This chapter covers Azure Firewall Policy and Rule Collections, a critical component for centrally managing network security across Azure environments. For the AZ-104 exam, this topic is part of Objective 4.5 (Configure and manage Azure Firewall) and typically appears in 10-15% of networking questions. Understanding how policies, rule collections, and rules work together is essential for designing secure, scalable hub-and-spoke topologies. We will dive deep into the architecture, priority logic, rule types, and integration with Azure Firewall Manager.
Jump to a section
Imagine a corporate office building with a single main entrance staffed by a security guard. The guard has a policy book (Azure Firewall Policy) with rules organized into sections (Rule Collections). Each section is labeled with a priority number. When a visitor arrives, the guard checks the policy book from the lowest priority number upward. The first rule that matches the visitor's identity and purpose determines what happens: allow entry, deny entry, or inspect their bag (application filtering). The guard can also rewrite the visitor's name badge (NAT) to hide internal employee names. The policy book can be shared across multiple buildings (child firewalls) but each building can have its own local annotations. If the guard finds no matching rule, the visitor is denied entry by default. This ensures that every decision is explicit and logged.
What is Azure Firewall Policy?
Azure Firewall Policy is a resource that defines a set of rules governing traffic flow through one or more Azure Firewall instances. It replaces the older approach of configuring rules directly on each firewall. With policy, you create a single policy and associate it with multiple firewalls, ensuring consistent security rules across your environment. The policy is versioned and can be deployed to multiple regions. It supports three rule collection types: DNAT (Destination Network Address Translation), Network, and Application. Each rule collection has a priority (100–65000) and a collection action (Allow or Deny). Rules within a collection are evaluated in priority order, and the first matching rule determines the action.
How It Works Internally
When a packet arrives at an Azure Firewall, the firewall performs the following steps in order: 1. DNAT rule processing: Check DNAT rule collections first (lowest priority number first). If a match is found, the destination address/port is translated, and the packet is forwarded to the internal target. No further rule processing occurs for that packet. 2. Network rule processing: If no DNAT match, check Network rule collections (lowest priority first). Network rules filter based on source IP, destination IP, protocol (TCP/UDP/ICMP), and port. The first match determines the action (Allow/Deny). If Deny, the packet is dropped. 3. Application rule processing: If no Network rule match, check Application rule collections (lowest priority first). Application rules filter based on fully qualified domain names (FQDNs), HTTP/HTTPS headers, and TLS Server Name Indication (SNI). The first match determines the action. Application rules only apply to outbound traffic destined for the internet or Azure services. 4. Default deny: If no rule in any collection matches, the packet is denied by default.
Key Components, Values, Defaults, and Timers
Policy inheritance: A parent policy can be assigned to child firewalls. Child policies can override parent rules by adding local rule collections with higher priority (lower number). The parent policy is always evaluated before child additions.
Rule collection priority: Ranges from 100 to 65000. Lower numbers are evaluated first. It is best practice to group rules logically and leave gaps (e.g., 100, 200, 300) for future insertions.
Rule collection group: A logical grouping of rule collections within a policy. Each group has its own priority. The default group is "DefaultRuleCollectionGroup". You can create custom groups for better organization.
Threat intelligence: Can be enabled in policy to allow or alert on traffic from/to known malicious IPs and domains. It is evaluated after DNAT but before Network and Application rules.
IDPS (Intrusion Detection and Prevention): When enabled, it inspects traffic for malicious patterns. It can be configured in the policy to alert, deny, or allow based on signatures.
TLS inspection: Terminates inbound TLS connections, inspects the traffic, and re-encrypts before forwarding. Requires a certificate.
Default timeouts: Idle timeout for TCP connections is 4 minutes; for UDP it is 4 minutes. These are not configurable per policy.
Configuration and Verification Commands
Policies are managed via Azure Portal, Azure CLI, PowerShell, or ARM templates. Common CLI commands:
# Create a firewall policy
az network firewall policy create --name MyPolicy --resource-group MyRG --location eastus
# Add a rule collection group
az network firewall policy rule-collection-group create --name MyGroup --priority 200 --policy-name MyPolicy --resource-group MyRG
# Add a network rule collection
az network firewall policy rule-collection-group collection add-filter-collection \
--resource-group MyRG --policy-name MyPolicy --rcg-name MyGroup \
--name AllowWeb --priority 100 --action Allow \
--rule-name AllowHTTP --rule-type Network --source-addresses '*' \
--destination-addresses '10.0.0.4' --destination-ports 80 --protocols TCP
# Show effective rules for a firewall
az network firewall show --name MyFirewall --resource-group MyRG --query 'ipConfigurations[0].privateIPAddress'To verify policy application, use Azure Firewall Manager's "Effective Rules" view or run diagnostic logs. The firewall logs all rule matches (allow/deny) to Azure Monitor.
Interaction with Related Technologies
Azure Firewall Manager: Central management plane for deploying policies to multiple firewalls. It also manages Virtual WAN secured hubs.
Azure Virtual WAN: Firewall policies can be associated with secured virtual hubs, providing a global transit network with centralized security.
Azure Policy: Can be used to enforce that all firewalls use a specific parent policy (e.g., deny creation of policies without parent).
Network Security Groups (NSGs): NSGs operate at subnet or NIC level and are stateless. Azure Firewall is stateful and operates at the network perimeter. They complement each other: NSGs provide micro-segmentation, firewall provides centralized filtering.
Azure DDoS Protection: Can be enabled on the virtual network where the firewall is deployed, but the firewall itself is not a DDoS mitigation device.
Rule Processing Order Details
When a packet enters the firewall, the processing order is strict: 1. DNAT rules (lowest priority first) 2. Threat intelligence (if enabled) – if threat found, action taken (alert/deny) and packet is not processed further 3. Network rules (lowest priority first) 4. Application rules (lowest priority first) 5. Default deny
Important: DNAT rules are evaluated before any other rules. This means that even if a Network rule denies traffic to a public IP, a DNAT rule with higher priority (lower number) will still translate and forward the packet. Also, Network rules can override Application rules if a match occurs earlier in the chain.
Rule Collection Group Priority
Each rule collection group has a priority (100–65000). Within a group, rule collections are evaluated by their priority. Groups are evaluated in priority order. This allows you to organize rules into categories (e.g., infrastructure, internet, DMZ) and control the order of evaluation across groups.
Policy Analytics and Insights
Azure Firewall Manager provides Policy Analytics, which shows how many times each rule has been hit, allowing you to identify unused or overpermissive rules. This is critical for hardening.
Performance Considerations
Policy size: A single policy can have up to 50 rule collection groups, each with up to 100 rule collections, and each collection up to 1000 rules. Total rules per policy: 50,000 (Network + Application). Exceeding limits causes deployment failures.
Latency: Additional rules increase processing time slightly, but Azure Firewall is designed for line-rate performance up to 100 Gbps (depending on SKU).
SNAT ports: For outbound traffic, the firewall uses SNAT. Each flow consumes a port. Default port range is 2496 per firewall public IP. For large-scale outbound, use multiple public IPs or a NAT gateway.
Summary of Rule Types
DNAT Rule: Filters inbound traffic to a public IP. Translates destination IP/port to an internal resource. Action is always "DNAT" (not Allow/Deny).
Network Rule: Filters based on Layer 3/4 parameters (source, destination, protocol, port). Action: Allow or Deny.
Application Rule: Filters outbound traffic based on FQDN. Supports HTTP/HTTPS/TLS inspection. Action: Allow or Deny.
Each rule collection has an action (Allow/Deny) that applies to all matching rules within it. However, individual rules within a collection can have different actions? No – the collection action is applied to all rules in that collection. To have different actions, use separate rule collections.
Policy Inheritance and Override
When you assign a parent policy to a firewall, the firewall inherits all rule collections from the parent. You can then add local rule collections that are evaluated according to their priority relative to parent collections. The parent policy's rule collections are always evaluated first (they have lower priority numbers by design). Local rule collections with a lower priority number (higher priority) can override parent rules. This is a common exam scenario: a child firewall needs to allow a specific IP that the parent denies – create a local rule collection with priority lower than the parent's deny rule.
Security Baseline
By default, all traffic is denied. You must explicitly create allow rules. The firewall logs all denied traffic (if logging is enabled). Use diagnostic logs to troubleshoot.
Exam-Relevant Defaults
Default rule action: Deny
DNAT rule processing: Before all others
Rule collection priority range: 100–65000
Maximum rule collections per policy: 50,000 total (Network + Application)
Maximum rule collection groups per policy: 50
Maximum rules per collection: 1000
Threat intelligence mode: Off by default
IDPS: Off by default
TLS inspection: Requires certificate upload
Common Misconfiguration
Placing a Deny rule with high priority (low number) that accidentally blocks all traffic. Always test with a small scope first.
Forgetting that DNAT rules are processed before Network rules – a Network deny for the public IP will not block DNAT traffic.
Not leaving gaps in priority numbers – makes it hard to insert new rules later.
Verification with Logs
Enable diagnostic logs for Azure Firewall (AzureFirewallNetworkRule, AzureFirewallApplicationRule, AzureFirewallDnsProxy). Query Log Analytics:
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "Deny"
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Protocol, ActionThis helps identify blocked traffic and adjust rules.
Summary of Processing Order
DNAT
Threat Intelligence (if enabled)
Network (by priority)
Application (by priority)
Default deny
Understanding this order is crucial for designing effective policies.
Create a Firewall Policy
Navigate to Azure Firewall Manager or use CLI to create a policy. Provide a name, region, and optionally a parent policy for inheritance. The policy resource is created with a default rule collection group called 'DefaultRuleCollectionGroup' with priority 1000 (or higher if you specify). At this point, no rules exist, so all traffic is denied by default. The policy is not yet associated with any firewall.
Add Rule Collection Groups
Create rule collection groups to organize rules logically. Each group has a priority (e.g., 100, 200). Groups with lower priority numbers are evaluated first. You can have up to 50 groups per policy. For example, create a group for 'Infrastructure' with priority 100, and one for 'Internet' with priority 200. Rules within these groups will be evaluated in the order of their collection priorities.
Add DNAT Rule Collections
In the appropriate group, add a DNAT rule collection with a priority (e.g., 100). Define rules with source IP (or *), destination public IP and port, translated IP and port, and protocol (TCP/UDP). The action is implicitly 'DNAT'. These rules are evaluated first when inbound traffic arrives. If a match is found, the packet is translated and forwarded to the internal target without further rule processing.
Add Network Rule Collections
Add a Network rule collection in the desired group. Set priority and action (Allow/Deny). Define rules with source addresses, destination addresses (IPs or CIDRs), protocols, and ports. The first matching rule's action is applied. Network rules are evaluated after DNAT but before Application rules. Use Network rules for non-HTTP/HTTPS traffic like SSH, RDP, or custom ports.
Add Application Rule Collections
Add an Application rule collection with priority and action. Define rules with source addresses, FQDNs (e.g., *.microsoft.com), protocols (HTTP, HTTPS, or both). Application rules apply to outbound traffic only. They evaluate after Network rules. If a Network rule already allows traffic to a specific IP, the Application rule is not evaluated for that flow. Use Application rules for internet-bound traffic to control which domains are accessible.
Associate Policy with Firewall
In Azure Firewall Manager, assign the policy to one or more firewalls. The firewall will immediately start using the policy. Any existing rules directly on the firewall are overwritten. The association can be done at firewall creation or later. The policy can be shared across firewalls in different regions, ensuring consistent rules. After association, test connectivity and review logs to verify expected behavior.
Enterprise Scenario 1: Hub-and-Spoke Topology with Centralized Security
A multinational company uses Azure Virtual WAN with a secured hub in each region. They create a single parent firewall policy named 'Global-Policy' that contains baseline Network rules (allow RDP from admin IPs, deny all other inbound) and Application rules (allow *.office.com, deny all other internet). Each regional hub has a child firewall that inherits the parent policy. The regional security team adds local rule collections to allow specific SaaS applications required locally (e.g., a local CRM). They use rule collection priorities to ensure local rules are evaluated before parent rules where needed. This setup ensures consistent security baseline while allowing regional flexibility. Performance is monitored via Azure Firewall metrics (throughput, SNAT port utilization). Common issue: SNAT port exhaustion due to many outbound connections. Mitigation: add multiple public IPs to the firewall or use a NAT gateway for outbound.
Enterprise Scenario 2: E-Commerce Platform with DNAT and WAF
An e-commerce company hosts a web application on Azure VMs behind an Azure Firewall. They configure DNAT rules to translate public IP traffic to the web server's private IP on port 443. They also enable TLS inspection to decrypt and inspect HTTPS traffic for SQL injection attempts. A parent policy defines strict Application rules to allow only traffic to the specific web server FQDN and deny all other outbound. They use IDPS to detect and block exploit attempts. Misconfiguration: initially, they placed a Network rule that denied all inbound traffic from the internet, forgetting that DNAT rules are processed first. The DNAT still worked, but they thought the deny was effective. After logs showed traffic flowing, they corrected by removing the Network deny. They also learned to use threat intelligence to block known malicious IPs.
Enterprise Scenario 3: Mergers and Acquisitions
After an acquisition, two companies need to connect their Azure environments. They use Azure Firewall Manager to create a policy that allows cross-connectivity between the two VNets via forced tunneling. The policy includes Network rules to allow traffic between specific IP ranges on necessary ports. They also add Application rules to allow access to common SaaS tools. The challenge is overlapping IP ranges. They use Azure Firewall's DNAT to translate overlapping addresses. This requires careful planning of NAT rules. A common mistake is to use Network rules with the same priority for both allow and deny, causing unpredictable behavior. They learned to use separate rule collections with distinct priorities.
What Goes Wrong When Misconfigured
Overly permissive rules: Allowing all outbound traffic defeats the purpose of a firewall. Use application rules to whitelist only necessary FQDNs.
Priority conflicts: Two rules with the same priority cause deployment failure. Always use unique priorities.
Forgetting default deny: If no rules match, traffic is denied. This can cause unexpected outages. Always test with a temporary allow rule.
Ignoring SNAT port limits: For high outbound traffic, monitor SNAT port usage and scale out with additional public IPs.
Misunderstanding rule processing order: A DNAT rule can allow inbound traffic even if a Network rule denies it. Always consider the order.
AZ-104 Objective 4.5: Configure and manage Azure Firewall
The exam tests your ability to create, configure, and manage Azure Firewall policies and rule collections. Key areas:
Understand the difference between classic rules and policy-based rules.
Know the order of rule processing: DNAT → Threat Intelligence → Network → Application → Default deny.
Be able to configure a firewall policy with rule collection groups.
Understand inheritance: parent policy vs. local rule collections.
Know default values: priority range 100–65000, maximum 50 rule collection groups, 50,000 total rules.
Common Wrong Answers on Exam Questions
"Network rules are evaluated before DNAT rules." – Wrong. DNAT is always first. Candidates confuse the order because they think of outbound traffic. Remember: inbound DNAT comes first.
"Application rules apply to inbound traffic." – Wrong. Application rules are only for outbound traffic (to internet or Azure services). Inbound traffic is handled by DNAT and Network rules.
"You can have two rule collections with the same priority." – Wrong. Priorities must be unique within a rule collection group. Duplicate priorities cause deployment errors.
"A child firewall can override any parent rule by creating a local rule with any priority." – Wrong. The local rule must have a lower priority number (higher priority) than the parent rule it wants to override. Parent rules are evaluated first only if they have lower priority numbers.
"Threat intelligence is evaluated after Application rules." – Wrong. It is evaluated after DNAT but before Network and Application rules.
Specific Numbers and Terms That Appear Verbatim
Priority range: 100 to 65000
Maximum rule collection groups per policy: 50
Maximum rule collections per group: 100
Maximum rules per collection: 1000
Total rules per policy: 50,000
Default action: Deny
DNAT action: Always "DNAT" (not Allow/Deny)
Rule collection group default name: "DefaultRuleCollectionGroup"
Parent policy vs. local: Local rules with lower priority override parent rules.
Edge Cases and Exceptions
DNAT and Network rule interaction: A DNAT rule that translates to an internal IP will bypass any Network rule that denies traffic to the public IP. However, after translation, the internal traffic is subject to Network rules on the internal network (if there are rules for the internal IP range).
Application rules with wildcards: Use FQDNs like *.contoso.com. The exam may test that you cannot use IP addresses in Application rules (they are for FQDNs only).
Threat intelligence modes: Alert, Deny, or Off. If set to Alert, traffic is allowed but logged. If Deny, traffic is blocked.
IDPS: Can be set to Alert or Deny. It inspects both inbound and outbound traffic.
Forced tunneling: When enabled, all internet-bound traffic from the firewall is routed to on-premises via VPN/ExpressRoute. This affects how Application rules work – they still apply to traffic that is forced-tunneled.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When you see a question about rule processing order, mentally trace the packet: first DNAT, then threat intelligence, then Network, then Application, then deny. If the question involves a child firewall overriding a parent rule, remember that lower priority number = higher priority. So a local rule with priority 100 overrides a parent rule with priority 200. If the question asks about Application rules, remember they only apply to outbound traffic. If the question mentions two rules with the same priority, the answer is always that it's invalid. Use these heuristics to eliminate distractors.
Azure Firewall Policy is a separate resource from the firewall; it centralizes rule management and supports inheritance.
Rule processing order: DNAT → Threat Intelligence → Network → Application → Default deny.
Rule collection priorities range from 100 to 65000; lower numbers are evaluated first.
A child firewall can override parent rules by creating local rule collections with lower priority numbers (higher priority).
Application rules only apply to outbound traffic; inbound is handled by DNAT and Network rules.
Maximum 50 rule collection groups per policy, 100 rule collections per group, 1000 rules per collection, and 50,000 total rules.
Default action is Deny; all traffic is denied unless an explicit Allow rule matches.
DNAT rules are processed before any other rules, including Network deny rules for the same public IP.
Threat intelligence and IDPS are optional features that can alert or deny traffic based on known threats.
Use Azure Firewall Manager to deploy and manage policies across multiple regions and firewalls.
These come up on the exam all the time. Here's how to tell them apart.
Classic Rules (Direct on Firewall)
Rules are configured directly on each firewall instance.
No central management; each firewall must be updated individually.
No inheritance; each firewall has its own independent rule set.
Limited to 10,000 rules per firewall.
Cannot be used with Azure Firewall Manager or Virtual WAN.
Policy-Based Rules (Firewall Policy)
Rules are defined in a policy resource that can be shared across multiple firewalls.
Central management via Azure Firewall Manager; update once, apply to many.
Supports inheritance: parent policy with child overrides.
Up to 50,000 rules per policy (Network + Application).
Required for Azure Firewall Manager and Virtual WAN secured hubs.
Mistake
Azure Firewall Policy and Azure Firewall are the same thing.
Correct
Azure Firewall is the actual firewall service that processes traffic. Azure Firewall Policy is a separate resource that defines rules and can be shared across multiple firewalls. A firewall can have either a classic rule configuration (directly on the firewall) or a policy-based configuration. Policy is the modern approach and is required for Azure Firewall Manager.
Mistake
Application rules can be used for inbound traffic.
Correct
Application rules are only for outbound traffic (from the virtual network to the internet or Azure services). Inbound traffic is controlled by DNAT rules (for port forwarding) and Network rules (for filtering). The exam tests this distinction frequently.
Mistake
Rule collections within a group are evaluated in the order they are created.
Correct
Rule collections are evaluated based on their priority number (lower number first), not creation order. You can reorder them by changing priority. This is a common point of confusion.
Mistake
A child firewall can override any parent rule by creating a local rule with any priority.
Correct
To override a parent rule, the local rule must have a lower priority number (higher priority) than the parent rule. Parent rules are evaluated first only if they have lower priority numbers. If the local rule has a higher priority number (lower priority), the parent rule will be evaluated first and may deny the traffic before the local rule is reached.
Mistake
Threat intelligence rules are evaluated after all other rules.
Correct
Threat intelligence is evaluated after DNAT rules but before Network and Application rules. If a threat is detected, the configured action (alert/deny) is taken, and no further rule processing occurs for that packet.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Firewall Policy is a separate resource that contains rules and can be shared across multiple firewalls. Classic rules are configured directly on each firewall instance. Policy supports central management, inheritance, and is required for Azure Firewall Manager and Virtual WAN. Classic rules are limited to 10,000 per firewall, while policy supports up to 50,000 rules. The exam focuses on policy-based configuration.
Create a local rule collection on the child firewall with a priority number lower than the parent rule's priority. Since lower numbers are evaluated first, the local rule will be processed before the parent rule. For example, if the parent has a deny rule at priority 200, create a local allow rule at priority 100 to allow the traffic. The local rule will match first and allow the traffic, bypassing the parent's deny.
No. Application rules are only for outbound traffic (from the virtual network to the internet or Azure services). For inbound traffic, use DNAT rules to forward ports to internal resources and Network rules to filter traffic. Application rules inspect HTTP/HTTPS headers and FQDNs, which are only relevant for outbound connections.
Deployment will fail. Priorities must be unique within a rule collection group. Azure validates this and returns an error if duplicates are detected. Always ensure each rule collection has a unique priority number. It's best practice to leave gaps (e.g., 100, 200, 300) to allow for future insertions.
Enable diagnostic logs for the firewall (AzureFirewallNetworkRule, AzureFirewallApplicationRule). Send logs to a Log Analytics workspace. Query logs to see denied flows with source IP, destination, port, and protocol. Check if any rule is matching. Also, use Azure Firewall Manager's 'Effective Rules' view to see which rules are applied. Remember that default deny applies if no rule matches.
The default action is Deny. If no rule in any rule collection matches the traffic, the packet is dropped. This is a key security principle: you must explicitly create Allow rules for legitimate traffic. The exam tests this concept often.
Yes, Azure Firewall Policy is required for securing Virtual WAN hubs. You associate the policy with the secured virtual hub, and the firewall in the hub uses that policy. This allows centralized management of security policies across multiple hubs and regions.
You've just covered Azure Firewall Policy and Rule Collections — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?