Upgrade an Azure Basic to a Standard firewall

Patrick Kuehn 20 Reputation points
2026-05-06T19:42:33.7133333+00:00

Has anyone ever upgraded from Azure Basic Firewall to Standard Firewall? What are the risks and the best way to mitigate the risks? I have made a copy of the policy and upgraded it to Standard.

I have a script that does the upgrade; I tested it on a test firewall and it appeared to work very well.

Is there something I need to do with the application gateway?

Is there any routing that needs to be done post-deployment?

Upgrading is my only option since the Firewall IP is utilized for many things and has been whitelisted by several customers.

Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.


Answer accepted by question author

Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator
2026-05-06T21:16:00.2666667+00:00

Hi Patrick Kuehn,

Welcome to Microsoft Q&A Platform.

As stated in Change Azure Firewall SKU:

Azure Firewall Basic SKU does not support SKU changes on an existing firewall. Upgrading from Basic to Premium is supported only through the stop/start process.

There is no supported Basic→Standard path on the same firewall.

Alternatively, try deleting the Basic Azure Firewall. Please make sure not to delete the Firewall Public IP; by default, deleting the firewall does not remove the associated Public IP. Once the deletion is completed, please create a new Standard Firewall using Azure PowerShell, as there is currently a bug in the Azure Portal that prevents reusing the same Public IP through the portal interface.

In this way, you can reuse the same Public IP with the Standard Firewall, and there will be no service disruption on the customer side.

Here is the PowerShell script to reuse the Basic Azure Firewall Public IP with a new Standard Firewall.

Note: In my case, I used the existing Basic Firewall VNet and Public IP.

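```powershell
# Look up the existing VNet and the public IP that was attached to the deleted Basic firewall.
$vnet = Get-AzVirtualNetwork -Name "venkat-firewall" -ResourceGroupName "AI_RG"
$publicip = Get-AzPublicIpAddress -Name "test" -ResourceGroupName "AI_RG"
# Create the new firewall on the same VNet, reusing the same public IP.
# No -SkuTier is passed, so the firewall is created with the default tier (Standard).
$Azfw = New-AzFirewall -Name "Test-FW01" -ResourceGroupName "AI_RG" -Location "East US" -VirtualNetwork $vnet -PublicIpAddress $publicip
```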


1 additional answer

  1. AI answer

    2026-05-06T19:42:47.6333333+00:00

    Azure Firewall Basic cannot be upgraded in-place to Standard on the same existing firewall resource. The documented SKU change options are:

    • Easy SKU change: Supports Standard ↔ Premium only; explicitly does not support upgrades from Basic on an existing firewall.
    • Manual migration: Also does not enable SKU changes from Azure Firewall Basic on an existing firewall.

    From the documentation:

    • “Easy SKU change… Doesn’t support SKU upgrades from Azure Firewall Basic SKU on an existing firewall. Basic to Premium upgrades require stopping and restarting the firewall. Basic to Standard isn't supported.”
    • “Manual migration doesn’t enable SKU changes from Azure Firewall Basic on an existing firewall.”

    Implications for the scenario:

    1. Keeping the same public IP
      • Because Basic → Standard on the same resource is not supported, the supported path to Standard while preserving the IP would be to:
        • Stop/deallocate the existing Basic firewall and reuse its public IP on a new Standard firewall deployment, or
        • Use a migration pattern that recreates the firewall with the desired SKU while reattaching the existing public IP resource.
      • The documentation only explicitly calls out Basic → Premium via stop/start; Basic → Standard is not supported by the easy SKU change method and is not enabled via manual migration.
    2. Policy handling
      • A Basic firewall uses a firewall policy just like Standard/Premium. A copy of the policy can be upgraded to Standard or Premium policy as done in the test.
      • When creating a new Standard firewall, attach the Standard firewall policy copy created earlier.
    3. Routing and downstream dependencies
      • If the same firewall public IP is preserved and the firewall remains in the same subnet with the same private IP, existing UDRs and Application Gateway backend configuration typically do not need changes, because they reference IPs, not the SKU.
      • If any IP (public or private) changes, all UDRs, peering routes, and any external systems that whitelist the IP must be updated.
    4. Application Gateway
      • There is no SKU-specific requirement for Application Gateway when changing firewall SKU; what matters is that:
        • The next hop IP (firewall private IP) in UDRs remains the same, and
        • Any custom probes, NSGs, or routing that depend on the firewall IPs remain valid.
      • If the firewall IPs are unchanged, no special Application Gateway changes are required beyond normal connectivity validation.
    5. Risk and mitigation
      • Main risks:
        • Downtime during deallocate/recreate if preserving IP via stop/start or reallocation.
        • Misconfiguration of policy or routes on the new Standard firewall.
      • Mitigations from documentation:
        • Use a test environment that closely matches production and perform full-scale performance and functionality testing before cutover.
        • Plan a maintenance window if using a stop/start or manual migration pattern, as downtime is expected.

    Because Basic → Standard on an existing firewall is not supported by the documented SKU change mechanisms, any script that appears to “upgrade” Basic to Standard on the same resource is operating outside the supported paths. The supported options are to:

    • Move from Basic to Premium using stop/start (preserving IP), or
    • Recreate as Standard and reattach the existing public IP, then attach a Standard policy and validate routing.

    AI-generated content may be incorrect. Read our transparency notes for more information.
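
The delete-and-recreate path from the accepted answer, combined with the policy and routing checks listed in the other answer, as an added PowerShell example (not code from either poster or from Microsoft's documentation). The policy name `fw-policy-standard` is a hypothetical placeholder, the other resource names are reused from the accepted answer's script, and the Az.Network module with a signed-in session is assumed.

```powershell
# Added example. Resource names are placeholders reused from the accepted answer.
$rg = 'AI_RG'; $fwName = 'Test-FW01'; $pipName = 'test'; $vnetName = 'venkat-firewall'
$policyName = 'fw-policy-standard'   # hypothetical name for the Standard policy copy

function Get-FirewallSnapshot {
    # Record the properties that routing and customer allowlists depend on.
    $fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
    [pscustomobject]@{
        Tier      = $fw.Sku.Tier
        PrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
        PolicyId  = $fw.FirewallPolicy.Id
    }
}

function Get-RoutesViaFirewall([string]$PrivateIp) {
    # Every UDR in the subscription whose next hop is the firewall's private IP.
    foreach ($rt in Get-AzRouteTable) {
        $rt.Routes |
            Where-Object { $_.NextHopType -eq 'VirtualAppliance' -and $_.NextHopIpAddress -eq $PrivateIp } |
            ForEach-Object { [pscustomobject]@{ Table = $rt.Name; Route = $_.Name; Prefix = $_.AddressPrefix } }
    }
}

# 1. Pre-flight: snapshot the Basic firewall, its dependent routes and the public IP.
$before = Get-FirewallSnapshot
$routes = @(Get-RoutesViaFirewall $before.PrivateIp)
$pip    = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$oldIp  = $pip.IpAddress
$policy = Get-AzFirewallPolicy -ResourceGroupName $rg -Name $policyName
if ($pip.PublicIpAllocationMethod -ne 'Static') { throw 'Public IP is not static; the address could change.' }

# 2. Delete the Basic firewall (the public IP resource is left in place), then recreate.
Remove-AzFirewall -ResourceGroupName $rg -Name $fwName -Force
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$pip  = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName   # re-read after detach
New-AzFirewall -Name $fwName -ResourceGroupName $rg -Location $vnet.Location `
    -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $policy.Id -SkuTier Standard | Out-Null

# 3. Post-checks: anything False here needs fixing before traffic is trusted again.
$after = Get-FirewallSnapshot
[pscustomobject]@{
    TierIsStandard     = $after.Tier -eq 'Standard'
    PublicIpUnchanged  = $pip.IpAddress -eq $oldIp
    PrivateIpUnchanged = $after.PrivateIp -eq $before.PrivateIp
    PolicyAttached     = $after.PolicyId -eq $policy.Id
}
# Routes that must be re-pointed if the private IP changed.
if ($after.PrivateIp -ne $before.PrivateIp) { $routes | Out-String | Write-Warning }
```

Running steps 1 and 3 on their own against a test firewall first gives a baseline of the route tables and policy attachment to compare with production.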
