Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
707 questions
How to allow outbound web traffic only
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 16%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
ADM Stawik, Lukas
0
Reputation points
Hello,
I have setup an Azure Firewall and routes to control all traffic via the Azure Firewall. The firewall is deploy in the Hub and attached to an Express route circuit (Hub/Spoke)
Additionally I have setup a rule collection group with the priority of 64800 and it has 3 collections:
- NetworkRule: Deny all (Source: Any, Destination: Any, Protocol: Any, Port: Any) with priority 65000
- NetworkRule: Allow access to on-premise (Source: my Azure ranges, Destination: On-prem ranges) with priority 100
- ApplicationRule: Allow web traffic to the Internet (Source: my Azure ranges, Destination FQDNs: Any, Port/protocol: https/443, http/80) with priority 200
However, the application rule is ignored and traffic is blocked by the "Deny all" rule and I am not able to access any webpages via port 443.
Is there any other way to just allow web traffic (http/https) via the firewall or what I am doing wrong?
Thank you and best regards
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 2,825 Reputation points Microsoft Vendor2025-01-10T12:48:57.15+00:00 Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
NOTE: Application rules are always processed after Network rules, which are processed after DNAT rules regardless of Rule collection group or Rule collection priority and policy inheritance.
So, to summarize:
Parent policy always takes precedence.
- Rule collection groups are processed in priority order.
- Rule collections are processed in priority order.
- DNAT rules, then Network rules, then Application rules are processed.
Reorder the Rules: Please prioritize the "Allow web traffic to the Internet" rule above the "Deny all" rule. Given that the "Deny all" rule has a priority of 65000, set the priority of the "Allow web traffic" rule to a value lower than 65000 but higher than 100. For instance, you may set it to 150.
- First, change the network priority to 200 and the application priority rule to 100. This will allow access to web pages because network rules are processed before application rules.
- Ensure the application rule has a higher priority than the deny rule. With the deny rule set to 65000, your application rule at priority 200 should be processed first.
- If there are other conflicting rules, adjust their priorities accordingly
If above is unclear and/or you are unsure about something add a comment below.
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Regards,
Ganesh
Sign in to comment
Sign in to answer