Azure Firewall rule processing logic

Azure Firewall has NAT rules, network rules, and application rules. The rules are processed according to the rule type.

Network rules and application rules

Network rules are applied first, then application rules. The rules are terminating, so if a match is found in the network rules, the application rules aren't processed. If no network rule matches and the packet protocol is HTTP/HTTPS, the packet is then evaluated by the application rules. If still no match is found, the packet is evaluated against the infrastructure rule collection. If there's still no match, the packet is denied by default.

NAT rules

Inbound connectivity can be enabled by configuring Destination Network Address Translation (DNAT), as described in Tutorial: Filter inbound traffic with Azure Firewall DNAT using the Azure portal. DNAT rules are applied first. If a match is found, an implicit corresponding network rule to allow the translated traffic is added. You can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic. No application rules are applied for these connections.

Inherited rules

Network rule collections inherited from a parent policy are always prioritized above network rule collections that are defined as part of your new policy. The same logic also applies to application rule collections. However, network rule collections are always processed before application rule collections, regardless of inheritance.

By default, your policy inherits its parent policy's threat intelligence mode. You can override this by setting your threat intelligence mode to a different value on the policy settings page. It's only possible to override with a stricter value. For example, if your parent policy is set to Alert only, you can configure this local policy to Alert and deny, but you can't turn it off.
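The evaluation order described in the sections above (DNAT first with its implicit allow and explicit-deny override, then terminating network rules, then application rules for HTTP/HTTPS only, then the infrastructure collection, then default deny, with inherited collections ordered ahead of local ones and a stricter-only threat intelligence override) can be modelled as a small policy evaluator. The following is an added example written for this page, not Azure's own code or API: the Packet, Rule, RuleCollection, NatRule and Policy classes, the matching fields (destination, port, protocol) and every address, FQDN and collection name are constructed assumptions chosen to exercise each branch of the logic, and the infrastructure rule collection is reduced to a placeholder FQDN set.

```python
"""Model of Azure Firewall rule processing order (constructed example, not Azure's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str          # destination IP, or the FQDN for HTTP/HTTPS traffic
    port: int
    protocol: str     # "TCP", "UDP", "HTTP" or "HTTPS"


@dataclass
class Rule:
    name: str
    protocols: frozenset   # protocols the rule covers
    dst: str               # destination IP (network rule) or FQDN (application rule)
    port: int

    def matches(self, pkt: Packet) -> bool:
        return pkt.protocol in self.protocols and pkt.dst == self.dst and pkt.port == self.port


@dataclass
class RuleCollection:
    name: str
    priority: int          # lower number = evaluated earlier
    action: str            # "allow" or "deny"; the action sits on the collection
    rules: List[Rule]
    inherited: bool = False  # True when the collection comes from the parent policy


@dataclass
class NatRule:
    name: str
    public_ip: str
    port: int
    translated_ip: str
    translated_port: int


def ordered(collections: List[RuleCollection]) -> List[RuleCollection]:
    # Inherited collections always come before the local policy's own collections;
    # within each group the collections are walked in ascending priority order.
    return sorted(collections, key=lambda c: (not c.inherited, c.priority))


def first_match(collections, pkt: Packet):
    """Return (collection, rule) for the first matching rule; rules are terminating."""
    for coll in ordered(collections):
        for rule in coll.rules:
            if rule.matches(pkt):
                return coll, rule
    return None


@dataclass
class Policy:
    nat_rules: List[NatRule] = field(default_factory=list)
    network: List[RuleCollection] = field(default_factory=list)
    application: List[RuleCollection] = field(default_factory=list)
    infrastructure_fqdns: frozenset = frozenset()  # stand-in for the built-in infrastructure collection

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason) for a packet, following the documented order."""
        # 1. DNAT rules are applied first.
        for nat in self.nat_rules:
            if pkt.dst == nat.public_ip and pkt.port == nat.port:
                translated = Packet(pkt.src, nat.translated_ip, nat.translated_port, pkt.protocol)
                hit = first_match(self.network, translated)
                # An explicit network deny matching the translated traffic overrides the
                # implicit allow; application rules are never consulted for DNAT connections.
                if hit and hit[0].action == "deny":
                    return "deny", f"network:{hit[0].name}/{hit[1].name} (explicit deny on translated traffic)"
                return "allow", f"nat:{nat.name} (implicit network allow)"
        # 2. Network rules; the first match terminates processing.
        hit = first_match(self.network, pkt)
        if hit:
            return hit[0].action, f"network:{hit[0].name}/{hit[1].name}"
        # 3. Application rules, only for HTTP/HTTPS traffic.
        if pkt.protocol in ("HTTP", "HTTPS"):
            hit = first_match(self.application, pkt)
            if hit:
                return hit[0].action, f"application:{hit[0].name}/{hit[1].name}"
            # 4. Infrastructure rule collection (modelled here as an FQDN allow list).
            if pkt.dst in self.infrastructure_fqdns:
                return "allow", "infrastructure"
        # 5. Nothing matched: denied by default.
        return "deny", "default"


THREAT_INTEL_STRICTNESS = {"Off": 0, "Alert": 1, "Deny": 2}  # "Deny" stands for "Alert and deny"


def effective_threat_intel_mode(parent: str, local: Optional[str]) -> str:
    """A local policy inherits the parent's mode and may only override it with a stricter one."""
    if local is None:
        return parent
    if THREAT_INTEL_STRICTNESS[local] < THREAT_INTEL_STRICTNESS[parent]:
        raise ValueError(f"cannot relax threat intelligence mode from {parent} to {local}")
    return local


def build_sample_policy() -> Policy:
    # Constructed sample values using documentation and private address ranges.
    tcp = frozenset({"TCP"})
    return Policy(
        nat_rules=[NatRule("rdp-in", "203.0.113.10", 3389, "10.0.1.4", 3389)],
        network=[
            RuleCollection("parent-deny-db", 100, "deny", [Rule("no-db", tcp, "10.0.2.5", 1433)], inherited=True),
            RuleCollection("local-allow-db", 50, "allow", [Rule("db", tcp, "10.0.2.5", 1433)]),
            RuleCollection("block-dnat-host", 200, "deny", [Rule("block-rdp", tcp, "10.0.1.4", 3389)]),
        ],
        application=[RuleCollection("web", 100, "allow", [Rule("site", frozenset({"HTTPS"}), "www.example.com", 443)])],
        infrastructure_fqdns=frozenset({"infra.example.invalid"}),
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for pkt in (Packet("198.51.100.7", "203.0.113.10", 3389, "TCP"),
                Packet("10.0.0.9", "10.0.2.5", 1433, "TCP"),
                Packet("10.0.0.9", "www.example.com", 443, "HTTPS"),
                Packet("10.0.0.9", "www.example.com", 443, "TCP")):
        print(pkt, "->", policy.evaluate(pkt))
```

Two results from the sample policy are worth noting. The local allow collection for the database host has the lower priority number (50), yet the inherited deny collection (100) wins because inherited collections are ordered ahead of local ones. And the plain TCP packet to www.example.com is denied by default even though an application rule allows that FQDN, because non-HTTP/HTTPS traffic never reaches the application rules.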

Next steps