![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 33%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
781 questions
Thank you for posting your query on Microsoft Q&A.
The difference is in the level of granularity in the traffic allowed.
Network rules
Network rules allow or deny inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4). We can use a network rule when you want to filter traffic based on IP addresses, any ports, and any protocols.
Application rules
Application rules allow or deny outbound and east-west traffic based on the application layer (L7). We can use an application rule when you want to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
The preferred method depends on your security requirements. If you want to allow all traffic over port 443, regardless of the protocol or destination, use a network rule. If you want to allow only specific HTTPS traffic, use an application rule. It's always better to have more granular control over the traffic allowed.
Please refer to Network and Application rules
https://learn.microsoft.com/en-us/azure/firewall/rule-processing