|
1 | 1 | --- |
2 | | -title: Azure Firewall performance |
3 | | -description: Compare Azure Firewall performance for Azure Firewall Basic, Standard, and Premium. |
4 | | -services: firewall |
| 2 | +title: Azure Firewall performance |
| 3 | +description: Learn about Azure Firewall performance data and throughput benchmarks for Basic, Standard, and Premium SKUs across different use cases. |
5 | 4 | author: duongau |
6 | 5 | ms.service: azure-firewall |
7 | 6 | ms.topic: concept-article |
8 | | -ms.date: 12/26/2024 |
| 7 | +ms.date: 03/28/2026 |
9 | 8 | ms.author: duau |
10 | 9 | # Customer intent: As a network engineer, I want to compare the performance metrics of Azure Firewall Basic, Standard, and Premium, so that I can choose the appropriate version to meet my organization’s security and performance requirements. |
11 | 10 | --- |
12 | 11 |
|
13 | 12 | # Azure Firewall performance |
14 | 13 |
|
15 | | -Reliable firewall performance is essential to operate and protect your virtual networks in Azure. More advanced features (like those found in Azure Firewall Premium) require more processing complexity, and affect firewall performance and overall network performance. |
| 14 | +Reliable firewall performance is essential to operate and protect your virtual networks in Azure. More advanced features, like those found in Azure Firewall Premium, require more processing complexity and affect firewall performance and overall network performance. |
16 | 15 |
|
17 | 16 | Azure Firewall has three versions: Basic, Standard, and Premium. |
18 | 17 |
|
19 | 18 | - Azure Firewall Basic |
20 | | - |
| 19 | + |
21 | 20 | Azure Firewall Basic is intended for small and medium size (SMB) customers to secure their Azure cloud environments. It provides the essential protection SMB customers need at an affordable price point. |
22 | 21 |
|
23 | 22 | - Azure Firewall Standard |
24 | 23 |
|
25 | | - Azure Firewall Standard became generally available in September 2018. It's cloud native, highly available, with built-in auto scaling firewall-as-a-service. You can centrally govern and log all your traffic flows using a DevOps approach. The service supports both application and network level-filtering rules, and is integrated with the Microsoft Threat Intelligence feed for filtering known malicious IP addresses and domains. |
| 24 | + Azure Firewall Standard became generally available in September 2018. It's cloud native, highly available, with built-in auto scaling firewall-as-a-service. You can centrally govern and log all your traffic flows by using a DevOps approach. The service supports both application and network-level-filtering rules, and is integrated with the Microsoft Threat Intelligence feed for filtering known malicious IP addresses and domains. |
26 | 25 | - Azure Firewall Premium |
27 | 26 |
|
28 | | - Azure Firewall Premium is a next generation firewall. It has capabilities that are required for highly sensitive and regulated environments. The features that might affect the performance of the Firewall are TLS (Transport Layer Security) inspection and IDPS (Intrusion Detection and Prevention). |
| 27 | + Azure Firewall Premium is a next generation firewall. It has capabilities that are required for highly sensitive and regulated environments. The features that might affect the performance of the firewall are TLS (Transport Layer Security) inspection and IDPS (Intrusion Detection and Prevention). |
29 | 28 |
|
30 | 29 | For more information about Azure Firewall, see [What is Azure Firewall?](overview.md) |
31 | 30 |
|
32 | 31 | ## Performance testing |
33 | 32 |
|
34 | | -Before you deploy Azure Firewall, the performance needs to be tested and evaluated to ensure it meets your expectations. Not only should Azure Firewall handle the current traffic on a network, but it should also be ready for potential traffic growth. You should evaluate on a test network and not in a production environment. The testing should attempt to replicate the production environment as close as possible. You should account for the network topology, and emulate the actual characteristics of the expected traffic through the firewall. |
| 33 | +Before you deploy Azure Firewall, test and evaluate the performance to ensure it meets your expectations. Azure Firewall should handle the current traffic on a network and be ready for potential traffic growth. Evaluate the performance on a test network, not in a production environment. The testing should attempt to replicate the production environment as closely as possible. Account for the network topology, and emulate the actual characteristics of the expected traffic through the firewall. |
35 | 34 |
|
36 | 35 | ## Performance data |
37 | 36 |
|
38 | | -The following set of performance results demonstrates the maximal Azure Firewall throughput in various use cases. All use cases were measured while Threat intelligence mode was set to alert/deny. Azure Firewall Premium performance boost feature is enabled on all Azure Firewall premium deployments by default. This feature includes enabling Accelerated Networking on the underlying firewall virtual machines. |
| 37 | +The following performance results demonstrate the maximum Azure Firewall throughput in various use cases. You measure all use cases while Threat intelligence mode is set to alert or deny. The Azure Firewall Premium performance boost feature is enabled by default on all Azure Firewall premium deployments. This feature includes enabling Accelerated Networking on the underlying firewall virtual machines. |
39 | 38 |
|
40 | 39 |
|
41 | | -|Firewall type and use case |TCP/UDP bandwidth (Gbps) |HTTP/S bandwidth (Gbps) | |
| 40 | +| Firewall type and use case | TCP/UDP bandwidth (Gbps) | HTTP/S bandwidth (Gbps) | |
42 | 41 | |---------|---------|---------| |
43 | | -|Basic SKU |0.25|0.25| |
44 | | -|Standard SKU |30|30| |
45 | | -|Premium SKU with both TLS disabled and IDPS disabled |100|100| |
46 | | -|Premium SKU with TLS inspection enabled and IDPS disabled |-|100| |
47 | | -|Premium SKU with TLS enabled and IDPS enabled in Alert only mode |100|100| |
48 | | -|Premium SKU with TLS enabled and IDPS enabled in Deny mode |10|10| |
| 42 | +| Basic SKU | 0.25 | 0.25 | |
| 43 | +| Standard SKU | 30 | 30 | |
| 44 | +| Premium SKU with both TLS disabled and IDPS disabled | 100 | 100 | |
| 45 | +| Premium SKU with TLS inspection enabled and IDPS disabled | - | 100 | |
| 46 | +| Premium SKU with TLS enabled and IDPS enabled in Alert only mode | 100 | 100 | |
| 47 | +| Premium SKU with TLS enabled and IDPS enabled in Deny mode | 10 | 10 | |
49 | 48 |
|
50 | 49 | ### Throughput for single connections |
51 | 50 |
|
52 | | -|Firewall use case |Throughput (Gbps)| |
| 51 | +| Firewall use case | Throughput (Gbps) | |
53 | 52 | |---------|---------| |
54 | | -|Basic|up to 250 Mbps| |
55 | | -|Standard<br>Max bandwidth for single TCP connection |up to 1.5| |
56 | | -|Premium<br>Max bandwidth for single TCP connection |up to 9| |
57 | | -|Premium single TCP connection with IDPS on *Alert and Deny* mode|up to 300 Mbps| |
| 53 | +| Basic | up to 250 Mbps | |
| 54 | +| Standard<br>Max bandwidth for single TCP connection | up to 1.5 | |
| 55 | +| Premium<br>Max bandwidth for single TCP connection | up to 9 | |
| 56 | +| Premium single TCP connection with IDPS on *Alert and Deny* mode | up to 300 Mbps | |
58 | 57 |
|
59 | | -### Total throughput for initial firewall deployment |
| 58 | +### Total throughput for initial firewall deployment |
60 | 59 |
|
61 | | -The following throughput numbers are for an Azure Firewall Standard and Premium deployments before autoscale (out of the box deployment). Azure Firewall gradually scales out when the average throughput and CPU consumption is at 60% or if the number of connections usage is at 80%. Scale out takes five to seven minutes. Azure Firewall gradually scales in when the average throughput, CPU consumption, or number of connections is below 20%. |
| 60 | +The following throughput numbers are for Azure Firewall Standard and Premium deployments before autoscale (out-of-the-box deployment). Azure Firewall gradually scales out when the average throughput and CPU consumption reach 60% or if the number of connections usage reaches 80%. Scale out takes five to seven minutes. Azure Firewall gradually scales in when the average throughput, CPU consumption, or number of connections drops below 20%. |
62 | 61 |
|
63 | | -When performance testing, make sure you test for at least 10 to 15 minutes, and start new connections to take advantage of newly created firewall nodes. |
| 62 | +When performance testing, test for at least 10 to 15 minutes, and start new connections to take advantage of newly created firewall nodes. |
64 | 63 |
|
65 | 64 |
|
66 | | -|Firewall use case |Throughput (Gbps)| |
| 65 | +| Firewall use case | Throughput (Gbps) | |
67 | 66 | |---------|---------| |
68 | | -|Standard<br>Max bandwidth |up to 3 | |
69 | | -|Premium<br>Max bandwidth |up to 18| |
| 67 | +| Standard<br>Max bandwidth | up to 3 | |
| 68 | +| Premium<br>Max bandwidth | up to 18 | |
70 | 69 |
|
71 | 70 | > [!NOTE] |
72 | 71 | > Azure Firewall Basic doesn't autoscale. |
73 | 72 |
|
74 | | -## Next step |
| 73 | +## Next steps |
75 | 74 |
|
76 | 75 | > [!div class="nextstepaction"] |
77 | | -> [deploy and configure an Azure Firewall](tutorial-firewall-deploy-portal.md) |
| 76 | +> [Deploy and configure an Azure Firewall](tutorial-firewall-deploy-portal.md) |
0 commit comments