Skip to main content

Enable and use Azure Firewall Network Rules to segment internal Azure or On-Prem sources and destinations

Implementation Effort: Medium

User Impact: Low

Overview

Enable Azure Firewall Network Rules to enforce granular, IP-, tag-, and domain-based segmentation for both internal Azure and on-premises traffic. Define Network Rule Collections in your Firewall Policy, specifying source IP addresses (or IP Groups), and for destinations use IP addresses/ranges, service tags, or FQDN tags. Include destination ports and protocols, and assign priorities so rules evaluate in the proper order. Configure these via the Azure portal, CLI, ARM templates, or Firewall Manager—ensuring that every east–west and north–south packet is inspected, allowed only if it matches an explicit rule, and logged for audit and analysis.

Reference