Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to know the best practices for Azure Firewall with disaster recovery.
I could not find any specific documents for Azure Firewall, however, it should be similar to any other Networking resource.
Can I keep a public IP address after failover?
- You can't keep the public IP address for a production app after a failover.
- When you bring up a workload as part of the failover process, you need to assign an Azure public IP address resource to it. The resource must be available in the target region.
- https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-common-questions#can-i-keep-a-public-ip-address-after--failover
Can I keep a private IP address after failover?
- Yes. By default, when you enable disaster recovery for Azure VMs, Site Recovery creates target resources, based on source resource settings.
- For Azure VMs configured with static IP addresses, Site Recovery tries to provision the same IP address for the target VM, if it's not in use.
For more information: Retain IP addresses during failover
Now, to answer your actual query,
Just like a VPN Gateway or any other PaaS resource in the VNet,
- ASR can replicate the subnet configuration
- But it will not be able to replicate the actual resource
- You will be required to deploy it prior to the migration in the target region's VNet,
- or deploy it during the migration using a template (minor downtime to be expected). I believe you will be using an Azure Firewall Policy.
- The target region Firewall Policy must instead use the Public IP created in that target region
- You can use an ARM template to
a. either define the Firewall and Firewall Policy configuration
b. or export the Firewall and Firewall Policy configuration from the existing one and modify the Public IP settings, after which you can use this new Firewall in the target region since the Private IPs of the VMs are going to be the same.
- You can consider using Azure Traffic Manager
- Your exact scenario is documented here: https://learn.microsoft.com/en-us/azure/site-recovery/concepts-traffic-manager-with-site-recovery#azure-to-azure-failover
- Traffic Manager uses the Domain Name System (DNS) to direct client requests to the most appropriate endpoint, based on a traffic-routing method and the health of the endpoints.
Traffic Manager is not a proxy or a gateway, and it does not see the traffic passing between the client and the service.
These docs may come in handy:
- How can I stop and start Azure Firewall?
- Deploy Azure Firewall with Availability Zones - ARM template
- Microsoft.Network firewallPolicies Templates
Also, I came across this blog which might help you with automation: https://techcommunity.microsoft.com/t5/azure-network-security-blog/backup-azure-firewall-and-azure-firewall-policy-with-logic-apps/ba-p/3613928#:~:text=The%20Logic%20App%20runs%20every%20three%20days%20to,your%20Firewall%20and%20Firewall%20Policy%20deployments%20as%20required.
Hope this helps.
Thanks,
Kapil
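As an added illustration of option b above (export the Firewall and Firewall Policy template, then swap the Public IP for one that exists in the target region), the following script is not part of the answer or of any Microsoft tooling. It assumes a constructed, simplified template in place of a real `az group export` output, assumes the source region is eastus, the DR region is westus, and that the recovered VNet keeps the same name and AzureFirewallSubnet; the public IP is recreated rather than moved, and a final check reports anything still tied to the source region before you deploy.

```python
import copy
import json

# Constructed, simplified stand-in for an exported firewall template (not a real
# `az group export` output): a public IP, a firewall policy and the firewall itself.
SOURCE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "resources": [
        {"type": "Microsoft.Network/publicIPAddresses", "name": "fw-pip-src", "location": "eastus",
         "sku": {"name": "Standard"}, "properties": {"publicIPAllocationMethod": "Static"}},
        {"type": "Microsoft.Network/firewallPolicies", "name": "fw-policy", "location": "eastus",
         "properties": {"threatIntelMode": "Alert"}},
        {"type": "Microsoft.Network/azureFirewalls", "name": "hub-fw", "location": "eastus",
         "dependsOn": ["[resourceId('Microsoft.Network/publicIPAddresses', 'fw-pip-src')]",
                       "[resourceId('Microsoft.Network/firewallPolicies', 'fw-policy')]"],
         "properties": {
             "firewallPolicy": {"id": "[resourceId('Microsoft.Network/firewallPolicies', 'fw-policy')]"},
             "ipConfigurations": [{"name": "ipconfig1", "properties": {
                 "subnet": {"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'hub-vnet', 'AzureFirewallSubnet')]"},
                 "publicIPAddress": {"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'fw-pip-src')]"}}}]}},
    ],
}

def _rename_refs(node, old, new):
    """Recursively rewrite every ARM expression that names the old public IP."""
    if isinstance(node, dict):
        return {k: _rename_refs(v, old, new) for k, v in node.items()}
    if isinstance(node, list):
        return [_rename_refs(v, old, new) for v in node]
    if isinstance(node, str):
        return node.replace(f"'{old}'", f"'{new}'")
    return node

def retarget_template(template, target_location, old_pip, new_pip):
    """Copy an exported template into the DR region: move every resource and swap the source PIP."""
    out = copy.deepcopy(template)
    for res in out["resources"]:
        res["location"] = target_location
        if res["type"] == "Microsoft.Network/publicIPAddresses" and res["name"] == old_pip:
            res["name"] = new_pip  # a public IP cannot move regions; it is recreated
    return _rename_refs(out, old_pip, new_pip)

def lingering_source_refs(template, source_location, old_pip):
    """Pre-deployment check: anything still tied to the source region or old PIP."""
    issues = [f"{r['name']} still in {source_location}" for r in template["resources"]
              if r.get("location") == source_location]
    if f"'{old_pip}'" in json.dumps(template):
        issues.append(f"reference to source public IP {old_pip} remains")
    return issues
```

Feed the retargeted dictionary to `az deployment group create` (written out with `json.dump`) only when `lingering_source_refs` returns an empty list.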