Migrate to Azure Firewall Premium in Secured vWAN hub with preserved Public IP addresses

A Secured virtual hub uses an associated Firewall (Azure Firewall, third-party security as a service (SecaaS) provider, or both.) and routing policies for governance and protection. This blog looks at the steps to successfully migrate Azure Firewall in your secure virtual hub while preserving the Public IPs already assigned to the Azure Firewall during migration. A schedule down-time should be planned for this migration.

Step 1. Migrate from Classic to Firewall Policy: This is essential if classic rules are used in the current Firewall. Firewall management tool is best suited for Firewall policies, hence ensure that the classic rules are all moved to Firewall policy. Follow this link to migrate classic rules to Firewall policy. (Steps 1 to 3)

Step 2. Back up the Azure Firewall resource

This is a recommended process in case of browser failure or loss of access to terminal during this transition. The migration step briefly involves deallocation of the Firewall and re-allocating the Firewall again while using a placeholder to retain the assigned public IPs. The backup process ensures that you have a copy of your current configuration in the case of a browser hang or internet connectivity issue during the process.

An alternative is to go to the Virtual Hub and copy the Hub ID and save it. This ID retains the definition for the properties of each unique Azure Firewall virtual hub and may be used later.

Go to Resource Group ->VWAN -> Virtual Hub ->(Click on Name) Properties -> Resource ID. Copy and keep this value.

Step 3. Deallocate and Re-allocate Azure Firewall with new Firewall premium tier and reserved Public IPs using the steps below

(Note: Minimum PowerShell Version Supported: PowerShell Gallery | Az 6.5.0)

##Get Firewall resource object $azfw = Get-AzFirewall -Name "XXXXFW_Hub” -ResourceGroupName "XXXXRG" ## Store Virtual Hub object in a variable $hub = Get-AzVirtualHub -ResourceGroupName "XXXXRG" -Name "XXXHub” ## De-allocate the Firewall. $azfw.Deallocate() ## Set the Firewall. This may take a few minutes Set-AzFirewall -AzureFirewall $azfw ##Get the Firewall resource object $azfw = Get-AzFirewall -Name "XXXXFW_Hub” -ResourceGroupName "XXXXRG" ##select new Firewall SKU $azfw.Sku.Tier="Premium" ##pass the hub information $azfw.Allocate($hub.id) ##Re-allocate the Firewall Set-AzFirewall -AzureFirewall $azfw

When the deployment completes, confirm you now have Premium Firewall SKU and the Public IP addresses are available. You can now configure all the additional Azure Firewall Premium features.

For more information about Azure Firewall premium:

Azure Firewall artifacts in Github

Azure Firewall Monitor Workbook with Premium Features view

Azure Firewall Premium Deep Dive Video

Secure your VirtualHub with Azure Firewall Manager

Published on: November 04, 2021

Learn more

Azure Network Security Blog articles

Learn more

Migrate to Azure Firewall Premium in Secured vWAN hub with preserved Public IP addresses

Related posts

From Backlog to Delivery: Running Scrum in Azure DevOps

Azure SDK Release (November 2025)

Microsoft Purview: Information Protection-Azure AI Search honors Purview labels and policies

Soluzione Earns Microsoft Solutions Partner Designation for Data & AI (Azure)

How to Automate Deployments with Azure DevOps Pipelines

What’s New with Microsoft Foundry (formerly Azure AI Foundry) from Ignite 2025

Pantone’s Palette Generator enhances creative exploration with agentic AI on Azure

Microsoft Azure Key Vault HSM Animated Explainer

Microsoft Azure Hardware Security Module (HSM): Helping you with data security and sovereignty

Premier League drives deep fan connection with Microsoft Foundry and Azure Cosmos DB