You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/firewall/fqdn-filtering-network-rules.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,27 +5,27 @@ services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: article
8
-
ms.date: 10/28/2022
8
+
ms.date: 05/10/2024
9
9
ms.author: victorh
10
10
ms.custom: engagement-fy23
11
11
---
12
12
13
13
# Use FQDN filtering in network rules
14
14
15
-
A fully qualified domain name (FQDN) represents a domain name of a host or IP address(es). You can use FQDNs in network rules based on DNS resolution in Azure Firewall and Firewall policy. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable DNS Proxy to use FQDNs in your network rules. For more information see [Azure Firewall DNS settings](dns-settings.md).
15
+
A fully qualified domain name (FQDN) represents a domain name of a host or one or more IP addresses. You can use FQDNs in network rules based on DNS resolution in Azure Firewall and Firewall policy. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable DNS Proxy to use FQDNs in your network rules. For more information, see [Azure Firewall DNS settings](dns-settings.md).
16
16
17
17
> [!NOTE]
18
18
> By design, FQDN filtering in network rules doesn’t support wildcards
19
19
20
20
## How it works
21
21
22
-
Once you define which DNS server your organization needs (Azure DNS or your own custom DNS), Azure Firewall translates the FQDN to an IP address(es) based on the selected DNS server. This translation happens for both application and network rule processing.
22
+
Once you define which DNS server your organization needs (Azure DNS or your own custom DNS), Azure Firewall translates the FQDN to an IP address or addresses based on the selected DNS server. This translation happens for both application and network rule processing.
23
23
24
-
When a new DNS resolution takes place, new IP addresses are added to firewall rules. Old IP addresses that are no longer returned by the DNS server expire in 15 minutes. Azure Firewall rules are updated every 15 seconds from DNS resolution of the FQDNs in network rules.
24
+
When a new DNS resolution takes place, new IP addresses are added to firewall rules. Old IP addresses expire in 15 minutes when the DNS server no longer returns them. Azure Firewall rules are updated every 15 seconds from DNS resolution of the FQDNs in network rules.
25
25
26
26
### Differences in application rules vs. network rules
27
27
28
-
- FQDN filtering in application rules for HTTP/S and MSSQL is based on an application level transparent proxy and the SNI header. As such, it can discern between two FQDNs that are resolved to the same IP address. This is not the case with FQDN filtering in network rules.
28
+
- FQDN filtering in application rules for HTTP/S and MSSQL is based on an application level transparent proxy and the SNI header. As such, it can discern between two FQDNs that are resolved to the same IP address. This isn't the case with FQDN filtering in network rules.
29
29
30
30
Always use application rules when possible:
31
31
- If the protocol is HTTP/S or MSSQL, use application rules for FQDN filtering.
0 commit comments