Azure Firewall Premium SKU Deployed Without Using Premium Features
Aaran Bhambra
CER
CER-0313
Service Category
Networking
Cloud Provider
Azure
Service Name
Azure Firewall
Inefficiency Type
Overprovisioned Resource
Explanation

Azure Firewall is available in three SKUs — Basic, Standard, and Premium — each designed for different security requirements and priced accordingly. The Premium SKU includes advanced threat protection capabilities such as TLS inspection, signature-based intrusion detection and prevention (IDPS), URL filtering, and web categories. These features are designed for highly sensitive and regulated environments, such as those processing payment card data or requiring PCI DSS compliance. However, many organizations deploy the Premium SKU by default — often during initial provisioning or as a precautionary measure — without actively configuring or requiring any of these Premium-exclusive features.

The cost impact is significant because the Premium SKU carries a substantially higher fixed hourly deployment charge compared to the Standard SKU — approximately 40% more — while the per-gigabyte data processing rate remains the same across both tiers. Since this hourly charge accrues continuously regardless of whether Premium features are enabled or traffic is flowing, every firewall instance running on the Premium SKU without leveraging its advanced capabilities represents a persistent and avoidable cost premium. In organizations with multiple firewall deployments across subscriptions and environments, this waste compounds quickly.

This pattern is especially common in non-production environments such as development and staging, where advanced threat protection features like TLS inspection and IDPS provide little practical value. Microsoft has recognized this as a frequent optimization opportunity and introduced a zero-downtime SKU change feature specifically to simplify the downgrade process from Premium to Standard.

Relevant Billing Model

Azure Firewall billing consists of two components:

  • Fixed hourly deployment charge — A per-hour fee based on the SKU tier (Basic, Standard, or Premium). This charge is incurred continuously as long as the firewall is provisioned, regardless of traffic volume. Partial hours are billed as full hours. The Premium SKU hourly rate is approximately 40% higher than the Standard SKU rate.
  • Variable data processing charge — A per-gigabyte fee for traffic processed through the firewall. This rate is the same for both Standard and Premium SKUs, meaning the data processing cost does not change based on SKU selection.

All Premium-exclusive features (TLS inspection, IDPS, URL filtering, web categories) are included in the Premium hourly rate with no additional per-feature charges. This means the cost difference between Premium and Standard is entirely in the fixed hourly deployment charge — a cost that accrues whether or not those advanced features are configured or in use. Firewall policies are charged separately only when associated with more than one firewall; a policy with zero or one firewall association incurs no additional cost.

For current regional pricing, see the Azure Firewall pricing page.

Detection
  • Identify all Azure Firewall instances deployed with the Premium SKU across subscriptions and resource groups
  • Review the firewall policy associated with each Premium instance to determine whether Premium-exclusive features — TLS inspection, IDPS in Alert and Deny mode, URL filtering, or web categories — are actively configured
  • Assess whether configured Premium features are operationally required by consulting with security and compliance teams about actual threat protection needs
  • Evaluate whether the environment served by each Premium firewall has regulatory or compliance requirements (such as PCI DSS) that mandate the Premium SKU
  • Identify Premium SKU firewalls deployed in non-production environments (development, testing, staging) where advanced threat protection features are unlikely to be necessary
  • Review firewall deployments that were provisioned during initial setup and have not been reassessed for SKU appropriateness since deployment
Remediation
  • Downgrade Premium SKU firewalls to Standard SKU where Premium-exclusive features are not configured or required — Azure supports zero-downtime SKU changes between Standard and Premium using the built-in Change SKU capability
  • Before downgrading, remove or disable all Premium-exclusive features (TLS inspection, IDPS in Alert and Deny mode, URL filtering, web categories) from the associated firewall policy, as these must be cleared before the SKU change can proceed
  • Standardize on the Standard SKU for non-production environments where advanced threat protection provides minimal security value
  • Establish a periodic review process to audit firewall SKU selections against actual security requirements, ensuring Premium is only retained where its features are actively used and compliance-mandated
  • Implement governance policies that require justification for Premium SKU selection during new firewall provisioning to prevent unnecessary Premium deployments from being created
  • After downgrading, perform validation testing to confirm that firewall rules and network traffic continue to function as expected under the Standard SKU
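An added example, not part of this CER record, that applies the Detection checks above and the pre-downgrade feature check from Remediation to the JSON shape returned by `az network firewall list` and `az network firewall policy show`. The firewalls, policies and subscription IDs are constructed sample data, and inlining rule collection groups under each policy (the CLI returns them as a child resource) is an assumption of the example.

```python
# Constructed sample data in the shape of `az network firewall list` and
# `az network firewall policy show` output (camelCase ARM properties); not real tenant data.
FIREWALLS = [
    {"name": "fw-prod", "sku": {"name": "AZFW_VNet", "tier": "Premium"},
     "firewallPolicy": {"id": "/subscriptions/<sub-id>/.../firewallPolicies/pol-prod"}},
    {"name": "fw-dev", "sku": {"name": "AZFW_VNet", "tier": "Premium"},
     "firewallPolicy": {"id": "/subscriptions/<sub-id>/.../firewallPolicies/pol-dev"}},
    {"name": "fw-hub", "sku": {"name": "AZFW_VNet", "tier": "Standard"}, "firewallPolicy": None},
]
POLICIES = {  # rule collection groups inlined under each policy for this example
    "/subscriptions/<sub-id>/.../firewallPolicies/pol-prod": {
        "intrusionDetection": {"mode": "Alert"},
        "transportSecurity": {"certificateAuthority": {"name": "ca", "keyVaultSecretId": "<secret-id>"}},
        "ruleCollectionGroups": [{"ruleCollections": [{"rules": [
            {"ruleType": "ApplicationRule", "name": "allow-cdn", "terminateTLS": True, "targetUrls": ["cdn.example.com/*"]}]}]}]},
    "/subscriptions/<sub-id>/.../firewallPolicies/pol-dev": {
        "intrusionDetection": {"mode": "Off"}, "transportSecurity": None,
        "ruleCollectionGroups": [{"ruleCollections": [{"rules": [
            {"ruleType": "ApplicationRule", "name": "allow-github", "targetFqdns": ["github.com"]}]}]}]},
}
# Premium-only settings that live on application rules (per the feature list in this record).
RULE_LEVEL_FEATURES = (("terminateTLS", "TLS inspection"), ("targetUrls", "URL filtering"),
                       ("webCategories", "web categories"))

def premium_features_in_use(policy):
    """Return the Premium-exclusive features that a firewall policy actually configures."""
    used = set()
    if (policy.get("intrusionDetection") or {}).get("mode", "Off") in ("Alert", "Deny"):
        used.add("IDPS")
    if (policy.get("transportSecurity") or {}).get("certificateAuthority"):
        used.add("TLS inspection")  # policy-level CA for TLS inspection is configured
    for group in policy.get("ruleCollectionGroups") or []:
        for coll in group.get("ruleCollections") or []:
            for rule in coll.get("rules") or []:
                if rule.get("ruleType") != "ApplicationRule":
                    continue  # network and NAT rules carry no Premium-only settings
                for key, feature in RULE_LEVEL_FEATURES:
                    if rule.get(key):
                        used.add(feature)
    return sorted(used)

def find_downgrade_candidates(firewalls, policies):
    """Premium firewalls using no Premium feature are downgrade candidates; a non-empty list is what must be cleared first."""
    report = []
    for fw in firewalls:
        if (fw.get("sku") or {}).get("tier") != "Premium":
            continue
        policy_id = (fw.get("firewallPolicy") or {}).get("id")
        used = premium_features_in_use(policies.get(policy_id) or {})
        report.append({"name": fw["name"], "premiumFeatures": used, "downgradeCandidate": not used})
    return report
```

Feed it the real CLI output (with each policy's rule collection groups merged in) and any row with an empty `premiumFeatures` list is paying the Premium hourly rate for nothing.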