Thank you for reaching out.
I understand you have a question about the Azure Firewall rules limitation and what options you can explore to add additional rules.
As correctly mentioned by Andreas above, creating IP groups is the recommended solution here, but you already mentioned that you will exceed this limitation as well.
Another approach I can suggest is that you could leverage Application Rules here in order to reduce the number of Network rules you have for outbound connectivity. Azure by design evaluates the network rules first, and if no match is found it then evaluates the Application Rules; you can use this logic to reduce the number of network rules. More on this logic here.
Creating another firewall will also help in this case, as it will allow you to create additional rules. Every new firewall you create will give you an additional 20k rules, but this will depend on how you have implemented the policy assignment; I have explained this scenario in your follow-up question below.
Based on your question above
When you said the limitations are per Azure Firewall, does this mean that if I provision a new Azure Firewall this will allow for an additional 20,000 unique IPs even if I am following the parent-child policies model?
This is not exactly true, because when you are using a parent-child policy, the child policy inherits the rules present in the parent policy, and this adds up in the total number of unique source/destinations in network rules.
So, to answer your question above, the unique source/destination IPs from your parent policy will also contribute to the 20K limitation.
You can see this reflected in the Policy Limits counter on the Policy Analytics page in your firewall policy.
In the Rules you can also see the rules inherited by the child policy from the parent policy.
As correctly mentioned by you and as documented here, the 20k limit for unique source/destination combinations in rules is a soft limit and is related to the latency and performance of Azure Firewall. And as the rules inherited from the parent policy are processed by the Azure Firewall, they are included in the count of unique source/destination combinations.
If you deploy an additional firewall in this case, then you can have a parent policy which applies the organization-wide rules and child policies for your firewalls with rules specific to their environment.
Additional reference:
https://learn.microsoft.com/en-us/azure/firewall/firewall-best-practices#recommendations
Hope this answers your query! Please let me know if you have any additional questions. Thank you!
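As an added illustration (not part of the original answer or of any Azure tooling): a small Python model of the per-firewall count described above, showing that parent-policy rules are counted again on every firewall whose child policy inherits them. It assumes each network rule contributes unique sources x unique destinations and that IP groups expand to their member prefixes; all rule data is constructed.

```python
from itertools import chain

# Constructed sample data (not from the original thread). Addresses use documentation ranges.
IP_GROUPS = {
    "ipg-branches": ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],
}
PARENT_RULES = [  # organization-wide rules, inherited by every child policy
    {"name": "allow-dns", "sources": ["ipg-branches"], "destinations": ["168.63.129.16"]},
    {"name": "allow-ntp", "sources": ["10.0.0.0/8"], "destinations": ["203.0.113.10", "203.0.113.11"]},
]
CHILD_POLICIES = {  # environment-specific rules, one child policy per environment
    "prod": [{"name": "prod-to-sql", "sources": ["10.10.0.0/24", "10.10.1.0/24"],
              "destinations": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}],
    "dev": [{"name": "dev-to-branches", "sources": ["10.20.0.0/24"], "destinations": ["ipg-branches"]}],
}

def expand(addresses, ip_groups):
    """Replace IP group names with their member prefixes; plain addresses pass through."""
    return set(chain.from_iterable(ip_groups.get(a, [a]) for a in addresses))

def rule_combinations(rule, ip_groups):
    """Assumed counting rule: unique sources x unique destinations for one network rule."""
    return len(expand(rule["sources"], ip_groups)) * len(expand(rule["destinations"], ip_groups))

def policy_combinations(rules, ip_groups):
    return sum(rule_combinations(r, ip_groups) for r in rules)

def effective_count(parent_rules, child_rules, ip_groups):
    """What one firewall actually processes: its own child rules plus the inherited parent rules."""
    return policy_combinations(parent_rules, ip_groups) + policy_combinations(child_rules, ip_groups)

def plan_summary(parent_rules, child_policies, ip_groups, soft_limit=20_000):
    """Compare one firewall carrying all environments with one firewall per environment."""
    merged = list(chain.from_iterable(child_policies.values()))
    per_firewall = {name: effective_count(parent_rules, rules, ip_groups)
                    for name, rules in child_policies.items()}
    return {
        "single_firewall": effective_count(parent_rules, merged, ip_groups),
        "per_firewall": per_firewall,
        # the parent's combinations are counted once per firewall, not once overall
        "parent_counted_per_firewall": policy_combinations(parent_rules, ip_groups),
        "over_soft_limit": [n for n, c in per_firewall.items() if c > soft_limit],
    }

if __name__ == "__main__":
    print(plan_summary(PARENT_RULES, CHILD_POLICIES, IP_GROUPS))
```

Splitting environments across firewalls lowers the highest per-firewall count, but the parent policy's combinations reappear in each firewall's total, so only environment-specific rules are actually divided.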