
azurerm_firewall cost estimation

Managed network firewall. Standard SKU at $1.25/hour ($912/month) plus $0.016/GB processed. Premium SKU at $1.75/hour adds TLS inspection and IDPS. Often the most expensive single resource in a subscription.

Azure Firewall is the managed network firewall service. The azurerm_firewall resource creates the firewall; rules, policies, and IP groups are separate. Pricing is per-firewall-hour plus data processed — one of the most expensive single Azure resources.

Standard SKU pricing:
- $1.25/hour base ($912/month always-on)
- $0.016/GB data processed
- Includes basic L3-L7 filtering, threat intelligence, DNS proxy

Premium SKU pricing:
- $1.75/hour base ($1,277/month always-on)
- $0.016/GB data processed
- Adds TLS inspection, IDPS (intrusion detection/prevention), URL filtering, web categories

Basic SKU (newer, for SMB):
- $0.50/hour base ($365/month always-on)
- $0.065/GB data processed (4x Standard)
- Limited features, no DNS proxy

A typical mid-size workload: Standard SKU + 5 TB/month data = $912 + $80 = ~$992/month per firewall.

Common patterns:
- Hub-and-spoke: one Firewall in a hub VNet serves traffic from spoke VNets. Centralizes cost but creates a single bottleneck.
- Multi-region: each region needs its own Firewall (no cross-region). 5 regions = $4,500+/month minimum.
- Standby Firewalls for DR are still billed at full rate.

C3X estimates Azure Firewall cost from sku_tier and the volume of data processed (specified via c3x-usage.yml).

Terraform example

A minimal but realistic configuration that C3X can estimate.

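# azurerm_resource_group.main, azurerm_subnet.firewall and azurerm_public_ip.fw
# are assumed to be defined elsewhere in the configuration.
resource "azurerm_firewall" "main" {
  name                = "prod-fw"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard" # tier used for the hourly rate
  # Attach the policy defined below; without this it is created but never applied.
  firewall_policy_id  = azurerm_firewall_policy.main.id

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.firewall.id # subnet must be named AzureFirewallSubnet
    public_ip_address_id = azurerm_public_ip.fw.id
  }
}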

resource "azurerm_firewall_policy" "main" {
  name                = "prod-fw-policy"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
}

Pricing dimensions

What you actually pay for when you provision azurerm_firewall.

| Dimension | Unit | What's being charged |
| --- | --- | --- |
| Standard SKU hours | per hour | Hourly cost of Standard tier firewall. Always billed regardless of usage. $1.25/hour ($912/month) |
| Premium SKU hours | per hour | Premium tier with TLS inspection, IDPS, URL filtering. $1.75/hour ($1,277/month) |
| Basic SKU hours | per hour | Cheaper tier for SMB workloads with reduced features. $0.50/hour ($365/month) |
| Data processed | per GB | Inbound + outbound data through the firewall. $0.016/GB Standard/Premium, $0.065/GB Basic |

Optimization tips

Common ways to reduce azurerm_firewall cost without changing the workload.

Centralize via hub-and-spoke topology

$912/month per avoided firewall

One Firewall in a hub VNet serves multiple spoke VNets via VNet peering. Avoids one Firewall per VNet ($912 each saved). Most enterprises run a single Firewall per region in a hub model.

Use NSGs for simple filtering

$912/month per avoided firewall

Network Security Groups (free) handle most L3/L4 filtering between subnets. Reserve Azure Firewall for cross-network/internet boundaries with L7 needs. Don't put Firewall between every subnet.

Skip Premium unless TLS inspection is required

$365/month

Premium adds $300/month per firewall. Justified only if you need TLS inspection or IDPS. For most workloads, Standard is sufficient.

Forced tunnel to on-prem for hybrid scenarios

If you have existing on-prem firewalls, forced tunneling can route Azure egress through them. Removes the need for Azure Firewall in those flows. Right for hybrid orgs with existing perimeter security investment.

Audit firewall usage hourly

$912/month

Some teams run a 'dev' Azure Firewall 24/7 without using it. Audit traffic via Firewall logs; if no real traffic, decommission the firewall and rely on NSGs for the time being.
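One way to run this audit, as an added example that is not part of C3X or the original page: it reads hourly totals of the firewall's DataProcessed metric (used here in place of parsing log records), flags firewalls that were idle in every sampled hour, and splits cost into fixed and per-GB parts using the rates quoted above. The firewall names, the 1 MB idle threshold, the sample data and the JSON shape (assumed to match `az monitor metrics list` output) are assumptions.

```python
import json

# Rates quoted on this page (USD): (hourly base, per-GB data processed).
RATES = {"Standard": (1.25, 0.016), "Premium": (1.75, 0.016), "Basic": (0.50, 0.065)}

def _metric(points):
    """Build a constructed metrics document from a list of hourly byte totals."""
    data = [{"timeStamp": f"2024-01-01T{h:02d}:00:00Z", "total": b}
            for h, b in enumerate(points)]
    return json.dumps({"value": [{"name": {"value": "DataProcessed"},
                                  "unit": "Bytes",
                                  "timeseries": [{"data": data}]}]})

# Constructed sample input: six hourly buckets for two hypothetical firewalls.
SAMPLES = {
    "prod-fw": ("Standard", _metric([9e9, 7e9, 8e9, 6e9, 1e10, 8e9])),
    "dev-fw": ("Standard", _metric([0, 0, 2e5, 0, None, 0])),
}

def audit(sku, metrics_json, idle_bytes=1_000_000):
    """Summarise one firewall: idle hours, GB processed, fixed vs data cost."""
    hourly_rate, gb_rate = RATES[sku]
    doc = json.loads(metrics_json)
    points = [p.get("total") or 0.0  # a missing or null bucket counts as no traffic
              for m in doc["value"] if m["name"]["value"] == "DataProcessed"
              for ts in m["timeseries"] for p in ts["data"]]
    hours = len(points)
    gb = sum(points) / 1e9  # assumption: 1 GB = 10^9 bytes
    idle = sum(1 for b in points if b < idle_bytes)
    return {
        "hours": hours,
        "idle_hours": idle,
        "gb": round(gb, 3),
        "fixed_cost": round(hours * hourly_rate, 2),
        "data_cost": round(gb * gb_rate, 2),
        # Candidate for decommissioning: every sampled hour was below the threshold.
        "decommission_candidate": hours > 0 and idle == hours,
    }

def report(samples=SAMPLES):
    return {name: audit(sku, raw) for name, (sku, raw) in samples.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

A firewall flagged here still accrues the full hourly charge, so the fixed_cost column is what decommissioning would recover.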

FAQ

Why is Azure Firewall so expensive?

Azure Firewall is a managed, highly-available, multi-AZ stateful firewall with built-in threat intelligence. The base $912/month covers always-on capacity. AWS Network Firewall has similar pricing ($395/firewall + endpoint hours + data). For lower-cost alternatives, consider NSGs (free) or NVAs (commercial firewalls on VMs).

Can I share one Firewall across regions?

No. Azure Firewall is regional. For multi-region, deploy one Firewall per region. Some teams use Front Door for global ingress with regional Firewalls behind, but the regional Firewalls still bill separately.

Does Azure Firewall replace NSGs?

No, they complement each other. NSGs are free per-subnet ACLs (L3/L4). Azure Firewall is a stateful inspection engine (L3-L7) at network boundaries. Use NSGs everywhere for internal isolation, Firewall at internet/cross-network boundaries.

How does pricing compare to third-party NVAs?

Commercial firewalls (Palo Alto, Fortinet, Check Point) on Azure VMs typically cost $300-$1500/month per HA pair. Cheaper than Azure Firewall Standard for simple setups, but require operational overhead. Azure Firewall is fully managed; NVAs are not.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including azurerm_firewall.