Merge pull request #119603 from GonzaloMurillo/patch-1

Update rule-processing.md

Author: Jak-MS

articles/firewall/rule-processing.md

@@ -31,6 +31,12 @@ If a Firewall Policy is inherited from a parent policy, Rule Collection Groups i
 
 Here's an example policy:
 
+Assuming BaseRCG1 is a rule collection group priority (200) that contains the rule collections: DNATRC1, DNATRC3,NetworkRC1.\
+BaseRCG2 is a rule collection group priority (300) that contains the rule collections: AppRC2, NetworkRC2.\
+ChildRCG1 is a rule collection group priority (200) that contains the rule collections: ChNetRC1, ChAppRC1.\
+ChildRCG2 is a rule collection group that contains the rule collections: ChNetRC2, ChAppRC2,ChDNATRC3.
+
+As per following table:
 
 |Name  |Type  |Priority  |Rules  |Inherited from
 |---------|---------|---------|---------|-------|
@@ -49,7 +55,32 @@ Here's an example policy:
 |ChAppRC2      |     Application rule collection    |2000         |7         |-|
 |ChDNATRC3     | DNAT rule collection        | 3000        |  2       |-|
 
-The rule processing is in the following order: DNATRC1, DNATRC3, ChDNATRC3, NetworkRC1, NetworkRC2, ChNetRC1, ChNetRC2, AppRC2, ChAppRC1, ChAppRC2.
+Initial Processing:
+
+The process begins by examining the rule collection group (RCG) with the lowest number, which is BaseRCG1 with a priority of 200. Within this group, it searches for DNAT rule collections and evaluates them according to their priorities. In this case, DNATRC1 (priority 600) and DNATRC3 (priority 610) are found and processed accordingly.\
+Next, it moves to the next RCG, BaseRCG2 (priority 200), but finds no DNAT rule collection.\
+Following that, it proceeds to ChildRCG1 (priority 300), also without a DNAT rule collection.\
+Finally, it checks ChildRCG2 (priority 650) and finds the ChDNATRC3 rule collection (priority 3000).
+
+Iteration Within Rule Collection Groups:
+
+Returning to BaseRCG1, the iteration continues, this time for NETWORK rules. Only NetworkRC1 (priority 800) is found.\
+Then, it moves to BaseRCG2, where NetworkRC2 (priority 1300) is located.\
+Moving on to ChildRCG1, it discovers ChNetRC1 (priority 700) as the NETWORK rule.\
+Lastly, in ChildRCG2, it finds ChNetRC2 (priority 1100) as the NETWORK rule collection.
+
+Final Iteration for APPLICATION Rules:
+
+Returning to BaseRCG1, the process iterates for APPLICATION rules, but none are found.\
+In BaseRCG2, it identifies AppRC2 (priority 1200) as the APPLICATION rule.\
+In ChildRCG1, ChAppRC1 (priority 900) is found as the APPLICATION rule.\
+Finally, in ChildRCG2, it locates ChAppRC2 (priority 2000) as the APPLICATION rule.
+
+**In summary, the rule processing sequence is as follows: DNATRC1, DNATRC3, ChDNATRC3, NetworkRC1, NetworkRC2, ChNetRC1, ChNetRC2, AppRC2, ChAppRC1, ChAppRC2.**
+
+This process involves analyzing rule collection groups by priority, and within each group, ordering the rules according to their priorities for each rule type (DNAT, NETWORK, and APPLICATION).
+
+So first all the DNAT rules are processed from all the rule collection groups, analysing the rule collection groups by order of priority and ordering the DNAT rules within each rule collection group by order of priority. Then the same process for NETWORK rules, and finally for APPLICATION rules.
 
 For more information about Firewall Policy rule sets, see [Azure Firewall Policy rule sets](policy-rule-sets.md).