Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
614 questions
Azure firewall rules processing logic
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 52%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVG%3C/text%3E%3C/svg%3E)
Venu Gopal Krishna VV
100
Reputation points
Hi All,
need some help in Azure firewall processing logic, i have two rule collection group in the application group as below.
i have google.com in both allow and deny action group. ideally lowest priority number will process fist, as shown below deny group has the highest priority and google.com shouldn't be allowed.
initially when this was implemented google.com was denied but all of a sudden, we are seeing google.com allowed though we have it mentioned in the deny action group. can someone please help on this. is there any change from Microsoft ? or am i missing something.
appreciate for help in this
{count} votes
-
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee2023-07-25T06:19:07.8333333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
The only way to confirm this is to check which rule allowed the connection from Firewall logs.
- Can you initiate traffic from a VM to google.com and make note of the time stamp.
- And check Azure Firewall queries to see which rule allowed the traffic?
Cheers,
Kapil
-
Venu Gopal Krishna VV 100 Reputation points
2023-07-25T06:30:51.8766667+00:00 Allow group allowed the rule, ideally it shouldn't be allowed right ?
and is my logic of rule processing is correct ?
can you please help on this
-
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
2023-07-25T06:33:48.3133333+00:00 Can you please share the screenshot of Allow?
"logic of rule processing is correct ?"
- Yes
- Ideally, the traffic should be denied and rule processing should end there.
Cheers,
Kapil
-
Andreas Baumgarten 104K Reputation points MVP2023-07-25T06:34:04.04+00:00 Hi @Venu Gopal Krishna VV ,
maybe this article is helpful to figure out the Azure Firewall processing order. Configure Azure Firewall rules
The processing order might be complex if different Rule Collection types are in use and combined.
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
-
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
2023-07-26T06:50:26.4866667+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
2023-07-27T06:12:56.47+00:00 Can you please update us if the issue was resolved?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Thanks,
Kapil
Sign in to comment