You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/firewall/policy-rule-sets.md
+6-7Lines changed: 6 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: article
8
-
ms.date: 01/04/2023
8
+
ms.date: 05/09/2024
9
9
ms.author: victorh
10
10
---
11
11
@@ -17,7 +17,7 @@ Firewall Policy is a top-level resource that contains security and operational s
17
17
18
18
## Rule collection groups
19
19
20
-
A rule collection group is used to group rule collections. They're the first unit to be processed by the Azure Firewall and they follow a priority order based on values. There are three default rule collection groups, and their priority values are preset by design. They're processed in the following order:
20
+
A rule collection group is used to group rule collections. They're the first unit that the firewall processes, and they follow a priority order based on values. There are three default rule collection groups, and their priority values are preset by design. They're processed in the following order:
21
21
22
22
23
23
|Rule collection group name |Priority |
@@ -28,7 +28,7 @@ A rule collection group is used to group rule collections. They're the first uni
28
28
29
29
Even though you can't delete the default rule collection groups nor modify their priority values, you can manipulate their processing order in a different way. If you need to define a priority order that is different than the default design, you can create custom rule collection groups with your wanted priority values. In this scenario, you don't use the default rule collection groups at all and use only the ones you create to customize the processing logic.
30
30
31
-
Rule collection groups contain one or multiple rule collections, which can be of type DNAT, network, or application. For example, you can group rules belonging to the same workloads or a VNet in a rule collection group.
31
+
Rule collection groups contain one or multiple rule collections, which can be of type DNAT, network, or application. For example, you can group rules belonging to the same workloads or a virtual in a rule collection group.
32
32
33
33
For rule collection group size limits, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits).
34
34
@@ -47,10 +47,9 @@ Rule types must match their parent rule collection category. For example, a DNAT
47
47
48
48
## Rules
49
49
50
-
A rule belongs to a rule collection, and it specifies which traffic is allowed or denied in your network. They're the third unit to be processed by the firewall and they don't follow a priority order based on values. The processing logic for rules follows a top-down approach. All traffic that passes through the firewall is evaluated by the defined rules for an allow or deny match. If there's no rule that allows the traffic, then the traffic is denied by default.
51
-
52
-
For application rules, the traffic is processed by our built-in [infrastructure rule collection](infrastructure-fqdns.md) before it's denied by default.
50
+
A rule belongs to a rule collection, and it specifies which traffic is allowed or denied in your network. They're the third unit that the firewall processes and they don't follow a priority order based on values. The processing logic for rules follows a top-down approach. The firewall uses defined rules to evaluate all traffic passing through the firewall to determine whether it matches an allow or deny condition. If there's no rule that allows the traffic, then the traffic is denied by default.
53
51
52
+
Our built-in [infrastructure rule collection](infrastructure-fqdns.md) processes traffic for application rules before denying it by default.
54
53
### Inbound vs. outbound
55
54
56
55
An **inbound** firewall rule protects your network from threats that originate from outside your network (traffic sourced from the Internet) and attempts to infiltrate your network inwardly.
@@ -67,7 +66,7 @@ There are three types of rules:
67
66
68
67
#### DNAT rules
69
68
70
-
DNAT rules allow or deny inbound traffic through the firewall public IP address(es).
69
+
DNAT rules allow or deny inbound traffic through one or more firewall public IP addresses.
71
70
You can use a DNAT rule when you want a public IP address to be translated into a private IP address. The Azure Firewall public IP addresses can be used to listen to inbound traffic from the Internet, filter the traffic and translate this traffic to internal resources in Azure.
0 commit comments