Dear sidhrane,
Thank you for reaching out with your query regarding Azure Firewall configuration. I understand the issue you're facing, and I’ll guide you through resolving it.
The core of the problem lies in the way Azure Firewall prioritizes network rules over application rules. Since your network rule (priority 3600) is blocking all traffic to ports 80 and 443, the application rule in GRP2 is not being evaluated. To address this, you can achieve your goal by using application rules exclusively, as they are better suited for allowing specific URLs while blocking all other traffic.
Here’s how you can resolve the issue:
**Remove the Network Rule**: Delete the network rule (priority 3600) that blocks traffic to ports 80 and 443. This rule is causing all traffic to be blocked before the application rule is evaluated.
**Configure Application Rules in GRP2**: In GRP2 (priority 450), create an application rule to allow the 3 specific URLs. Then, add another application rule to explicitly block all other internet traffic. For example:
**Application Rule 1 (Allow)**:
Priority: 1000
Source: Set of VMs IPs
Protocol: HTTP/HTTPS
Target FQDNs: `example.com`, `example2.com`, `example3.com`
**Application Rule 2 (Deny)**:
Priority: 2000
Source: Set of VMs IPs
Protocol: HTTP/HTTPS
Target FQDNs: `*` (wildcard to block all other traffic)
**Ensure GRP2 Has Higher Priority**: Since GRP2 has a priority of 450 (higher than GRP1's priority of 500), its rules will be evaluated first. This ensures that the application rules are processed before any network rules in GRP1.
By using application rules only, you can explicitly allow the 3 specific URLs and block all other traffic. This approach avoids the issue of network rules taking precedence over application rules. Additionally, the wildcard application rule (`*`) ensures that all traffic not explicitly allowed by the first rule is blocked.
If you must use network rules for some reason, you can leverage FQDN tags in network rules. However, this approach is less flexible and may not fully meet your requirements. For example, you could create a network rule to allow traffic to the 3 specific URLs using FQDN tags and another network rule to block all other traffic.
In summary, the recommended solution is to use application rules exclusively to allow the 3 URLs and block all other traffic. This ensures that your configuration works as intended without conflicts between network and application rules.
Please let me know if you need further assistance or clarification.
Best regards,
Alex
P.S. If you found the answer helpful, please click on Upvote and Accept Answer. This will help other community members.
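As an added illustration (editor's example, not part of the answer above), here is the GRP2 rule collection group from the answer expressed as a Bicep template for an Azure Firewall Policy. In Firewall Policy the priority and the Allow/Deny action sit on the rule collection rather than on the individual rule, so "Application Rule 1 (Allow)" and "Application Rule 2 (Deny)" become two application rule collections with priorities 1000 and 2000 inside GRP2 (priority 450). The policy name `fwpol-hub` and the VM source range `10.0.1.0/24` are assumptions; the three FQDNs are the placeholders used in the answer.

```bicep
// Added example, not code from the original thread. Assumes an existing
// Azure Firewall Policy named 'fwpol-hub' in the deployment's resource group
// and VMs in 10.0.1.0/24 (both hypothetical values).

param policyName string = 'fwpol-hub'            // assumed existing Firewall Policy
param vmSourceAddresses array = ['10.0.1.0/24']  // assumed VM address range
param allowedFqdns array = ['example.com', 'example2.com', 'example3.com']

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: policyName
}

// GRP2 at priority 450. Lower number = evaluated earlier. Both collections
// hold only application rules, so nothing here is a network rule.
resource grp2 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'GRP2'
  properties: {
    priority: 450
    ruleCollections: [
      {
        // "Application Rule 1 (Allow)" from the answer: priority 1000
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-three-fqdns'
        priority: 1000
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-specific-urls'
            sourceAddresses: vmSourceAddresses
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            targetFqdns: allowedFqdns
          }
        ]
      }
      {
        // "Application Rule 2 (Deny)" from the answer: priority 2000,
        // wildcard target so anything not matched above is blocked.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-all-other-web'
        priority: 2000
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'deny-everything-else'
            sourceAddresses: vmSourceAddresses
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            targetFqdns: ['*']
          }
        ]
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file grp2.bicep` and confirm the result with `az network firewall policy rule-collection-group show --policy-name fwpol-hub --name GRP2 --resource-group <rg>`: the output should list the Allow collection at 1000 before the Deny collection at 2000, with no network rule collection in the group. Keep the two collections in that order; if the Deny collection were given the lower number it would match the wildcard first and the three FQDNs would never be reached.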