Commit 427e0f6

committed
freshness review - March 2025
1 parent 8418ab2 commit 427e0f6

1 file changed

+10
-10
lines changed

articles/firewall/fqdn-filtering-network-rules.md

Lines changed: 10 additions & 10 deletions
@@ -5,32 +5,32 @@ services: firewall
55
author: duongau
66
ms.service: azure-firewall
77
ms.topic: concept-article
8-
ms.date: 05/10/2024
8+
ms.date: 03/17/20255
99
ms.author: duau
1010
ms.custom: engagement-fy23
1111
---
1212

1313
# Use FQDN filtering in network rules
1414

15-
A fully qualified domain name (FQDN) represents a domain name of a host or one or more IP addresses. You can use FQDNs in network rules based on DNS resolution in Azure Firewall and Firewall policy. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable DNS Proxy to use FQDNs in your network rules. For more information, see [Azure Firewall DNS settings](dns-settings.md).
15+
A fully qualified domain name (FQDN) represents the complete domain name of a host or one or more IP addresses. In Azure Firewall and Firewall policy, you can use FQDNs in network rules based on DNS resolution. This feature allows you to filter outbound traffic using any TCP/UDP protocol, including NTP, SSH, and RDP. To use FQDNs in your network rules, you must enable DNS Proxy. For more information, see [Azure Firewall DNS settings](dns-settings.md).
1616

1717
> [!NOTE]
18-
> By design, FQDN filtering in network rules doesnt support wildcards
18+
> FQDN filtering in network rules doesn't support wildcards by design.
1919
2020
## How it works
2121

22-
Once you define which DNS server your organization needs (Azure DNS or your own custom DNS), Azure Firewall translates the FQDN to an IP address or addresses based on the selected DNS server. This translation happens for both application and network rule processing.
22+
First, define the DNS server your organization uses (either Azure DNS or a custom DNS). Azure Firewall then translates the FQDN to an IP address or addresses based on the chosen DNS server. This translation applies to both application and network rule processing.
2323

24-
When a new DNS resolution takes place, new IP addresses are added to firewall rules. Old IP addresses expire in 15 minutes when the DNS server no longer returns them. Azure Firewall rules are updated every 15 seconds from DNS resolution of the FQDNs in network rules.
24+
When a new DNS resolution occurs, new IP addresses are added to the firewall rules. Old IP addresses expire after 15 minutes if the DNS server no longer returns them. Azure Firewall updates its rules every 15 seconds based on the DNS resolution of the FQDNs in network rules.
2525

26-
### Differences in application rules vs. network rules
26+
### Differences between application rules and network rules
2727

28-
- FQDN filtering in application rules for HTTP/S and MSSQL is based on an application level transparent proxy and the SNI header. As such, it can discern between two FQDNs that are resolved to the same IP address. This isn't the case with FQDN filtering in network rules.
28+
- FQDN filtering in application rules for HTTP/S and MSSQL relies on an application-level transparent proxy and the SNI header. This allows it to differentiate between two FQDNs that resolve to the same IP address. This capability isn't available with FQDN filtering in network rules.
2929

30-
Always use application rules when possible:
31-
- If the protocol is HTTP/S or MSSQL, use application rules for FQDN filtering.
30+
Always use application rules when possible:
31+
- For HTTP/S or MSSQL protocols, use application rules for FQDN filtering.
3232
- For services like AzureBackup and HDInsight, use application rules with FQDN tags.
33-
- For any other protocols, you can use network rules for FQDN filtering.
33+
- For other protocols, use network rules for FQDN filtering.
3434

3535
## Next steps
3636

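Review bot: the replacement front-matter line `ms.date: 03/17/20255` near the top of the hunk carries a five-digit year, so the freshness date this commit is meant to set is not a valid date; it should read `ms.date: 03/17/2025`. The prose rewrites further down the hunk (the FQDN definition, the wildcard note, the refresh-interval paragraph and the application-rule vs. network-rule list) preserve the original meaning and need no change.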