Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
Azure firewall application rule doesn't work
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 68%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVH%3C/text%3E%3C/svg%3E)
Van Huy Tuyen
40
Reputation points
Dear team,
I have Azure policy as below:
- Rule collection group 1: Priority = 9999
- Application rule: Allow access google, priority = 11003
- Rule collection group 2: Priority = 50000
- Network rule: Allow full https, priority = 50002
- Diagnostic settings on Azure, send logs to Log Analytics workspace
I expect that when I access to google, traffic will match with application rule with lower priority
When I query the logs, no any logs match with Rule collection group 1
Please tell me why.
Thank you!
Azure Firewall
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 22%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Thanmayi Godithi 1,885 Reputation points Microsoft External Staff Moderator2025-10-17T09:43:04.1166667+00:00 Hello @Van Huy Tuyen,
Thank you for reaching out on Microsoft Q&A forum.
I understand your question regarding the issue where your Azure Firewall application rule for Google is not appearing in diagnostic logs.
So basically, Azure Firewall processes rules in a fixed order by rule type, not by numeric priority across types:
- DNAT rules
- Network rules
- Application rules
Reference: https://learn.microsoft.com/en-us/azure/firewall/rule-processing
Even if your application rule has a lower numeric priority (e.g., 11003), network rules always take precedence. In your case:
- Network rule allowing full HTTPS (priority 50002) matches first.
- Therefore, traffic to Google is processed by the network rule, and the application rule is never evaluated.
This is expected behaviour per Azure Firewall design.
Logs reflect the rule that processed the traffic. Since the network rule matched first, diagnostic logs show hits for the network rule only.
To ensure Google traffic matches the Application rule:
1.Restrict the Network Rule:
- Modify the Network rule in Group 2 to exclude Google destinations (e.g., limit to specific IP ranges or exclude Google’s resolved IPs).
- Alternatively, add a higher-priority Network rule to deny Google IPs, forcing traffic to fall through to Application rules.
- Note: Network rules use IPs, not FQDNs, unless you’re using Azure Firewall Premium with FQDN filtering in Network rules.
2.Remove Broad HTTPS Rule:
- If the allow-all-HTTPS rule isn’t critical, remove or disable it to let Application rules handle Google traffic.
3.Verify Diagnostic Settings:
- In the Azure portal, go to Firewall → Diagnostic settings → Ensure both AzureFirewallNetworkRule and AzureFirewallApplicationRule categories are enabled and sent to your Log Analytics workspace.
If the above information is helpful kindly upvote it. If you have extra questions about this answer, please click "Comment".
-
Van Huy Tuyen 40 Reputation points
2025-10-17T09:59:30.18+00:00 I remove allow-all-HTTPS rule, but application rule still doesn't work. Please help to check.
Thanks!
-
Thanmayi Godithi 1,885 Reputation points Microsoft External Staff Moderator
2025-10-21T01:25:44.07+00:00 Hi @Van Huy Tuyen,
Thank you for sharing the details.
Could you please share the below information via "Private message" feature.
Email ID:
Time zone:
Subscription ID:
Tenand ID:
Thanks
Sign in to comment
Sign in to answer