzureFirewall premium as an NGFW for use in an Intranet vnet. I have set the AZFW in forced tunnel mode. But since we can't avoid using the public ip for the fi...
joataid
Jan 07, 2022, Copper Contributor
1. Yes. It is common not to be allowed to apply NSG or custom routes to system-managed subnets such as AzureFirewallManagementSubnet and GatewaySubnet, for example.
2. Yes. Azure Firewall is a great NGFW option for most scenarios, but you can also leverage third party NVAs if you need.
The public IP address is required only for the ManagementSubnet, which is a separate subnet for operational purposes. In addition, by default, Azure Firewall denies all traffic, until rules are manually configured to allow traffic, i.e. no traffic will be allowed through the public addresses until someone allows it.
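The forced tunneling layout the reply describes, written out as an added Bicep example (not code from either poster): the data-plane subnet gets a default route towards the gateway, the management subnet keeps its direct Internet route with its own public IP, and the firewall policy allows nothing until a rule collection is added. Resource names, address ranges, API versions and the on-premises prefix are assumptions; nothing in the thread fixes them.

```bicep
// Added example, not from the thread. Names, ranges and the on-prem prefix are assumptions.
param location string = resourceGroup().location
param hubName string = 'hub-vnet'
param onPremPrefix string = '192.168.0.0/16'   // assumed on-premises range
param spokePrefix string = '10.1.0.0/16'       // assumed intranet spoke range

// Data-plane subnet: the default route leaves through the gateway (forced tunnel), not the Internet.
resource fwDataRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-azfw-data'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      { name: 'default-to-onprem', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualNetworkGateway' } }
    ]
  }
}

// Management subnet: keeps a direct Internet default route with BGP propagation disabled,
// otherwise the firewall cannot reach its service-management endpoints.
resource fwMgmtRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-azfw-mgmt'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      { name: 'default-to-internet', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'Internet' } }
    ]
  }
}

resource hub 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: hubName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.1.0/26', routeTable: { id: fwDataRoutes.id } } }
      { name: 'AzureFirewallManagementSubnet', properties: { addressPrefix: '10.0.2.0/26', routeTable: { id: fwMgmtRoutes.id } } }
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.3.0/27' } }
    ]
  }
}

// The only public IP in this layout belongs to the management configuration.
resource mgmtPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-azfw-mgmt'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'azfw-policy'
  location: location
  properties: { sku: { tier: 'Premium' }, threatIntelMode: 'Deny' }
}

// With no rule collection groups the policy permits nothing; this group is the first explicit allow.
resource allowSpokeToOnPrem 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-spoke-to-onprem'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'spoke-to-onprem-https'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ spokePrefix ]
            destinationAddresses: [ onPremPrefix ]
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-04-01' = {
  name: 'azfw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Premium' }
    firewallPolicy: { id: fwPolicy.id }
    // Data plane without a public IP, following the reply above; add one here if your deployment still requires it.
    ipConfigurations: [
      { name: 'data', properties: { subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hub.name, 'AzureFirewallSubnet') } } }
    ]
    managementIpConfiguration: {
      name: 'mgmt'
      properties: {
        publicIPAddress: { id: mgmtPip.id }
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hub.name, 'AzureFirewallManagementSubnet') }
      }
    }
  }
}
```

Spoke subnets then point their own 0.0.0.0/0 route at the firewall's private address (`nextHopType: 'VirtualAppliance'`), so every flow is logged and policy-checked before it reaches the gateway; the management subnet is the one place where a route table or NSG must not be tightened, which is the constraint the first reply refers to.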