Azure Firewall Classic Rules - rule processing order

Question

What is the rule processing logic for Azure Firewall when using classic rules (i.e., without a policy)?

I have three rule collections configured, and I assume the processing logic follows the same order as with the policy-based approach—where natRuleCollections are evaluated first, followed by networkRuleCollections, and finally applicationRuleCollections.

What I’d like to clarify is this: within a specific rule collection (for example, an application rule collection), there doesn’t seem to be an option to reorder the individual rules

And since individual rules within a rule collection don't have a priority setting, I assume the firewall processes them from top to bottom, as described in the official documentation.

So if its top-to-bottom, why does the bottom rule appear first in the API response? Below is a snippet from the API output

        "applicationRuleCollections": [
            {
                "name": "app-rule-collection-1",
                "id": "",
                "etag": "",
                "properties": {
                    "provisioningState": "Succeeded",
                    "priority": 201,
                    "action": {
                        "type": "Allow"
                    },
                    "rules": [
                        {
                            "name": "rule-1",
                            "priority": 0,
                            "direction": "Inbound",
                            "protocols": [
                                {
                                    "protocolType": "Https",
                                    "port": 4234
                                }
                            ],
                            "fqdnTags": [],
                            "targetFqdns": [
                                "www.search.com"
                            ],
                            "actions": [],
                            "sourceAddresses": [
                                "192.160.8.2"
                            ],
                            "sourceIpGroups": []
                        },
                        {
                            "name": "Rule-1",
                            "priority": 0,
                            "direction": "Inbound",
                            "protocols": [
                                {
                                    "protocolType": "Https",
                                    "port": 443
                                }
                            ],
                            "fqdnTags": [
                                "HDInsight"
                            ],
                            "targetFqdns": [],
                            "actions": [],
                            "sourceAddresses": [
                                "192.160.8.2"
                            ],
                            "sourceIpGroups": []
                        }
                    ]
                },
                "type": "Microsoft.Network/azureFirewalls/applicationRuleCollections"
            }
        ],

Answer 1

hi Peter Stieber! thanks for posting this on q&a, its a solid question....

yes, u got it right, it works kinda like the policy based approach. first comes nat rule collections, then network rule collections, and finally application rule collections. microsoft docs confirm this here Azure Firewall rule processing.

about the rules inside a single collection. u noticed there's no priority setting for individual rules, and that's by design. the firewall processes them top to bottom in the order they're listed. but wait, why does the api show the bottom rule first? good catch!

the api response flips the order for some reason, but dont let that confuse u. the actual processing still goes from top to bottom as u see them in the azure portal. so if u have rule 1 and rule 2 in that order, rule 1 runs first, no matter how the api displays it. if u wanna double check, just look at the portal, it shows the real order. If u ever switch to firewall policy later, u’ll get more control with explicit priorities. but for classic rules, top to bottom is the way.

sometimes reordering rules in the portal can help u debug faster. just drag and drop them to test different scenarios. this might help in other tools too, not just azure firewall.

worth looking into how other firewalls handle rule order. for example, aws network firewall and palo alto also process rules sequentially, but their apis might display things differently. the key takeaway? always trust the management interface over raw api output when checking order ))

hope this clears things up! let me know if u hit any snags.

rgds,

Alex

and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment

Answer 2

Hello,

Welcome to Microsoft Q&A,

Azure Firewall evaluates rule collections in the following order:

NAT rule collections

Network rule collections

Application rule collections

Within each type (e.g., application rule collections), they are evaluated in ascending order of the priority number (lower numbers have higher precedence).

Individual rules inside a collection do not have their priority setting. The processing is done top-to-bottom as displayed in the Azure Portal UI, not based on the order in the API JSON response.

The Azure REST API or ARM template responses do not guarantee UI visual order in the rules[] array. The ordering in the API is purely a result of how the backend serializes the rule list and may not reflect the actual evaluation sequence.

This doesn’t affect rule behavior because:

• All rules inside a rule collection are evaluated top-down in the order shown in the Azure Portal UI.
• Since individual rules don’t have explicit priorities, you manage precedence by ordering them manually in the UI (or programmatically using ARM templates, though not directly via rule priority).

Please Upvote and accept the answer if it helps!!