Forum Discussion
SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
Valon_Kolica: Since Azure Firewall is a highly available solution, I assume that the underlying mechanism for this resource employs some sort of VM/app cluster. Could you give us a bit more insight into how HA is achieved at the backend level? Also, could you let us know if such HA mode is done via either an active-passive (where only one firewall device takes care of the entire traffic load) or active-active (where two or more firewall devices handle the traffic) mode? Finally, how is traffic flow consistency, especially in regard to stateful connections, achieved if HA is done following an active-active model? Thank you.
- gusmodena (Microsoft), Sep 26, 2023
RodrigoFerraz, Azure Firewall is a cloud-native resource. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It is based on Virtual Machine Scale Sets, and by default there are two active VMSS instances. Azure Firewall gradually scales out when the average throughput or CPU consumption is at 60%, and it takes 5 to 7 minutes. Scale-in also happens gradually, when the average throughput or CPU consumption is below 20%. Note: the scaling doesn't apply to the Basic SKU, as it has a fixed scale unit to run the service on two virtual machine backend instances.
Azure Firewall doesn't share connection state between the instances. So, in case of scale-in, a VM instance is put in drain mode for 90 seconds before being recycled. It may also happen when there's planned maintenance of the firewall.
For reliability, we recommend deploying Azure Firewall with Availability Zones.
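The zone-redundant deployment recommended above, as an added Bicep example (not code from Microsoft or from this thread): the firewall and its Standard-SKU public IP are both pinned to zones 1, 2 and 3, so the backend VMSS instances are spread across zones. Resource names, the `location` parameter and the `subnetId` parameter (which must point at a subnet named `AzureFirewallSubnet`) are assumptions.

```bicep
// Added example: Azure Firewall (Standard tier) deployed across all three
// Availability Zones. Names and parameters below are assumptions, not
// values from the original discussion.
param location string = resourceGroup().location
param subnetId string   // resource ID of the AzureFirewallSubnet (assumed parameter)

// The firewall's public IP must be Standard SKU and zone-redundant as well,
// otherwise the zone placement of the firewall itself cannot be honoured.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-azfw-example'          // assumed name
  location: location
  sku: {
    name: 'Standard'
  }
  zones: [ '1', '2', '3' ]
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'azfw-example'              // assumed name
  location: location
  // Spreading the backend instances over every zone in the region is what
  // makes the service survive a single-zone outage.
  zones: [ '1', '2', '3' ]
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Standard'              // autoscaling applies; Basic SKU has a fixed scale unit
    }
    ipConfigurations: [
      {
        name: 'ipconfig-example'    // assumed name
        properties: {
          subnet: {
            id: subnetId
          }
          publicIPAddress: {
            id: fwPip.id
          }
        }
      }
    ]
  }
}

output firewallZones array = fw.zones
```

After deployment, `az network firewall show` on the resource should list all three zones; a firewall created without the `zones` property is regional only and will not be rebalanced into zones later.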