Azure Firewall Rules Order

Handian Sudianto 6,101 Reputation points
2024-08-15T02:14:47.78+00:00

Hello,

I have a Firewall policy like this:

User's image

In the application rule, I have a rule allowing all VMs to reach Windows Update.

User's image

In the network rule, I have a rule allowing some VMs access to the internet (for example, host 10.10.10.10 can access the internet, and all other hosts are blocked).

User's image

As I understand it, Azure Firewall will process the rules in the following order:

  1. Network Rule
  2. Application Rule

So in my scenario, Network Rule 'ALLOW-TO-INTERNET' will be processed first, then Application Rule 'ALLOW-TO-MICROSOFT'.

My question is:

In every Rule Collection there will be a default deny policy, so this means that on Network Rule 'ALLOW-TO-INTERNET' only host 10.10.10.10 can access the internet, and all other hosts will be blocked. Am I right?

If I'm right, how will the Application Rule be processed, since all traffic will be blocked by the default deny policy on the network rule?


Accepted answer
TP 125.7K Reputation points Volunteer Moderator
    2024-08-15T02:54:01.4566667+00:00

    Hi,

    There is no default deny policy in every rule collection. The way it works is, if a packet doesn't match ANY rule (regardless of whether it is DNAT, Network, or Application), then it is Denied by default.

    So in your scenario, if an outbound packet doesn't match your 'ALLOW-TO-INTERNET' network rule then Azure Firewall will check if it matches your 'ALLOW-TO-MICROSOFT' application rule and if it doesn't match either one it will be denied.

    Configure Azure Firewall rules

    https://learn.microsoft.com/en-us/azure/firewall/rule-processing

    Key excerpt from above article:

    You can configure NAT rules, network rules, and applications rules on Azure Firewall using either classic rules or Firewall Policy. Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic. The rules are terminating, so rule processing stops on a match.

    Key excerpt from Outbound connectivity section of above article:

    If still no match is found within application rules, then the packet is evaluated against the infrastructure rule collection. If there's still no match, then the packet is denied by default.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP

