Azure Firewall now supports in-place SKU changes between Standard and Premium tiers. Previously, switching SKUs required deleting and recreating the firewall, which meant downtime and a new public IP. The upgrade/downgrade feature keeps your existing configuration intact.
When you upgrade from Standard to Premium (or downgrade the other way), Azure preserves:
The process takes approximately 20-30 minutes. During this window, there will be a brief connectivity interruption as the firewall transitions between SKUs. Plan to do this during a maintenance window.
One important limitation: this feature does not support the Basic SKU. You can only switch between Standard and Premium.
The portal option is under your firewall resource: Overview, then Upgrade/Downgrade. Select the target SKU and a Premium policy. If you only have a Standard policy, Azure can duplicate it and elevate it to Premium automatically during the process.
If you manage your firewall with Terraform, the change is a single attribute:
Run terraform plan to verify the change is an in-place update, not a destroy-and-recreate.
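An added example (not from the original post): a Python check that reads the JSON form of a saved plan, as produced by terraform show -json, and fails when the firewall would be replaced instead of updated in place or when the Basic SKU is involved. It assumes the azurerm provider's azurerm_firewall resource type and its sku_tier attribute; the sample plans and resource addresses are constructed.

```python
import json
import sys

def _plan(actions, before, after):
    # Constructed sample shaped like `terraform show -json <planfile>` output;
    # the resource address is made up for illustration.
    return json.dumps({"resource_changes": [
        {"address": "azurerm_firewall.hub", "type": "azurerm_firewall",
         "change": {"actions": actions,
                    "before": {"sku_tier": before},
                    "after": {"sku_tier": after}}},
    ]})

SAMPLE_IN_PLACE = _plan(["update"], "Standard", "Premium")
SAMPLE_REPLACE = _plan(["delete", "create"], "Standard", "Premium")

def check_firewall_plan(plan_json):
    """Return a list of problems; an empty list means an in-place change."""
    problems = []
    changes = json.loads(plan_json).get("resource_changes", [])
    firewalls = [rc for rc in changes if rc.get("type") == "azurerm_firewall"]
    if not firewalls:
        problems.append("plan contains no azurerm_firewall resource")
    for rc in firewalls:
        change = rc["change"]
        actions = change["actions"]
        # "before"/"after" are null in the plan JSON for creates and deletes.
        before = (change.get("before") or {}).get("sku_tier")
        after = (change.get("after") or {}).get("sku_tier")
        if actions not in (["update"], ["no-op"]):
            problems.append(f"{rc['address']}: {actions} is not an in-place update")
        elif before != after and "Basic" in (before, after):
            problems.append(f"{rc['address']}: {before} -> {after} involves the Basic SKU")
    return problems

if __name__ == "__main__":
    # Usage: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    #        python check_plan.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_IN_PLACE
    issues = check_firewall_plan(text)
    print("\n".join(issues) or "firewall change is an in-place update")
    sys.exit(1 if issues else 0)
```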
When upgrading to Premium, your firewall policy must be a Premium-tier policy. You have two options:
If you're upgrading specifically for TLS inspection or intrusion detection, remember that these features require additional configuration after the SKU change. The upgrade gives you access to Premium features but doesn't enable them automatically.
If you need help planning your firewall upgrade or evaluating whether Premium features justify the cost difference, our consultants at MADIT can help assess your network security requirements. Contact us to discuss your setup.