How to migrate an existing Standard Azure Firewall to Premium

Published Wednesday, February 23, 2022

Migrate an existing Standard SKU Azure Firewall to Premium SKU

If you have an existing Azure Standard Firewall and are looking to move forward with upgrading it to Azure Premium Firewall to take advantage of the advanced features like TLS Inspection, Threat Intelligence, and URL filtering, supported with Azure Firewall Premium and are also looking to use the existing Public IP and VNET configuration, then this post is for you!

Use Case: This can be used when there is an existing Standard SKU Azure Firewall with a single Public IP and if you might want to upgrade the existing Standard SKU Azure Firewall to a Premium SKU Azure Firewall. This can be done currently using Azure PowerShell only. This can either be done using Azure Cloud Shell in PowerShell mode or from Azure PowerShell. If Azure PowerShell is being used, the minimum required version of the Azure PowerShell module is 6.5.0. Please refer Az 6.5.0 .

This blog talks about the steps to be done on the currently existing Standard SKU Azure Firewall, using the stop/start method using Azure PowerShell, which deallocates or removes the Public IP associated with the Azure Firewall (stop operation) to then re-attach the Public IP (start operation) with the upgraded Azure Firewall.

Downtime Consideration:

Please be aware that this is involving deallocating and allocating the Azure Firewall so we recommend performing this migration during a planned maintenance window as stop and start operation takes some time. Please refer https://docs.microsoft.com/en-us/azure/firewall/premium-migrate#downtime

Steps to deallocate the Standard Azure Firewall:

In order to deallocate the Standard Azure Firewall, please follow these steps using Azure PowerShell.

Please use the below command to set the correct subscription ID of the subscription where the existing Standard Azure Firewall is deployed.

Set-AzContext "<Subscription ID>"

We need the following inputs for running the Azure PowerShell commands to perform the stop operation.

Example:

Firewall Name = Test-FW01

Firewall resource group name = Test-FW-RG

This command is used to get the Firewall configuration in the $azfw variable.

$azfw = Get-AzFirewall -Name "<firewall-name>" -ResourceGroupName "<resource-group-name>"

The below method is used to deallocate the Azure Standard Firewall which is nothing but stopping the existing Standard Azure Firewall and removing the Public IP associated with it, the end of running the below command, you can see the Public IP will be successfully detached from the existing standard SKU Azure Firewall.

$azfw.Deallocate()

The below command is used to save the updated configuration changes to the Azure Firewall.

Set-AzFirewall -AzureFirewall $azfw

To check if Azure Firewall has been stopped and is deallocated:

To validate if deallocation is complete, you can go to the Azure Portal and navigate to the Azure Firewall resource, and to the Overview Page, under the Provisioning state, you will notice that the Azure Standard Firewall shows that it is in the "Succeeded" state after stop operation is complete and also you will find that the Public IP is not seen listed under the Public IP settings of Azure Firewall resource.

Steps to upgrade the Standard Azure Firewall to Premium SKU and update the Azure Premium Firewall with the same public IP:

With the deallocate operation complete, now we have to upgrade the existing Standard Azure Firewall to Premium SKU, with a start operation which can also be currently performed, only using Azure PowerShell, to allocate the Standard SKU Azure Firewall with the same public IP and upgrade the SKU to Premium SKU.

Inputs Needed:

Firewall name = Name of the Standard SKU Azure Firewall that exists

Resource-group-name = Name of the resource group where the Standard SKU Azure Firewall is deployed

$azfw = Existing Standard SKU Azure Firewall configuration

$vnet = VNET configuration of the existing Standard SKU Azure Firewall.

$publicip = Public IP associated with the Standard SKU Azure Firewall.

This command below is used to get the existing Standard Azure Firewall configuration in the $azfw variable.

$azfw = Get-AzFirewall -Name "<firewall-name>" -ResourceGroupName "<resource-group-name>"

Setting the $azfw variable, please run the below command, which is used to upgrade the SKU tier of the existing Standard SKU Firewall to Premium.

$azfw.Sku.Tier="Premium"

With the migration to Premium SKU complete for the Standard Azure Firewall, running this command below will get the Virtual network configuration of the existing Standard SKU Azure Firewall into the $vnet variable.

$vnet = Get-AzVirtualNetwork -ResourceGroupName "<resource-group-name>" -Name "<Virtual-Network-Name>"

Then, this command below will fetch the Public IP Address configuration that is associated with the existing Standard SKU Azure Firewall and save it in the variable $publicip for using it.

$publicip = Get-AzPublicIpAddress -Name "<Firewall-PublicIP-name>" -ResourceGroupName "<resource-group-name>"

After completing the above steps to set the variables, this step below is used to allocate the existing Public IP that was associated with the Standard SKU Azure Firewall and also the VNET configuration pre-fetched using variables $publicip and $vnet respectively, in the previous steps, to use it to attach to the new Azure Premium Firewall.

$azfw.Allocate($vnet,$publicip)

The below step is to make sure the updated changes are saved to the Azure Firewall Premium successfully.

Set-AzFirewall -AzureFirewall $azfw

End of performing the above steps, you will see that the Standard Azure Firewall has been successfully upgraded to Premium SKU with the same Public IP.

To check if Azure Firewall has been upgraded to Premium SKU after being started and is allocated with the same public IP:

To validate if the allocation is complete, you can go to the Azure Portal and navigate to the Azure Firewall resource, and to the Overview Page, under the Provisioning state, you will notice that the Azure Standard Firewall shows that it is in the "Succeeded" state after the start operation is complete, under SKU, you can see that it is "Premium" and also you will find that the Public IP is seen listed under the Public IP settings of Azure Firewall Premium resource that shows the allocation of the same Public IP succeeded.

Note:

TLS Inspection and other related features with Azure Firewall Premium will have to be enabled manually using Azure Portal or Azure PowerShell, or related supported methods as that will not be automatically enabled with upgrading the Azure Standard Firewall to Azure Premium Firewall.

This will not upgrade Azure Standard Firewall Policy and for upgrading Standard Firewall Policy to Azure Premium Firewall Policy, please use this ready run PowerShell script, Migration script to upgrade Azure Standard Firewall Policy to Premium .

Also, the necessary Powershell modules like Az. Resources, Az.Network and Az. Account has to be installed with the latest version available as per Az 6.5.0, if Azure PowerShell is chosen as the preferred method to implement the migration instead of Azure Cloud Shell in PowerShell mode.

Hope this post was insightful! Happy Learning!