Azure Firewall Basic vs Standard: Which Tier and When to Upgrade

Azure Firewall comes in three tiers: Basic, Standard, and Premium. Most teams choosing between Basic and Standard are asking the wrong question. They are comparing costs when they should be comparing what each tier cannot do, because the gaps in capability matter more than the price difference for anything handling production traffic.

This guide covers exactly where the two tiers differ, how the pricing model works in practice (including where Basic gets expensive), and the decision criteria that should drive the choice.

The capability gaps that actually matter

Both tiers are stateful firewalls. Both support Layer 3-7 filtering, SNAT, DNAT, availability zones, and central management via Azure Firewall Manager. The gaps are in three areas:

Threat intelligence mode. Basic supports threat intelligence in alert mode only. It identifies traffic to and from known malicious IP addresses and domains and logs the event, but it does not block it. Standard supports alert and block mode, where identified malicious traffic is dropped automatically. For a development environment, alert-only is probably fine. For production, the distinction between seeing an attack and stopping it is meaningful.

Throughput. Basic is capped at 250 Mbps. Standard autoscales up to 30 Gbps. Most SMBs sit well under 250 Mbps under normal conditions, but a single large file transfer, a backup window, or a batch job can push past that. Basic also runs on two fixed VM instances, while Standard adds capacity on demand. If you have any workload with bursty throughput, Basic's fixed cap is a risk.

Web content filtering and DNS proxy. Basic does not include web content filtering or DNS proxy capabilities. Standard includes both. Web content filtering lets you block categories of sites at the firewall level rather than relying on endpoint controls. DNS proxy lets you run custom DNS through the firewall with logging, which is useful for visibility and for certain Private Endpoint configurations. If these features are on your requirements list, Basic is not an option.

Data processing cost per GB. This is where Basic's economics reverse. Basic charges approximately £0.053 per GB processed; Standard charges approximately £0.016 per GB. At low data volumes, Basic's lower fixed deployment cost wins. At higher volumes (roughly 1.5-2 TB/month), Standard's lower per-GB rate means you pay less overall. Calculate your actual data volume before assuming Basic is cheaper.
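The threat intelligence and DNS proxy limits above can be checked against deployed policies. The following is an added example, not code from the article or from Microsoft: it audits Firewall Policy resources in ARM export shape for settings that conflict with the tier limits described here. The `env` tag convention, the policy names, and the defaults used when a property is missing are assumptions.

```python
# Added example, not from the article: audit Azure Firewall Policy resources
# against the Basic-tier limits the article describes.

def audit_policy(res):
    """Return finding codes for one Microsoft.Network/firewallPolicies resource."""
    props = res.get("properties", {})
    tier = props.get("sku", {}).get("tier", "Standard")   # default assumed
    ti_mode = props.get("threatIntelMode", "Alert")       # default assumed
    dns_proxy = props.get("dnsSettings", {}).get("enableProxy", False)
    is_prod = res.get("tags", {}).get("env") == "prod"    # hypothetical tag
    findings = []
    if tier == "Basic" and ti_mode == "Deny":
        findings.append("basic-cannot-block")      # Basic is alert-only
    if tier == "Basic" and dns_proxy:
        findings.append("basic-has-no-dns-proxy")
    if is_prod and ti_mode != "Deny":
        findings.append("prod-alert-only")         # attack seen, not stopped
    return findings

def audit(resources):
    """Map policy name -> findings, ignoring other resource types."""
    return {r["name"]: audit_policy(r) for r in resources
            if r.get("type") == "Microsoft.Network/firewallPolicies"}

def policy(name, tier, ti_mode, env, dns_proxy=False):
    """Build a constructed resource in ARM export shape."""
    return {"type": "Microsoft.Network/firewallPolicies", "name": name,
            "tags": {"env": env},
            "properties": {"sku": {"tier": tier}, "threatIntelMode": ti_mode,
                           "dnsSettings": {"enableProxy": dns_proxy}}}

# Constructed sample input (names are illustrative).
SAMPLE = [
    policy("fwpol-dev", "Basic", "Alert", "dev"),
    policy("fwpol-prod-edge", "Basic", "Alert", "prod"),
    policy("fwpol-shared", "Basic", "Deny", "dev", dns_proxy=True),
    policy("fwpol-prod-core", "Standard", "Deny", "prod", dns_proxy=True),
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-hub"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```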

How the pricing model works

Both tiers use a two-component pricing structure: a fixed deployment cost per hour plus a per-GB data processing charge.

Basic runs at approximately £0.32/hour (around £230/month fixed) plus £0.053/GB. Standard runs at approximately £1.25/hour (around £900/month fixed) plus £0.016/GB.

At 1 TB/month data volume:
- Basic: £230 + (1,000 × £0.053) = £230 + £53 = £283
- Standard: £900 + (1,000 × £0.016) = £900 + £16 = £916

At 10 TB/month:
- Basic: £230 + (10,000 × £0.053) = £230 + £530 = £760
- Standard: £900 + (10,000 × £0.016) = £900 + £160 = £1,060

At 50 TB/month:
- Basic: £230 + £2,650 = £2,880
- Standard: £900 + £800 = £1,700

The crossover (where Standard becomes cheaper purely on cost) is around 15-18 TB/month depending on exact regional pricing. If you are already near that volume, model it with your actual usage data rather than an average.
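To model this with actual usage rather than an average, the following added example (not from the article) applies the article's rounded figures to per-hour data volumes and also checks each hour against Basic's 250 Mbps cap from the throughput section. The traffic profile is constructed, and hourly averages understate shorter bursts, so treat the throughput result as a lower bound.

```python
# Added example, not from the article: cost and throughput check per tier.
BASIC_CAP_MBPS = 250  # Basic throughput cap stated in the article

# Article's rounded figures: fixed GBP per month and GBP per GB processed.
TIERS = {
    "Basic": {"fixed": 230.0, "per_gb": 0.053},
    "Standard": {"fixed": 900.0, "per_gb": 0.016},
}

def monthly_cost(tier, gb):
    """Fixed deployment cost plus data processing for one month."""
    p = TIERS[tier]
    return round(p["fixed"] + gb * p["per_gb"], 2)

def break_even_gb():
    """Monthly volume at which both tiers cost the same."""
    b, s = TIERS["Basic"], TIERS["Standard"]
    return (s["fixed"] - b["fixed"]) / (b["per_gb"] - s["per_gb"])

def avg_mbps(gb_in_hour):
    """Average rate over one hour (1 GB = 8,000 megabits)."""
    return gb_in_hour * 8000 / 3600

def assess(hourly_gb):
    """Summarise a month of per-hour volumes for the tier decision."""
    total = sum(hourly_gb)
    over = sum(1 for g in hourly_gb if avg_mbps(g) > BASIC_CAP_MBPS)
    costs = {t: monthly_cost(t, total) for t in TIERS}
    return {
        "total_gb": total,
        "peak_mbps": round(max(avg_mbps(g) for g in hourly_gb), 1),
        "hours_over_basic_cap": over,
        "costs": costs,
        "cheaper_on_cost": min(costs, key=costs.get),
        "basic_viable": over == 0,
    }

# Constructed profile: 5 GB/hour baseline, 150 GB backup at 02:00, 30 days.
SAMPLE = [150 if hour == 2 else 5 for _day in range(30) for hour in range(24)]

if __name__ == "__main__":
    print(f"break-even: {break_even_gb() / 1000:.1f} TB/month")
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed profile Basic is cheaper on cost, yet the nightly backup hour averages above the Basic cap, which is the capability-before-price point the article makes.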

Additional charges apply for Azure Firewall Policies (priced per policy per region) and Policy Analytics (optional, priced per policy per month). Azure Firewall Manager itself carries no charge; you pay for what you create through it.

Partial hours are billed as full hours. If you are running development environments that could be stopped overnight, automating firewall start/stop via Azure Automation can reduce the fixed deployment cost by 40-50% for non-production use.

Decision criteria

Start with Basic if:
- You are running a dev/test environment where alert-only threat intelligence is acceptable
- Your throughput is consistently well under 250 Mbps with no burst workloads
- You do not need web content filtering or DNS proxy
- Your data volume is under 5 TB/month

Choose Standard if:
- You handle production traffic where active threat blocking is required
- Your compliance requirements (FCA, PCI DSS, UK GDPR, ISO 27001) mandate automatic blocking of known malicious traffic
- You have bursty workloads that can exceed 250 Mbps
- You need web content filtering for productivity or compliance controls
- You need DNS proxy for Private Endpoint visibility or custom DNS logging
- Your data volume is above 10 TB/month (Standard's per-GB rate makes it economical)

Consider Premium if:
- You need TLS inspection (decrypting and inspecting HTTPS traffic)
- You need IDPS (Intrusion Detection and Prevention System signatures)
- You are a financial services or healthcare business with the most stringent threat inspection requirements

Reducing costs at either tier

Regardless of tier, several practices reduce firewall spend without reducing capability:

Automate non-production shutdowns. Use Azure Automation or runbooks to stop and start the firewall outside business hours in dev and test environments. Combined with Basic's lower fixed cost, this can bring non-production firewall spend to well under £100/month.

Use the Basic table plan for logging. Azure Monitor's Basic table plan costs roughly 80% less than the standard Analytics table plan for log data. Route Azure Firewall diagnostic logs to a Basic table for cost-efficient retention, and reserve Analytics tables for logs you actively query.

Set cost alerts. Configure Azure Cost Management alerts on firewall resource costs. Data processing charges scale with traffic and can grow faster than expected if a new workload generates higher-than-anticipated throughput.

Review tier quarterly. As workloads grow and compliance requirements evolve, the right tier can change. A business that started on Basic for valid reasons may reach a point where Standard's features are genuinely required. A regular review is cheaper than discovering the mismatch mid-audit.

Where Critical Cloud comes in

Choosing the right firewall tier and configuring it correctly, including policy design, threat intelligence tuning, and logging that satisfies audit requirements, is part of how we operate Azure for regulated businesses. The wrong tier choice either wastes money or leaves gaps that matter when a regulator asks what network controls you have in place. As the world's first Powered by Datadog accredited partner, we monitor Azure Firewall threat intelligence signals alongside application and infrastructure data, so blocked traffic and policy violations appear in the same place as operational events.