Share via

Azure Firewall Outbound

Peter Stieber 45 Reputation points
2025-07-12T11:55:10.1933333+00:00

Documentation keeps mentioning that app rules are applied only to outbound traffic. Same applies to network rules where dst is fqdn. They are only applied to outbound traffic - traffic leaving from VNET. Can someone please explain that little more? What if I have HUB and Spoke with fw in HUB. Will app rules be applied to traffic coming from spoke? What if I have UDR associated with fw subnet to route 0.0.0.0/0 via on prem. Will app rules be evaluated in such a case? Or is it that app rules are applied only when route with nexthop type internet is matched in azureFirewallSubnet? Or does Azure Firewall decides whether to evaluate Application Rules based on whether the destination is public or private IP? Is the key factor whether the destination IP is public or private, rather than the routing path or whether forced tunneling is enabled?

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Divyesh Govaerdhanan 8,345 Reputation points
    2025-07-13T22:49:31.2966667+00:00

    Hello,

    Welcome to Microsoft Q&A,

    Application Rules are only applied to traffic going to public FQDNs/IPs, not internal/private traffic, because Application Rules in Azure Firewall operate at Layer 7 (HTTP/S) and are designed specifically to filter outbound web traffic (HTTP, HTTPS, MSSQL) based on FQDNs.

    https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#can-i-use-application-rules-to-filter-traffic-to-private-ip-addresses

    https://learn.microsoft.com/en-us/azure/firewall/overview

    What if I have Hub-Spoke, and FW is in the Hub? Will the Application Rules apply to traffic coming from Spoke?

    Yes, if the traffic:

    Is routed through the firewall via UDR (user-defined route),

    • Is going to public endpoints (like *.microsoft.com, github.com, etc.),

    Uses HTTP/HTTPS (or SQL) protocols.

    Then, Application Rules will be evaluated.

    Spoke → Hub FW → Internet

    • If UDR in Spoke routes 0.0.0.0/0 to Firewall → Yes, App Rules apply.

    What if I route 0.0.0.0/0 from the AzureFirewallSubnet to on-prem (forced tunneling)?

    In this case:

    • The default route for Internet traffic points to on-prem via VPN/ExpressRoute,

    The firewall will not evaluate Application Rules for Internet-bound traffic unless special configuration is done.

    To make Application Rules still apply in forced tunneling:

    • You need to enable "Forced Tunneling support" and configure Virtual Route Point (VNet peering and routing table adjustments) using route tables with next hop type Internet for specific traffic.

    Does the evaluation depend on whether the destination is public or private IP?

    Yes. This is the core rule:

    If its Public FQDN/IP, the application rules are used, but if it Private IP (VNet, on-prem) then the application rules are skipped and network rules are used.

    So:

    • App Rules = Only for HTTP/S traffic to public IPs or FQDNs
    • Network Rules = Used for all IP-based traffic, including private IPs, VNET peering, and on-prem.

    Please upvote and accept the answer if it helps!!

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.