Azure Firewall policy rule sets (2024)


Firewall Policy is a top-level resource that contains security and operational settings for Azure Firewall. You can use Firewall Policy to manage rule sets that the Azure Firewall uses to filter traffic. Firewall policy organizes, prioritizes, and processes the rule sets based on a hierarchy with the following components: rule collection groups, rule collections, and rules.


Rule collection groups

A rule collection group is used to group rule collections. They're the first unit that the firewall processes, and they follow a priority order based on values. There are three default rule collection groups, and their priority values are preset by design. They're processed in the following order:

Rule collection group name                                                    Priority
Default DNAT (Destination Network Address Translation) rule collection group   100
Default Network rule collection group                                          200
Default Application rule collection group                                      300

Even though you can't delete the default rule collection groups or modify their priority values, you can still control their processing order in a different way. If you need a priority order that differs from the default design, create custom rule collection groups with the priority values you want. In this scenario, you don't use the default rule collection groups at all; you use only the groups you create to customize the processing logic.

Rule collection groups contain one or more rule collections, which can be of type DNAT, network, or application. For example, you can group the rules that belong to the same workloads or the same virtual network in one rule collection group.

For rule collection group size limits, see Azure subscription and service limits, quotas, and constraints.

Rule collections

A rule collection belongs to a rule collection group, and it contains one or more rules. Rule collections are the second unit processed by the firewall, and they follow a priority order based on values. Each rule collection must have a defined action (allow or deny) and a priority value. The defined action applies to all the rules within the rule collection. The priority value determines the order in which the rule collections are processed.

There are three types of rule collections:

  • DNAT
  • Network
  • Application

Rule types must match their parent rule collection category. For example, a DNAT rule can only be part of a DNAT rule collection.

Rules

A rule belongs to a rule collection, and it specifies which traffic is allowed or denied in your network. Rules are the third unit that the firewall processes, and they don't follow a priority order based on values. The processing logic for rules follows a top-down approach. The firewall uses the defined rules to evaluate all traffic passing through it and to determine whether the traffic matches an allow or deny condition. If no rule allows the traffic, the traffic is denied by default.

Our built-in infrastructure rule collection processes traffic for application rules before denying it by default.

Inbound vs. outbound

An inbound firewall rule protects your network from threats that originate outside your network (traffic sourced from the Internet) and attempt to infiltrate it.

An outbound firewall rule protects against nefarious traffic that originates internally (traffic sourced from a private IP address within Azure) and travels outward. This is usually traffic from Azure resources that is routed through the firewall before it reaches its destination.

Rule types

There are three types of rules:

  • DNAT
  • Network
  • Application

DNAT rules

DNAT rules allow or deny inbound traffic through one or more firewall public IP addresses. You can use a DNAT rule when you want a public IP address to be translated into a private IP address. The Azure Firewall public IP addresses can be used to listen for inbound traffic from the Internet, filter that traffic, and translate it to internal resources in Azure.

Network rules

Network rules allow or deny inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4). You can use a network rule when you want to filter traffic based on IP addresses, any ports, and any protocols.

Application rules

Application rules allow or deny outbound and east-west traffic based on the application layer (L7). You can use an application rule when you want to filter traffic based on fully qualified domain names (FQDNs), URLs, and the HTTP/HTTPS protocols.
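The following Python model is an added example, not code from the original article or from Azure; it encodes the processing order described in the Rule collection groups, Rule collections, and Rules sections above (groups by priority value, then collections by priority value, then rules top-down, with deny as the default when nothing matches), and it gives each of the three rule types just described its own matching criteria (public IP for DNAT, IP/port/protocol for network, FQDN for application). The policy contents, group names such as "Quarantine", IP ranges, and FQDN patterns are all constructed for illustration; the priority values 100/200/300 for the default groups are the ones from the table above. Real Azure Firewall behaviour may have additional nuances that this simplified model does not capture.

```python
"""Constructed model of the Firewall Policy hierarchy: groups -> collections -> rules.

Illustrative only, not Azure's implementation. Lower priority value = processed earlier.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    """One connection to decide on (constructed sample input)."""
    source: str         # source IP address
    destination: str    # destination IP, or an FQDN when application rules are meant
    port: int
    protocol: str       # e.g. "TCP", "UDP", "HTTPS"


def _in_prefixes(addr: str, prefixes: list[str]) -> bool:
    """True if addr is an IP inside any prefix; a non-IP string (an FQDN) never matches."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in ip_network(p, strict=False) for p in prefixes)


@dataclass
class Rule:
    name: str
    rule_type: str                          # "DNAT", "Network" or "Application"
    sources: list[str]                      # source CIDR prefixes
    destinations: list[str]                 # CIDR prefixes, or FQDN patterns for Application
    ports: Optional[set[int]] = None        # None = any port
    protocols: Optional[set[str]] = None    # None = any protocol

    def matches(self, flow: Flow) -> bool:
        if not _in_prefixes(flow.source, self.sources):
            return False
        if self.rule_type == "Application":   # L7: match on FQDN, wildcard allowed
            dst_ok = any(fnmatchcase(flow.destination.lower(), d.lower()) for d in self.destinations)
        else:                                 # DNAT / Network: match on destination IP (L3/L4)
            dst_ok = _in_prefixes(flow.destination, self.destinations)
        port_ok = self.ports is None or flow.port in self.ports
        proto_ok = self.protocols is None or flow.protocol.upper() in {p.upper() for p in self.protocols}
        return dst_ok and port_ok and proto_ok


@dataclass
class RuleCollection:
    name: str
    rule_type: str      # rule types must match their parent collection category
    priority: int
    action: str         # "Allow" or "Deny", applied to every rule in the collection
    rules: list[Rule]

    def __post_init__(self) -> None:
        for r in self.rules:
            if r.rule_type != self.rule_type:
                raise ValueError(f"rule {r.name} is {r.rule_type} but collection "
                                 f"{self.name} is {self.rule_type}")


@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: list[RuleCollection]


def evaluate(groups: list[RuleCollectionGroup], flow: Flow) -> tuple[str, Optional[str]]:
    """Return (action, 'group/collection/rule' that decided), or ('Deny', None)."""
    for group in sorted(groups, key=lambda g: g.priority):               # 1st: groups by priority
        for coll in sorted(group.collections, key=lambda c: c.priority):  # 2nd: collections by priority
            for rule in coll.rules:                                       # 3rd: rules, top-down, no priority
                if rule.matches(flow):
                    return coll.action, f"{group.name}/{coll.name}/{rule.name}"
    return "Deny", None                                                   # implicit default deny


def sample_policy() -> list[RuleCollectionGroup]:
    """Constructed policy: the three default groups (100/200/300) plus a custom
    "Quarantine" group at priority 50, which is therefore processed before all of them."""
    lan = ["10.0.0.0/16"]
    return [
        RuleCollectionGroup("Quarantine", 50, [
            RuleCollection("block-quarantined", "Network", 100, "Deny", [
                Rule("quarantined-subnet", "Network", ["10.0.9.0/24"], ["0.0.0.0/0"])])]),
        RuleCollectionGroup("DefaultDnatRuleCollectionGroup", 100, [
            RuleCollection("publish-web", "DNAT", 100, "Allow", [
                Rule("https-in", "DNAT", ["0.0.0.0/0"], ["203.0.113.10/32"], {443}, {"TCP"})])]),
        RuleCollectionGroup("DefaultNetworkRuleCollectionGroup", 200, [
            RuleCollection("allow-dns", "Network", 100, "Allow", [
                Rule("dns-out", "Network", lan, ["168.63.129.16/32"], {53}, {"UDP", "TCP"})]),
            RuleCollection("deny-smb", "Network", 200, "Deny", [
                Rule("no-smb", "Network", lan, ["0.0.0.0/0"], {445}, {"TCP"})]),
            # Never reached for SMB: the Deny collection with the lower value matches first.
            RuleCollection("allow-smb-fileserver", "Network", 300, "Allow", [
                Rule("smb-fs", "Network", lan, ["10.1.0.0/24"], {445}, {"TCP"})])]),
        RuleCollectionGroup("DefaultApplicationRuleCollectionGroup", 300, [
            RuleCollection("allow-updates", "Application", 100, "Allow", [
                Rule("win-update", "Application", lan, ["*.windowsupdate.com"], None, {"HTTPS"})])]),
    ]


if __name__ == "__main__":
    for f in (Flow("10.0.1.5", "168.63.129.16", 53, "UDP"),
              Flow("10.0.1.5", "10.1.0.7", 445, "TCP"),
              Flow("10.0.9.3", "168.63.129.16", 53, "UDP"),
              Flow("10.0.1.5", "download.windowsupdate.com", 443, "HTTPS"),
              Flow("10.0.1.5", "198.51.100.20", 22, "TCP")):
        print(f, "->", evaluate(sample_policy(), f))
```

Two points the run makes visible: SMB to the file server is denied because the "deny-smb" collection (priority 200) is processed before "allow-smb-fileserver" (300), so an exception must be given a lower priority value than the deny it is meant to override; and a host in the quarantined subnet loses its DNS even though "allow-dns" would match, because the custom group at priority 50 is processed before the default network group at 200.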

Next steps

  • Learn more about Azure Firewall rule processing: Configure Azure Firewall rules.