How to allow outbound web traffic only

ADM Stawik, Lukas 0 Reputation points
2025-01-10T08:47:53.7+00:00

Hello,

I have set up an Azure Firewall and routes to control all traffic via the Azure Firewall. The firewall is deployed in the Hub and attached to an ExpressRoute circuit (Hub/Spoke).

Additionally, I have set up a rule collection group with the priority of 64800 and it has 3 collections:

  1. NetworkRule: Deny all (Source: Any, Destination: Any, Protocol: Any, Port: Any) with priority 65000
  2. NetworkRule: Allow access to on-premises (Source: my Azure ranges, Destination: On-prem ranges) with priority 100
  3. ApplicationRule: Allow web traffic to the Internet (Source: my Azure ranges, Destination FQDNs: Any, Port/protocol: https/443, http/80) with priority 200

However, the application rule is ignored and traffic is blocked by the "Deny all" rule and I am not able to access any webpages via port 443.

Is there any other way to just allow web traffic (http/https) via the firewall, or what am I doing wrong?

Thank you and best regards


1 answer

  1. Ganesh Patapati 3,290 Reputation points Microsoft Vendor
    2025-01-10T12:48:57.15+00:00

    @ADM Stawik, Lukas

    Greetings!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    NOTE: Application rules are always processed after Network rules, which are processed after DNAT rules regardless of Rule collection group or Rule collection priority and policy inheritance.

    So, to summarize:

    Parent policy always takes precedence.

    1. Rule collection groups are processed in priority order.
    2. Rule collections are processed in priority order.
    3. DNAT rules, then Network rules, then Application rules are processed.

    Reorder the Rules: Please prioritize the "Allow web traffic to the Internet" rule above the "Deny all" rule. Given that the "Deny all" rule has a priority of 65000, set the priority of the "Allow web traffic" rule to a value lower than 65000 but higher than 100. For instance, you may set it to 150.

    1. First, change the network priority to 200 and the application priority rule to 100. This will allow access to web pages because network rules are processed before application rules.
    2. Ensure the application rule has a higher priority than the deny rule. With the deny rule set to 65000, your application rule at priority 200 should be processed first.
    3. If there are other conflicting rules, adjust their priorities accordingly.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/rule-processing#rule-processing-using-firewall-policy

    Please try to analyse the below example steps and configure rules:

    Try to adjust the rule collection groups and Priorities:

    Rule Collection Group 1 (Priority: 100)

    • Application Rule Collection (Priority: 100):
      • Allow web traffic:
        • Source: Azure ranges
        • Destination FQDNs: *
        • Protocol/Ports: HTTPS/443, HTTP/80
        • Action: Allow

    Rule Collection Group 2 (Priority: 200): (Higher priority than the Application Rule Collection Group)

    • Network Rule Collection (Priority: 100):
      • Allow Web Traffic to On-Premises:
        • Source: Azure ranges
        • Destination: On-prem ranges
        • Protocol: Any
        • Action: Allow

    Rule Collection Group 3 (Priority: 64800): (Lower priority than the above)

    • Network Rule Collection (Priority: 65000):
      • Deny All:
        • Source: Any
        • Destination: Any
        • Protocol: Any
        • Action: Deny

    1. The Application Rule Collection Group now has the highest priority, which means it will be evaluated first.
    2. If traffic matches the Allow web traffic rule (HTTPS/HTTP traffic), it will be allowed at the application rule level.
    3. If traffic is destined for your on-premises network, the Allow Web Traffic to On-Premises will permit it.
    4. Only traffic that doesn't match the above rules will fall through to the Deny All rule.

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Regards,

    Ganesh

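The answer's note states that network rules are always evaluated before application rules, regardless of rule collection group or collection priority. The following Python model (added here as an illustration; it is not Azure's code and not part of the question or answer) applies exactly that documented order to the rule set described in the question, so you can check which rule a given flow would hit before changing anything in the portal. The address ranges, the flows and the rule names are constructed sample values; the final fall-through to "implicit-deny" models the firewall's default of denying traffic that matches no rule.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Documented evaluation order: DNAT, then Network, then Application rules,
# independent of group/collection priority (priority only orders *within* a type).
RULE_TYPE_ORDER = ("DNAT", "NetworkRule", "ApplicationRule")


@dataclass
class Rule:
    name: str
    action: str                 # "Allow" or "Deny"
    sources: list[str]          # CIDRs, or "*" for any
    destinations: list[str]     # CIDRs or "*" (network rules only)
    ports: list[str]            # port numbers, or "*"
    fqdns: list[str] = field(default_factory=list)  # application rules only


@dataclass
class Collection:
    name: str
    rule_type: str              # one of RULE_TYPE_ORDER
    priority: int
    rules: list[Rule]


@dataclass
class Group:
    name: str
    priority: int
    collections: list[Collection]


@dataclass
class Flow:
    src: str
    dst_ip: str
    dst_port: int
    fqdn: str | None = None     # only known for HTTP/HTTPS (application) traffic


def _ip_in(ip: str, specs: list[str]) -> bool:
    return any(s == "*" or ip_address(ip) in ip_network(s, strict=False) for s in specs)


def _port_in(port: int, specs: list[str]) -> bool:
    return any(s == "*" or int(s) == port for s in specs)


def _fqdn_in(fqdn: str | None, specs: list[str]) -> bool:
    return fqdn is not None and any(s == "*" or s == fqdn for s in specs)


def evaluate(policy: list[Group], flow: Flow) -> tuple[str, str]:
    """Return (action, rule name) for the first matching rule in documented order."""
    for rule_type in RULE_TYPE_ORDER:                      # type order first ...
        for group in sorted(policy, key=lambda g: g.priority):           # ... then group priority
            for coll in sorted(group.collections, key=lambda c: c.priority):  # ... then collection
                if coll.rule_type != rule_type:
                    continue
                for rule in coll.rules:
                    if not _ip_in(flow.src, rule.sources):
                        continue
                    if rule_type == "ApplicationRule":
                        matched = _fqdn_in(flow.fqdn, rule.fqdns) and _port_in(flow.dst_port, rule.ports)
                    else:
                        matched = _ip_in(flow.dst_ip, rule.destinations) and _port_in(flow.dst_port, rule.ports)
                    if matched:
                        return rule.action, rule.name
    return "Deny", "implicit-deny"   # nothing matched: firewall default deny


# Constructed sample ranges standing in for "my Azure ranges" / "On-prem ranges".
AZURE_RANGES = ["10.10.0.0/16"]
ONPREM_RANGES = ["192.168.0.0/16"]


def build_policy(explicit_deny_all: bool, web_priority: int = 200, deny_priority: int = 65000) -> list[Group]:
    """The question's single group (priority 64800), optionally without the explicit Deny-all."""
    colls = [
        Collection("allow-onprem", "NetworkRule", 100,
                   [Rule("allow-onprem", "Allow", AZURE_RANGES, ONPREM_RANGES, ["*"])]),
        Collection("allow-web", "ApplicationRule", web_priority,
                   [Rule("allow-web", "Allow", AZURE_RANGES, [], ["80", "443"], ["*"])]),
    ]
    if explicit_deny_all:
        colls.append(Collection("deny-all", "NetworkRule", deny_priority,
                                [Rule("deny-all", "Deny", ["*"], ["*"], ["*"])]))
    return [Group("rcg", 64800, colls)]


# Constructed sample flows.
WEB_FLOW = Flow("10.10.1.4", "203.0.113.10", 443, fqdn="www.example.com")
ONPREM_FLOW = Flow("10.10.1.4", "192.168.5.5", 445)
SSH_OUT_FLOW = Flow("10.10.1.4", "203.0.113.10", 22)


def demo() -> dict[str, tuple[str, str]]:
    """Outcomes for the question's setup, after re-prioritising, and without the explicit deny."""
    return {
        "web, as in the question": evaluate(build_policy(True), WEB_FLOW),
        "web, web rule prio 100 / deny prio 65000": evaluate(build_policy(True, web_priority=100), WEB_FLOW),
        "web, explicit deny-all removed": evaluate(build_policy(False), WEB_FLOW),
        "on-prem SMB, explicit deny-all removed": evaluate(build_policy(False), ONPREM_FLOW),
        "outbound SSH, explicit deny-all removed": evaluate(build_policy(False), SSH_OUT_FLOW),
    }


if __name__ == "__main__":
    for scenario, (action, rule) in demo().items():
        print(f"{scenario:45s} -> {action} ({rule})")
```

Running it shows that, under the documented order, a Deny-all network rule is reached before any application rule whatever priorities the two carry, and that outbound SSH still ends at the default deny once the explicit Deny-all is gone, so a restrictive posture does not depend on that rule.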
