Options for Retaining or Use the Existing Public IP of Azure firewall without zone redundancy while Deploying a New Azure Firewall with HA

Question

Options for Retaining or Use the Existing Public IP of Azure firewall without zone redundancy while Deploying a New Azure Firewall with HA

$@chin 150

Hi,

I am looking for a way to retain the existing public IP of the Azure Firewall, which currently does not have zone redundancy, while planning to implement zone redundancy. To achieve this, I need to create a new firewall instance, as zone redundancy cannot be enabled on the current Azure Firewall due to its integration with secured hub. The plan is to create the new Azure Firewall, un-associate the Azure Firewall policy from the old instance, and then attach it to the new one.

My question is, using Firewall Manager, is it possible to retain or reassign the public IP from the old Azure Firewall to the new instance?

Alternatively, if I delete the existing firewall, the public IP would be released. Upon deploying the new Azure Firewall, I could select the option to use the existing public IP. However, how can I minimize downtime and reduce service disruption, considering that the private IP will also change? any other option ?

$@chin 150 Reputation points

2025-03-05T14:03:16.7866667+00:00

Hi @Anonymous , My primary question remains unanswered: How can I use an existing public IP address with a new firewall instance? Is there a way to retain the IP?
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-06T12:30:46.9+00:00
Hi @$@chin

A public IP address is associated with a specific Azure resource and directly moving or reassigning a public IP to a different, newly created firewall instance within Firewall Manager is not a supported operation.

Firewall Manager primarily focuses on centralized policy management and deployment. It doesn't provide direct control over the underlying public IP resource in the way you're hoping.

Below is the solution but it involves downtime:

Reduce the TTL of your DNS records beforehand and delete the existing (non-zone-redundant) Azure Firewall. This releases the public IP.

Immediately create the new, zone-redundant Azure Firewall, selecting the option to use the existing public IP address.

Update your routing tables (UDRs) to point to the new firewall's private IP address. The downtime is the time it takes to delete the old firewall, create the new firewall, and for the routing changes to propagate.

Please refer the document for more Azure Firewall Public IP limitations.

Kindly let us know if the above helps or you need further assistance on this issue.
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-10T00:45:09.91+00:00

Hi @$@chin

I hope the below provided answer has been helpful!

Your feedback is important so please take a moment to Accept answers.

If you still have questions, please let us know what is needed in the comments so we can address them.
$@chin 150 Reputation points

2025-03-10T15:02:49.7466667+00:00

Hi @Anonymous ,

What if, in the case of an Azure Firewall with a secure hub, the public IP is Microsoft-managed rather than customer-managed ?

Can Microsoft assist in retaining that firewall's public IP, since it's Microsoft-managed, and reassign the same public IP when creating another firewall in the secure hub with all three zones ?
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-11T01:58:16.9633333+00:00

Hi @$@chin

When you deploy an Azure Firewall within a Secured Virtual Hub and if you choose Microsoft provided (classic), the public IP addresses are automatically provisioned and managed by Microsoft. This means you do not have direct control over these IPs in the same way you would with a standard, customer provided public IP resource, and the assignment and lifecycle of these IPs are tied directly to the Secured Virtual Hub and its underlying infrastructure.

As it is managing by Microsoft, trying to retain the Public IP address in the same way you might with a customer provided IP is not a supported operation. The IPs are tied to the Virtual Wan Secured Hub and the Azure Firewall within it, in a way that is very difficult to extract, and the Firewall manager does not allow to reassign the Microsoft managed Public IP addresses.

When you delete the Firewall from the Firewall Manager, the Public IP will be removed as well.

For more reference: https://learn.microsoft.com/en-us/azure/firewall-manager/vhubs-and-vnets#:~:text=Azure%20Firewall%20%E2%80%93%20multiple,Auto%20generated

If you still have questions, please let us know what is needed in the comments so that we can address them.

If the above is helpful, please click 'Accept answer' under the answer posted.

1 answer

Your answer

$@chin 150 Reputation points

2025-03-05T14:03:16.7866667+00:00

Hi @Anonymous , My primary question remains unanswered: How can I use an existing public IP address with a new firewall instance? Is there a way to retain the IP?
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-06T12:30:46.9+00:00

Hi @$@chin

A public IP address is associated with a specific Azure resource and directly moving or reassigning a public IP to a different, newly created firewall instance within Firewall Manager is not a supported operation.

Firewall Manager primarily focuses on centralized policy management and deployment. It doesn't provide direct control over the underlying public IP resource in the way you're hoping.

Below is the solution but it involves downtime:

Reduce the TTL of your DNS records beforehand and delete the existing (non-zone-redundant) Azure Firewall. This releases the public IP.

Immediately create the new, zone-redundant Azure Firewall, selecting the option to use the existing public IP address.

Update your routing tables (UDRs) to point to the new firewall's private IP address. The downtime is the time it takes to delete the old firewall, create the new firewall, and for the routing changes to propagate.

Please refer the document for more Azure Firewall Public IP limitations.

Kindly let us know if the above helps or you need further assistance on this issue.
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-10T00:45:09.91+00:00

Hi @$@chin

I hope the below provided answer has been helpful!

Your feedback is important so please take a moment to Accept answers.

If you still have questions, please let us know what is needed in the comments so we can address them.
$@chin 150 Reputation points

2025-03-10T15:02:49.7466667+00:00

Hi @Anonymous ,

What if, in the case of an Azure Firewall with a secure hub, the public IP is Microsoft-managed rather than customer-managed ?

Can Microsoft assist in retaining that firewall's public IP, since it's Microsoft-managed, and reassign the same public IP when creating another firewall in the secure hub with all three zones ?
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-11T01:58:16.9633333+00:00

Hi @$@chin

When you deploy an Azure Firewall within a Secured Virtual Hub and if you choose Microsoft provided (classic), the public IP addresses are automatically provisioned and managed by Microsoft. This means you do not have direct control over these IPs in the same way you would with a standard, customer provided public IP resource, and the assignment and lifecycle of these IPs are tied directly to the Secured Virtual Hub and its underlying infrastructure.

As it is managing by Microsoft, trying to retain the Public IP address in the same way you might with a customer provided IP is not a supported operation. The IPs are tied to the Virtual Wan Secured Hub and the Azure Firewall within it, in a way that is very difficult to extract, and the Firewall manager does not allow to reassign the Microsoft managed Public IP addresses.

When you delete the Firewall from the Firewall Manager, the Public IP will be removed as well.

For more reference: https://learn.microsoft.com/en-us/azure/firewall-manager/vhubs-and-vnets#:~:text=Azure%20Firewall%20%E2%80%93%20multiple,Auto%20generated

If you still have questions, please let us know what is needed in the comments so that we can address them.

If the above is helpful, please click 'Accept answer' under the answer posted.

Answer 1

Hi @$@chin

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

You can consider the dual firewall approach as it is recommended for minimal downtime:

Deploy the new Azure Firewall with zone redundancy in parallel with your existing firewall and attach the existing Azure Firewall Policy to the new firewall and configure all necessary routing and network rules on the new firewall. Please refer the document for more information.
Thoroughly test the new firewall in a staging or test environment to ensure its functioning correctly.
If you are using DNS to resolve to the public IP of the firewall, reduce the TTL of your DNS records well in advance of the cutover. This will minimize the time it takes for DNS changes to propagate.
Modify your routing tables and network configurations to direct traffic to the new firewall's public IP. This can be done by updating UDRs in your virtual networks and if the firewall is used to secure outbound traffic from Virtual Machines, then you will need to update the User Defined Routes on the subnet of those Virtual Machines.
Carefully monitor traffic flow and firewall logs after the cutover to ensure everything is working as expected and once you're confident that the new firewall is stable, delete the old firewall.
Use ARM templates, Azure CLI, or PowerShell to automate the deployment and configuration of the new firewall. This will reduce the risk of errors and speed up the process. Please refer the document. For more information: Best practices for Azure Firewall. Manage a public IP address by using Azure Firewall

-I hope this has been helpful!

Your feedback is important so please take a moment to accept answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered.

Share via

Options for Retaining or Use the Existing Public IP of Azure firewall without zone redundancy while Deploying a New Azure Firewall with HA

1 answer

Your answer