Azure Firewall configuration issue

Martinmajestic-3285 60 Reputation points
2024-12-06T02:59:46.8033333+00:00

Hi,

I'm new to Azure and I have a couple of queries regarding Azure Firewall:

  1. Is it ok to use a NSG at Azure Firewall subnet level in a Virtual Network?
  2. I have made some changes to my Firewall and all of a sudden it is showing provisioning state failed. I don't know what went wrong.

Please help me with the above queries. Thanks


Accepted answer
  Sai Prasanna Sinde 2,685 Reputation points Microsoft Vendor
    2024-12-06T03:25:34.4933333+00:00

    Hi @Martinmajestic-3285,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Adding to the points provided by Marcin Policht, I am adding some reference documents so that you can get a better understanding.

    For your reference: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq?source=recommendations#are-network-security-groups--nsgs--supported-on-the-azurefirewallsubnet

    For your reference: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq?source=recommendations#what-does--provisioning-state--failed--mean-

    If the above is unclear and/or you are unsure about something, add a comment below.

    Please don’t forget to close the thread by clicking "Accept the answer" if the information provided helps you, as this can be beneficial to other community members.

    Thanks,

    Sai.


1 additional answer
  Marcin Policht 30,985 Reputation points MVP
    2024-12-06T03:10:09.02+00:00

    1. Using an NSG at the Azure Firewall Subnet Level:

    No, it is not recommended to associate a Network Security Group (NSG) with the Azure Firewall subnet in a Virtual Network. Azure Firewall is a fully managed service that enforces network traffic rules. Adding an NSG to the Azure Firewall subnet can interfere with its operation because the NSG might block or filter traffic that Azure Firewall requires to function properly.

    Key Considerations:

    • Azure Firewall manages traffic filtering and rules, so NSGs are unnecessary on its subnet.
    • If you apply an NSG, it could unintentionally block outbound traffic that Azure Firewall needs to access, such as:
      • Connectivity to the Azure platform for updates.
      • Logs sent to Azure Monitor.
      • Access to the Azure Key Vault for certificate management (if configured).

    Best Practice:

    • Avoid applying NSGs to the Azure Firewall subnet.
    • Let Azure Firewall handle traffic management as it is designed to do so comprehensively.

    A Provisioning State of Failed indicates that an issue occurred during a configuration change. This could be due to several reasons:

    Common causes:

    1. Incorrect Configuration:
      • Misconfigured firewall rules, routes, or policies.
      • Invalid IP addresses or ranges in rules.
    2. NSG Applied to the Firewall Subnet:
      • If an NSG is blocking required Azure Firewall traffic, it may cause provisioning or operational issues.
    3. Conflicting Route Tables:
      • Incorrect routing in the associated route table might disrupt traffic flow needed for Azure Firewall's operation.
    4. Platform Issues:
      • A temporary Azure platform issue can sometimes cause provisioning to fail.

    How to Resolve:

    1. Verify Firewall Configuration:
      • Check the changes you made before the failure occurred.
      • Validate the firewall rules and routes for correctness.
    2. Remove the NSG:
      • If you applied an NSG to the Azure Firewall subnet, remove it.
    3. Route Table Check:
      • Ensure that the route table associated with the Azure Firewall subnet directs all traffic to the Firewall (0.0.0.0/0 next hop to Firewall).
    4. View Activity Log:
      • In the Azure portal, navigate to the Activity Log for the Firewall to identify any specific errors or failed operations.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth Marcin

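An offline triage script that walks three of the checks above (NSG on the firewall subnet, provisioning state, failed operations in the Activity Log). It is an added example, not code from either answer or from Microsoft: it reads JSON shaped like the output of `az network vnet subnet show`, `az network firewall show` and `az monitor activity-log list` (real ARM field names), but the sample values and the `<sub>` placeholder are constructed.

```python
"""Offline triage for the checklist above: reads JSON shaped like the output of
`az network vnet subnet show`, `az network firewall show` and
`az monitor activity-log list` (ARM field names); sample values are constructed."""
import json

# Constructed sample: an NSG wrongly attached to AzureFirewallSubnet ("<sub>" is a placeholder).
SUBNET_JSON = json.dumps({
    "name": "AzureFirewallSubnet",
    "networkSecurityGroup": {"id": "/subscriptions/<sub>/resourceGroups/rg-hub/providers/"
                                   "Microsoft.Network/networkSecurityGroups/nsg-hub"},
})
# Constructed sample: firewall left in the Failed provisioning state.
FIREWALL_JSON = json.dumps({"name": "fw-hub", "provisioningState": "Failed"})
# Constructed sample: two Activity Log entries, one of them a failed write.
ACTIVITY_JSON = json.dumps([
    {"operationName": {"value": "Microsoft.Network/azureFirewalls/write"},
     "status": {"value": "Failed"},
     "properties": {"statusMessage": "<status message as shown in the Activity Log>"}},
    {"operationName": {"value": "Microsoft.Network/azureFirewalls/read"},
     "status": {"value": "Succeeded"}, "properties": {}},
])

def audit(subnet: dict, firewall: dict, events: list) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    # Check 1: NSGs are not supported on AzureFirewallSubnet (Azure Firewall FAQ).
    nsg = subnet.get("networkSecurityGroup")
    if subnet.get("name") == "AzureFirewallSubnet" and nsg:
        findings.append("NSG attached to AzureFirewallSubnet: "
                        f"{nsg['id'].rsplit('/', 1)[-1]} (detach it)")
    # Check 2: any provisioning state other than Succeeded needs investigation.
    state = firewall.get("provisioningState")
    if state != "Succeeded":
        findings.append(f"Firewall {firewall.get('name')} provisioningState={state}")
    # Check 3: failed operations in the Activity Log identify which change failed.
    for ev in events:
        if ev.get("status", {}).get("value") == "Failed":
            op = ev.get("operationName", {}).get("value")
            msg = ev.get("properties", {}).get("statusMessage", "")
            findings.append(f"Failed operation {op}: {msg}")
    return findings

def audit_samples() -> list:
    """Run the audit over the constructed samples above."""
    return audit(json.loads(SUBNET_JSON), json.loads(FIREWALL_JSON), json.loads(ACTIVITY_JSON))

if __name__ == "__main__":
    for finding in audit_samples():
        print("FINDING:", finding)
```

To run it against a real hub, replace the three constants with the JSON the corresponding `az` commands return; the route table step from the answer is not covered here and is checked by hand.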
