Azure Firewall enforces a prioritized set of rules that control how traffic is filtered, translated, and forwarded. These rules operate at different OSI layers—network (L3/L4) and application (L7)—and let you implement fine-grained access control for inbound and outbound flows.

NAT rules (DNAT)

NAT (DNAT) rules publish internal services by mapping a public IP address and port on the firewall to a private IP address and port inside your virtual network. Common use case: expose an internal web server by translating traffic destined for the firewall’s public IP on port 80 to the server’s private IP on port 80. Key points:
  • DNAT performs destination translation (public IP:port -> private IP:port).
  • NAT rules are evaluated before any other rule type.
Example (Azure CLI) — create a DNAT rule that publishes a backend web server:
az network firewall nat-rule create \
  --resource-group MyResourceGroup \
  --firewall-name MyFirewall \
  --collection-name DNAT-Collection \
  --name Publish-WebServer \
  --priority 100 \
  --action Dnat \
  --protocols TCP \
  --source-addresses '*' \
  --destination-addresses 40.40.40.40 \
  --destination-ports 80 \
  --translated-address 10.0.1.4 \
  --translated-port 80
This behavior is similar to load balancer NAT: the firewall’s public IP and port are translated to a backend VM’s private IP and port.

Network rules (L3 / L4)

Network rules apply at layers 3 and 4 to control transport-level access between endpoints. Use network rules to allow or deny connections based on protocol (TCP/UDP/Any), source IP ranges, destination IP ranges, and ports. Common scenarios:
  • Allowing TCP/UDP access between subnets
  • Restricting access to specific IP ranges and ports (e.g., SQL, RDP)
Example (Azure CLI) — allow outbound SQL traffic to a subnet:
az network firewall network-rule create \
  --resource-group MyResourceGroup \
  --firewall-name MyFirewall \
  --collection-name Network-Collection \
  --name Allow-SQL \
  --priority 200 \
  --action Allow \
  --protocols TCP \
  --source-addresses 10.0.0.0/24 \
  --destination-addresses 10.1.0.0/24 \
  --destination-ports 1433
[Figure: "Rule processing in Azure Firewall" — the Azure Firewall Rules settings with three labeled boxes describing NAT Rules (DNAT), Network Rules (protocol/IP/port), and Application Rules (FQDN/web-category controls).]

Application rules (L7)

Application rules operate at the application layer and control traffic based on fully qualified domain names (FQDNs) or web categories—ideal for HTTP/S filtering and URL-based access control. Key characteristics:
  • Used mainly for outbound HTTP/S traffic.
  • Filter by FQDNs (e.g., *.microsoft.com) or by web categories (e.g., Social Networking).
  • Application rules do not apply to inbound DNAT flows.
Example (Azure CLI) — allow access to Microsoft domains only:
az network firewall application-rule create \
  --resource-group MyResourceGroup \
  --firewall-name MyFirewall \
  --collection-name App-Collection \
  --name Allow-Microsoft \
  --priority 300 \
  --action Allow \
  --protocols "Http=80" "Https=443" \
  --source-addresses 10.0.0.0/24 \
  --target-fqdns "*.microsoft.com"

Quick comparison

| Rule Type        | OSI Layer                         | Use Case                                          | Example                            |
|------------------|-----------------------------------|---------------------------------------------------|------------------------------------|
| NAT (DNAT)       | L3/L4 (destination translation)   | Publish internal services (inbound)               | Map publicIP:80 → 10.0.1.4:80      |
| Network rule     | L3/L4                             | Transport-level allow/deny by IP and port         | Allow TCP 1433 between subnets     |
| Application rule | L7                                | Domain/URL-based filtering for HTTP/S (outbound)  | Allow *.microsoft.com only         |

Rule processing order (strict)

Azure Firewall evaluates rules in this strict sequence for each flow:
  1. NAT rules — evaluated first. A matched DNAT rule translates the destination IP/port and forwards the flow according to that mapping.
  2. Network rules — evaluated next if no NAT rule matched. Enforce protocol, source/destination IPs, and ports.
  3. Application rules — evaluated last if neither NAT nor network rules matched. Apply FQDN/web-category controls for HTTP/S.
This order guarantees that destination translation happens before transport- or application-level filtering, preventing unintended blocking of translated flows.
Remember: NAT (DNAT) rules are always processed before network and application rules. If a DNAT rule matches a flow, the firewall translates and forwards that traffic without further evaluation by network or application rules for that flow.
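To make the three-stage order concrete, here is an added illustrative model (not Azure's engine and not code from this page) that encodes the three CLI rules above as constructed rule tables and evaluates sample flows in the documented sequence: a DNAT match translates and stops, network rules are checked next, and application rules are consulted last and only for HTTP/S flows that carry an FQDN. Everything unmatched falls through to a default deny.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed rule tables mirroring the three CLI examples on this page.
# Simplified model of the documented evaluation order, not Azure's implementation.
NAT_RULES = [{"priority": 100, "protocols": ["TCP"], "src": ["*"], "dst": ["40.40.40.40"],
              "dports": [80], "translated": ("10.0.1.4", 80)}]
NETWORK_RULES = [{"priority": 200, "action": "Allow", "protocols": ["TCP"],
                  "src": ["10.0.0.0/24"], "dst": ["10.1.0.0/24"], "dports": [1433]}]
APP_RULES = [{"priority": 300, "action": "Allow", "src": ["10.0.0.0/24"],
              "dports": [80, 443], "fqdns": ["*.microsoft.com"]}]

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    protocol: str                # "TCP" or "UDP"
    fqdn: Optional[str] = None   # host name from HTTP Host / TLS SNI, if any

def addr_in(addr: str, ranges) -> bool:
    """True if addr falls in any listed range; '*' matches everything."""
    return any(r == "*" or ip_address(addr) in ip_network(r) for r in ranges)

def by_priority(rules):
    return sorted(rules, key=lambda r: r["priority"])  # lower number is evaluated first

def evaluate(flow: Flow) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Return (verdict, translated_destination) following NAT -> network -> application."""
    # 1. NAT rules: a matching DNAT rule translates the destination and ends evaluation.
    for r in by_priority(NAT_RULES):
        if (flow.protocol in r["protocols"] and addr_in(flow.src, r["src"])
                and addr_in(flow.dst, r["dst"]) and flow.dport in r["dports"]):
            return "dnat", r["translated"]
    # 2. Network rules: L3/L4 match on protocol, source, destination and port.
    for r in by_priority(NETWORK_RULES):
        if (flow.protocol in r["protocols"] and addr_in(flow.src, r["src"])
                and addr_in(flow.dst, r["dst"]) and flow.dport in r["dports"]):
            return r["action"].lower(), None
    # 3. Application rules: only HTTP/S flows carrying an FQDN reach this stage.
    if flow.fqdn and flow.protocol == "TCP":
        for r in by_priority(APP_RULES):
            if (flow.dport in r["dports"] and addr_in(flow.src, r["src"])
                    and any(fnmatch(flow.fqdn.lower(), p.lower()) for p in r["fqdns"])):
                return r["action"].lower(), None
    return "deny", None  # nothing matched: default deny
```

Feeding `Flow("203.0.113.5", "40.40.40.40", 80, "TCP")` returns the DNAT mapping without touching the later stages, while the same flow over UDP falls all the way through to deny because no later rule covers it.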
Next steps

Now that you’ve seen how Azure Firewall processes NAT, network, and application rules, the next task is deploying Azure Firewall and configuring rule collections. The deployment steps will show how to create the firewall resource, attach public IPs, and add rule collections in the correct order.