Build Azure Firewall Premium policy rules with IDPS, DNS proxy, and TLS inspection.
Last verified: May 2026
The builder constructs Azure Firewall Policy rule collection configurations with: rule collection groups (ordered by priority), rule collections within each group (network, application or NAT, each with an action: Allow, Deny or DNAT), individual rules (source and destination addresses, ports and protocols, plus target FQDNs for application rules), TLS inspection settings, and IDPS configuration (Alert, Alert and Deny, or Off). Output is generated as az network firewall policy commands and Terraform azurerm_firewall_policy_rule_collection_group resources.
Azure Firewall Premium is a cloud-native, managed network security service that protects Azure VNet resources with built-in high availability, scalability, and advanced threat protection features. Firewall policies organize rules into rule collection groups containing network rules (L3/L4), application rules (L7, with FQDN and URL filtering) and NAT rules (DNAT); the Premium SKU adds TLS inspection, IDPS (intrusion detection and prevention), and URL and web-category filtering. The Firewall Policy Rule Builder helps you construct rule collections with correct priority ordering, action types, and Premium-specific configuration.
Your team is deploying Azure Firewall Premium for centralized internet egress filtering across 30 spoke VNets. The builder generates a firewall policy with: a NAT rule collection (DNAT for inbound services), a network rule collection (allow spoke-to-spoke VNet traffic on specific ports only), an application rule collection (allow outbound HTTPS only to approved FQDNs such as *.github.com, *.npmjs.org, AWS APIs and monitoring endpoints), and IDPS in Alert mode initially. After two weeks of validation, IDPS flips to Alert and Deny. Outbound traffic that matches an IDPS signature, or that is not on the FQDN allow-list, is blocked at the firewall, cutting off the 'compromised workload calls home' pattern for all 30 spokes at a single enforcement point.
Always start IDPS in Alert mode, not Alert and Deny. IDPS signatures catch real threats but also fire on legitimate traffic. Run in Alert-only for at least two weeks, review the alerts to identify false-positive patterns, add per-signature overrides or bypass entries for them, then flip to Alert and Deny. Going straight to deny will block a legitimate workflow you didn't know existed.
TLS inspection is powerful but costs CPU and adds latency, and it breaks clients that pin the server certificate, because they will be presented with the firewall's certificate instead. Don't enable it globally: exclude trusted Microsoft endpoints (Azure management, Windows Update, M365), exclude your own internal HTTPS APIs that don't need inspection, then enable inspection only for traffic to external, untrusted destinations.
Network rules are evaluated before application rules and a match is terminal, so a network rule that allows a destination (for example TCP/443 to any address) prevents application rules from filtering that destination by FQDN at all. Design network rules narrowly (specific protocols, ports and address ranges, typically for internal east-west traffic) and let application rules do FQDN-level filtering of outbound HTTPS.
Rules are processed by type: DNAT rules first, then network rules, then application rules, regardless of which rule collection group or rule collection they sit in. Within each type, rule collection groups are processed in priority order (lowest number first), and rule collections within a group likewise by priority. Processing stops at the first match: if a network rule matches a flow, application rules are never evaluated for it. For a child policy that inherits from a parent policy, the parent's rule collection groups are always processed before the child's, regardless of the priority values assigned in the child.
TLS inspection terminates outbound HTTPS at the firewall, inspects the decrypted request against application rules and IDPS signatures, then re-encrypts it before forwarding it to the destination. Without it, encrypted traffic can only be matched on the server name (SNI), so L7 filtering stops at the FQDN. Enable it for regulated environments that require full traffic inspection, when using IDPS to detect threats inside encrypted sessions, or when you need URL-path-level filtering rather than FQDN-only. TLS inspection requires an intermediate CA certificate whose chain your clients trust, and it adds latency, so exclude trusted first-party services (Azure management traffic, Windows Update) from inspection.
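The processing order above (type first, then parent before child, then priority, first match wins) and the visibility limits of TLS inspection are easier to reason about with a small evaluator. The following is an added example written for this page, not the builder's output and not Microsoft code: it models the rules as this page describes them and runs constructed flows through a two-level policy. Every name, address range (10.0.0.0/8 as the spokes), IP, FQDN and helper (rule, policy, evaluate, spoke_policy, demo) is an assumption for illustration; wildcard FQDN matching is simplified to "subdomains only", and IDPS and DNAT translation are not modelled beyond ordering.

```python
"""Toy evaluator for Azure Firewall Policy rule processing (added example; not the
builder's output, not Microsoft code). Models the order this page describes: DNAT,
then network, then application rules; parent-policy rule collection groups before
the child's regardless of priority numbers; groups and collections in ascending
priority; first match terminates. Application rules see the TLS server name (SNI);
URL targets are visible only when the flow is TLS-inspected, i.e. not excluded.
All names, addresses and FQDNs below are constructed sample data."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst port sni url", defaults=(None, None))
Collection = namedtuple("Collection", "name kind priority action rules")  # kind: DNAT|Network|Application
SPOKES = "10.0.0.0/8"   # constructed spoke address space, used as the source of every rule

def rule(name, dst="*", ports=(), fqdns=(), urls=()):
    """Network/DNAT rules use dst+ports; application rules use fqdns or urls (urls need inspection)."""
    return {"name": name, "src": SPOKES, "dst": dst, "ports": ports, "fqdns": fqdns, "urls": urls}

def policy(groups, tls_exclusions=(), parent=None):
    """groups: [(group_priority, [Collection, ...])]; tls_exclusions: FQDN patterns left encrypted."""
    return {"groups": groups, "tls_exclusions": tls_exclusions, "parent": parent}

def _in(ip, cidr):
    return cidr == "*" or ip_address(ip) in ip_network(cidr)

def _fqdn_match(name, patterns):
    # "*.example.com" matches subdomains only; other entries must match exactly (simplified)
    return any(name.endswith(p[1:]) if p.startswith("*.") else name == p for p in patterns)

def _matches(r, kind, flow, inspected):
    if not _in(flow.src, r["src"]):
        return False
    if kind != "Application":
        return flow.port in r["ports"] and _in(flow.dst, r["dst"])
    if flow.sni is None:
        return False
    if r["urls"]:   # path-level targets cannot match a flow that was left encrypted
        return inspected and flow.url is not None and any(flow.url.startswith(u) for u in r["urls"])
    return _fqdn_match(flow.sni, r["fqdns"])

def _ordered_collections(pol):
    chain = []
    while pol is not None:         # walk up so the root parent comes first
        chain.insert(0, pol)
        pol = pol["parent"]
    out = []
    for p in chain:
        for _, cols in sorted(p["groups"], key=lambda g: g[0]):
            out.extend(sorted(cols, key=lambda c: c.priority))
    return out

def evaluate(pol, flow):
    """Return (action, 'collection/rule') for the first match, else the implicit deny."""
    inspected = flow.sni is not None and not _fqdn_match(flow.sni, pol["tls_exclusions"])
    cols = _ordered_collections(pol)
    for kind in ("DNAT", "Network", "Application"):   # type order beats group priority
        for col in (c for c in cols if c.kind == kind):
            for r in col.rules:
                if _matches(r, kind, flow, inspected):
                    return col.action, f"{col.name}/{r['name']}"
    return "Deny", "implicit-deny"

def spoke_policy(broad_network_allow, tls_exclusions=("*.windowsupdate.com", "management.azure.com")):
    """Parent policy carries the network rules; the child (spoke egress) policy the application rules."""
    if broad_network_allow:   # the anti-pattern: a network rule allowing 443 to anywhere
        net = rule("any-https", dst="*", ports=(443,))
    else:                     # narrow: internal east-west ports only, leaving 443 to application rules
        net = rule("internal-sql", dst=SPOKES, ports=(1433, 445))
    parent = policy([(200, [Collection("platform-net", "Network", 100, "Allow", [net])])])
    return policy(parent=parent, tls_exclusions=tls_exclusions, groups=[(100, [
        # lower priority number than the parent's collection, yet still evaluated after it
        Collection("child-net", "Network", 10, "Deny",
                   [rule("block-sql", dst="10.2.0.0/16", ports=(1433,))]),
        Collection("block-uploads", "Application", 50, "Deny",
                   [rule("no-gists", urls=("https://api.github.com/gists",))]),
        Collection("allow-saas", "Application", 100, "Allow",
                   [rule("github", fqdns=("*.github.com",)), rule("npm", fqdns=("registry.npmjs.org",))]),
    ])])

GITHUB = Flow("10.1.0.4", "140.82.112.5", 443, "api.github.com", "https://api.github.com/gists")
BEACON = Flow("10.1.0.4", "203.0.113.7", 443, "c2.example.net")   # not on the allow-list
SQL = Flow("10.1.0.4", "10.2.0.9", 1433)                           # internal, no TLS

def demo():
    return {
        "broad/github": evaluate(spoke_policy(True), GITHUB),
        "broad/beacon": evaluate(spoke_policy(True), BEACON),
        "narrow/github": evaluate(spoke_policy(False), GITHUB),
        "narrow/github-excluded": evaluate(spoke_policy(False, ("*.github.com",)), GITHUB),
        "narrow/beacon": evaluate(spoke_policy(False), BEACON),
        "narrow/sql": evaluate(spoke_policy(False), SQL),
    }

if __name__ == "__main__":
    for name, (action, via) in demo().items():
        print(f"{name:24} {action:5} via {via}")
```

Running it shows the three pitfalls from the text in one place: with the broad network rule, both the GitHub call and the beacon to c2.example.net are allowed by platform-net/any-https and the application allow-list is never consulted; with the narrow network rule, the beacon falls through to the implicit deny and the gist upload is blocked by the URL rule, but excluding *.github.com from TLS inspection silently turns that URL deny into an allow-saas/github allow, because only the SNI is visible; and the child's priority-10 network deny never fires for the internal SQL flow, since the parent's collection is processed first regardless of its higher priority number.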
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.