Microsoft Tech Community
SOLVED

Azure Firewall Manager


I'm looking for confirmation as to whether my suspicions are correct or I'm a complete idiot. If I'm using AFM and it is deployed in West US, for example, am I able to modify policies in the event there is some kind of Azure outage in the West US region (let's just pretend complete outage for the sake of the conversation)? I'm assuming a managed service like AFM is set up with native HA/failover and would not be impacted by something like this...is that wrong of me?

2 Replies
Is this thing on?
best response confirmed by Brant_Boyd (Copper Contributor)
Solution

@Brant_Boyd 

Hello Brant, that is an excellent question and I'd be happy to clarify this for you. Azure Firewall Manager itself is not a deployable resource and does not have a location that it references; it is purely a centralized security management service for your Azure Firewall Policies, Web Application Firewall Policies, DDoS Protection Plans, and Security Partner Providers. The resource that gets deployed to a specific region is the Azure Firewall Policy, but this is still considered to be a global resource. You can think of the Azure Firewall Policy as a construct, or image, that will be replicated and available throughout all of the Azure datacenters.

 

To clarify your scenario, if the Azure Firewall Policy is deployed to West US, and you use this to manage Azure Firewalls in East US, Central US, etc., and there happens to be an outage at the West US datacenter, the Azure Firewall Policy will continue to service the Azure Firewalls globally with no impact.
