Migrating to Azure? Decide carefully when choosing your firewall

So, you’ve decided to move to the cloud and you have migrated your workloads over to Azure, but what decision did you make about the firewall?

You’ve probably got a long standing preferred firewall vendor that you’ve been using for your NGFW on premises. It works well and you trust it, right? Of course, the vast majority of these vendors now have an Azure Marketplace Virtual Appliance option. All the same features that you get on premises but running as a network virtual appliance on Azure VMs or Azure VM Scale Sets. In my experience, this is what most customers will opt for when they make that move to the Cloud. It’s what they know and what they trust and that’s perfectly understandable, but there is a trade-off here and from recent experience it’s created quite a headache for some customers I’ve worked with.

This post isn’t here to bash third-party security appliances by any means and I am not going to call out particular vendors here either. This post is here to highlight why you might want to give a PaaS based firewall like Azure Firewall a second thought.

Let me share a couple of real-world examples that illustrate the challenges that two customers of mine have faced when relying on third-party NVAs in Azure. Two different customers, two different vendors, but both hit roadblocks because of Azure’s service lifecycle changes.

Scenario 1

A customer has deployed a Marketplace solution that manages its deployment through a managed application. This application owns all of the Azure resources and enforces a deny policy on making changes to those resources outside of the initial deployment template.

Unfortunately, scenarios like this don’t factor in that Microsoft manage the lifecycle of those underlying resources, so when the recent deprecation of the Basic SKU public IP address came along there was no way to run the platform-based migration to the Standard SKU. You simply have no authorisation to perform the necessary steps to complete the operation, because the managed application holds a lock (a deny assignment) on the resources.

This is an incredibly frustrating scenario for a customer, as this process should only take a matter of seconds to complete. The NVA vendor’s own documentation confirmed that the only alternative here is to re-deploy the appliance, a process which will have numerous knock-on effects including re-licensing, new public IP address assignment and of course – downtime! A lot of extra work, risk and worry for the customer that was never anticipated when they chose to go with an NVA.

Scenario 2

This one is pretty similar. Another service deprecation, but this time it’s unmanaged disks. These will be retired on 31st March 2026. Typically, a fairly straightforward platform migration does the trick here and moves you from the storage-account-based .vhd file to the managed disk resource in ARM.

However, NVAs run on Linux and are usually very restrictive in what they support, e.g. no Azure Backup support. In this case, it was the lack of support for the Azure VM agent that was the problem. This component is essential for performing the migration to managed disks, and as a result that option was off the table.

Once again, the only solution as per the vendor’s own documentation is to re-deploy the appliance and as before that comes with additional work (usually out of hours), risk and stress.
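The two blockers above are easy to find before a deprecation deadline forces the issue. Below is an added example (not from the original post, and not any vendor's tooling): a read-only Az PowerShell inventory that lists Basic SKU public IPs together with any deny assignment on their resource group, and VMs still on unmanaged disks together with whether the VM agent is reporting. It assumes the Az module is installed and a Connect-AzAccount session exists; the resource-group scope derivation and the "blocker" heuristics are my assumptions, not Microsoft guidance.

```powershell
# Added example: pre-deprecation readiness report for the two scenarios in the post.
# Assumes: Az module installed, Connect-AzAccount already run against the subscription.
# Nothing is modified; the script only reads resource state.

$report = @()

# Scenario 1: Basic SKU public IPs. A deny assignment on the resource group (what a
# managed application creates) is what blocks the in-place Basic -> Standard migration.
foreach ($pip in Get-AzPublicIpAddress) {
    if ($pip.Sku.Name -eq 'Standard') { continue }          # null Sku means Basic on old resources

    # Assumption: strip the provider path from the resource Id to get the RG scope.
    $rgScope = $pip.Id -replace '/providers/.*$', ''
    $denies  = Get-AzDenyAssignment -Scope $rgScope -ErrorAction SilentlyContinue

    $blocker = if ($denies) {
        "Deny assignment present: $($denies.DenyAssignmentName -join ', ')"
    } else { 'None detected' }

    $report += [pscustomobject]@{
        Resource = $pip.Name
        Issue    = 'Basic SKU public IP (deprecated)'
        Blocker  = $blocker
    }
}

# Scenario 2: VMs with an unmanaged (storage-account .vhd) OS disk. The managed-disk
# migration depends on the VM agent, so report whether the agent is present.
foreach ($vm in Get-AzVM) {
    if ($null -ne $vm.StorageProfile.OsDisk.ManagedDisk) { continue }   # already managed

    # -Status returns the instance view, which carries the VMAgent section.
    # Heuristic: a deallocated VM also reports no agent, so check the power state too.
    $view  = Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Status
    $agent = $view.VMAgent

    $blocker = if ($agent -and $agent.VmAgentVersion) {
        "None detected (agent $($agent.VmAgentVersion))"
    } else { 'VM agent not reported; managed-disk migration likely blocked (or VM deallocated)' }

    $report += [pscustomobject]@{
        Resource = $vm.Name
        Issue    = "Unmanaged OS disk: $($vm.StorageProfile.OsDisk.Vhd.Uri) (retires 31 March 2026)"
        Blocker  = $blocker
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it against each subscription that hosts an NVA; any row whose Blocker column is not "None detected" is a candidate for the vendor's redeploy procedure and should be scheduled well ahead of the retirement date.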

Conclusion

As I’ve mentioned, this post is not here to bash these vendors or point out flaws in their deployments but it is important to understand the platform and to understand that Microsoft need to manage and maintain the lifecycle of their services.

In my opinion, if you are bought in on Azure then you should ideally use their own firewall platform – Azure Firewall. As a PaaS service, you as the customer do not need to worry about the service lifecycle – this is managed for you. It’s also a far easier service to maintain due to the built-in autoscaling functionality and no license requirement.

If you are at that juncture where you need to decide on which firewall you will use, then weigh up the trade-offs carefully. Third-party NVAs can make sense for organisations with complex requirements or multi-cloud strategies, and there’s nothing inherently wrong with sticking to what you know. If you’re fully invested in Azure, then a PaaS-based solution like Azure Firewall offers a simpler, more future-proof path forward. Cloud adoption is about embracing change and not just lifting and shifting old habits.
