Azure firewall rule processing question

Difan Zhao 61 Reputation points
2021-06-28T23:44:17.597+00:00

Hi experts,

I am playing with the Azure firewall and I am confused about the order of the rule processing. Based on my study, the DNAT rule will be processed first, then the Network rule, then the App rule. I have the priority value set accordingly too for these collections. My scenario is pretty simple: I only have one RCG and there is no parent policy.

So at first, I tested with a Network rule to permit HTTP traffic and an App rule to deny the HTTP. The result is still "Permit". It makes sense.

However, now I have a DNAT rule to permit inbound SSH to a VM, and a Network rule to block the SSH, and the result is "Deny". When I took out the Network rule, the SSH works. Why is this happening? Shouldn't the DNAT rule prevail over the Network rule?

Also, every time I make a rule change, it takes like 3 to 5 minutes to deploy. It is kind of frustrating, especially when studying... Is there any way to speed up the deployment? Is the CLI faster?

Thanks,
Difan

Accepted answer
    GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2021-06-29T05:54:11.047+00:00

    Hello @Difan Zhao ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    As per this article, the default behavior is - NAT rules are applied in priority before network rules. However, if a match is found, an implicit corresponding network rule to allow the translated traffic is added. For security reasons, the recommended approach is to add a specific internet source to allow DNAT access to the network and avoid using wildcards.
    Azure firewall is a stateful firewall but we internally install rules in both directions. This is by design.

    In your case, the configured denied Network rule is taking precedence before the implicit allowed Network rule due to the higher priority of the configured Network rule. Hence, the SSH is denied even though allowed in DNAT rule.

    To avoid running into this situation, we recommend that you either not add any Network rule contradicting the DNAT rule or add the network rule with the lowest priority.

    Regarding the rule deployment time, it is a known issue and a fix is being investigated.
    Refer: https://video2.skills-academy.com/en-us/azure/firewall/overview#known-issues

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
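As an added illustration, not part of the original question or answer and not Azure's own code, here is a small Python model of the evaluation order the answer describes: DNAT first, then network rules, then application rules, with a DNAT match inserting an implicit network Allow rule for the translated traffic. The rule names, ports and the priority given to the implicit rule are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption for the model: the implicit Allow is evaluated after every
# configured network rule (configurable priorities in Azure run 100-65000).
IMPLICIT_PRIORITY = 65001

@dataclass
class Rule:
    name: str
    action: str                 # "Allow" or "Deny"
    dest_port: int              # constructed single-port match, no addresses
    priority: int               # Azure convention: lower number wins
    translated_port: Optional[int] = None   # DNAT rules only

def evaluate(dest_port, dnat_rules, network_rules, app_rules):
    """Return (verdict, reason) for one new flow.
    Order: DNAT -> Network -> Application; first match in each stage terminates."""
    network = list(network_rules)
    # 1. DNAT: a match translates the flow and adds an implicit network Allow
    #    rule for the translated traffic (as the accepted answer describes).
    for r in sorted(dnat_rules, key=lambda r: r.priority):
        if r.dest_port == dest_port:
            dest_port = r.translated_port
            network.append(Rule(f"implicit-allow-{r.name}", "Allow",
                                dest_port, IMPLICIT_PRIORITY))
            break
    # 2. Network rules, configured and implicit together, by priority.
    for r in sorted(network, key=lambda r: r.priority):
        if r.dest_port == dest_port:
            return r.action, f"network rule {r.name} (priority {r.priority})"
    # 3. Application rules are reached only if no network rule matched.
    for r in sorted(app_rules, key=lambda r: r.priority):
        if r.dest_port == dest_port:
            return r.action, f"application rule {r.name} (priority {r.priority})"
    return "Deny", "no match (default deny)"

def scenario_http():
    """Network Allow + Application Deny for HTTP: Allow, the network stage wins."""
    return evaluate(80, [], [Rule("allow-http", "Allow", 80, 200)],
                    [Rule("deny-http", "Deny", 80, 300)])

def scenario_ssh(with_network_deny=True):
    """DNAT for SSH plus a configured Network Deny: Deny, because the configured
    rule sorts ahead of the implicit Allow. Removing the Deny rule gives Allow."""
    dnat = [Rule("dnat-ssh", "Allow", 2222, 100, translated_port=22)]
    network = [Rule("deny-ssh", "Deny", 22, 200)] if with_network_deny else []
    return evaluate(2222, dnat, network, [])
```

Calling `scenario_ssh()` and `scenario_ssh(with_network_deny=False)` reproduces the two outcomes reported in the question.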
