Azure · kjilla · Oct 25, 2025 · Oct 25, 2025 · Oct 27, 2025 · Oct 27, 2025
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
@@ -249,5 +249,29 @@ public void TestAzureFirewallAutoscaleConfiguration()
         {
             TestRunner.RunTestScript("Test-AzureFirewallAutoscaleConfiguration");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallCRUDWithEdgeZone()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallCRUDWithEdgeZone");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallVirtualHubCRUDWithEdgeZone()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallVirtualHubCRUDWithEdgeZone");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallEdgeZoneZonesValidation()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallEdgeZoneZonesValidation");
+        }
     }
 }
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
@@ -2495,4 +2495,236 @@ function Test-AzureFirewallAutoscaleConfiguration {
         # Cleanup
         Clean-ResourceGroup $rgname
     }
+}
+
+<#
+.SYNOPSIS
+Tests AzureFirewall CRUD with EdgeZone.
+#>
+function Test-AzureFirewallCRUDWithEdgeZone {
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+    $publicIpName = Get-ResourceName
+    $edgeZone = "microsoftrrezm1"
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
+
+        # Create the Virtual Network with EdgeZone
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet -EdgeZone $edgeZone
+
+        # Create public ip with EdgeZone
+        $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard -EdgeZone $edgeZone
+
+        # Create AzureFirewall with EdgeZone (should have no zones)
+        $azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -PublicIpAddress $publicip -EdgeZone $edgeZone
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+
+        # Verification
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location
+        Assert-NotNull $getAzureFirewall.Etag
+        Assert-AreEqual "Alert" $getAzureFirewall.ThreatIntelMode
+        Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress
+        Assert-AreEqual 0 @($getAzureFirewall.ApplicationRuleCollections).Count
+        Assert-AreEqual 0 @($getAzureFirewall.NatRuleCollections).Count
+        Assert-AreEqual 0 @($getAzureFirewall.NetworkRuleCollections).Count
+
+        # Verify EdgeZone specific behavior
+        Assert-NotNull $getAzureFirewall.ExtendedLocation
+        Assert-AreEqual $edgeZone $getAzureFirewall.ExtendedLocation.Name
+        Assert-AreEqual "EdgeZone" $getAzureFirewall.ExtendedLocation.Type
+        # Verify that zones are null when EdgeZone is specified
+        Assert-Null $getAzureFirewall.Zones
+
+        # Update the firewall to test modification
+        $azureFirewall.ThreatIntelMode = "Deny"
+        Set-AzFirewall -AzureFirewall $azureFirewall
+
+        # Verify the update
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+        Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode
+        # Verify EdgeZone properties are preserved
+        Assert-NotNull $getAzureFirewall.ExtendedLocation
+        Assert-AreEqual $edgeZone $getAzureFirewall.ExtendedLocation.Name
+        Assert-Null $getAzureFirewall.Zones
+
+        # Delete AzureFirewall
+        $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
+        Assert-AreEqual true $delete
+
+        $list = Get-AzFirewall -ResourceGroupName $rgname
+        Assert-AreEqual 0 @($list).Count
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
+<#
+.SYNOPSIS
+Tests AzureFirewall Virtual Hub CRUD with EdgeZone.
+#>
+function Test-AzureFirewallVirtualHubCRUDWithEdgeZone {
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $azureFirewallPolicyName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+    $skuName = "AZFW_Hub"
+    $skuTier = "Standard"
+    $edgeZone = "microsoftrrezm1"
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
+
+        # Create Firewall Policy
+        $azureFirewallPolicy = New-AzFirewallPolicy -ResourceGroupName $rgname -Name $azureFirewallPolicyName -Location $location
+        $azureFirewallPolicyId = $azureFirewallPolicy.Id
+
+        # Create Hub IP Address object
+        $hubIpAddresses = New-AzFirewallHubIpAddress -PublicIPCount 1
+
+        # Create AzureFirewall with EdgeZone
+        New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -SkuName $skuName -SkuTier $skuTier -HubIPAddress $hubIpAddresses -FirewallPolicyId $azureFirewallPolicyId -EdgeZone $edgeZone
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+
+        # Verification
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location
+        Assert-AreEqual $skuName $getAzureFirewall.Sku.Name
+        Assert-AreEqual $skuTier $getAzureFirewall.Sku.Tier
+        Assert-NotNull $getAzureFirewall.Etag
+
+        # Verify EdgeZone specific behavior for Hub firewall
+        Assert-NotNull $getAzureFirewall.ExtendedLocation
+        Assert-AreEqual $edgeZone $getAzureFirewall.ExtendedLocation.Name
+        Assert-AreEqual "EdgeZone" $getAzureFirewall.ExtendedLocation.Type
+        # Verify that zones are null when EdgeZone is specified
+        Assert-Null $getAzureFirewall.Zones
+
+        # Verify hub-specific properties
+        Assert-NotNull $getAzureFirewall.HubIPAddresses
+        Assert-AreEqual 1 @($getAzureFirewall.HubIPAddresses.PublicIPs.Addresses).Count
+
+        # Delete AzureFirewall
+        $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
+        Assert-AreEqual true $delete
+
+        $list = Get-AzFirewall -ResourceGroupName $rgname
+        Assert-AreEqual 0 @($list).Count
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
+<#
+.SYNOPSIS
+Tests EdgeZone and Zones validation - zones should be null when EdgeZone is specified.
+#>
+function Test-AzureFirewallEdgeZoneZonesValidation {
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+    $publicIpName = Get-ResourceName
+    $edgeZone = "microsoftrrezm1"
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
+
+        # Create the Virtual Network with EdgeZone
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet -EdgeZone $edgeZone
+
+        # Create public ip with EdgeZone
+        $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard -EdgeZone $edgeZone
+
+        # Test 1: Attempt to create firewall with both EdgeZone and Zone parameters (should fail)
+        Assert-ThrowsLike { New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -PublicIpAddress $publicip -EdgeZone $edgeZone -Zone 1,2,3 } "*Zones cannot be specified when EdgeZone is provided*"
+
+        # Test 2: Create firewall with only EdgeZone (should succeed)
+        $azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -PublicIpAddress $publicip -EdgeZone $edgeZone
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+
+        # Verify EdgeZone is set and Zones is null
+        Assert-NotNull $getAzureFirewall.ExtendedLocation
+        Assert-AreEqual $edgeZone $getAzureFirewall.ExtendedLocation.Name
+        Assert-AreEqual "EdgeZone" $getAzureFirewall.ExtendedLocation.Type
+        Assert-Null $getAzureFirewall.Zones
+
+        # Delete the firewall
+        Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -Force
+
+        # Test 3: Create firewall with only Zone parameters (no EdgeZone)
+        # Create new VNet and Public IP with zones for this test
+        $vnetName2 = Get-ResourceName
+        $publicIpName2 = Get-ResourceName
+        $subnet2 = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.1.0.0/24
+        $vnet2 = New-AzVirtualNetwork -Name $vnetName2 -ResourceGroupName $rgname -Location $location -AddressPrefix 10.1.0.0/16 -Subnet $subnet2
+        $publicip2 = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName2 -location $location -AllocationMethod Static -Sku Standard -Zone 1,2,3
+
+        $azureFirewall2Name = Get-ResourceName
+        $azureFirewall2 = New-AzFirewall -Name $azureFirewall2Name -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet2 -PublicIpAddress $publicip2 -Zone 1,2,3
+
+        # Get AzureFirewall
+        $getAzureFirewall2 = Get-AzFirewall -name $azureFirewall2Name -ResourceGroupName $rgname
+
+        # Verify Zones are set and ExtendedLocation is null
+        Assert-AreEqual 3 @($getAzureFirewall2.Zones).Count
+        Assert-Null $getAzureFirewall2.ExtendedLocation
+
+        # Delete the firewall
+        Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewall2Name -Force
+
+        # Test 4: Create firewall with only EdgeZone (no Zone parameters)
+        $azureFirewall3Name = Get-ResourceName
+        $azureFirewall3 = New-AzFirewall -Name $azureFirewall3Name -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -PublicIpAddress $publicip -EdgeZone $edgeZone
+
+        # Get AzureFirewall
+        $getAzureFirewall3 = Get-AzFirewall -name $azureFirewall3Name -ResourceGroupName $rgname
+
+        # Verify EdgeZone is set and Zones is null
+        Assert-NotNull $getAzureFirewall3.ExtendedLocation
+        Assert-AreEqual $edgeZone $getAzureFirewall3.ExtendedLocation.Name
+        Assert-Null $getAzureFirewall3.Zones
+
+        # Delete the firewall
+        Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewall3Name -Force
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
 }
diff --git a/...ands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDWithEdgeZone.json b/...ands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDWithEdgeZone.json
diff --git a/...twork.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallEdgeZoneZonesValidation.json b/...twork.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallEdgeZoneZonesValidation.json
diff --git a/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs b/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
@@ -168,6 +168,11 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
             HelpMessage = "A list of availability zones denoting where the firewall needs to come from.")]
         public string[] Zone { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The edge zone where the firewall needs to be deployed.")]
+        public string EdgeZone { get; set; }
+
         [Alias("Sku")]
         [Parameter(
             Mandatory = false,
@@ -286,6 +291,12 @@ private PSAzureFirewall CreateAzureFirewall()
             sku.Name = !string.IsNullOrEmpty(this.SkuName) ? this.SkuName : MNM.AzureFirewallSkuName.AzfwVnet;
             sku.Tier = !string.IsNullOrEmpty(this.SkuTier) ? this.SkuTier : MNM.AzureFirewallSkuTier.Standard;
 
+            // Validate that EdgeZone and Zones are not both specified
+            if (!string.IsNullOrEmpty(this.EdgeZone) && this.Zone != null && this.Zone.Length > 0)
+            {
+                throw new ArgumentException("Zones cannot be specified when EdgeZone is provided. EdgeZone deployments do not support availability zones.", nameof(this.Zone));
+            }
+
             if (sku.Tier.Equals(MNM.AzureFirewallSkuTier.Basic) && !string.IsNullOrEmpty(this.Location))
             {
                 if (FirewallConstants.IsRegionRestrictedForBasicFirewall(this.Location))
@@ -336,10 +347,11 @@ private PSAzureFirewall CreateAzureFirewall()
                     VirtualHub = VirtualHubId != null ? new MNM.SubResource(VirtualHubId) : null,
                     FirewallPolicy = FirewallPolicyId != null ? new MNM.SubResource(FirewallPolicyId) : null,
                     HubIPAddresses = this.HubIPAddress,
-                    Zones = this.Zone == null ? null : this.Zone.ToList(),
+                    Zones = (!string.IsNullOrEmpty(this.EdgeZone)) ? null : (this.Zone == null ? null : this.Zone.ToList()),
                     EnableFatFlowLogging = (this.EnableFatFlowLogging.IsPresent ? "True" : null),
                     EnableDnstapLogging = (this.EnableDnstapLogging.IsPresent ? "True" : null),
-                    EnableUDPLogOptimization = (this.EnableUDPLogOptimization.IsPresent ? "True" : null)
+                    EnableUDPLogOptimization = (this.EnableUDPLogOptimization.IsPresent ? "True" : null),
+                    ExtendedLocation = (!string.IsNullOrEmpty(this.EdgeZone)) ? new PSExtendedLocation(this.EdgeZone) : null
                 };
 
                 if (this.PublicIpAddress != null) 
@@ -368,12 +380,13 @@ private PSAzureFirewall CreateAzureFirewall()
                     EnableFatFlowLogging = (this.EnableFatFlowLogging.IsPresent ? "True" : null),
                     EnableDnstapLogging = (this.EnableDnstapLogging.IsPresent ? "True" : null),
                     EnableUDPLogOptimization = (this.EnableUDPLogOptimization.IsPresent ? "True" : null),
-                    RouteServerId = this.RouteServerId
+                    RouteServerId = this.RouteServerId,
+                    ExtendedLocation = (!string.IsNullOrEmpty(this.EdgeZone)) ? new PSExtendedLocation(this.EdgeZone) : null
                 };
 
                 if (this.Zone != null)
                 {
-                    firewall.Zones = this.Zone?.ToList();
+                    firewall.Zones = (!string.IsNullOrEmpty(this.EdgeZone)) ? null : this.Zone?.ToList();
                 }
 
                 if (this.virtualNetwork != null)

diff --git a/src/Network/Network/ChangeLog.md b/src/Network/Network/ChangeLog.md
@@ -19,6 +19,9 @@
 --->
 
 ## Upcoming Release
+* Added EdgeZone parameter support for Azure Firewall
+  * Added `-EdgeZone` parameter to `New-AzFirewall` cmdlet
+  * When EdgeZone is specified, zones property is automatically set to null
 
 ## Version 7.22.0
 * Added new RouteTableUsageMode property for Network Manager Routing Configuration

diff --git a/src/Network/Network/Models/AzureFirewall/PSAzureFirewall.cs b/src/Network/Network/Models/AzureFirewall/PSAzureFirewall.cs
@@ -93,6 +93,8 @@ public string[] PrivateRange
 
         public string RouteServerId { get; set; }
 
+        public PSExtendedLocation ExtendedLocation { get; set; }
+
         [JsonIgnore]
         public string IpConfigurationsText
         {