The following table describes how Azure Firewall manages the various configured rules to filter inbound and outbound traffic.
| Direction | Rule types | Description |
|---|---|---|
| Outbound connectivity | Network rules and application rules | If you configure both network rules and application rules, network rules are applied in priority order before application rules. The rules are terminating: if a match is found in a network rule, no other rules are processed. If there is no network rule match, and the protocol is HTTP, HTTPS, or MSSQL, then the packet is evaluated by the application rules in priority order. If still no match is found, the packet is evaluated against the infrastructure rule collection. If there is still no match, the packet is denied by default. |
| Inbound connectivity | Network address translation (NAT) rules | You can enable inbound internet connectivity by configuring Destination Network Address Translation (DNAT). NAT rules are applied in priority order before network rules. If a match is found, an implicit corresponding network rule that allows the translated traffic is added. You can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic. |
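
The evaluation order in the table, written out as an added Python model (not Azure Firewall's own code): rule shapes, the protocol labels, and the `infra_allowed` destination set standing in for the infrastructure rule collection are simplifying assumptions, and the sample rules are constructed.

```python
# Constructed model of the Azure Firewall rule-processing order (assumption-based,
# not the service's implementation): terminating network rules, then application
# rules for HTTP/HTTPS/MSSQL, then the infrastructure collection, then default deny;
# inbound DNAT matches add an implicit allow unless an explicit deny network rule
# matches the translated traffic.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    priority: int            # lower number is evaluated first
    action: str              # "allow" or "deny"
    protocols: frozenset     # e.g. {"TCP"} for network rules, {"HTTPS"} for application rules
    dest: str                # destination IP/FQDN, or "*" for any
    translated_dest: str = ""   # used only by DNAT rules

@dataclass
class Packet:
    protocol: str
    dest: str

def _first_match(rules, pkt):
    """Rules are terminating: the first match in priority order decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if pkt.protocol in r.protocols and r.dest in ("*", pkt.dest):
            return r
    return None

def evaluate_outbound(pkt, network_rules, application_rules, infra_allowed):
    r = _first_match(network_rules, pkt)
    if r:
        return r.action, r.name
    # Only HTTP/HTTPS/MSSQL traffic is handed to the application rules.
    if pkt.protocol in {"HTTP", "HTTPS", "MSSQL"}:
        r = _first_match(application_rules, pkt)
        if r:
            return r.action, r.name
    if pkt.dest in infra_allowed:            # infrastructure rule collection
        return "allow", "infrastructure"
    return "deny", "default-deny"

def evaluate_inbound(pkt, nat_rules, network_rules):
    nat = _first_match(nat_rules, pkt)
    if nat:
        translated = Packet(pkt.protocol, nat.translated_dest)
        # Assumption: the first network rule matching the translated traffic decides;
        # an explicit deny overrides the implicit allow a DNAT match would add.
        r = _first_match(network_rules, translated)
        if r and r.action == "deny":
            return "deny", r.name
        return "allow", nat.name + " (implicit allow)"
    r = _first_match(network_rules, pkt)     # no DNAT match: plain network rules
    return (r.action, r.name) if r else ("deny", "default-deny")
```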