articles/firewall/policy-rule-sets.md
21 additions & 26 deletions
@@ -5,56 +5,56 @@ services: firewall
author: duongau
ms.service: azure-firewall
ms.topic: concept-article
-
ms.date: 05/09/2024
+
ms.date: 03/17/2025
ms.author: duau
---
# Azure Firewall Policy rule sets
-
Firewall Policy is a top-level resource that contains security and operational settings for Azure Firewall. You can use Firewall Policy to manage rule sets that the Azure Firewall uses to filter traffic. Firewall policy organizes, prioritizes, and processes the rule sets based on a hierarchy with the following components: rule collection groups, rule collections, and rules.
+
Firewall Policy is a top-level resource that contains security and operational settings for Azure Firewall. It allows you to manage rule sets that Azure Firewall uses to filter traffic. Firewall Policy organizes, prioritizes, and processes rule sets based on a hierarchy with the following components: rule collection groups, rule collections, and rules.
:::image type="content" source="media/policy-rule-sets/policy-rule-sets.png" alt-text="Azure Policy rule set hierarchy":::
## Rule collection groups
-
A rule collection group is used to group rule collections. They're the first unit that the firewall processes, and they follow a priority order based on values. There are three default rule collection groups, and their priority values are preset by design. They're processed in the following order:
+
A rule collection group is used to group rule collections. It is the first unit processed by the firewall and follows a priority order based on values. There are three default rule collection groups with preset priority values, processed in the following order:
| Default Application rule collection group | 300 |
-
|Rule collection group name |Priority |
-
|---------|---------|
-
|Default DNAT (Destination Network Address Translation) rule collection group |100|
-
|Default Network rule collection group |200|
-
|Default Application rule collection group |300|
+
Although you cannot delete the default rule collection groups or modify their priority values, you can change the processing order by creating custom rule collection groups with your desired priority values. In this case, you would not use the default rule collection groups and instead use only the custom ones to define the processing logic.
-
Even though you can't delete the default rule collection groups nor modify their priority values, you can manipulate their processing order in a different way. If you need to define a priority order that is different than the default design, you can create custom rule collection groups with your wanted priority values. In this scenario, you don't use the default rule collection groups at all and use only the ones you create to customize the processing logic.
-
-
Rule collection groups contain one or multiple rule collections, which can be of type DNAT, network, or application. For example, you can group rules belonging to the same workloads or a virtual in a rule collection group.
+
Rule collection groups contain one or multiple rule collections, which can be of type DNAT, network, or application. For example, you can group rules belonging to the same workloads or a virtual network in a rule collection group.
For rule collection group size limits, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits).
## Rule collections
-
A rule collection belongs to a rule collection group, and it contains one or multiple rules. They're the second unit processed by the firewall and they follow a priority order based on values. Rule collections must have a defined action (allow or deny) and a priority value. The defined action applies to all the rules within the rule collection. The priority value determines order the rule collections are processed.
-
+
A rule collection belongs to a rule collection group and contains one or more rules. It is the second unit processed by the firewall and follows a priority order based on values. Each rule collection must have a defined action (allow or deny) and a priority value. The action applies to all rules within the collection, and the priority value determines the order in which the rule collections are processed.
+
There are three types of rule collections:
- DNAT
- Network
- Application
-
Rule types must match their parent rule collection category. For example, a DNAT rule can only be part of a DNAT rule collection.
+
The rule types must match their parent rule collection category. For example, a DNAT rule can only be part of a DNAT rule collection.
## Rules
-
A rule belongs to a rule collection, and it specifies which traffic is allowed or denied in your network. They're the third unit that the firewall processes and they don't follow a priority order based on values. The processing logic for rules follows a top-down approach. The firewall uses defined rules to evaluate all traffic passing through the firewall to determine whether it matches an allow or deny condition. If there's no rule that allows the traffic, then the traffic is denied by default.
+
A rule belongs to a rule collection and specifies which traffic is allowed or denied in your network. It is the third unit processed by the firewall and does not follow a priority order based on values. The firewall processes rules in a top-down approach, evaluating all traffic against the defined rules to determine if it matches an allow or deny condition. If no rule allows the traffic, it is denied by default.
Our built-in [infrastructure rule collection](infrastructure-fqdns.md) processes traffic for application rules before denying it by default.
+
### Inbound vs. outbound
-
An **inbound** firewall rule protects your network from threats that originate from outside your network (traffic sourced from the Internet) and attempts to infiltrate your network inwardly.
+
An **inbound** firewall rule protects your network from threats originating outside your network (traffic sourced from the Internet) attempting to infiltrate inwardly.
-
An **outbound** firewall rule protects against nefarious traffic that originates internally (traffic sourced from a private IP address within Azure) and travels outwardly. This is usually traffic from within Azure resources being redirected via the Firewall before reaching a destination.
+
An **outbound** firewall rule protects against malicious traffic originating internally (traffic sourced from a private IP address within Azure) and traveling outwardly. This typically involves traffic from within Azure resources being redirected via the Firewall before reaching a destination.
### Rule types
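Review bot: The image line kept as unchanged context still has alt text "Azure Policy rule set hierarchy"; since the article is about Azure Firewall Policy (and Azure Policy is a separate service), this edit is a good opportunity to change it to "Azure Firewall Policy rule set hierarchy". Two smaller points on the rewritten paragraphs: the new rules paragraph says rules "do not follow a priority order based on values" and are processed "in a top-down approach" but still leaves open whether evaluation stops at the first matching rule, which is the thing a reader configuring allow and deny collections actually needs to know, so consider adding that sentence; and "attempting to infiltrate inwardly" / "traveling outwardly" are redundant next to "inbound" and "outbound", so "attempting to infiltrate your network" and "traveling to an external destination" read more cleanly. Finally, the rewrite systematically expands contractions ("They're" to "It is", "can't" to "cannot", "don't" to "would not") although the rest of the doc set uses them; I would keep the contractions so the page matches its neighbours. On the priority table, the additions side shows only "| Default Application rule collection group | 300 |" while all six original table lines are deleted, so please confirm the header row, separator row and the DNAT and Network rows survived the reformatting, otherwise the table will not render.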
@@ -66,21 +66,16 @@ There are three types of rules:
#### DNAT rules
-
DNAT rules allow or deny inbound traffic through one or more firewall public IP addresses.
-
You can use a DNAT rule when you want a public IP address to be translated into a private IP address. The Azure Firewall public IP addresses can be used to listen to inbound traffic from the Internet, filter the traffic and translate this traffic to internal resources in Azure.
+
DNAT rules manage inbound traffic through one or more firewall public IP addresses. Use a DNAT rule to translate a public IP address into a private IP address. Azure Firewall public IP addresses can listen to inbound traffic from the Internet, filter it, and translate it to internal Azure resources.
#### Network rules
-
Network rules allow or deny inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4).
-
You can use a network rule when you want to filter traffic based on IP addresses, any ports, and any protocols.
-
+
Network rules control inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4). Use a network rule to filter traffic based on IP addresses, ports, and protocols.
#### Application rules
-
Application rules allow or deny outbound and east-west traffic based on the application layer (L7).
-
You can use an application rule when you want to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
-
+
Application rules manage outbound and east-west traffic based on the application layer (L7). Use an application rule to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
## Next steps
-
-Learn more about Azure Firewall rule processing:[Configure Azure Firewall rules](rule-processing.md).
+
-To learn more about how Azure Firewall processes rules, see[Configure Azure Firewall rules](rule-processing.md).
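Review bot: The new Next steps line carries over the old line's missing space before the link ("see[Configure Azure Firewall rules](rule-processing.md)"), so the link text runs into "see" when rendered; it should be "see [Configure Azure Firewall rules](rule-processing.md)". In the three rule-type paragraphs, the rewrite replaces "allow or deny inbound traffic" with "manage inbound traffic", and likewise "control" for network rules and "manage" for application rules. The allow-or-deny wording was the security-relevant content of those sentences, because it tells the reader that a rule of each type can be a deny as well as an allow; "manage" and "control" are vaguer, so I would keep "allow or deny" in all three, for example "DNAT rules allow or deny inbound traffic through one or more firewall public IP addresses."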