Alternatives for IP groups while creating firewall policy rules.

Yashas Manjunath 186 Reputation points
2025-07-17T21:33:40.65+00:00

I have a bunch of network and application rules in Azure Firewall Policy. While creating the groups I can either specify source and destination IP ranges or IP groups.

I am implementing the Hub and spoke architecture in my tenant, which means I will potentially have a lot of subscriptions and VNets in the future. Is there a recommended way of creating the rules and policies? I find it gets harder to maintain a list of IP ranges in groups as the spokes increase. Is there a way to directly select VNets and subnets of my spokes when creating these firewall rules and policies? How do I make it so that it's easily maintainable? Is there any other resource that can be used that can help with maintainability and scalability?


Accepted answer
  1. G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator
    2025-07-17T23:57:30.5566667+00:00

    Hello Yashas Manjunath

    We understand that you're looking for a more efficient way to manage Azure Firewall rules as you implement a Hub and Spoke architecture.

    Here are a few suggestions to help improve maintainability and scalability:

    Azure Firewall does not currently support directly selecting VNets or subnets in rules. You must use IP Groups or manually specify address ranges. To mitigate this, it's helpful to maintain a well-documented IP address plan using CIDR notation to avoid overlaps and simplify IP Group updates. (Image: Hub-and-Spoke Topology)

    1. We recommend you use IP Groups extensively:

    • Create IP Groups for each spoke or logical group of VNets.
    • Update IP Groups as new VNets are added.
    • IP Groups can be reused across multiple rules and policies.
    • Rather than maintaining separate lists of IP addresses for each rule, create IP Groups for common sources and destinations. These groups can be reused across your firewall rules. You can manage IP Groups using the Azure portal; see https://learn.microsoft.com/en-us/azure/firewall/ip-groups

    2. Configure Firewall Policy and create a base policy with rules referencing IP Groups for common scenarios (e.g., allow DNS traffic from all spokes to 8.8.8.8).

    • Create child policies for specific subscriptions or workloads, referencing the same IP Groups for consistency.

    3. For application rules, use FQDNs instead of IPs where possible. This avoids hardcoding IPs and supports dynamic resolution.

    I hope this helps! If this answers your query, click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.

    If the above is unclear or you are unsure about something, please add a comment below.

    1 person found this answer helpful.
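The accepted answer's advice (one IP Group per spoke, a shared group for all spokes, and an address plan with no overlaps) is easy to keep maintainable if the spoke inventory is treated as the source of truth and the IP Groups are generated from it. The script below is an added example, not code from the question, the answer, or Microsoft; the spoke names and address ranges are constructed, and the resource group and location are placeholders. It validates the CIDR plan, refuses to build groups while any two spokes overlap, collapses contiguous or nested ranges within a spoke, and emits the `az network ip-group create` commands that would create the groups. Only the `ipaddress` standard-library module is used, so it runs offline.

```python
"""Generate Azure Firewall IP Group definitions from a spoke VNet inventory.

Added example (not the page's or Microsoft's code). Assumptions:
- Each spoke is a name mapped to its VNet address spaces in CIDR notation.
- IP Groups are named "ipg-<spoke>"; the shared group is "ipg-all-spokes".
- Resource group and location are placeholders passed by the caller.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inventory (not a real tenant). Keep this file in source
# control; it is the single place to update when a spoke is added or resized.
SPOKES: Dict[str, List[str]] = {
    "spoke-prod-app": ["10.1.0.0/16"],
    "spoke-prod-data": ["10.2.0.0/16", "10.2.10.0/24"],  # nested range collapses
    "spoke-dev": ["10.3.0.0/16"],
}

Network = ipaddress.IPv4Network


def parse_inventory(spokes: Dict[str, List[str]]) -> Dict[str, List[Network]]:
    """Parse CIDRs strictly so a typo such as 10.1.0.1/16 is rejected early."""
    parsed: Dict[str, List[Network]] = {}
    for name, cidrs in spokes.items():
        parsed[name] = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return parsed


def find_overlaps(spokes: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (spoke_a, cidr_a, spoke_b, cidr_b) for every cross-spoke overlap.

    Ranges inside the same spoke are allowed to nest; only two different
    spokes sharing address space is a planning error (the firewall could not
    tell their traffic apart).
    """
    parsed = parse_inventory(spokes)
    names = sorted(parsed)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in parsed[a]:
                for net_b in parsed[b]:
                    if net_a.overlaps(net_b):
                        overlaps.append((a, str(net_a), b, str(net_b)))
    return overlaps


def build_ip_groups(spokes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Build one IP Group per spoke plus a shared all-spokes group.

    Raises ValueError if the plan has cross-spoke overlaps, so a broken plan
    never reaches the firewall. Nested/adjacent ranges are collapsed so the
    groups stay as small as possible.
    """
    overlaps = find_overlaps(spokes)
    if overlaps:
        raise ValueError(f"overlapping spoke address spaces: {overlaps}")
    parsed = parse_inventory(spokes)
    groups: Dict[str, List[str]] = {}
    everything: List[Network] = []
    for name in sorted(parsed):
        collapsed = list(ipaddress.collapse_addresses(parsed[name]))
        groups[f"ipg-{name}"] = [str(n) for n in collapsed]
        everything.extend(collapsed)
    groups["ipg-all-spokes"] = [str(n) for n in ipaddress.collapse_addresses(everything)]
    return groups


def az_commands(groups: Dict[str, List[str]], resource_group: str, location: str) -> List[str]:
    """Render one `az network ip-group create` command per group (sorted by name)."""
    return [
        f"az network ip-group create --name {name} --resource-group {resource_group} "
        f"--location {location} --ip-addresses {' '.join(cidrs)}"
        for name, cidrs in sorted(groups.items())
    ]


if __name__ == "__main__":
    for cmd in az_commands(build_ip_groups(SPOKES), "rg-hub-PLACEHOLDER", "eastus"):
        print(cmd)
```

Running the script prints the commands for the sample inventory; in practice the same inventory would feed a pipeline step that applies them (or a Bicep/Terraform template) whenever a spoke is added, and the rules in the base policy keep referencing `ipg-all-spokes` unchanged. The overlap check is the guard the answer's "avoid overlaps" advice needs: it fails the run before any group is touched.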
