Firewall policy - allow only application rules, deny NAT rules and network rules in Azure Firewall

Is it possible to create a custom Azure Policy to only allow application rules and deny NAT rules and network rules in Azure Firewall?



Solution 1:[1]

Is it possible to create a custom Azure Policy to only allow application rules and deny NAT rules and network rules in Azure Firewall?

Yes, it is possible. A rule collection group is a container for rule sets. They're the first thing the Azure Firewall looks at, and they're prioritized based on their values. There are three default rule collection groups, each with its own priority values.

[Image: the three default rule collection groups and their priority values]

Although you can't delete or change the priority values of the default rule collection groups, you can change their processing order in other ways. You can establish custom rule collection groups with your desired priority values if you need to define a different priority order than the default design. You don't utilize the default rule collection groups in this case; instead, you design your own to personalize the processing logic.

You can add custom rules that are assessed for each request that passes through the WAF. These rules take precedence over the rest of the managed rule sets' rules. A rule name, rule priority, and an array of matching conditions are all included in the custom rules. If these criteria are met, a decision is made (to allow or block).

You can, for example, block all requests from the IP address range 192.168.5.0/24. The operator in this rule is IP Match, the match values is the IP address range (192.168.5.0/24), and the action is traffic blocking. You can also name and prioritize the rule.

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 DelliganeshS-MT
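The answer above describes rule collection groups and WAF custom rules but does not show what the asked-for Azure Policy definition would look like. The following is an added example, not code from the question, the answer, or Microsoft: it builds a custom policy definition with a `deny` effect that rejects any Firewall Policy rule collection group containing a rule whose `ruleType` is not `ApplicationRule` (so `NetworkRule` and `NatRule` are denied), and it pairs that with a local pre-deployment check that applies the same condition to an exported rule collection group payload, which is useful in CI before the policy ever sees the request. The alias path `Microsoft.Network/firewallPolicies/ruleCollectionGroups/ruleCollections[*].rules[*].ruleType` and the use of `count` over that nested array are assumptions; confirm the alias exists in your tenant with `az provider show --namespace Microsoft.Network --expand resourceTypes/aliases` before assigning the policy. The sample rule collection group is constructed for the example. Note that this targets the Firewall Policy resource model (`Microsoft.Network/firewallPolicies`); the classic `Microsoft.Network/azureFirewalls` model keeps application, network and NAT rules in separate `applicationRuleCollections`, `networkRuleCollections` and `natRuleCollections` properties and would need a separate definition.

```python
import json

RCG_TYPE = "Microsoft.Network/firewallPolicies/ruleCollectionGroups"

# ASSUMED Azure Policy alias for the ruleType of every rule in every rule
# collection of a rule collection group. Verify it with:
#   az provider show --namespace Microsoft.Network --expand resourceTypes/aliases
RULE_TYPE_ALIAS = RCG_TYPE + "/ruleCollections[*].rules[*].ruleType"

# Only this ruleType is permitted; the other values in the firewallPolicies
# API are "NetworkRule" and "NatRule", both of which the policy denies.
ALLOWED_RULE_TYPE = "ApplicationRule"


def policy_definition() -> dict:
    """Return a custom Azure Policy definition (deny effect) that rejects any
    rule collection group containing a rule whose ruleType is not ApplicationRule."""
    return {
        "properties": {
            "displayName": "Azure Firewall policy: application rules only",
            "description": "Denies rule collection groups that contain network or NAT rules.",
            "mode": "All",
            "policyRule": {
                "if": {
                    "allOf": [
                        {"field": "type", "equals": RCG_TYPE},
                        {
                            # Count rules whose ruleType is anything other than
                            # ApplicationRule; a count above zero triggers the deny.
                            "count": {
                                "field": RULE_TYPE_ALIAS,
                                "where": {
                                    "field": RULE_TYPE_ALIAS,
                                    "notEquals": ALLOWED_RULE_TYPE,
                                },
                            },
                            "greater": 0,
                        },
                    ]
                },
                "then": {"effect": "deny"},
            },
        }
    }


def violations(rule_collection_group: dict) -> list:
    """Local pre-deployment check mirroring the policy condition.

    Walks the ruleCollections of a rule collection group payload (same shape as
    the ARM resource body) and returns (collection name, rule name, ruleType)
    for every rule that is not an application rule. An empty list means the
    policy above would allow the deployment."""
    found = []
    props = rule_collection_group.get("properties", {})
    for collection in props.get("ruleCollections", []):
        for rule in collection.get("rules", []):
            rule_type = rule.get("ruleType")
            if rule_type != ALLOWED_RULE_TYPE:
                found.append((collection.get("name"), rule.get("name"), rule_type))
    return found


# Constructed sample: one filter collection mixing an application rule with a
# network rule, plus a NAT collection. Only "allow-web" should survive the policy.
SAMPLE_RCG = {
    "name": "example-rcg",
    "type": RCG_TYPE,
    "properties": {
        "priority": 200,
        "ruleCollections": [
            {
                "name": "filter-rules",
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "rules": [
                    {"name": "allow-web", "ruleType": "ApplicationRule"},
                    {"name": "allow-dns", "ruleType": "NetworkRule"},
                ],
            },
            {
                "name": "nat-rules",
                "ruleCollectionType": "FirewallPolicyNatRuleCollection",
                "rules": [
                    {"name": "inbound-dnat", "ruleType": "NatRule"},
                ],
            },
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(policy_definition(), indent=2))
    for collection, rule, rule_type in violations(SAMPLE_RCG):
        print(f"DENY: collection '{collection}' rule '{rule}' has ruleType {rule_type}")
```

Running the script prints the policy definition JSON (ready to pass to `az policy definition create --rules`) followed by one `DENY` line each for `allow-dns` and `inbound-dnat`; a group containing only application rules produces no lines. The `deny` effect only blocks new or updated rule collection groups, so run a compliance scan after assignment to find existing groups that already contain network or NAT rules.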