Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
731 questions
Unexpected Behavior with Azure Firewall Draft Rules – Existing Rule Collections Deleted
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 71%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Aleksandr
0
Reputation points
Hi Everyone,
I recently started using the new Draft mode feature in Azure Firewall for staging access rules. However, I’ve encountered an unexpected issue and wanted to check if others have experienced the same.
Steps to Reproduce:
Enable Draft mode in an Azure Firewall policy.
Create or edit a rule collection (e.g., "Allow-Web") within the draft.
While the draft is active, attempt to add a new rule collection (e.g., "Allow-DB") in the same rule group.
Observed Behavior:
After saving the new rule collection, all other existing rule collections in the group are deleted, leaving only the newly created one. This occurs even if no deletions were manually triggered.
Expected Behavior:
Adding a new rule collection in draft mode should preserve existing collections until the draft is finalized.
Has anyone else faced this issue? If so, were you able to identify a workaround or root cause? Any insights or guidance would be greatly appreciated!
Browser: [Chrome \ MS Edge]
Thank you!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 4,320 Reputation points Microsoft External Staff2025-03-12T19:12:27.0266667+00:00 Hi Aleksandr
NOTE: Azure Firewall Draft + Deploy is currently in Preview and is provided without a service-level agreement. so, it shouldn't be used for production workloads. Certain features might not be supported, might have constrained capabilities, or might not be available in all Azure locations.
As a work around you can try the below steps which may help.
To preserve existing rule collections while adding new ones in Draft mode:
- Before adding a new rule collection (e.g., "Allow-DB"), first clone the existing rule collections (e.g., "Allow-Web") into the draft. This ensures the draft includes both old and new configurations.
- Add the new rule collection to the draft. This way, the draft contains all desired rule collections (existing + new rules).
- then, finalize the draft to apply changes. Now all rule collections (old and new) will now coexist in the rule group.
Can you please update us if the action plan provided by was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Sign in to comment
Sign in to answer