
Migrate to Azure Firewall Premium in Secured vWAN hub with preserved Public IP addresses

A Secured virtual hub uses an associated Firewall (Azure Firewall, a third-party security as a service (SecaaS) provider, or both) and routing policies for governance and protection. This blog looks at the steps to successfully migrate Azure Firewall to Premium in your secured virtual hub while preserving the Public IPs already assigned to the Azure Firewall. Scheduled downtime should be planned for this migration.


Step 1. Migrate from Classic to Firewall Policy: This is essential if classic rules are used in the current Firewall. The Firewall management tool is best suited for Firewall policies, so ensure that the classic rules are all moved to a Firewall policy. Follow this link to migrate classic rules to Firewall policy. (Steps 1 to 3)


Step 2. Back up the Azure Firewall resource

This is recommended in case of browser failure or loss of access to the terminal during this transition. The migration briefly involves deallocating the Firewall and re-allocating it while using a placeholder to retain the assigned public IPs. The backup ensures that you have a copy of your current configuration if the browser hangs or internet connectivity is lost during the process.

An alternative is to go to the Virtual Hub and copy the Hub ID and save it. This ID retains the definition for the properties of each unique Azure Firewall virtual hub and may be used later.

Go to Resource Group -> VWAN -> Virtual Hub -> (Click on Name) Properties -> Resource ID. Copy and keep this value.


Step 3. Deallocate and re-allocate the Azure Firewall with the new Premium tier and the reserved Public IPs using the steps below


(Note: Minimum PowerShell version supported: PowerShell Gallery | Az 6.5.0)


```powershell
## Get the Firewall resource object
$azfw = Get-AzFirewall -Name "XXXXFW_Hub" -ResourceGroupName "XXXXRG"

## Store the Virtual Hub object in a variable
$hub = Get-AzVirtualHub -ResourceGroupName "XXXXRG" -Name "XXXHub"

## De-allocate the Firewall
$azfw.Deallocate()

## Set the Firewall. This may take a few minutes
Set-AzFirewall -AzureFirewall $azfw

## Get the Firewall resource object again
$azfw = Get-AzFirewall -Name "XXXXFW_Hub" -ResourceGroupName "XXXXRG"

## Select the new Firewall SKU
$azfw.Sku.Tier = "Premium"

## Pass the hub information
$azfw.Allocate($hub.id)

## Re-allocate the Firewall
Set-AzFirewall -AzureFirewall $azfw
```


When the deployment completes, confirm that the Firewall now has the Premium SKU and that the Public IP addresses are available. You can now configure all the additional Azure Firewall Premium features.
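A pre- and post-migration check for Step 3, as an added example that is not part of the original post: it writes the hub firewall's tier, hub, policy and public IPs to a file before deallocation, then compares them with the live firewall after re-allocation. The function names and the snapshot path are hypothetical; the resource names are the post's placeholders.

```powershell
# Added example (not from the original post). Function names and the snapshot
# path are hypothetical; resource names are the post's placeholders.
$rg = "XXXXRG"; $fwName = "XXXXFW_Hub"; $snapshotPath = ".\azfw-before.json"

function Get-FirewallSnapshot {
    param([string]$Name, [string]$ResourceGroupName)
    $fw = Get-AzFirewall -Name $Name -ResourceGroupName $ResourceGroupName
    [pscustomobject]@{
        Tier      = [string]$fw.Sku.Tier
        HubId     = $fw.VirtualHub.Id
        PolicyId  = $fw.FirewallPolicy.Id
        # Hub firewalls list their public IPs under HubIPAddresses
        PublicIPs = @($fw.HubIPAddresses.PublicIPs.Addresses.Address |
                      Where-Object { $_ } | Sort-Object)
    }
}

function Compare-FirewallSnapshot {
    param($Before, $After)
    $issues = @()
    if ($After.Tier -ne "Premium") {
        $issues += "SKU tier is '$($After.Tier)', expected 'Premium'"
    }
    if ($After.HubId -ne $Before.HubId) {
        $issues += "Firewall is attached to a different hub: $($After.HubId)"
    }
    if ($After.PolicyId -ne $Before.PolicyId) {
        $issues += "Firewall policy changed: $($After.PolicyId)"
    }
    # Any address recorded before the migration must still be present afterwards
    $lost = @($Before.PublicIPs |
              Where-Object { $_ -and $_ -notin $After.PublicIPs })
    if ($lost.Count -gt 0) {
        $issues += "Public IPs not preserved: $($lost -join ', ')"
    }
    return ,$issues   # comma keeps an empty result as an array
}

# Before Step 3: write the snapshot to disk so it survives a lost session.
Get-FirewallSnapshot -Name $fwName -ResourceGroupName $rg |
    ConvertTo-Json -Depth 5 | Set-Content -Path $snapshotPath

# ... run the Step 3 deallocate / re-allocate commands here ...

# After Step 3: reload the snapshot and compare it with the live firewall.
$before = Get-Content -Path $snapshotPath -Raw | ConvertFrom-Json
$after  = Get-FirewallSnapshot -Name $fwName -ResourceGroupName $rg
$issues = Compare-FirewallSnapshot -Before $before -After $after
if ($issues.Count -eq 0) { "Premium tier confirmed; all public IPs preserved." }
else { $issues | ForEach-Object { Write-Warning $_ } }
```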


For more information about Azure Firewall Premium:

Azure Firewall artifacts in GitHub

Azure Firewall Monitor Workbook with Premium Features view

Azure Firewall Premium Deep Dive Video

Secure your VirtualHub with Azure Firewall Manager

