Azure Firewall - public IP as nexthop

Peter Stieber 180 Reputation points
2025-07-10T08:49:43.23+00:00

Documentation says that:

"Application rules aren't applied for inbound connections. So, if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF)."

So my understanding is that when the FW receives something on its public IP, app rules are not evaluated. Is this correct? Or what is considered inbound? Because it's a matter of perspective.

Is traffic coming from ExpressRoute hitting the FW private IP considered inbound?
Is traffic coming from a peered VNET hitting the FW private IP considered inbound?

Or are app rules evaluated only when traffic hits the FW private IP and a route with next hop type "Internet" is matched?

But then I came across this - azure-firewall-without-nat-gateway


Is this example applicable only for return traffic, or can I use the firewall public IP as next hop?

What I am trying to understand ... is there a case where the FW receives something on its public IP and app rules are evaluated?


Accepted answer
Ganesh Patapati 8,760 Reputation points Microsoft External Staff Moderator
2025-07-10T19:18:48.6566667+00:00

Hello Peter Stieber,

Q. So my understanding is that when the FW receives something on its public IP, app rules are not evaluated. Is this correct? Or what is considered inbound? Because it's a matter of perspective.

• You're correct that application rules in Azure Firewall don't apply to inbound connections. Inbound traffic is generally considered anything that is directed towards the firewall's public IP (or private IP, depending on internal routing).
• This means that when traffic is directed to the firewall's public IP, application rules are not triggered. Instead, network rules or NAT rules are used to handle such traffic.


Q. Is traffic coming from ExpressRoute hitting the FW private IP considered inbound? Is traffic coming from a peered VNET hitting the FW private IP considered inbound?

• Yes, traffic coming from ExpressRoute or peered VNETs that reaches the firewall's private IP is still considered inbound.

Q. Or are app rules evaluated only when traffic hits the FW private IP and a route with next hop type "Internet" is matched?

• Application rules are evaluated when the firewall receives traffic on its public IP and that traffic is routed through the firewall based on a routing table that indicates next hop type "Internet".

Q. Is this example applicable only for return traffic, or can I use the firewall public IP as next hop?

• If you consider return traffic, utilizing the public IP as a next hop on the UDR might not be a feasible solution. If you want inbound traffic from the internet to reach the Azure VMs' private IPs, consider using a DNAT inbound rule to translate the Azure Firewall public IP to the private IP of the VM.

Q. What I am trying to understand ... is there a case where the FW receives something on its public IP and app rules are evaluated?

• DNAT rules are used to receive the firewall traffic using the public IP, whereas application rules are designed only for outbound internet traffic for the Azure VMs.

I hope this has been helpful!

If the above is unclear or you are unsure about something, please add a comment below.

Please don't forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

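A minimal Bicep layout that reflects the split the accepted answer describes, added here as an example and not part of the thread or of any Microsoft sample: a UDR that sends the workload subnet's egress to the firewall's private IP, a DNAT rule for traffic arriving on the firewall's public IP, and an application rule for the outbound HTTP/S that the UDR delivers. All IP addresses, prefixes, resource names and the FQDN are assumed placeholders.

```bicep
param location string = resourceGroup().location
param firewallPrivateIp string = '10.10.0.4'    // assumed placeholder
param firewallPublicIp string = '203.0.113.10'  // assumed placeholder (documentation range)
param workloadSubnet string = '10.10.1.0/24'    // assumed placeholder
param webVmIp string = '10.10.1.4'              // assumed placeholder

// UDR for the workload subnet: the next hop is the firewall's private IP, not its public IP.
resource rt 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-workload'
  location: location
  properties: {
    routes: [
      { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}
resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'afwp-example'
  location: location
}
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 100
    ruleCollections: [
      {
        // Inbound on the public IP: handled by a DNAT rule, since application rules are not evaluated for it.
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'inbound-dnat'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          { ruleType: 'NatRule', name: 'https-to-web-vm', ipProtocols: [ 'TCP' ], sourceAddresses: [ '*' ], destinationAddresses: [ firewallPublicIp ], destinationPorts: [ '443' ], translatedAddress: webVmIp, translatedPort: '443' }
        ]
      }
      {
        // Outbound from the workload subnet (reaches the firewall's private IP via the UDR): an application rule by FQDN.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'outbound-app'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'ApplicationRule', name: 'allow-windows-update', sourceAddresses: [ workloadSubnet ], protocols: [ { protocolType: 'Https', port: 443 } ], targetFqdns: [ '*.windowsupdate.com' ] }
        ]
      }
    ]
  }
}
```

The route table still has to be associated with the workload subnet, and the policy with the firewall, for the two rule paths to take effect.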
