Make your Azure Firewall lab cheaper with PowerShell

Have you ever wanted to do a lab with Azure Firewall? Don’t want to delete the resource each time, just to recreate it when you need it again? Allocation of an Azure Firewall can take a little while, though not nearly as long as a VPN gateway.

I have a little cost reduction tip for you today!

Price

The Azure Firewall is a costly resource. It is redundant, and scales automatically. It is available for use across availability zones. At a bare minimum, you are looking at 11,70 NOK per hour, which is around 8500 NOK each month (730*11,7).

I often need to do labbing, and sometimes it is good to have a realistic lab. This includes hub-spoke topology with an Azure Firewall in the hub. Testing aligns more with the real world, and leads to more accurate knowledge.

We can hope that there will be a cheaper tier, but for now we only have standard and premium.

Allocate/Deallocate manually

With PowerShell you can deallocate and allocate your Azure Firewall. This is not available in the GUI, as far as I can see, but as always PowerShell to the rescue!

Here is a PowerShell snippet to stop and deallocate your firewall (effectively not paying for it):

#Get the firewall object into a variable
$fwName = "your-firewall-name"
$rgName = "your-firewall-rg-name"
$azfw = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName

#Deallocate the firewall in the local variable
$azfw.Deallocate()

#Send the local variable with deallocated firewall setting to Azure
#This will stop your firewall, and stop your running cost for it
Set-AzFirewall -AzureFirewall $azfw

And to start your firewall again (which also starts incurring cost):

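#Get the firewall, its virtual network and its public IP
$azfw = Get-AzFirewall -Name "your-firewall-name" -ResourceGroupName "your-firewall-rg-name"
$vnet = Get-AzVirtualNetwork -ResourceGroupName "your-rg-name" -Name "your-vnet-name"
$pip = Get-AzPublicIpAddress -ResourceGroupName "your-rg-name" -Name "your-pip-name"

#Allocate locally, then send the change to Azure
$azfw.Allocate($vnet, $pip)
Set-AzFirewall -AzureFirewall $azfw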

You can find a PowerShell script in my public resources repository. Remember, if you are using forced tunneling, you need to start it like this.

Script usage for deallocation:

.\StartStop-AzureFirewall.ps1 -mode "deallocate" `
  -subscription "111111-2222-3333-4444-55555555" `
  -fwName "az-fw01" `
  -rgName "az-network-rg" `
  -dryrun $false

Script usage for allocation (network and pip in same RG):

.\StartStop-AzureFirewall.ps1 -mode "allocate" `
  -subscription "111111-2222-3333-4444-55555555" `
  -fwName "az-fw01" `
  -rgName "az-network-rg" `
  -vnetName "az-vnet01" `
  -pipName "az-fw01-pip" `
  -dryrun $false

Please note that the backticks ( ` ) for line breaks in PowerShell only work on Windows. Linux users must replace them with a backslash ( \ ).

In CI/CD

I am using this concept in my Bicep ALZ playground, which I blogged about a while ago. See the workflows here for input and here for execution for an example of using the commands. I am using this because my funds are limited, and sometimes I leave the lab alive for a while.

Summary

Use the script as an inspiration for automation of firewall allocation/deallocation, or just read it to get an understanding of how this works. It’s not something you want to do in production environments, as deallocating the central firewall effectively cuts the virtual networks off from the internet.
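Because deallocating the wrong firewall cuts networks off, a wrapper around the commands above can refuse to act on anything that is not clearly a lab resource. The following is an added example, not the script from the repository mentioned above; the function name Set-LabFirewallState and the environment=lab tag convention are assumptions made for illustration.

```powershell
# Added example: guarded allocate/deallocate for a lab Azure Firewall.
# Assumption: lab firewalls carry the tag environment=lab (hypothetical convention).
function Set-LabFirewallState {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][ValidateSet('allocate', 'deallocate')][string]$Mode,
        [Parameter(Mandatory)][string]$FwName,
        [Parameter(Mandatory)][string]$RgName,
        [string]$VnetName,
        [string]$PipName
    )

    $azfw = Get-AzFirewall -Name $FwName -ResourceGroupName $RgName -ErrorAction Stop

    # Fail closed: a missing tag, or a tag key with different casing, refuses the change.
    if (-not $azfw.Tag -or $azfw.Tag['environment'] -ne 'lab') {
        throw "Firewall '$FwName' is not tagged environment=lab; refusing to change it."
    }

    # A deallocated firewall has no IP configurations attached.
    $isAllocated = [bool]$azfw.IpConfigurations

    if ($Mode -eq 'deallocate') {
        if (-not $isAllocated) { Write-Verbose 'Already deallocated.'; return }
        if ($PSCmdlet.ShouldProcess($FwName, 'Deallocate (traffic routed via this firewall stops)')) {
            $azfw.Deallocate()
            Set-AzFirewall -AzureFirewall $azfw
        }
    }
    else {
        if ($isAllocated) { Write-Verbose 'Already allocated.'; return }
        if (-not $VnetName -or -not $PipName) { throw 'Allocation requires -VnetName and -PipName.' }
        # Same assumption as the script usage above: vnet and pip live in the firewall's RG.
        $vnet = Get-AzVirtualNetwork -ResourceGroupName $RgName -Name $VnetName -ErrorAction Stop
        $pip  = Get-AzPublicIpAddress -ResourceGroupName $RgName -Name $PipName -ErrorAction Stop
        if ($PSCmdlet.ShouldProcess($FwName, 'Allocate (billing resumes)')) {
            $azfw.Allocate($vnet, $pip)
            Set-AzFirewall -AzureFirewall $azfw
        }
    }
}

# Preview only; nothing is changed in Azure:
# Set-LabFirewallState -Mode deallocate -FwName 'az-fw01' -RgName 'az-network-rg' -WhatIf
```

With ConfirmImpact set to High the function prompts before changing anything, so an unattended pipeline run has to pass -Confirm:$false explicitly.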

Labbing and testing features is an important part of the learning experience. If you have access to a lab environment, I recommend using it actively for testing deployments. It is a great way to hone your skills!

 
