azure firewall rule collection vs rules

prasantc 936 Reputation points
2024-04-23T16:05:24.24+00:00

azure firewall rule collection vs rules how determine the collection of rules.

How to plan collection? Can I keep all ADDS collection group e.g. with inbound rules for client, outbound /inbound for DC to DC rules, inbound for management and reporting server rules, and inbound for jump boxes to DCs rules.

One rule collection about ADDS or domain services put all the rules under that grouping?

Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
92 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee
    2024-04-24T03:45:29.8866667+00:00

    Hello @prasantc ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how to group the Firewall rules in a rule collection.

    As mentioned in the Azure Firewall FAQ documentation,

    A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000. DNAT rule collections are higher priority than network rule collections, which are higher priority than application rule collections, and all rules are terminating.

    There are three types of rule collections:

    • Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a Virtual Network. Application rules allow or deny outbound and east-west traffic based on the application layer (L7).
    • Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses. Network rules allow or deny inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4).
    • NAT rules: Configure DNAT rules to allow incoming/inbound Internet connections.

    A rule collection can contain one or multiple rules and they follow a priority order based on values. Rule collections must have a defined action (allow or deny) and a priority value. The defined action applies to all the rules within the rule collection. The priority value determines order the rule collections are processed.

    Rule types must match their parent rule collection category. For example, a DNAT rule can only be part of a DNAT rule collection.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/policy-rule-sets#rule-collections

    Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000. Rule Collections with highest priority (lowest number) are processed first. Application rules are always processed after Network rules, which are processed after DNAT rules regardless of Rule collection group or Rule collection priority and policy inheritance.

    You can get an understanding of the Rule processing logic with example in the below doc.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/rule-processing

    So, you should plan the rule collection as below:

    • First segregate the type of rule i.e. DNAT or Network or Application.
    • Then decide the action type i.e. Allow or Deny
    • Then decide the priority in which you would like the Firewall to process them.

    For example: If you have 4 rules, out of which 3 are DNAT rules and 1 is Network rule, and out of the 3 DNAT rules, 2 of them you would like to allow and the remaining one you would like to deny. And the priority that you want to follow is allowed DNAT rules before the deny. Then your rule collection would be as below:

    DNAT rule collection 1:

    • Name: Allow-collection <-- It should contain the 2 DNAT rules that you want to allow.
    • Priority: 100
    • Action: Allow

    DNAT rule collection 2:

    • Name: Deny-collection <-- It should contain the 1 DNAT rule that you want to deny.
    • Priority: 200
    • Action: Deny

    Network rule collection 1: <-- It should contain the 1 Network rule that you want to deny.

    • Name: Deny-collection
    • Priority: 300
    • Action: Deny

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.