Enable and use Azure Firewall Network Rules to segment internal Azure or On-Prem sources and destinations
Implementation Effort: Medium
User Impact: Low
Overview��
Enable Azure Firewall Network Rules to enforce granular, IP-, tag-, and domain-based segmentation for both internal Azure and on-premises traffic. Define Network Rule Collections in your Firewall Policy, specifying source IP addresses (or IP Groups), and for destinations use IP addresses/ranges, service tags, or FQDN tags. Include destination ports and protocols, and assign priorities so rules evaluate in the proper order. Configure these via the Azure portal, CLI, ARM templates, or Firewall Manager—ensuring that every east–west and north–south packet is inspected, allowed only if it matches an explicit rule, and logged for audit and analysis.