Azure Firewall Rule Processing
This document explains the processing order of Azure Firewall rules, which is crucial for understanding how traffic is allowed or denied through your network.
Rule Processing Order
Azure Firewall processes rules in a fixed order to determine the fate of each new connection. Rules are terminating: the first match decides the action and nothing further is evaluated for that flow. The order is as follows:
- Network Rules: These rules are evaluated first (after any DNAT rules, if inbound NAT is configured) and apply to Layer 3 and Layer 4 criteria (source and destination IP addresses, destination ports, protocols).
- Application Rules: Evaluated only if no network rule matched, and only for HTTP, HTTPS and MSSQL traffic. These rules apply at Layer 7 (FQDNs and FQDN tags).
- Network Security Groups (NSGs): Not part of Azure Firewall rule processing at all. NSGs attached to the source and destination subnets or NICs are evaluated by the Azure network stack independently of the firewall, so traffic must be permitted by both the NSG and the firewall to pass.
Detailed Breakdown of Network Rule Processing
Network rule collections are processed in the following sequence:
- Rule Collection Priority: Collections are evaluated in priority order, from the lowest number (100) to the highest (65000). A lower number means higher priority.
- Rules within a Collection: A collection has a single action (Allow or Deny) that applies to every rule in it; the rules themselves are only match criteria. The first rule that matches the flow applies the collection's action, and no further rules or collections are evaluated.
- No Match: If no network rule in any collection matches, the traffic is not denied yet; evaluation continues with the application rules.
Detailed Breakdown of Application Rule Processing
Application rule collections are processed in the same manner:
- Rule Collection Priority: Collections are evaluated from the lowest priority number to the highest, independently of the network rule collection priorities (an application collection at priority 100 is still evaluated after a network collection at priority 65000).
- Rules within a Collection: The collection's single action applies to the first rule whose source addresses, protocol/port and target FQDN all match the flow.
- Default Deny: If no application rule matches either, the traffic is denied. This implicit deny also covers non-HTTP/HTTPS/MSSQL traffic that no network rule matched, because application rules cannot match it.
Important Note: Azure Firewall processes network rules before application rules, regardless of the priority numbers assigned to the collections. If any network rule matches, the flow is allowed or denied by that collection's action and the application rules are never consulted for it.
Rule Types and Their Scope
Network Rules
Network rules are ideal for controlling traffic based on:
- Source IP address/range
- Destination IP address/range
- Destination port
- Protocol (TCP, UDP, ICMP, Any)
Application Rules
Application rules extend filtering to Layer 7 for HTTP, HTTPS and MSSQL traffic, based on:
- Fully Qualified Domain Names (FQDNs), including wildcard entries such as *.windowsupdate.com
- FQDN tags (e.g., WindowsUpdate, WindowsDiagnostics, AzureBackup)
- Protocol and port: Http (80), Https (443) and Mssql (1433)
- SQL FQDNs, via the Mssql protocol
Application rules do not inspect HTTP headers or methods. For HTTP the FQDN is taken from the Host header; for HTTPS it is taken from the TLS Server Name Indication (SNI) in the ClientHello, so TLS does not have to be terminated for FQDN filtering to work.
Tip: Use FQDN tags whenever possible for easier management and to automatically include Azure service endpoints.
Example Scenario
Consider the following rules configured in Azure Firewall:
Network Rules
Rule Collection Name: AllowWebTraffic
  Priority: 100
  Action: Allow
  Rules:
  - Name: AllowHTTP
    Protocol: TCP
    Source Addresses: '*'
    Destination Addresses: '*'
    Destination Ports: 80
Rule Collection Name: DenyInternal
  Priority: 110
  Action: Deny
  Rules:
  - Name: BlockSpecificInternalIP
    Protocol: Any
    Source Addresses: 10.0.1.0/24
    Destination Addresses: 10.0.0.5
    Destination Ports: '*'
Application Rules
Rule Collection Name: AllowAzureServices
  Priority: 200
  Action: Allow
  Rules:
  - Name: AllowWindowsUpdate
    Source Addresses: 10.0.1.0/24
    Target FQDNs:
    - *.windowsupdate.com
    - *.update.microsoft.com
    Protocol: Http, Https
Rule Collection Name: AllowAllOther
  Priority: 210
  Action: Allow
  Rules:
  - Name: AllowAll
    Source Addresses: '*'
    Target FQDNs: '*'
    Protocol: Http, Https
Let's trace the processing of an HTTP request from an internal client (10.0.1.10) to www.example.com on port 80:
- Network Rules Evaluation:
  - The AllowWebTraffic collection (priority 100) is checked first.
  - The AllowHTTP rule matches (TCP, any source, any destination, port 80).
  - The collection's action, Allow, is applied and evaluation stops.
- Application Rules Evaluation:
  - Not performed. A network rule already matched, so the application rules are never consulted for this flow, and the FQDN www.example.com plays no part in the decision. Any destination on port 80 would have been allowed by the same rule.
Now consider an HTTPS request from the same client (10.0.1.10) to www.microsoft.com on port 443:
- Network Rules Evaluation:
  - The AllowWebTraffic collection (priority 100) is checked. AllowHTTP does not match, because the destination port is 443, not 80.
  - The DenyInternal collection (priority 110) is checked. BlockSpecificInternalIP does not match, because the destination is not 10.0.0.5.
  - No network rule matches, so the firewall proceeds to the application rules.
- Application Rules Evaluation:
  - The FQDN www.microsoft.com is read from the TLS SNI of the client's ClientHello.
  - The AllowAzureServices collection (priority 200) is checked. AllowWindowsUpdate does not match: www.microsoft.com matches neither *.windowsupdate.com nor *.update.microsoft.com.
  - The AllowAllOther collection (priority 210) is checked. AllowAll matches any FQDN over Http or Https.
  - The collection's action, Allow, is applied.
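The two traces above, plus three flows the page does not walk through, run through a small Python model of the evaluation order. This is an added example written for this page, not Azure Firewall's own code. It assumes a simplified matcher over the fields the example rules use, takes the FQDN of a web flow as given rather than extracting it from the Host header or SNI, ignores DNAT rules and threat intelligence, and uses constructed 203.0.113.x addresses for the public sites. The third flow exposes a priority pitfall in the example configuration: HTTP to 10.0.0.5 from the "blocked" range is allowed, because AllowWebTraffic (100) matches before DenyInternal (110) is ever reached; the last flow shows the implicit deny when nothing matches.

```python
"""Toy model of Azure Firewall classic rule processing (added example, not
Azure's implementation): network collections by priority, then application
collections by priority, first match terminates, implicit deny otherwise.
Assumptions: the FQDN of a web flow is supplied directly (the real firewall
reads it from the Host header or TLS SNI); DNAT rules and threat intelligence
are not modelled; all IP addresses are constructed sample values."""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Flow:
    src: str
    dst_ip: str
    dst_port: int
    protocol: str               # "TCP", "UDP" or "ICMP"
    fqdn: Optional[str] = None  # Host header / SNI, if the flow carries one


def ip_in(pattern: str, ip: str) -> bool:
    """'*' matches anything; otherwise test CIDR or single-address containment."""
    return pattern == "*" or ip_address(ip) in ip_network(pattern, strict=False)


@dataclass
class NetworkRule:
    name: str
    protocols: Set[str]         # e.g. {"TCP"} or {"Any"}
    sources: List[str]
    destinations: List[str]
    ports: Set[int]             # empty set means any port ('*')

    def matches(self, f: Flow) -> bool:
        return (("Any" in self.protocols or f.protocol in self.protocols)
                and any(ip_in(s, f.src) for s in self.sources)
                and any(ip_in(d, f.dst_ip) for d in self.destinations)
                and (not self.ports or f.dst_port in self.ports))


@dataclass
class ApplicationRule:
    name: str
    sources: List[str]
    target_fqdns: List[str]     # glob patterns such as *.windowsupdate.com
    ports: Set[int]             # Http -> 80, Https -> 443

    def matches(self, f: Flow) -> bool:
        # Application rules can only match flows that carry an FQDN.
        return (f.fqdn is not None and f.dst_port in self.ports
                and any(ip_in(s, f.src) for s in self.sources)
                and any(fnmatch(f.fqdn.lower(), t.lower()) for t in self.target_fqdns))


@dataclass
class RuleCollection:
    name: str
    priority: int               # 100-65000; lower number is evaluated first
    action: str                 # one action per collection: "Allow" or "Deny"
    rules: list


def evaluate(network: List[RuleCollection], application: List[RuleCollection],
             flow: Flow) -> Tuple[str, Optional[str], List[str]]:
    """Return (action, 'collection/rule' that decided it or None, trace of collections visited)."""
    trace = []
    for kind, collections in (("network", network), ("application", application)):
        for coll in sorted(collections, key=lambda c: c.priority):
            hit = next((r for r in coll.rules if r.matches(flow)), None)
            if hit is not None:  # terminating: nothing after this is evaluated
                trace.append(f"{kind} {coll.name} ({coll.priority}): {hit.name} -> {coll.action}")
                return coll.action, f"{coll.name}/{hit.name}", trace
            trace.append(f"{kind} {coll.name} ({coll.priority}): no match")
    trace.append("no match in any collection -> implicit Deny")
    return "Deny", None, trace


# The page's example configuration.
NETWORK = [
    RuleCollection("AllowWebTraffic", 100, "Allow", [
        NetworkRule("AllowHTTP", {"TCP"}, ["*"], ["*"], {80})]),
    RuleCollection("DenyInternal", 110, "Deny", [
        NetworkRule("BlockSpecificInternalIP", {"Any"}, ["10.0.1.0/24"], ["10.0.0.5"], set())]),
]
APPLICATION = [
    RuleCollection("AllowAzureServices", 200, "Allow", [
        ApplicationRule("AllowWindowsUpdate", ["10.0.1.0/24"],
                        ["*.windowsupdate.com", "*.update.microsoft.com"], {80, 443})]),
    RuleCollection("AllowAllOther", 210, "Allow", [
        ApplicationRule("AllowAll", ["*"], ["*"], {80, 443})]),
]

if __name__ == "__main__":
    flows = {  # 203.0.113.x are constructed placeholders for the public sites
        "page trace 1, HTTP to www.example.com": Flow("10.0.1.10", "203.0.113.10", 80, "TCP", "www.example.com"),
        "page trace 2, HTTPS to www.microsoft.com": Flow("10.0.1.10", "203.0.113.20", 443, "TCP", "www.microsoft.com"),
        "pitfall, HTTP to 10.0.0.5 from the blocked range": Flow("10.0.1.10", "10.0.0.5", 80, "TCP"),
        "SSH to 10.0.0.5 from the blocked range": Flow("10.0.1.10", "10.0.0.5", 22, "TCP"),
        "SSH to 10.0.0.5 from another subnet": Flow("10.0.2.10", "10.0.0.5", 22, "TCP"),
    }
    for label, flow in flows.items():
        action, decided_by, trace = evaluate(NETWORK, APPLICATION, flow)
        print(f"{label}: {action} via {decided_by}")
        for step in trace:
            print("   ", step)
```

Running the script prints each flow's decision together with the collections it passed through, which is the same information Azure Firewall writes to its network and application rule logs. Swapping the priorities of AllowWebTraffic and DenyInternal in NETWORK (or narrowing AllowHTTP's destination) and rerunning shows how the third flow flips to Deny.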
Best Practices
- Organize rules into rule collections by purpose (for example, one collection per application or team) for clarity and easier management.
- Assign priorities deliberately and leave gaps between them (100, 200, 300, ...) so that new collections can be inserted later without renumbering.
- Put the most specific rules, and in particular Deny collections, at higher priority (lower numbers) than broad Allow collections. In the example above, DenyInternal (110) never blocks port 80 traffic to 10.0.0.5, because AllowWebTraffic (100) already allows TCP/80 from any source to any destination.
- Remember that network rules are evaluated before application rules regardless of priority numbers: a broad network Allow on ports 80 and 443 makes every application rule for those ports unreachable.
- Azure Firewall denies unmatched traffic by default, so a catch-all deny rule is not required. If you add one to make the intent explicit, give it the highest priority number so that it is evaluated last and does not shadow intended Allow collections.
- Leverage FQDN tags for common Azure services.
- Regularly review and audit your firewall rules, and use the network and application rule logs to find collections that never match.