Hello @prasantc ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how to group the Firewall rules in a rule collection.
As mentioned in the Azure Firewall FAQ documentation,
A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000. DNAT rule collections are higher priority than network rule collections, which are higher priority than application rule collections, and all rules are terminating.
There are three types of rule collections:
- Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a Virtual Network. Application rules allow or deny outbound and east-west traffic based on the application layer (L7).
- Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses. Network rules allow or deny inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4).
- NAT rules: Configure DNAT rules to allow incoming/inbound Internet connections.
A rule collection can contain one or multiple rules and they follow a priority order based on values. Rule collections must have a defined action (allow or deny) and a priority value. The defined action applies to all the rules within the rule collection. The priority value determines order the rule collections are processed.
Rule types must match their parent rule collection category. For example, a DNAT rule can only be part of a DNAT rule collection.
Refer: https://zcusa.951200.xyz/en-us/azure/firewall/policy-rule-sets#rule-collections
Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000. Rule Collections with highest priority (lowest number) are processed first. Application rules are always processed after Network rules, which are processed after DNAT rules regardless of Rule collection group or Rule collection priority and policy inheritance.
You can get an understanding of the Rule processing logic with example in the below doc.
Refer: https://zcusa.951200.xyz/en-us/azure/firewall/rule-processing
So, you should plan the rule collection as below:
- First segregate the type of rule i.e. DNAT or Network or Application.
- Then decide the action type i.e. Allow or Deny
- Then decide the priority in which you would like the Firewall to process them.
For example: If you have 4 rules, out of which 3 are DNAT rules and 1 is Network rule, and out of the 3 DNAT rules, 2 of them you would like to allow and the remaining one you would like to deny. And the priority that you want to follow is allowed DNAT rules before the deny. Then your rule collection would be as below:
DNAT rule collection 1:
- Name: Allow-collection <-- It should contain the 2 DNAT rules that you want to allow.
- Priority: 100
- Action: Allow
DNAT rule collection 2:
- Name: Deny-collection <-- It should contain the 1 DNAT rule that you want to deny.
- Priority: 200
- Action: Deny
Network rule collection 1: <-- It should contain the 1 Network rule that you want to deny.
- Name: Deny-collection
- Priority: 300
- Action: Deny
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.