How does rule processing order work in Azure Firewall?

Rules are processed in this order: NAT rules first, then network rules, then application rules. Within each type, rule collection groups are processed by priority (lowest number first), and rule collections within a group are also processed by priority. If a network rule matches, application rules are not evaluated for that flow. DNAT rules are applied before network and application rules. For inherited policies (child policies), the parent policy rules are always processed first, regardless of child policy priority values.

What does TLS inspection do and when should I enable it?

TLS inspection decrypts outbound HTTPS traffic at the firewall, inspects it against application rules and IDPS signatures, then re-encrypts it before forwarding. This allows the firewall to inspect encrypted traffic that would otherwise bypass L7 filtering. You should enable it for regulated environments that require full traffic inspection, when using IDPS to detect threats in encrypted traffic, or when you need URL-path-level filtering (not just FQDN). TLS inspection requires an intermediate CA certificate and adds latency, so exclude trusted first-party services (Azure management traffic, Windows Update) from inspection.

Azure Firewall Policy Rule Builder

NetworkingAzure

Build Azure Firewall Premium policy rules with IDPS, DNS proxy, and TLS inspection.

Azure Firewall Policy Configuration

Policy Name

SKU

Rule Collection 1

Name

Priority (100-65000)

Action

Rule Name

Rule Type

Source Addresses (comma-separated)

Target FQDNs (comma-separated)

Generated Firewall Policy

Output will appear here...

About This Tool

Azure Firewall Premium is a cloud-native, managed network security service that protects Azure VNet resources with built-in high availability, unlimited scalability, and advanced threat protection features. Firewall policies organize rules into rule collection groups containing network rules (L3/L4), application rules (L7 with FQDN and URL filtering), NAT rules (DNAT), and Premium features including TLS inspection, IDPS (intrusion detection and prevention), URL filtering by category, and web categories. The Firewall Policy Rule Builder helps you construct rule collections with proper priority ordering, action types, and Premium-specific configurations.

When to Use This Tool

•Building application rule collections that allow outbound HTTPS to approved FQDNs while blocking all other internet traffic
•Creating network rule collections that permit specific IP ranges and port combinations between hub and spoke VNets
•Configuring IDPS rules in alert-and-deny mode for detecting and blocking known exploit signatures
•Defining TLS inspection rules that decrypt and inspect outbound traffic to specific URL categories

Frequently Asked Questions

How does rule processing order work in Azure Firewall?: Rules are processed in this order: NAT rules first, then network rules, then application rules. Within each type, rule collection groups are processed by priority (lowest number first), and rule collections within a group are also processed by priority. If a network rule matches, application rules are not evaluated for that flow. DNAT rules are applied before network and application rules. For inherited policies (child policies), the parent policy rules are always processed first, regardless of child policy priority values.
What does TLS inspection do and when should I enable it?: TLS inspection decrypts outbound HTTPS traffic at the firewall, inspects it against application rules and IDPS signatures, then re-encrypts it before forwarding. This allows the firewall to inspect encrypted traffic that would otherwise bypass L7 filtering. You should enable it for regulated environments that require full traffic inspection, when using IDPS to detect threats in encrypted traffic, or when you need URL-path-level filtering (not just FQDN). TLS inspection requires an intermediate CA certificate and adds latency, so exclude trusted first-party services (Azure management traffic, Windows Update) from inspection.

Related Learning Guides

Azure Networking Deep Dive30 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.