Azure Firewall Premium vs Standard: AZ-500 Exam Guide
Azure Firewall Premium adds IDPS, TLS inspection, and web category filtering to the Standard SKU. Know the exact feature differences, when each mode of IDPS applies, and the Key Vault dependency for TLS inspection.
Standard vs Premium: Feature Comparison
| Feature | Standard | Premium |
|---|---|---|
| FQDN filtering | Yes | Yes |
| Threat intelligence | Alert/Deny | Alert/Deny |
| IDPS (Intrusion Detection & Prevention) | No | Yes |
| TLS Inspection | No | Yes |
| Web Categories | No | Yes |
| URL Filtering | No | Yes |
IDPS: Alert vs Deny Mode
IDPS in Premium SKU inspects traffic against Microsoft's signature database. Two operational modes:
- Alert mode: Logs matching traffic, does not block it. Use during initial deployment to understand baseline.
- Alert and Deny mode: Logs and blocks matching traffic. Use in production.
TLS Inspection
Premium Firewall can decrypt, inspect, and re-encrypt TLS traffic. Requirements:
- An intermediate CA certificate stored in Azure Key Vault
- A managed identity granted access to the Key Vault certificate
- The Firewall Policy configured to reference that Key Vault certificate
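To check an exported policy against the two sections above (Premium-only features, and the Key Vault certificate plus managed identity that TLS inspection needs), here is an added Python linter that is not part of this guide. It assumes the JSON shape of `az network firewall policy show -o json` output (`sku.tier`, `intrusionDetection.mode`, `transportSecurity.certificateAuthority`, `identity`) and runs over a constructed sample policy.

```python
import json

# Constructed sample, shaped like `az network firewall policy show -o json` output
# (trimmed to the fields this check reads); the identity resource ID is a placeholder.
SAMPLE_POLICY = json.loads("""{
  "name": "fw-policy-prod",
  "sku": {"tier": "Premium"},
  "identity": {"type": "UserAssigned", "userAssignedIdentities": {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-fw/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-fw-tls": {}}},
  "threatIntelMode": "Deny",
  "intrusionDetection": {"mode": "Alert"},
  "transportSecurity": {"certificateAuthority": {
    "name": "fw-intermediate-ca",
    "keyVaultSecretId": "https://kv-fw-example.vault.azure.net/secrets/fw-intermediate-ca"}}
}""")


def lint_policy(policy: dict) -> list:
    """Return ERROR findings (misconfigurations) followed by WARN findings (log-only modes)."""
    errors, warnings = [], []
    tier = (policy.get("sku") or {}).get("tier", "Standard")
    idps_mode = (policy.get("intrusionDetection") or {}).get("mode", "Off")  # Off | Alert | Deny
    ca = (policy.get("transportSecurity") or {}).get("certificateAuthority") or {}
    tls_inspection = bool(ca)

    # IDPS and TLS inspection exist only in the Premium SKU.
    premium_only = [f"IDPS ({idps_mode})"] if idps_mode != "Off" else []
    if tls_inspection:
        premium_only.append("TLS inspection")
    if tier != "Premium" and premium_only:
        errors.append(f"ERROR: sku.tier is {tier} but Premium-only features are set: {', '.join(premium_only)}")

    # TLS inspection needs the intermediate CA in Key Vault and an identity that can read it.
    if tls_inspection:
        if not ca.get("name") or not ca.get("keyVaultSecretId"):
            errors.append("ERROR: TLS inspection set but certificateAuthority.name/keyVaultSecretId incomplete")
        identity = policy.get("identity") or {}
        if identity.get("type") != "UserAssigned" or not identity.get("userAssignedIdentities"):
            errors.append("ERROR: TLS inspection set but no user-assigned managed identity for Key Vault access")

    # Alert-only modes log but never block; Deny ("Alert and Deny") is the production setting.
    if idps_mode == "Alert":
        warnings.append("WARN: IDPS mode is Alert; signature matches are logged, not blocked")
    if policy.get("threatIntelMode", "Alert") == "Alert":
        warnings.append("WARN: threatIntelMode is Alert; threat-intel matches are logged, not blocked")
    return errors + warnings


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY):
        print(line)
```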
Forced Tunneling
To route all internet-bound firewall traffic through an on-premises NVA, configure forced tunneling. Requirements:
- Create an AzureFirewallManagementSubnet subnet: this keeps management traffic out of the forced tunnel
- A route table pointing 0.0.0.0/0 to the on-premises NVA
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.