Share via

Alternatives for URL / Path‑based Whitelisting When Azure Firewall Supports Only FQDN Filtering

Ashish Bang 20 Reputation points
2026-04-28T03:48:01.3233333+00:00

Azure Firewall – Alternatives for URL / Path‑Level Outbound Whitelisting

Environment / Current Setup

  • Production workloads hosted in Azure
  • All outbound (egress) traffic routed through Azure Firewall
  • Azure Firewall used as the centralized control point for external access
  • Security policy requires explicit whitelisting of outbound destinations

Problem Statement

Our application requires outbound access to a large number of third‑party URLs, primarily related to Google Maps / geospatial services (e.g., .kml files and specific map endpoints).

During the security review, we confirmed that Azure Firewall supports only FQDN‑based filtering and does not support URL path–based filtering for outbound traffic. As a result:

  • We cannot whitelist fine‑grained URLs (host + path)
  • We are forced to whitelist entire domains (e.g., google.com)
  • This significantly increases the outbound attack surface and triggers security risk concerns
  • Reducing the URL list is not immediately possible, as these endpoints are required by the application at runtime
  • Application code changes or dependency removal are not feasible in the near term

Key Constraints

  • Security teams do not want blanket domain‑level whitelisting
  • Application functionality must remain unchanged
  • Solution must be production‑grade, scalable, and supported in Azure

Questions

  1. Given that Azure Firewall only supports FQDN‑based rules, what Azure‑supported design patterns are recommended for more granular outbound control (closer to URL/path‑level filtering)?

Objective

We are not trying to bypass Azure Firewall limitations. We are looking for a supported Azure architecture that allows required outbound application access without introducing unnecessary security exposure.

Any practical guidance, reference architectures, or Microsoft recommendations would be appreciated.

Best Regards,

Ashish

Azure Firewall
Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alex Burlachenko 22,925 Reputation points MVP Volunteer Moderator
    2026-04-28T08:39:12.2766667+00:00

    Ashish Bang hello & thx for join me here at Q&A portal,

    yeah the clean answer is Azure Firewall Standard wont do URL/path allowlisting, only FQDN/app rules, so if security needs host + path control then u need Azure Firewall Premium with TLS inspection + URL filtering, because Premium URL filtering extends FQDN filtering to the full URL including path.

    Azure Firewall app rules use FQDN/SNI for HTTP/S, and network FQDN rules resolve names to IPs, so neither gives real path-level control by itself. for production, the normal pattern is: route egress through Azure Firewall Premium, enable TLS inspection, install/trust the firewall CA on workloads, then create URL filtering rules for the exact Google Maps/KML paths u need. If TLS inspection is not allowed, Azure Firewall cannot reliably see HTTPS paths, because the path is inside encrypted HTTP.

    In that case ur options are basically use a proxy/SWG that supports URL allowlists, put an app-level egress proxy/broker that fetches only approved URLs or accept FQDN-level allowlisting and reduce risk with logging, threat intel, IDPS, and tight managed identity/SAS controls where applicable.

    If u use FQDN rules, enable DNS proxy so firewall and clients resolve the same names, otherwise dynamic Google endpoints can behave weirdly. tl dr: for Azure-native path filtering use Azure Firewall Premium URL filtering + TLS inspection; without TLS inspection, path-level HTTPS filtering is not technically possible, only domain-level contro

    rgds, Alex

    & 

    pls if my answer helps pls accept it.

    Was this answer helpful?

    0 comments
  2. Venkatesan S 9,565 Reputation points Microsoft External Staff Moderator
    2026-04-28T04:30:11.7533333+00:00

    Hi Ashish Bang,

    Thanks for reaching out in Microsoft Q&A forum,

    Given that Azure Firewall only supports FQDN‑based rules, what Azure‑supported design patterns are recommended for more granular outbound control (closer to URL/path‑level filtering)?

    According to Microsoft’s official Azure Firewall Premium features documentation, the solution for your need to whitelist outbound URLs at the path level (like specific Google Maps endpoints) is to upgrade to Azure Firewall Premium and enable URL filtering with TLS inspection.

    Azure Firewall Standard only supports FQDN-based rules, which forces you to whitelist entire domains. Premium extends this capability to evaluate the full URL path, so you can allow maps.googleapis.com/maps/api/staticmap/* instead of opening the entire googleapis.com domain.

    For HTTPS traffic (which Google Maps and most third-party APIs use), you must enable TLS inspection at the application rule level. Azure Firewall Premium decrypts the traffic, extracts the URL, validates it against your whitelist rules, and then re-encrypts it before forwarding it to the internet. This feature is generally available (GA), not in preview, and is production-grade with a 99.99% SLA and PCI compliance, making it safe for enterprise workloads.

    Key points about this solution:

    URL filtering works for both HTTP and HTTPS traffic when TLS inspection is enabled

    You whitelist specific paths instead of entire domains, significantly reducing your attack surface

    • Your application requires no code changes it continues calling the same URLs as before
    • Azure Firewall remains your centralized egress control point, maintaining your current architecture
    • This is the only Microsoft-native, GA solution that supports URL/path-level outbound filtering

    Important operational consideration:

    TLS inspection requires deploying Azure Firewall’s CA certificate to all clients making outbound HTTPS calls. This includes VMs, containers, AKS nodes, build agents, and any automation runtimes. While this is a one-time PKI task, it is the main setup effort Microsoft documents. Without this certificate deployed, HTTPS traffic to your whitelisted URLs will fail.

    Other options like Azure Maps with Private Endpoints are not suitable for your immediate needs since Google Maps does not support Private Link, and migrating to Azure Maps would require application code changes.

    Azure Firewall Premium SKU already supports URL/path-level filtering for outbound traffic. The limitation you discovered (only FQDN-based filtering) applies to Azure Firewall Standard, not Premium. Your current setup can whitelist fine-grained URLs like maps.google.com/mapfiles/kml without opening the entire domain.

    What you need to configure correctly:

    Create an Application Rule (never use Network Rules for URL paths)

    Enable TLS inspection on that Application Rule (required for HTTPS URL filtering)

    Set Destination Type = URL (not FQDN)

    In the Destination field, enter the full path without http:// or https://, for example: maps.google.com/mapfiles/kml or *.google.com/mapfiles/kml* User's image

    Once configured this way, Azure Firewall Premium will evaluate the entire URL including the path, not just the domain name.

    Official Microsoft documentation:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to 210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.