Azure Firewall licensing is two SKUs (Standard, Premium) plus per-hour and per-GB meters on top. The annual cost of an enterprise Azure Firewall Premium deployment typically lands at $80K–$220K per region. Third-party NVAs (Palo Alto, Fortinet, Check Point, Cisco) on Azure VMs add VM licensing on top of the vendor licence — usually higher capital outlay but often lower run-rate where you have existing vendor relationships and BYOL. The five decisions: which SKU (Standard vs Premium vs Basic), how many regional deployments, whether to consolidate via Virtual WAN Secured Hub, third-party NVA versus Azure-native, and whether Azure Firewall Manager justifies its cost on a multi-region footprint.
The three Azure Firewall SKUs
Azure Firewall licensing follows three tiers, each with a distinct feature set and pricing model.
| SKU | Key capabilities | Per-hour | Per-GB processed |
|---|---|---|---|
| Basic | Up to 250 Mbps, no TLS inspection, no IDPS | ~$0.395/hr ($288/mo) | $0.065/GB |
| Standard | L3-L7 filtering, threat intelligence, DNAT, network rules | ~$1.25/hr ($910/mo) | $0.016/GB |
| Premium | TLS inspection, IDPS, URL filtering, web categories | ~$1.75/hr ($1,275/mo) | $0.016/GB |
The structural mistake we see: Premium deployed where Standard would suffice, because Microsoft account teams default to Premium during architecture sessions ("you need TLS inspection for security"). Standard meets most enterprise control requirements where TLS inspection is handled at the application gateway / WAF layer. The Premium-to-Standard downgrade saves $4,400/year per firewall instance on the per-hour meter alone — multiplied across multi-region deployments, $30K–$60K of annual savings is common.
Regional deployment count
Azure Firewall is regional. Each region needs its own deployment, each one pays its own per-hour meter. Enterprises with five-region footprints frequently run five Firewall Premiums at $15K/year each = $75K of per-hour spend before any data-processing charges. The consolidation pattern: Azure Virtual WAN Secured Hub centralises Firewall instances inside Virtual WAN, allowing a single Firewall deployment to service multiple regions via the WAN backbone. Trade-off: cross-region traffic to the central Firewall pays inter-region egress on the way in and out. Model carefully — this works for low-traffic security inspection of administrative paths and badly for high-volume application traffic.
Azure Firewall has high per-hour and per-GB margins. Microsoft does not surface Standard vs Premium decisions in cost-impact terms; the Azure portal does not show "you could save $X/year by downgrading to Standard" the way storage tier policies do. Customers who deploy at architecture-recommendation defaults end up at Premium across all regions. Always audit the actual TLS inspection requirement per workload before accepting Premium.
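One way to run that per-policy audit, as an added example that is not from the original article or from Microsoft tooling: it takes a constructed JSON export of firewall policies and lists the Premium ones where none of the Premium-only features from the SKU table is actually in use. The ARM-style property names (`sku.tier`, `transportSecurity.certificateAuthority`, `intrusionDetection.mode`, and the rule fields `terminateTLS`, `targetUrls`, `webCategories`) are used as they appear in firewall policy templates; the flattened `applicationRules` list and the policy names are assumptions of this sample.

```python
import json

HOURS_PER_YEAR = 8760
HOURLY = {"Standard": 1.25, "Premium": 1.75}  # approximate rates from the SKU table

# Constructed sample export; policy names are made up for this example.
POLICIES = json.loads("""[
 {"name": "fwpol-weu", "sku": {"tier": "Premium"},
  "transportSecurity": {"certificateAuthority": {"name": "inspect-ca"}},
  "intrusionDetection": {"mode": "Deny"},
  "applicationRules": [{"name": "web-out", "terminateTLS": true}]},
 {"name": "fwpol-neu", "sku": {"tier": "Premium"},
  "transportSecurity": {"certificateAuthority": {"name": "inspect-ca"}},
  "intrusionDetection": {"mode": "Off"},
  "applicationRules": [{"name": "web-out", "terminateTLS": false}]},
 {"name": "fwpol-eus", "sku": {"tier": "Premium"}, "transportSecurity": null,
  "intrusionDetection": {"mode": "Alert"}, "applicationRules": []},
 {"name": "fwpol-sea", "sku": {"tier": "Premium"},
  "applicationRules": [{"name": "apis", "targetFqdns": ["api.example.com"]}]},
 {"name": "fwpol-aue", "sku": {"tier": "Standard"}, "applicationRules": []}
]""")

def premium_features_in_use(policy):
    """Return the Premium-only features this policy really exercises."""
    rules = policy.get("applicationRules") or []
    ca = (policy.get("transportSecurity") or {}).get("certificateAuthority")
    ids_mode = (policy.get("intrusionDetection") or {}).get("mode", "Off")
    used = set()
    # A CA alone inspects nothing: at least one rule must terminate TLS.
    if ca and any(r.get("terminateTLS") for r in rules):
        used.add("tls_inspection")
    if ids_mode != "Off":
        used.add("idps")
    if any(r.get("targetUrls") for r in rules):
        used.add("url_filtering")
    if any(r.get("webCategories") for r in rules):
        used.add("web_categories")
    return used

def downgrade_candidates(policies):
    """Premium policies with no Premium-only feature in use."""
    return [p["name"] for p in policies
            if (p.get("sku") or {}).get("tier") == "Premium"
            and not premium_features_in_use(p)]

def annual_hourly_saving(count):
    """Per-hour meter saving only; data-processing charges are not modelled."""
    return round(count * (HOURLY["Premium"] - HOURLY["Standard"]) * HOURS_PER_YEAR)

if __name__ == "__main__":
    names = downgrade_candidates(POLICIES)
    print(names, annual_hourly_saving(len(names)))
```

A policy on this list is a candidate for review, not an automatic downgrade: confirm with the workload owner that TLS inspection or IDPS is not a pending requirement before changing the SKU.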
Third-party NVA licensing — when it wins
Palo Alto VM-Series, Fortinet FortiGate VM, Check Point CloudGuard, and Cisco Secure Firewall Threat Defense Virtual all run as Azure VMs. Two licensing models:
- PAYG marketplace: bundled hourly rate including the vendor licence. Easy to start, expensive at scale.
- BYOL: customer brings the vendor licence (often an existing perpetual or term licence) and pays only the Azure VM compute.
Third-party NVA wins when: (a) the enterprise already holds the vendor licence under a global ELA with cloud-burst rights; (b) advanced security stack features (SD-WAN integration, sandbox, deep IPS) are required and not in Azure Firewall; (c) the security operations team is trained on the vendor stack and a switch to Azure Firewall would incur material retraining cost. Otherwise, the simpler Azure Firewall stack typically wins on total cost and operational simplicity.
Virtual WAN Secured Hub — the consolidation play
Virtual WAN Secured Hub embeds either Azure Firewall or a third-party NVA inside a Virtual WAN hub, replacing per-spoke firewall deployments with a central hub. Cost flips: lower per-hour (one Firewall, not five), higher data-processing (every byte transits the hub). Net win for security-sensitive low-traffic patterns (admin paths, partner connectivity, jump hosts); net loss for chatty multi-region application traffic. Model carefully on actual traffic profiles before committing.
Azure Firewall Manager — necessary at scale
Azure Firewall Manager centralises policy management across multiple Firewall deployments. No additional licensing cost — it is included — but it requires the policy tier on each Firewall (Standard or Premium policy SKU). For multi-region enterprises, Firewall Manager is mandatory; policy drift across five regional Firewalls without it is the operational nightmare that pushes teams back to a third-party NVA with vendor-side central management.
Anonymised case study: $340K firewall consolidation
A media client ran six regional Azure Firewall Premium deployments at $90K/year per region = $540K of per-hour spend before data-processing. The audit found three regions were running Premium for workloads that did not need TLS inspection (the application layer handled it). Remediation: tier-down three Premium-to-Standard, consolidate two adjacent regions via Virtual WAN Secured Hub (where traffic profile permitted), retire one Firewall entirely (regional workload had moved). Annual saving: $340K, no security posture change.
Where to take this from here
Firewall licensing fits inside the broader networking cost picture. Sequence: SKU rationalisation first, regional consolidation second, NVA vs Azure-native re-evaluation third, Firewall Manager deployment fourth. Pair the work with the Azure networking costs guide for end-to-end traffic and architecture review, the Azure governance baseline to lock in the right SKUs via policy, and the complete Azure cost optimisation guide for the full lever map. For commitment positioning that includes Firewall, the MACC explainer covers how Firewall consumption flows through MACC. For end-to-end advisory, our Azure & MACC Advisory covers it as a single engagement. EA tier collapse 2026 reads firewall posture as part of EA renewal leverage. Book a discovery call to benchmark.