Azure Firewall - RuleCollection with no rules

Question

Azure Firewall - RuleCollection with no rules

Peter Stieber 180

What happens if a rule collection (network, NAT, or application) is defined but contains no rules?
- Will the configured action (e.g., Allow or Deny) still be applied?
- Does it effectively act as an implicit "Allow All" or "Deny All"?
What is the behavior of an empty rule collection group (i.e., one that contains no rule collections at all)?
- Is it completely ignored?
- Does it have any implicit effect on traffic processing?

G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-21T18:02:09.4933333+00:00

Hello Peter Stieber

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-22T18:20:25.6266667+00:00

Hi Peter Stieber

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

1 answer

Your answer

G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-21T18:02:09.4933333+00:00

Hello Peter Stieber

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-22T18:20:25.6266667+00:00

Hi Peter Stieber

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Hello Peter Stieber

Please check below details:

What happens if a rule collection (network, NAT, or application) is defined but contains no rules?

If a rule collection (whether it's a network, NAT, or application rule collection) has no rules, the configured action (like Allow or Deny) does not get applied to any traffic. An empty rule collection acts as if it doesn't exist, so it doesn't effectively create an implicit 'Allow All' or 'Deny All' scenario. Traffic won't be affected by that rule collection at all, since there's nothing in it to enforce."

Rule collections only apply their action (Allow/Deny) when at least one rule matches.
If there are no rules, then no match is possible, and the collection is skipped.
Azure Firewall has an implicit deny at the end of rule processing, so unmatched traffic is denied by default.
This behavior is consistent across network, NAT, and application rule collections.

What is the behavior of an empty rule collection group (i.e., one that contains no rule collections at all)?

A rule collection group is a container for multiple rule collections. If a group contains no rule collections at all:

It is completely ignored by Azure Firewall.
It has no implicit effect on traffic and It does not override or interfere with other rule collection groups.

Summary: An empty rule collection group is non-functional and has no impact on traffic.

Refer: https://learn.microsoft.com/en-us/azure/firewall/policy-rule-sets

I hope this helps! If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.

If the above is unclear or you are unsure about something, please add a comment below.

Share via

Azure Firewall - RuleCollection with no rules

1 answer

Your answer