Azure Firewall Network Rules

Network rules allow you to filter traffic to and from your Azure resources. They are processed based on Layer 3 and Layer 4 information (IP addresses, ports, and protocols).

Understanding Network Rules

Network rules are a fundamental part of securing your Azure Virtual Network. They provide fine-grained control over what traffic is allowed into or out of your protected network.

Rule Structure

A network rule consists of the following components:

  • Name: A unique identifier for the rule.
  • Priority: A number that determines the order of rule processing. Lower numbers are processed first.
  • Source Type: Can be an IP Address, Network URL, or Service Tag.
  • Source: The IP address, CIDR block, or service tag to match.
  • Protocol: The protocol to match (e.g., TCP, UDP, ICMP, Any).
  • Destination Type: Can be an IP Address, Network URL, or Service Tag.
  • Destination: The IP address, CIDR block, or service tag to match.
  • Destination Ports: The ports to match (e.g., 80, 443, 1000-2000, * for any).
  • Action: Whether to Allow or Deny the traffic.

Rule Processing Order

Azure Firewall processes rules in the following order:

  1. Network rules from the highest priority (lowest number) to the lowest priority.
  2. If no network rule matches, then application rules are processed.
  3. If no rule matches, the traffic is denied by default.

Important: Network rules and application rules are processed independently. Network rules are evaluated first.

Example Network Rule Configuration

Here's an example of how you might configure a network rule to allow outbound HTTPS traffic to a specific set of web servers:

{
    "name": "AllowOutboundHTTPS",
    "priority": 150,
    "ruleType": "NetworkRule",
    "sourceAddresses": [
        "10.0.1.0/24"
    ],
    "destinationAddresses": [
        "203.0.113.10/32",
        "203.0.113.11/32"
    ],
    "destinationPorts": [
        "443"
    ],
    "protocols": [
        "TCP"
    ],
    "action": "Allow"
}
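To make the processing order described above concrete, the following Python script is an added example (not part of the original page or of any Azure tooling) that evaluates sample flows against a small policy. The policy contains the AllowOutboundHTTPS rule shown above plus two constructed rules, DenyKnownBadEgress and AllowDNS, which are hypothetical and exist only to illustrate priority ordering and the implicit default deny. It treats the rule fields the way this page defines them: rules are tried from the lowest priority number upward, the first match decides, and a flow that matches nothing is denied.

```python
import ipaddress
import json

# Constructed policy: the page's AllowOutboundHTTPS rule plus two hypothetical
# rules (DenyKnownBadEgress, AllowDNS) added here for illustration only.
POLICY_JSON = """
[
  {
    "name": "DenyKnownBadEgress",
    "priority": 100,
    "ruleType": "NetworkRule",
    "sourceAddresses": ["10.0.0.0/16"],
    "destinationAddresses": ["203.0.113.11/32"],
    "destinationPorts": ["*"],
    "protocols": ["Any"],
    "action": "Deny"
  },
  {
    "name": "AllowOutboundHTTPS",
    "priority": 150,
    "ruleType": "NetworkRule",
    "sourceAddresses": ["10.0.1.0/24"],
    "destinationAddresses": ["203.0.113.10/32", "203.0.113.11/32"],
    "destinationPorts": ["443"],
    "protocols": ["TCP"],
    "action": "Allow"
  },
  {
    "name": "AllowDNS",
    "priority": 200,
    "ruleType": "NetworkRule",
    "sourceAddresses": ["10.0.0.0/16"],
    "destinationAddresses": ["*"],
    "destinationPorts": ["53"],
    "protocols": ["UDP", "TCP"],
    "action": "Allow"
  }
]
"""


def _addr_matches(addr, patterns):
    """Match an IP address against a list of '*', single IPs or CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    for p in patterns:
        if p == "*":
            return True
        if ip in ipaddress.ip_network(p, strict=False):
            return True
    return False


def _port_matches(port, patterns):
    """Match a port against '*', single ports ('443') or ranges ('1000-2000').
    A flow without a port (e.g. ICMP, passed as None) only matches '*'."""
    if port is None:
        return "*" in patterns
    for p in patterns:
        if p == "*":
            return True
        if "-" in p:
            lo, hi = (int(x) for x in p.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(p) == port:
            return True
    return False


def _proto_matches(proto, patterns):
    """'Any' matches every protocol; otherwise compare case-insensitively."""
    return any(p.lower() in ("any", proto.lower()) for p in patterns)


def evaluate(rules, src, dst, proto, dport):
    """Return (action, rule_name) for one flow.

    Rules are tried from the lowest priority number upward and the first
    match wins; a flow that matches no rule falls through to the default deny.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (_addr_matches(src, rule["sourceAddresses"])
                and _addr_matches(dst, rule["destinationAddresses"])
                and _proto_matches(proto, rule["protocols"])
                and _port_matches(dport, rule["destinationPorts"])):
            return rule["action"], rule["name"]
    return "Deny", "<implicit default deny>"


RULES = json.loads(POLICY_JSON)

if __name__ == "__main__":
    flows = [
        ("10.0.1.25", "203.0.113.10", "TCP", 443),   # allowed by AllowOutboundHTTPS
        ("10.0.1.25", "203.0.113.11", "TCP", 443),   # deny at 100 wins over allow at 150
        ("10.0.1.25", "203.0.113.10", "TCP", 80),    # nothing matches port 80: default deny
        ("10.0.5.9", "198.51.100.53", "UDP", 53),    # allowed by AllowDNS
        ("10.0.1.25", "203.0.113.11", "ICMP", None), # ICMP has no port; '*' in the deny rule matches
    ]
    for f in flows:
        print(f, "->", evaluate(RULES, *f))
```

The second flow is the instructive one: it is explicitly allowed by AllowOutboundHTTPS, but the deny rule at priority 100 is consulted first and wins, which is why the best-practice advice below asks for critical deny rules to carry lower numbers than the allow rules they are meant to override.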

Network Rule Collections

Network rules are grouped into Network Rule Collections. Each rule collection has a priority and a rule type (Network or Application). The priority of a rule collection determines the order in which rule collections are evaluated.

Field               Description
ruleCollectionType  Specifies whether the collection contains network rules or application rules.
priority            Determines the order of rule collection processing. Lower numbers indicate higher priority. Must be unique within a firewall policy.
action              The default action for the rule collection (Allow or Deny).
rules               An array of individual network or application rules.

Pro Tip: Use service tags in your source and destination fields to simplify management and ensure you're always targeting the correct Microsoft Azure services.

Using Service Tags

Service tags represent a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes included in service tags and automatically updates the service tag as addresses change, reducing the complexity of frequent updates.

Examples of service tags include:

  • AzureCloud
  • Storage
  • Sql.WestUS
  • Microsoft.Storage/storageAccounts

You can configure network rules to allow or deny traffic to entire categories of Azure services, such as allowing outbound access to Azure Storage or denying access to specific public IP ranges.

Best Practices

  • Principle of Least Privilege: Only allow the traffic that is absolutely necessary.
  • Use Specific Destinations: Avoid using Any for destinations unless absolutely required.
  • Order Your Rules Carefully: Ensure your critical deny rules have higher priority (lower numbers) than your allow rules.
  • Leverage Service Tags: Simplify rule management and reduce the chance of errors.
  • Regularly Review Rules: Audit your firewall rules periodically to ensure they align with your security policies.
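The review that the last point calls for can be partly automated. The Python script below is an added example (not part of the original page and not an Azure tool) that audits a list of rules in the shape this page describes for three of the practices above: Allow rules whose destination and ports are both Any, duplicate priorities (applying the uniqueness requirement stated in the rule collection table to the rule list), and Deny rules that are shadowed by an overlapping Allow rule with a lower priority number. The sample rules (AllowAllEgress, DenySMBOutbound, AllowStorage, DuplicatePriority) are constructed for the demonstration. Service tags such as Storage have prefixes that are not known offline, so the overlap check treats a tag as overlapping only with '*' or with the identical tag; a real audit would resolve tags to their current prefixes first.

```python
import ipaddress

# Constructed rule list for the audit; every name and value here is hypothetical.
SAMPLE_RULES = [
    {"name": "AllowAllEgress", "priority": 100, "action": "Allow",
     "sourceAddresses": ["10.0.0.0/16"], "destinationAddresses": ["*"],
     "destinationPorts": ["*"], "protocols": ["Any"]},
    {"name": "DenySMBOutbound", "priority": 200, "action": "Deny",
     "sourceAddresses": ["10.0.0.0/16"], "destinationAddresses": ["*"],
     "destinationPorts": ["445"], "protocols": ["TCP"]},
    {"name": "AllowStorage", "priority": 300, "action": "Allow",
     "sourceAddresses": ["10.0.1.0/24"], "destinationAddresses": ["Storage"],
     "destinationPorts": ["443"], "protocols": ["TCP"]},
    {"name": "DuplicatePriority", "priority": 300, "action": "Allow",
     "sourceAddresses": ["10.0.2.0/24"], "destinationAddresses": ["203.0.113.0/24"],
     "destinationPorts": ["22"], "protocols": ["TCP"]},
]


def _is_cidr(s):
    try:
        ipaddress.ip_network(s, strict=False)
        return True
    except ValueError:
        return False


def _addrs_overlap(a_list, b_list):
    """True if two address lists could match the same IP. '*' overlaps
    everything; CIDRs are compared as networks; a service tag (any non-CIDR
    string) is assumed to overlap only '*' or the identical tag, because its
    prefixes are not resolved in this offline example."""
    for a in a_list:
        for b in b_list:
            if a == "*" or b == "*" or a == b:
                return True
            if _is_cidr(a) and _is_cidr(b):
                na = ipaddress.ip_network(a, strict=False)
                nb = ipaddress.ip_network(b, strict=False)
                if na.overlaps(nb):
                    return True
    return False


def _port_range(p):
    """Expand '*', '443' or '1000-2000' into an inclusive (low, high) tuple."""
    if p == "*":
        return (0, 65535)
    if "-" in p:
        lo, hi = p.split("-", 1)
        return (int(lo), int(hi))
    return (int(p), int(p))


def _ports_overlap(a_list, b_list):
    for a in a_list:
        alo, ahi = _port_range(a)
        for b in b_list:
            blo, bhi = _port_range(b)
            if alo <= bhi and blo <= ahi:
                return True
    return False


def _protos_overlap(a_list, b_list):
    a = {p.lower() for p in a_list}
    b = {p.lower() for p in b_list}
    return "any" in a or "any" in b or bool(a & b)


def _rules_overlap(r1, r2):
    """True if some single flow could match both rules."""
    return (_addrs_overlap(r1["sourceAddresses"], r2["sourceAddresses"])
            and _addrs_overlap(r1["destinationAddresses"], r2["destinationAddresses"])
            and _protos_overlap(r1["protocols"], r2["protocols"])
            and _ports_overlap(r1["destinationPorts"], r2["destinationPorts"]))


def audit(rules):
    """Return a list of (rule_name, finding) tuples for the practices checked."""
    findings = []
    seen = {}
    for r in rules:
        # Least privilege / specific destinations: Allow with Any destination and Any port.
        if (r["action"] == "Allow" and "*" in r["destinationAddresses"]
                and "*" in r["destinationPorts"]):
            findings.append((r["name"], "allow rule with Any destination and Any port"))
        # Priority uniqueness.
        if r["priority"] in seen:
            findings.append((r["name"], f"priority {r['priority']} also used by {seen[r['priority']]}"))
        else:
            seen[r["priority"]] = r["name"]
    # Ordering: a Deny rule never fires for flows that an overlapping Allow with a
    # lower priority number already matched.
    for deny in (r for r in rules if r["action"] == "Deny"):
        for allow in (r for r in rules if r["action"] == "Allow" and r["priority"] < deny["priority"]):
            if _rules_overlap(deny, allow):
                findings.append((deny["name"],
                                 f"deny rule shadowed by allow rule {allow['name']} (priority {allow['priority']})"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

On the sample list the audit reports three findings: AllowAllEgress is an Allow to Any on Any port, DuplicatePriority reuses priority 300, and DenySMBOutbound is shadowed because AllowAllEgress at priority 100 already permits every flow the deny was written to block.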