Azure firewall rules

Question

Azure firewall rules

prasantc 976

Is it possible to built rules in a Network or application rule set with different priority numbers using code? I do not see that option on the portal or perhaps it is not recommended.

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-07-13T00:40:29.4633333+00:00

@prasantc

We noticed your feedback that the answer below was not helpful.

Thank you for taking time to share your feedback.

Kindly let us know what we could have done better to improve the answer and make your engagement experience good.

We are here to help you and strive to make your experience better and greatly value your feedback.

Looking forward to your reply. Much appreciate your feedback!
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-07-15T00:41:40.0233333+00:00

@prasantc

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
prasantc 976 Reputation points

2023-07-15T17:16:05.8366667+00:00

I am trying to find having different priority with custom rule set. And best practice with the example of custom rulel set with different priority over default three default rule set.

Specially, for a company where the network policy rules grows and they want to group allow and deny policy specific to application or department or environment. Whichever would be the best approach to organize the rules to meaningful group and priority.

I guess did not ask the much detail at the first question which is my mistake and I was looking specific cases of portal or bicep rather than TF

3 answers

Your answer

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-07-13T00:40:29.4633333+00:00

@prasantc

We noticed your feedback that the answer below was not helpful.

Thank you for taking time to share your feedback.

Kindly let us know what we could have done better to improve the answer and make your engagement experience good.

We are here to help you and strive to make your experience better and greatly value your feedback.

Looking forward to your reply. Much appreciate your feedback!
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-07-15T00:41:40.0233333+00:00

@prasantc

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
prasantc 976 Reputation points

2023-07-15T17:16:05.8366667+00:00

I am trying to find having different priority with custom rule set. And best practice with the example of custom rulel set with different priority over default three default rule set.

Specially, for a company where the network policy rules grows and they want to group allow and deny policy specific to application or department or environment. Whichever would be the best approach to organize the rules to meaningful group and priority.

I guess did not ask the much detail at the first question which is my mistake and I was looking specific cases of portal or bicep rather than TF

Answer 1

Luke Murray 11,436 MVP Volunteer Moderator

Yes you can.

For example you can set the priority at the Rule collection using Teraform: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_application_rule_collection

You can also either priority to the rules as well, or it will jut inherit from the group, using the same priority.

I would leave it as the priority on the rule collection group, unless you need to change it, then add the priority on the ruleset.

prasantc 976 Reputation points

2023-07-11T21:45:16.2633333+00:00

I guess the same applies to bicep. I should be able to create rule with different priority number which is not an option in the portal when I am testing in manually?
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-11T21:50:48.9633333+00:00

For Bicep - you could try it in the rules and see if it works: https://learn.microsoft.com/en-us/azure/templates/microsoft.network/firewallpolicies/rulecollectiongroups?pivots=deployment-language-bicep

I just referred to a Terraform deployment I have done within the last few days and was able to add Priority.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-12T21:52:08.8233333+00:00

In regards to your Azure policies and rule collections:

It can really depend; an example is:

A parent policy - that has your shared services

A child policy, that has all your application rules, each in a Collection Group - i.e., Security, App1, App2.

Especially if those policies are going to be edited or reviewed by people no in the firewall team, ie, App1 team will be editing App1 policies, then it makes sense to separate them.

I would have all core policies (ie M365, Azure Backup etc) in one collection group, then separate your applications into their own group.

If it's a small environment, then one policy is enough, and then a rule collection - it just needs to be understood by your support staff.
prasantc 976 Reputation points

2023-07-13T03:35:59.68+00:00

Thanks, that gives some baseline to start with

Answer 2

prasantc 976

what is best practices how different group collection should be created? Would it be too many if we have group collection separated based on application like DCs in one group, fille server in another group, and have different priorities

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-12T21:52:16.01+00:00

It can really depend; an example is:

A parent policy - that has your shared services

A child policy, that has all your application rules, each in a Collection Group - i.e., Security, App1, App2.

Especially if those policies are going to be edited or reviewed by people no in the firewall team, ie, App1 team will be editing App1 policies, then it makes sense to separate them.

I would have all core policies (ie M365, Azure Backup etc) in one collection group, then separate your applications into their own group.

If it's a small environment, then one policy is enough, and then a rule collection - it just needs to be understood by your support staff.

Answer 3

@prasantc

Apologies for the delayed response here.

Based on your questions above

And best practice with the example of custom rule set with different priority over default three default rule set.

Currently there is no official documentation available for this specific scenario and I am filing a doc-request with the team internally regarding this request.

Specially, for a company where the network policy rules grows and they want to group allow and deny policy specific to application or department or environment. Whichever would be the best approach to organize the rules to meaningful group and priority.

Based on this documentation for Azure Well-Architected Framework review - Azure Firewall it is recommended to assign a global Azure Firewall policy to govern the security posture across global network environments and assign the policy to all instances of Azure Firewall in your network or as the network evolves. Then Delegate incremental firewall policies to local security teams through role-based access control (RBAC). You can also use Azure Firewall Manager to centrally manage Azure Firewall policies across multiple secured virtual hubs. Your central IT teams can author global firewall policies to enforce organization wide firewall policy across teams. Locally authored firewall policies allow a DevOps self-service model for better agility. You can take a look at this documentation for more information.

In Azure Firewall Manager new policies can be created from scratch or inherited from existing policies. Inheritance allows DevOps to create local firewall policies on top of organization mandated base policy. Network rule collections inherited from a parent policy are always prioritized over network rule collections defined as part of a new policy. The same logic also applies to application rule collections. However, network rule collections are always processed before application rule collections regardless of inheritance. You can take a look at the example here on how to implement a a rule hierarchy.

You can also explore the option of using these leading third-party solutions that support Azure Firewall central management using standard Azure REST APIs.

I guess did not ask the much detail at the first question which is my mistake and I was looking specific cases of portal or bicep rather than TF

You can refer to this tutorial here to create an Azure Firewall and a firewall policy. Please let us know if you are facing any issue while deploying using bicep.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Azure firewall rules

3 answers

Your answer