
ADR-0003: AVM Firewall Migration

Status: Accepted | Date: 2026-01-30

During deployment testing of the full scenario, Azure Firewall Basic experienced intermittent InternalServerError failures during provisioning. Root cause: the AVM module created Public IPs inline during firewall deployment, causing race conditions with subnet attachment.

  • Firewall Policy: ✅ Provisioned successfully
  • Public IP configurations: ✅ Provisioned successfully
  • Firewall resource: ❌ Failed with privateIp: null

Migrate firewall.bicep from raw ARM resources to Azure Verified Modules with sequential resource creation:

  1. Phase 1: Create zone-redundant Public IPs (explicit Bicep resources)
  2. Phase 2: Create Firewall Policy (AVM module avm/res/network/firewall-policy 0.3.4)
  3. Phase 3: Create Rule Collection Groups (depends on Policy)
  4. Phase 4: Create Azure Firewall (AVM module avm/res/network/azure-firewall 0.9.2, references pre-created PIPs)
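The four phases above written out as one Bicep file, added here as an illustration; it is not the repository's firewall.bicep. The module versions are the ones pinned in this ADR, but the AVM parameter names (tier, azureSkuTier, virtualNetworkResourceId, publicIPResourceID, managementIPResourceID, firewallPolicyId) are assumed from the module documentation and should be checked, and hubVnetResourceId, the resource names and the 10.0.0.0/16 DNS rule are constructed inputs.

```bicep
// Added illustration of the ADR's four-phase ordering, not the repository's
// firewall.bicep. AVM parameter names below are assumed; verify against the docs.
param location string = resourceGroup().location
param hubVnetResourceId string   // hub VNet holding AzureFirewallSubnet (assumed input)
param fwName string = 'afw-hub'

// Phase 1: explicit zone-redundant PIPs. Basic SKU needs a data PIP and a
// management PIP; creating them first removes the inline-PIP race.
resource pips 'Microsoft.Network/publicIPAddresses@2023-11-01' = [for n in ['data', 'mgmt']: {
  name: 'pip-${fwName}-${n}', location: location
  sku: { name: 'Standard', tier: 'Regional' }
  zones: ['1', '2', '3']
  properties: { publicIPAllocationMethod: 'Static', publicIPAddressVersion: 'IPv4' }
}]

// Phase 2: Firewall Policy through AVM, created before any rules exist.
module fwPolicy 'br/public:avm/res/network/firewall-policy:0.3.4' = {
  name: 'deploy-${fwName}-policy'
  params: { name: 'afwp-${fwName}', location: location, tier: 'Basic' }
}

// Phase 3: Rule Collection Group as a child resource, explicitly ordered after
// the policy. Constructed allow-list: only DNS egress from the hub range.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-11-01' = {
  name: 'afwp-${fwName}/DefaultNetworkRuleCollectionGroup', dependsOn: [fwPolicy]
  properties: {
    priority: 200
    ruleCollections: [{
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'allow-dns', priority: 100
      action: { type: 'Allow' }
      rules: [{ ruleType: 'NetworkRule', name: 'dns-out', ipProtocols: ['UDP'], sourceAddresses: ['10.0.0.0/16'], destinationAddresses: ['*'], destinationPorts: ['53'] }]
    }]
  }
}

// Phase 4: the firewall consumes the pre-created PIPs and policy by resource ID
// and waits for the rule collection group, so nothing is created inline.
module fw 'br/public:avm/res/network/azure-firewall:0.9.2' = {
  name: 'deploy-${fwName}', dependsOn: [rcg]
  params: {
    name: fwName, location: location, azureSkuTier: 'Basic'
    virtualNetworkResourceId: hubVnetResourceId
    publicIPResourceID: pips[0].id, managementIPResourceID: pips[1].id
    firewallPolicyId: fwPolicy.outputs.resourceId
  }
}
```

Each phase references the previous one by resource ID or an explicit dependsOn, so ARM serialises the deployment in the order the ADR requires and the firewall never creates a Public IP inline.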

Positive: Eliminated intermittent provisioning failures, aligned with ALZ Bicep Accelerator patterns, gained AVM module benefits (tested, maintained, security defaults).

Negative: More verbose module definition (explicit PIP creation), slightly longer deployment time due to serialization.