Should we use Azure Firewall?
Let me start with a disclaimer:
I like Microsoft Azure.
I work with it daily and have done so for years. Azure is a fantastic platform, and most of its services are genuinely excellent.
But not all of them have evolved at the same pace, and I believe Azure Firewall is one of those services.
The Question I Get Every Month: “Should we use Azure Firewall?”
Honestly, I still struggle to understand why this question is so common.
Most organizations asking it already operate large enterprise networks with:
- Multiple office locations
- Datacenters
- A distributed workforce
- Mature network security teams
- A single, standardized NGFW vendor today
- Firewall clusters deployed at every existing site
If the discussion was about a new datacenter or a new branch office, nobody would ever ask:
“Should we switch to a different firewall vendor for this one site?”
The answer would be obvious:
Of course not!
Consistency equals control, visibility, and efficiency.
So why would the cloud be any different?
Azure Is Just Another Site
You wouldn’t deploy a different firewall vendor in a new physical location.
So why consider it for Azure?
Organizations already benefit from:
- A single management plane across all firewalls
- A single pane of glass for traffic (north–south and east–west)
- Operational familiarity
- Existing rulebase structure
- Staff that already knows the vendor inside out
Introducing a second firewall platform (Azure Firewall) brings:
- More complexity
- More tools to learn
- More operational overhead
- Fragmented visibility
And importantly:
In most mature enterprises I’ve seen, it brings exactly no unique capabilities.
“But Azure Firewall is built-in!”
Sure. But that doesn’t make it better.
Azure Firewall costs roughly the same (depending on throughput and license model) as firewalls from the “Big Four” NGFW vendors:
- Palo Alto Networks
- Fortinet
- Check Point
- Cisco
And it doesn’t do anything they can’t.
Want to use Azure Tags?
✔️ They support it. Match resource tags directly in firewall rules.
Want IaC?
✔️ Terraform and even Bicep modules are available.
Don’t want to manage IaaS firewalls?
✔️ Use Azure Virtual WAN with a PaaS NGFW from the same vendors — fully integrated, scalable, supported, and centrally managed.
After years of working with cloud firewalls, I still haven’t found a single Azure Firewall capability that these four can’t replicate or outperform.
Complexity and Administration
Azure Firewall introduces yet another interface, yet another logging model, yet another rulebase concept, and yet another troubleshooting workflow.
Meanwhile, the Big Four have spent decades refining:
- Rulebase management
- Audit workflows
- Logging and visibility
- Threat inspection
- Enterprise-scale administration
Your team already knows how to operate your existing platform.
Adding Azure Firewall doesn’t make things easier — it makes them harder.
To Be Fair: Azure Firewall Has Improved
Azure Firewall has come a long way since its debut. The recent packet capture capability is genuinely valuable, especially given how often asymmetric routing becomes an issue in Azure networks.
So yes, it’s improving.
No, it’s still not competitive with the established NGFW vendors.
Are There Scenarios Where I Would Recommend Azure Firewall?
Absolutely. Two cases:
1. Small, Cloud-Only Environments
If you only have a minimal footprint in Azure, no on-premises network, and you need an NGFW purely for segmentation or compliance, Azure Firewall is an acceptable place to start.
2. Temporary Use in a Greenfield
If you’re building something new, haven’t selected an enterprise firewall vendor yet, and just need something functional while your architecture matures, Azure Firewall can serve as a short-term placeholder.
Final Thoughts
Azure Firewall is not a bad product — it’s simply not the right product for organizations that already run a mature NGFW platform across their enterprise.
For those companies, the best strategy is straightforward:
Use the firewall vendor you already trust, know, and operate successfully everywhere else. Azure shouldn’t be the exception.