Hello @Difan Zhao ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
As per this article, the default behavior is: NAT rules are applied in priority before network rules. However, if a match is found, an implicit corresponding network rule to allow the translated traffic is added. For security reasons, the recommended approach is to add a specific internet source to allow DNAT access to the network and avoid using wildcards.
Azure Firewall is a stateful firewall, but we internally install rules in both directions. This is by design.
In your case, the configured deny network rule is taking precedence over the implicit allow network rule due to the higher priority of the configured network rule. Hence, SSH is denied even though it is allowed in the DNAT rule.
To avoid running into this situation, we recommend that you either not add any network rule contradicting the DNAT rule, or add the network rule with the lowest priority.
Regarding the rule deployment time, it is a known issue and a fix is being investigated.
Refer: https://video2.skills-academy.com/en-us/azure/firewall/overview#known-issues
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
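The layout the answer recommends, as an added Bicep example that is not part of the thread or of any Microsoft sample: a DNAT rule restricted to a specific internet source, plus a broad deny network rule placed at the lowest priority (65000) so that it no longer overrides the implicit allow created by the DNAT match. The policy name, IP addresses, ports and priorities are assumptions chosen for illustration.

```bicep
// Added example (not from the Q&A thread). All names, addresses and priorities are assumed.
param policyName string = 'fwpolicy-example'   // assumed: existing Firewall Policy
param adminSourceIp string = '203.0.113.10'    // assumed: admin public IP (documentation range)
param firewallPublicIp string = '198.51.100.5' // assumed: firewall public IP
param backendVm string = '10.0.1.4'            // assumed: private IP of the SSH target VM

resource policy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: policyName
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: policy
  name: 'example-rcg'
  properties: {
    priority: 100
    ruleCollections: [
      // DNAT rule with a specific internet source instead of '*'.
      // A DNAT match adds an implicit network rule allowing the translated traffic,
      // so restricting the source here is the real inbound control.
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-ssh'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'ssh-to-vm'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ adminSourceIp ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '22' ]
            translatedAddress: backendVm
            translatedPort: '22'
          }
        ]
      }
      // Catch-all deny for SSH to the VM. At priority 65000 (the lowest) it is
      // evaluated after the implicit allow from the DNAT match. At a higher
      // priority (lower number) it would win and the SSH session would be denied,
      // which is the situation described in the question.
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-ssh-catchall'
        priority: 65000
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'deny-ssh-any'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ backendVm ]
            destinationPorts: [ '22' ]
          }
        ]
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep` (resource group placeholder assumed). If the deny rule serves no purpose beyond contradicting the DNAT rule, the simpler option from the answer is to omit it entirely and rely on the DNAT rule's explicit source address to bound inbound SSH.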