Commit be7cbe0

add some info about rule names and priority
1 parent a2cb4c1 commit be7cbe0

1 file changed

+6
-4
lines changed


articles/firewall/rule-processing.md

Lines changed: 6 additions & 4 deletions
@@ -5,23 +5,25 @@ services: firewall
55
author: vhorne
66
ms.service: firewall
77
ms.topic: article
8-
ms.date: 03/10/2020
8+
ms.date: 04/10/2020
99
ms.author: victorh
1010
---
1111

1212
# Azure Firewall rule processing logic
13-
You can configure NAT rules, network rules, and applications rules on Azure Firewall. The rules are processed according to the rule type.
13+
You can configure NAT rules, network rules, and applications rules on Azure Firewall. Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000. A rule collection name can have only letters, numbers, underscores, periods, or hyphens. It must begin with a letter or number, and end with a letter, number or underscore. The maximum name length is 80 characters.
14+
15+
It's best to initially space your rule collection priority numbers in 100 increments (100, 200, 300, and so on) so you have room to add more rule collections if needed.
1416

1517
> [!NOTE]
1618
> If you enable threat intelligence-based filtering, those rules are highest priority and are always processed first. Threat-intelligence filtering may deny traffic before any configured rules are processed. For more information, see [Azure Firewall threat intelligence-based filtering](threat-intel.md).
1719
18-
## Outbound
20+
## Outbound connectivity
1921

2022
### Network rules and applications rules
2123

2224
If you configure network rules and application rules, then network rules are applied in priority order before application rules. The rules are terminating. So if a match is found in a network rule, no other rules are processed. If there is no network rule match, and if the protocol is HTTP, HTTPS, or MSSQL, then the packet is then evaluated by the application rules in priority order. If still no match is found, then the packet is evaluated against the [infrastructure rule collection](infrastructure-fqdns.md). If there is still no match, then the packet is denied by default.
2325

24-
## Inbound
26+
## Inbound connectivity
2527

2628
### NAT rules
2729

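Review bot: the added paragraph under "# Azure Firewall rule processing logic" documents constraints for a rule collection name only, while the commit message says "rule names and priority"; if individual rules inside a collection have their own naming rules, document them in the same paragraph, otherwise narrow the commit message. The priority sentence "in priority order, lower numbers to higher numbers from 100 to 65,000" leaves the reader to infer that a lower number means higher priority; state it directly, for example "processed in priority order from 100 (highest priority) to 65,000 (lowest)", which also matches the later advice to space priorities in 100 increments. Minor: "applications rules" survives unchanged on the rewritten line and in the "### Network rules and applications rules" heading; it should read "application rules", consistent with "application rules" in the outbound paragraph below.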