Azure Firewall - Shared between prod and non-prod or separate per environment?


According to Microsoft's diagram in the Hub-spoke network topology in Azure article, the Hub network and Azure Firewall are shared between production and non-production spoke virtual networks.


Historically, I have separated prod from non-prod resources. It is not clear to me why I would not do that for a Firewall, aside from cost.

Assuming there is no cost factor for Azure Firewall, is there a reason why I would not want to follow the design in the article and have a separate Hub/Firewall per environment?

Thank you

Best answer, by Arko:

There are no strict technical constraints that prevent you from having separate Azure Firewall instances for each environment (production and non-production). Here are the main points to consider:

If you have a Shared Firewall

  • Simplified management with a centralized set of rules.
  • Cost savings as you are running and managing fewer resources.
  • Potentially easier to apply a consistent security posture across all environments.

If you have a Separate Firewall

  • Enhanced security through environment isolation.
  • Reduced risk of misconfigurations affecting production.
  • Ability to customize rules and settings per environment based on different needs.
  • Easier compliance with certain regulations that may require separation.

The decision between a shared versus separate Azure Firewall setup should be as per your organization's operational and compliance needs.
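One way to get both sets of benefits listed above in practice is a separate Azure Firewall per environment whose rules inherit from a single shared base Firewall Policy. The Terraform below is an added illustration, not code from the answer or from Microsoft's article; it assumes `azurerm_resource_group.hub` and per-environment `azurerm_subnet.afw[...]` / `azurerm_public_ip.afw[...]` resources keyed "prod" and "nonprod" already exist, and the address ranges are constructed.

```hcl
# Organisation-wide rules live once in the base policy; every child policy
# inherits them, and base-policy rule collection groups are evaluated first.
resource "azurerm_firewall_policy" "base" {
  name                = "fwpol-base"
  resource_group_name = azurerm_resource_group.hub.name   # assumed existing
  location            = azurerm_resource_group.hub.location
}

# Example shared rule: non-prod spokes may never reach prod spokes, regardless
# of what an environment team later adds to its own child policy.
resource "azurerm_firewall_policy_rule_collection_group" "base" {
  name               = "rcg-base"
  firewall_policy_id = azurerm_firewall_policy.base.id
  priority           = 100
  network_rule_collection {
    name     = "deny-nonprod-to-prod"
    priority = 100
    action   = "Deny"
    rule {
      name                  = "nonprod-spokes-to-prod-spokes"
      protocols             = ["Any"]
      source_addresses      = ["10.20.0.0/16"]   # constructed non-prod range
      destination_addresses = ["10.10.0.0/16"]   # constructed prod range
      destination_ports     = ["*"]
    }
  }
}

# One child policy per environment: inherits the base rules, can add its own,
# so a non-prod rule change cannot touch the prod firewall's policy.
resource "azurerm_firewall_policy" "env" {
  for_each            = toset(["prod", "nonprod"])
  name                = "fwpol-${each.key}"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  base_policy_id      = azurerm_firewall_policy.base.id
}

# One firewall per environment, each in its own AzureFirewallSubnet.
resource "azurerm_firewall" "env" {
  for_each            = azurerm_firewall_policy.env
  name                = "afw-${each.key}"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  firewall_policy_id  = each.value.id
  ip_configuration {
    name                 = "afw-ipconfig"
    subnet_id            = azurerm_subnet.afw[each.key].id      # assumed existing
    public_ip_address_id = azurerm_public_ip.afw[each.key].id   # assumed existing
  }
}
```

The base policy is where the consistent posture of the shared design lives; the per-environment firewall and child policy give the isolation and per-environment customisation of the separate design.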
