How to Create Network Rules in Azure Firewall
Note – you do not need to create network rules when you create NAT rules – the Azure Firewall will automatically create a hidden network rule to match the NAT rule.
The purpose of a network rule is to allow non-HTTP/S traffic between a source and destination. A network rule has 5 properties to define allowed or denied traffic:
- Name: A human-friendly label.
- Protocol: This can be TCP, UDP, ICMP (traceroute or ping) or any.
- Source Addresses: The source of the packet, which can be a wildcard (*) for everything, a specific IP address, or a CIDR block. Note that many sources can be listed, separated by a comma.
- Destination Addresses: The destination of the packet, which can be a wildcard (*) for everything, a specific IP address, or a CIDR block. Note that many destinations can be listed, separated by a comma.
- Destination Ports: What port(s) or services are listening for this traffic at the destination(s). You can specify everything (*) or a port number. Note that you can use a comma to separate multiple entries.
Network Rule Collections
A network rule collection is a set of network rules that are grouped together and share a common priority, a number from 100 to 65000. If you have multiple network rule collections, you can use this priority to order their processing as a packet is inspected. The highest priority (lowest number) is first. Once a packet is matched against a network rule – in other words the packet matches the properties of a network rule in a network rule collection – then processing is stopped. Depending on the network rule collection’s action, the packet is either allowed or denied.
A useful tip is to stagger the priority numbers. For example, you might have rule collections with priorities of 100, 200, and 300. If you later need to put something between 100 and 200, you create a new rule collection with a priority of 150.
Creating Network Rules
In this set of instructions, I will assume that you have a brand-new Azure Firewall and have no network rule collections and therefore, you have no network rules.
In the Azure Portal, open the Azure Firewall resource and click Rules. Browse to Network Rule Collection and click + Add Network Rule Collection. A pop-up blade called Add Network Rule Collection will appear.
You must configure the network rule collection:
- Name: A human-friendly label to describe the new collection of network rules.
- Priority: Order the processing of network rule collections.
- Action: Allow or deny the traffic that is pattern matched by the rules in this collection.
You then will add one or more network rules, with each rule specifying the pattern to be matched. Any traffic matching this pattern will be allowed or denied based on the Action property of the network rule collection.
I have not seen any best practices from Microsoft, but my approach at the moment is to group common functions together into a Network Rule Collection. My above example has 3 network rules to allow management from a central “jump box” virtual machine to other virtual machines that are protected by this Azure Firewall.
As you might figure out from the above screenshot, this is a hub-and-spoke scenario where the Azure Firewall resides alone in a hub virtual network (VNet), and all other services are deployed into spoke VNets. Creating the above rules will allow routing by the Azure Firewall assuming that peering between the VNets and routing on the application subnets has been done correctly.
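The same jump-box management collection built with the Az PowerShell module instead of the portal, as an added example that is not part of the original article. The resource names, the jump box address, the spoke address ranges and the three management ports (RDP, SSH, ICMP) are assumptions for illustration; the article does not state them.

```powershell
# Added example (not from the original article): create the network rule
# collection described above with Az PowerShell instead of the portal.
# Assumed values (not in the article): resource names, jump box 10.0.1.4 in the
# hub VNet, spoke ranges 10.1.0.0/16 and 10.2.0.0/16, and the management ports.
$ResourceGroup = 'rg-hub'
$FirewallName  = 'fw-hub'
$JumpBox       = '10.0.1.4'
$Spokes        = @('10.1.0.0/16', '10.2.0.0/16')

# One rule per management protocol. Each rule is a match pattern only;
# Allow/Deny comes from the collection's ActionType.
$RdpRule = New-AzFirewallNetworkRule -Name 'JumpBox-RDP' -Protocol TCP `
    -SourceAddress $JumpBox -DestinationAddress $Spokes -DestinationPort 3389
$SshRule = New-AzFirewallNetworkRule -Name 'JumpBox-SSH' -Protocol TCP `
    -SourceAddress $JumpBox -DestinationAddress $Spokes -DestinationPort 22
# Ports are mandatory even for ICMP, so '*' is used, as the portal does.
$PingRule = New-AzFirewallNetworkRule -Name 'JumpBox-ICMP' -Protocol ICMP `
    -SourceAddress $JumpBox -DestinationAddress $Spokes -DestinationPort '*'

# Priority 200 leaves room (for example 150) for a collection that must be
# evaluated before this one, following the staggering tip above.
$Collection = New-AzFirewallNetworkRuleCollection -Name 'Management-From-JumpBox' `
    -Priority 200 -ActionType Allow -Rule $RdpRule, $SshRule, $PingRule

$Firewall = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroup

# Two network rule collections cannot share a priority; fail before the
# round trip to Azure instead of on Set-AzFirewall.
if ($Firewall.NetworkRuleCollections.Priority -contains $Collection.Priority) {
    throw "A network rule collection with priority $($Collection.Priority) already exists."
}

# Append the collection to the in-memory object, then push the whole firewall
# configuration back to Azure.
$Firewall.AddNetworkRuleCollection($Collection)
Set-AzFirewall -AzureFirewall $Firewall
```

Set-AzFirewall replaces the full configuration of the firewall, so always start from a fresh Get-AzFirewall rather than a stale object held from an earlier session.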