Hello @EnterpriseArchitect ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know the best practices and use case scenario of deploying Azure Firewall in your production Subscription.
The articles below provide architectural best practices for Azure Firewall.
Refer: https://zcusa.951200.xyz/en-us/azure/architecture/framework/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json
https://zcusa.951200.xyz/en-us/azure/architecture/networking/guide/well-architected-framework-azure-firewall
You can use Azure Firewall to govern:
- Internet outbound traffic (VMs and services that access the internet).
- Non-HTTP/S inbound traffic.
- East-west traffic filtering.
You can share the same Azure Firewall across multiple workloads and Azure Virtual Networks. You could also stop Azure Firewall deployments that do not need to run for 24 hours.
If your setup has Internet outbound traffic or Non-HTTP/S inbound traffic, then it is recommended to use Azure Firewall for better security.
If you only have one VM, which doesn't have a public IP or any internet connectivity, then you can skip the Azure Firewall deployment.
Some more best practices that you can refer to:
https://zcusa.951200.xyz/en-us/azure/security/fundamentals/network-best-practices#deploy-perimeter-networks-for-security-zones
https://zcusa.951200.xyz/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline#14-deny-communications-with-known-malicious-ip-addresses
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
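As an added illustration of the hub deployment the answer above recommends (this is example code written for this page, not from the answer, the linked articles or Microsoft), the Bicep template below deploys one Azure Firewall in a hub virtual network, turns threat-intelligence filtering to Deny so traffic to and from known malicious IPs and domains is blocked, allows only a narrow set of outbound traffic from the spoke address range, and creates a route table that sends the spoke's internet-bound traffic (0.0.0.0/0) through the firewall's private IP. Associating that route table with spoke subnets is what enforces the outbound and east-west filtering; without the route the firewall sits idle. All resource names, address prefixes and the API version are constructed placeholders for the example and are not taken from the answer.

```bicep
// Added example: hub Azure Firewall with forced outbound routing for a spoke.
// Every name and address prefix here is a constructed placeholder.
param location string = resourceGroup().location
param hubPrefix string = '10.0.0.0/16'            // constructed hub address space
param firewallSubnetPrefix string = '10.0.0.0/26' // AzureFirewallSubnet needs at least a /26
param spokePrefix string = '10.1.0.0/16'          // constructed workload range filtered by the firewall

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ hubPrefix ] }
    subnets: [
      {
        name: 'AzureFirewallSubnet' // fixed subnet name required by Azure Firewall
        properties: { addressPrefix: firewallSubnetPrefix }
      }
    ]
  }
}

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-azfw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'azfw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Deny' // drop traffic to/from Microsoft's known-malicious IP and domain feed
    ipConfigurations: [
      {
        name: 'ipconfig-primary'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
    // Everything not matched by a rule below is denied by default.
    networkRuleCollections: [
      {
        name: 'spoke-outbound-core'
        properties: {
          priority: 100
          action: { type: 'Allow' }
          rules: [
            {
              name: 'allow-ntp'
              protocols: [ 'UDP' ]
              sourceAddresses: [ spokePrefix ]
              destinationAddresses: [ '*' ]
              destinationPorts: [ '123' ]
            }
          ]
        }
      }
    ]
    applicationRuleCollections: [
      {
        name: 'spoke-outbound-web'
        properties: {
          priority: 200
          action: { type: 'Allow' }
          rules: [
            {
              name: 'allow-windows-update' // FQDN tag covers the Windows Update endpoints
              sourceAddresses: [ spokePrefix ]
              fqdnTags: [ 'WindowsUpdate' ]
            }
          ]
        }
      }
    ]
  }
}

// Route table for spoke subnets: all internet-bound traffic goes to the firewall's private IP.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-via-azfw'
  location: location
  properties: {
    disableBgpRoutePropagation: true // stop learned routes from bypassing the firewall
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
```

Deploy it with `az deployment group create --resource-group <rg> --template-file hub-firewall.bicep` (resource group name and file name are yours), then associate `rt-spoke-via-azfw` with each spoke subnet and peer the spokes to `vnet-hub`. To inspect east-west flows as well, add a route per peer spoke prefix with the same next hop; to verify the default-deny behaviour, check the AzureFirewallNetworkRule and AzureFirewallApplicationRule log categories in diagnostic settings for Deny entries from `spokePrefix`.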