Migrate to Azure Firewall Premium in Secured vWAN hub with preserved Public IP addresses

A Secured virtual hub uses an associated Firewall (Azure Firewall, third-party security as a service (SecaaS) provider, or both.) and routing policies for governance and protection. This blog looks at the steps to successfully migrate Azure Firewall in your secure virtual hub while preserving the Public IPs already assigned to the Azure Firewall during migration. A schedule down-time should be planned for this migration.

Step 1. Migrate from Classic to Firewall Policy: This is essential if classic rules are used in the current Firewall. Firewall management tool is best suited for Firewall policies, hence ensure that the classic rules are all moved to Firewall policy. Follow this link to migrate classic rules to Firewall policy. (Steps 1 to 3)

Step 2. Back up the Azure Firewall resource

This is a recommended process in case of browser failure or loss of access to terminal during this transition. The migration step briefly involves deallocation of the Firewall and re-allocating the Firewall again while using a placeholder to retain the assigned public IPs. The backup process ensures that you have a copy of your current configuration in the case of a browser hang or internet connectivity issue during the process.

An alternative is to go to the Virtual Hub and copy the Hub ID and save it. This ID retains the definition for the properties of each unique Azure Firewall virtual hub and may be used later.

Go to Resource Group ->VWAN -> Virtual Hub ->(Click on Name) Properties -> Resource ID. Copy and keep this value.

Step 3. Deallocate and Re-allocate Azure Firewall with new Firewall premium tier and reserved Public IPs using the steps below

(Note: Minimum PowerShell Version Supported: PowerShell Gallery | Az 6.5.0)

##Get Firewall resource object $azfw = Get-AzFirewall -Name "XXXXFW_Hub” -ResourceGroupName "XXXXRG" ## Store Virtual Hub object in a variable $hub = Get-AzVirtualHub -ResourceGroupName "XXXXRG" -Name "XXXHub” ## De-allocate the Firewall. $azfw.Deallocate() ## Set the Firewall. This may take a few minutes Set-AzFirewall -AzureFirewall $azfw ##Get the Firewall resource object $azfw = Get-AzFirewall -Name "XXXXFW_Hub” -ResourceGroupName "XXXXRG" ##select new Firewall SKU $azfw.Sku.Tier="Premium" ##pass the hub information $azfw.Allocate($hub.id) ##Re-allocate the Firewall Set-AzFirewall -AzureFirewall $azfw

When the deployment completes, confirm you now have Premium Firewall SKU and the Public IP addresses are available. You can now configure all the additional Azure Firewall Premium features.

For more information about Azure Firewall premium:

Azure Firewall artifacts in Github

Azure Firewall Monitor Workbook with Premium Features view

Azure Firewall Premium Deep Dive Video

Secure your VirtualHub with Azure Firewall Manager

Published on: November 04, 2021

Learn more

Azure Network Security Blog articles

Blog image

Azure Network Security Blog articles

Learn more

Migrate to Azure Firewall Premium in Secured vWAN hub with preserved Public IP addresses

Related posts

Azure Cosmos DB TV Recap: Supercharging AI Agents with the Azure Cosmos DB MCP Toolkit (Ep. 110)

Introducing the Azure Cosmos DB Agent Kit: Your AI Pair Programmer Just Got Smarter

Azure Ultra Disk: Experience next-generation performance for mission-critical workloads

How to back up on-premises Windows VMs to Azure

Microsoft Ignite 2025: Veeam and Azure Storage on entering a new era of data security

Introducing Markers in Azure Maps for Power BI

Azure Boards additional field filters (private preview)

Microsoft Ignite 2025: Dell and Azure Storage on bringing customer focus back to innovation

Microsoft Ignite 2025: ServiceNow and Azure Storage on next-generation AI workflows with Ultra Disk

What’s new with Azure Repos?