AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

Domain 5: Network Security Services (Premium, ~11 min read)

Azure Firewall Manager and Policies

Centralise firewall management with Azure Firewall Manager: policy hierarchy, parent/child inheritance, secure virtual hubs, and routing intent.

When you manage Azure Firewall at scale (multiple firewalls, multiple regions, different teams), you need centralised policy management. Azure Firewall Manager and firewall policies solve this.

☕ Simple explanation

Firewall Manager is your firewall’s control tower: instead of configuring each firewall individually, you create policies centrally and apply them across multiple firewalls. It also lets you create secure hubs, which are Virtual WAN hubs with Azure Firewall built in.

Azure Firewall Manager provides central management for firewall policies and secure virtual hubs. Features: reusable policies with inheritance (parent/child), secure virtual hubs (VWAN hubs with Firewall), and security partner provider integration for third-party SECaaS.

Firewall Policies

Firewall policies replaced the older “classic rules” model. A policy is a standalone Azure resource that contains all your firewall rules and settings, and can be associated with one or more firewalls.

Parent/child inheritance:

Parent Policy (Global)
├── Base rules: Deny known-bad IPs, Allow Azure management
├── Threat intel settings: Alert and Deny
├── DNS settings: Custom DNS servers
│
├── Child Policy (Production)
│     ├── Inherits all parent rules
│     ├── Additional rules: Allow prod workloads
│     └── Cannot delete or modify parent rules
│
└── Child Policy (Development)
      ├── Inherits all parent rules
      ├── Additional rules: Allow broader internet (less restrictive)
      └── Cannot delete or modify parent rules

Key inheritance rules:

  • Child policies inherit all rules from the parent
  • Child policies can add rules but cannot remove or override parent rules
  • Parent rules are processed before child rules (lower priority numbers)
  • A policy can have only one parent but a parent can have multiple children
  • You can change a policy’s parent, but rules from the old parent are removed

Rule Collection Group Hierarchy

Within a policy, rules are organised in a three-level hierarchy:

Firewall Policy
└── Rule Collection Group (priority: 100-65000)
    └── Rule Collection (priority within group)
        └── Individual Rules

Rule collection groups contain multiple rule collections and are processed by priority. Within each group, rule collections are processed by their priority. Within each collection, individual rules are processed.

Rule type processing still applies: DNAT collections process first, then Network collections, then Application collections, regardless of rule collection group priority.

🔒 Aisha’s policy design:

| Rule Collection Group     | Priority | Contents                                   |
|---------------------------|----------|--------------------------------------------|
| Platform (parent policy)  | 100      | Deny known-bad IPs, Allow Azure management |
| Infrastructure            | 200      | Allow DNS, NTP, Windows Update             |
| Workload - Finance        | 300      | Allow Finance app traffic patterns         |
| Workload - HR             | 400      | Allow HR app traffic patterns              |
| Internet                  | 500      | Allow approved internet destinations       |
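To see how the three ordering rules above interact (collection type first, then parent before child, then group priority, then collection priority), here is an added Python model of the evaluation order. It is not code from this study guide or from Microsoft; the ordering it applies is the one stated on this page. The dataclasses, the helper names (`evaluation_order`, `evaluate`), the sample parent “Platform” policy and child “Production” policy shaped like Aisha’s table, the documentation-range CIDRs and the test flows are all constructed for this example. DNAT address translation and application-rule protocol:port matching are deliberately not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Processing order across collection types, regardless of rule collection group priority.
RULE_TYPE_ORDER = {"DNAT": 0, "Network": 1, "Application": 2}


@dataclass
class Rule:
    """One rule. DNAT and Network rules match on source/destination CIDRs, port and
    protocol; Application rules match on a destination FQDN. (Assumption: DNAT
    translation and application protocol:port pairs are left out for brevity.)"""
    name: str
    sources: list
    destinations: list = None
    ports: list = None        # list of ints, or ["*"] for any port
    protocols: list = None    # e.g. ["TCP", "UDP"], or ["Any"]
    target_fqdns: list = None

    def matches(self, flow):
        if not any(ip_address(flow["src"]) in ip_network(s) for s in self.sources):
            return False
        if self.target_fqdns is not None:                      # Application rule
            return flow.get("fqdn") in self.target_fqdns
        dst = ip_address(flow["dst"])
        return (any(dst in ip_network(d) for d in self.destinations)
                and (self.ports == ["*"] or flow["port"] in self.ports)
                and (self.protocols == ["Any"] or flow["protocol"] in self.protocols))


@dataclass
class RuleCollection:
    name: str
    priority: int      # priority within its rule collection group
    rule_type: str     # "DNAT", "Network" or "Application"
    action: str        # "Allow" or "Deny"
    rules: list


@dataclass
class RuleCollectionGroup:
    name: str
    priority: int      # 100-65000
    collections: list


@dataclass
class FirewallPolicy:
    name: str
    groups: list
    parent: Optional["FirewallPolicy"] = None   # a policy has at most one parent


def policy_chain(policy):
    """Root parent first, the policy itself last."""
    chain = []
    while policy is not None:
        chain.insert(0, policy)
        policy = policy.parent
    return chain


def evaluation_order(policy):
    """Collections in the order the firewall consults them, as (policy, group, collection).
    Key: collection type, then parent before child, then group priority, then collection priority."""
    entries = []
    for depth, pol in enumerate(policy_chain(policy)):
        for group in pol.groups:
            for coll in group.collections:
                key = (RULE_TYPE_ORDER[coll.rule_type], depth, group.priority, coll.priority)
                entries.append((key, pol.name, group.name, coll))
    entries.sort(key=lambda e: e[0])
    return [(pol, grp, coll) for _, pol, grp, coll in entries]


def evaluate(policy, flow):
    """First matching rule decides; no match means the firewall's implicit deny."""
    for pol, grp, coll in evaluation_order(policy):
        for rule in coll.rules:
            if rule.matches(flow):
                return (coll.action, pol, grp, coll.name, rule.name)
    return ("Deny", None, None, "implicit-deny", None)


# Constructed sample in the shape of Aisha's table: a "Platform" parent and a "Production"
# child. CIDRs are documentation ranges chosen for this example only.
ANY = ["0.0.0.0/0"]
PLATFORM = FirewallPolicy("Platform", [
    RuleCollectionGroup("Platform", 100, [
        RuleCollection("deny-known-bad", 100, "Network", "Deny",
                       [Rule("known-bad-ranges", ANY, ["203.0.113.0/24"], ["*"], ["Any"])]),
        RuleCollection("allow-azure-mgmt", 200, "Network", "Allow",
                       [Rule("mgmt-endpoint", ["10.0.0.0/8"], ["10.255.0.0/24"], [443], ["TCP"])]),
    ]),
])
PRODUCTION = FirewallPolicy("Production", parent=PLATFORM, groups=[
    RuleCollectionGroup("Infrastructure", 200, [
        RuleCollection("allow-dns-ntp", 100, "Network", "Allow",
                       [Rule("dns", ["10.0.0.0/8"], ["10.1.0.0/24"], [53], ["UDP", "TCP"]),
                        Rule("ntp", ["10.0.0.0/8"], ["10.1.0.0/24"], [123], ["UDP"])]),
    ]),
    RuleCollectionGroup("Workload-Finance", 300, [
        # A team tries to "allow" a parent-denied range with a very low priority number;
        # the parent deny is still consulted first, so this collection never wins.
        RuleCollection("allow-vendor", 50, "Network", "Allow",
                       [Rule("vendor-api", ["10.10.0.0/16"], ["203.0.113.0/24"], [443], ["TCP"])]),
    ]),
    RuleCollectionGroup("Internet", 500, [
        RuleCollection("inbound-web", 100, "DNAT", "Allow",
                       [Rule("web-dnat", ANY, ["198.51.100.10/32"], [443], ["TCP"])]),
        RuleCollection("approved-sites", 200, "Application", "Allow",
                       [Rule("saas", ["10.0.0.0/8"], target_fqdns=["updates.example.com"])]),
    ]),
])

if __name__ == "__main__":
    for pol, grp, coll in evaluation_order(PRODUCTION):
        print(f"{coll.rule_type:<11} {pol}/{grp}/{coll.name}")
    print(evaluate(PRODUCTION, {"src": "10.10.5.5", "dst": "203.0.113.7", "port": 443, "protocol": "TCP"}))
```

Running it prints the effective consultation order: the child’s DNAT collection (in the group with priority 500) comes before the parent’s Network collections (group priority 100), every parent Network collection comes before any child Network collection, and the child’s Application collection comes last. The Finance team’s `allow-vendor` collection, despite its priority of 50, cannot override the parent’s `deny-known-bad`, which is exactly the inheritance guarantee the page describes; a flow to 203.0.113.7 from the Finance range is still reported as denied by the Platform policy.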

Secure Virtual Hubs

A secure virtual hub is a Virtual WAN hub with Azure Firewall (or a partner security provider) deployed in it, managed through Firewall Manager.

Hub VNet Firewall vs Secure Virtual Hub

| Feature                 | Hub VNet with Firewall                              | Secure Virtual Hub (VWAN)                                   |
|-------------------------|-----------------------------------------------------|-------------------------------------------------------------|
| Hub location            | Your own VNet that you create and manage            | Virtual WAN managed hub infrastructure                      |
| Routing                 | Manual UDRs on every spoke subnet                   | Routing intent automates traffic through firewall           |
| Management              | Direct policy association with firewall             | Firewall Manager associates policies per hub                |
| Multi-region            | Manual VNet peering between hubs                    | Automatic inter-hub connectivity via VWAN                   |
| Third-party NVA support | Deploy NVAs in the hub VNet manually                | Partner security providers (Zscaler, iBoss, Check Point)    |
| Best for                | Small deployments (under 10 VNets), full routing control | Large-scale or multi-region with VWAN, automated routing |

Routing intent (covered in Module 12) works with secure virtual hubs to automatically route:

  • Internet traffic: All VNet-to-internet routes through the hub’s firewall
  • Private traffic: All VNet-to-VNet and VNet-to-branch routes through the hub’s firewall

This eliminates manual UDR management; Firewall Manager and routing intent handle it automatically.

ℹ️ Hub VNet vs Secure Virtual Hub: When to Choose

Choose Hub VNet + Firewall when:

  • You have a small number of VNets (under 10)
  • You need full control over routing and VNet configuration
  • You don’t use Virtual WAN
  • You want to manage everything manually for maximum customisation

Choose Secure Virtual Hub when:

  • You use Virtual WAN for multi-site, multi-region connectivity
  • You want automated routing (routing intent)
  • You need centralised policy management across multiple hubs
  • You want to integrate third-party security providers
  • You have 10+ VNets or multiple regions

Exam context: If the scenario mentions Virtual WAN, the answer likely involves a secure virtual hub. If it’s a custom hub-and-spoke without VWAN, it’s a hub VNet with firewall.

Key Takeaways

  • Firewall policies are standalone resources with parent/child inheritance
  • Child policies inherit and cannot override parent rules
  • Rule collection groups organise rules with priority-based processing
  • DNAT rules always process before Network, which process before Application
  • Secure virtual hubs combine VWAN + Firewall Manager with routing intent

Test Your Knowledge

Question

Can a child firewall policy override rules from the parent?

Answer

No. Child policies inherit all parent rules and cannot remove or modify them. Child policies can only add additional rules. Parent rules are processed before child rules.

Question

What is a secure virtual hub?

Answer

A Virtual WAN hub with Azure Firewall (or a partner security provider like Zscaler) deployed in it, managed through Azure Firewall Manager. Supports routing intent for automatic traffic routing through the firewall.

Question

What is the rule hierarchy within a firewall policy?

Answer

Policy contains Rule Collection Groups (prioritised). Each group contains Rule Collections (prioritised). Each collection contains individual rules. DNAT collections always process before Network, which process before Application.

Knowledge Check

Aisha wants a base set of deny rules that all firewalls must follow, with teams adding their own workload-specific rules. What should she configure?

Knowledge Check

Elena uses Virtual WAN with multiple regional hubs and wants all traffic routed through Azure Firewall in each hub without manual UDRs. What should she deploy?


Next up: Web Application Firewall (WAF). Protect web applications from OWASP attacks with WAF on Application Gateway and Front Door.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.