5.4 Azure Firewall and Firewall Manager
📘Microsoft Azure Networking Solutions (AZ-700)
Overview
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Networks (VNets). To control traffic through the firewall, we use Firewall rules. These rules define what traffic is allowed or denied based on IP addresses, protocols, ports, and fully qualified domain names (FQDNs).
There are three main types of Azure Firewall rules:
- Application rules
- Network rules
- NAT rules
1. Application Rules
Purpose: Control HTTP/HTTPS traffic based on domain names.
- Example scenario: Allow access to `microsoft.com` but block `example.com`.
- Works for Layer 7 traffic (application layer).
- Can also allow specific URLs or FQDNs.
Key properties of Application Rules:
| Property | Explanation |
|---|---|
| Name | Unique name for the rule |
| Source IP address | IPs or IP ranges where traffic originates |
| Protocol | Only supports HTTP and HTTPS |
| Target FQDNs | Domains you want to allow or block |
| Action | Allow or Deny |
Exam tip: Remember, Application Rules cannot filter non-HTTP traffic.
2. Network Rules
Purpose: Control TCP/UDP traffic based on IP addresses and ports.
- Example scenario: Allow database servers (port 1433) only from specific subnets.
- Works for Layer 4 traffic (transport layer).
Key properties of Network Rules:
| Property | Explanation |
|---|---|
| Name | Unique rule name |
| Source IP address | Can be single IP or range (CIDR notation) |
| Destination IP address | IP or subnet for the server you want to reach |
| Protocol | TCP, UDP, or Any |
| Destination port | Port number(s) to allow/deny |
| Action | Allow or Deny |
Exam tip: Use Network Rules for non-HTTP/S traffic, like SQL, SSH, or custom apps.
3. NAT Rules
Purpose: Handle Port Forwarding / Traffic Translation.
- Example scenario: Incoming traffic on port 80 goes to an internal web server on port 8080.
- Useful for publishing internal services to the internet while keeping internal IPs hidden.
Key properties of NAT Rules:
| Property | Explanation |
|---|---|
| Name | Unique rule name |
| Source IP address | Where the traffic originates (internet or internal) |
| Destination IP address | Azure Firewall’s public IP (frontend) |
| Protocol | TCP or UDP |
| Destination port | Port on Azure Firewall public IP |
| Translated address | Internal VM or resource IP |
| Translated port | Internal port |
Exam tip: NAT Rules are the only type that changes the destination address or port.
Configuring Firewall Rules – Step by Step
- Go to your Azure Firewall in the portal.
- Navigate to Rules → Add Rule Collection.
- Choose the Rule Collection Type
  - Application, Network, or NAT.
- Define Rule Collection Properties
  - Name, Priority (lower number = higher priority), Action (Allow/Deny).
- Add Rules
  - Add individual rules with source/destination/protocol/port or FQDN.
- Save
  - Rules are applied immediately; the firewall evaluates them in priority order.
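The same procedure carried out with the Az PowerShell module, as an added example that is not part of the original notes: one collection of each rule type is created and committed to an existing firewall. The resource group, firewall name, subnets, IPs and FQDNs are assumed placeholders.

```powershell
# Added example (not from the original notes). Assumes an existing Azure Firewall
# named 'fw-hub' in resource group 'rg-hub', the Az.Network module and an active
# Connect-AzAccount session. All IPs, subnets and FQDNs are constructed placeholders.
$fw = Get-AzFirewall -Name 'fw-hub' -ResourceGroupName 'rg-hub'

# 1. Application rule collection (Layer 7): allow only the listed FQDNs over
#    HTTP/HTTPS from the app subnet. example.com is not listed, so it is denied
#    by the firewall's default action rather than by an explicit rule.
$appRule = New-AzFirewallApplicationRule -Name 'allow-microsoft' `
    -SourceAddress '10.0.1.0/24' `
    -TargetFqdn 'microsoft.com', '*.microsoft.com' `
    -Protocol 'http:80', 'https:443'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'web-egress' `
    -Priority 200 -ActionType Allow -Rule $appRule

# 2. Network rule collection (Layer 4): SQL on TCP/1433 to one DB server,
#    only from the app subnet. No other source can reach port 1433.
$netRule = New-AzFirewallNetworkRule -Name 'allow-sql-from-app' `
    -SourceAddress '10.0.1.0/24' `
    -DestinationAddress '10.0.2.10' `
    -DestinationPort 1433 -Protocol TCP
$netColl = New-AzFirewallNetworkRuleCollection -Name 'internal-db' `
    -Priority 100 -ActionType Allow -Rule $netRule

# 3. NAT (DNAT) rule collection: port 80 on the firewall's public IP
#    (placeholder 203.0.113.10) is translated to the internal web server on 8080.
#    Narrow -SourceAddress to known client ranges where the service is not public.
$natRule = New-AzFirewallNatRule -Name 'web-dnat' `
    -SourceAddress '*' `
    -DestinationAddress '203.0.113.10' `
    -DestinationPort 80 -Protocol TCP `
    -TranslatedAddress '10.0.3.20' -TranslatedPort 8080
$natColl = New-AzFirewallNatRuleCollection -Name 'publish-web' `
    -Priority 100 -Rule $natRule

# Attach the collections and commit once. Priority is compared within a
# collection type (lower number first); NAT collections are evaluated before
# Network collections, and Network before Application.
$fw.AddApplicationRuleCollection($appColl)
$fw.AddNetworkRuleCollection($netColl)
$fw.AddNatRuleCollection($natColl)
Set-AzFirewall -AzureFirewall $fw
```

Set-AzFirewall pushes the whole firewall object, so any collection already on the firewall is kept and the three new ones are added alongside it.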
Important points:
- Priority matters: Rules with lower priority numbers are evaluated first.
- Default action: If no rules match, Azure Firewall denies the traffic.
- Rule collections: You can group multiple rules under one collection.
Best Practices
- Use separate collections for different purposes
  - Example: one for internet access, one for database servers, one for NAT.
- Use Application Rules for web traffic
  - Easier to allow/deny by domains instead of IPs.
- Use Network Rules for internal services
  - SQL, SSH, RDP, or custom TCP/UDP apps.
- Be careful with priority numbers
  - Higher-priority (lower number) rules override lower-priority rules.
- Document your rules
  - Helps with audits and troubleshooting.
Exam Tips for AZ-700
- Know the three types of rules and their differences.
- Be able to match rule types to traffic requirements:
  - HTTP/S → Application Rule
  - TCP/UDP → Network Rule
  - Port forwarding → NAT Rule
- Understand priority order and default deny behavior.
- Know how to configure rules via the portal or PowerShell (exam may ask conceptually, not necessarily hands-on).
✅ Summary Table
| Rule Type | Layer | Traffic Type | Key Use Case | Can Change Destination? |
|---|---|---|---|---|
| Application | 7 | HTTP/HTTPS | Allow/deny websites | No |
| Network | 4 | TCP/UDP | Internal apps, DBs | No |
| NAT | 4 | TCP/UDP | Port forwarding / external access | Yes |
