Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
Azure firewall rules processing logic
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 52%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVG%3C/text%3E%3C/svg%3E)
Venu Gopal Krishna VV
100
Reputation points
Hi All,
need some help in Azure firewall processing logic, i have two rule collection group in the application group as below.
i have google.com in both allow and deny action group. ideally lowest priority number will process fist, as shown below deny group has the highest priority and google.com shouldn't be allowed.
initially when this was implemented google.com was denied but all of a sudden, we are seeing google.com allowed though we have it mentioned in the deny action group. can someone please help on this. is there any change from Microsoft ? or am i missing something.
appreciate for help in this
Azure Firewall
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
-
KapilAnanth 49,876 Reputation points Moderator2023-07-25T06:19:07.8333333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
The only way to confirm this is to check which rule allowed the connection from Firewall logs.
- Can you initiate traffic from a VM to google.com and make note of the time stamp.
- And check Azure Firewall queries to see which rule allowed the traffic?
Cheers,
Kapil
-
Venu Gopal Krishna VV 100 Reputation points
2023-07-25T06:30:51.8766667+00:00 Allow group allowed the rule, ideally it shouldn't be allowed right ?
and is my logic of rule processing is correct ?
can you please help on this
-
KapilAnanth 49,876 Reputation points Moderator
2023-07-25T06:33:48.3133333+00:00 Can you please share the screenshot of Allow?
"logic of rule processing is correct ?"
- Yes
- Ideally, the traffic should be denied and rule processing should end there.
Cheers,
Kapil
-
Andreas Baumgarten 131.7K Reputation points MVP Volunteer Moderator2023-07-25T06:34:04.04+00:00 Hi @Venu Gopal Krishna VV ,
maybe this article is helpful to figure out the Azure Firewall processing order. Configure Azure Firewall rules
The processing order might be complex if different Rule Collection types are in use and combined.
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
-
KapilAnanth 49,876 Reputation points Moderator
2023-07-26T06:50:26.4866667+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
KapilAnanth 49,876 Reputation points Moderator
2023-07-27T06:12:56.47+00:00 Can you please update us if the issue was resolved?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Thanks,
Kapil
Sign in to comment
Sign in to answer