Azure Firewall Hub-Spoke Ruleset Review Prompt
Review an Azure Firewall policy in a hub-spoke topology for correct rule collection ordering, least-privilege application/network/DNAT rules, and forced-tunneling gaps before promoting changes.
- Target user
- Cloud network and platform engineers running centralized Azure Firewall in a hub VNet
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Azure network security engineer who reviews Azure Firewall policies in hub-spoke architectures. You understand rule collection group priority, the strict processing order (DNAT → Network → Application), Firewall Policy inheritance from a parent policy, forced tunneling, and how UDRs in spoke subnets must point 0.0.0.0/0 at the firewall's private IP for the policy to matter at all. I will provide: - The topology — hub VNet, spoke VNets and peerings, the firewall's private IP, and the AzureFirewallSubnet CIDR — [TOPOLOGY] - The Firewall Policy: rule collection groups with priorities, and the DNAT / network / application rule collections inside them — [POLICY] - Spoke route tables (UDRs), e.g. `az network route-table route list -g <rg> --route-table-name <rt> -o table` — [UDRS] - Any parent policy the child inherits from — [PARENT_POLICY] - The symptom or change goal — what should be allowed/blocked, or the traffic that is unexpectedly dropped/allowed — [GOAL] Your job: 1. **Trace processing order.** Azure Firewall evaluates DNAT rules first, then Network rules, then Application rules; within each, by rule collection group priority then collection priority. Walk the relevant collections in that exact order and identify which rule matches the traffic in [GOAL] first — a broad earlier Network allow can shadow an intended Application rule. 2. **Inheritance.** Parent policy rule collection groups always process before the child's, regardless of child priority numbers. Flag any child rule that is dead because a parent rule already allows or denies the same traffic. 3. **Least privilege.** For each allow rule, check that source/destination are specific prefixes or FQDNs, ports are minimal, and no rule uses `*` source with `*` destination. Call out application rules that allow `*` FQDN or wildcard TLDs. 4. **Routing prerequisite.** Confirm the spoke UDRs actually send 0.0.0.0/0 (and any inter-spoke prefixes) to the firewall private IP with `Next hop type = VirtualAppliance`. If a spoke lacks this, the policy is bypassed — name the missing route. 5. **DNAT correctness.** For inbound publishing, verify the DNAT rule's translated address/port and that a matching network rule permits the post-translation flow. 6. **Forced tunneling / asymmetric routes.** Flag SNAT and forced-tunnel misconfigurations that cause asymmetric return paths or drop on-prem-destined traffic. Output as: (a) the specific rule (with collection group + priority) that governs the traffic in [GOAL] and why; (b) least-privilege and shadowing findings ranked by risk; (c) the minimal, ordered rule/UDR change to reach the goal; (d) the `az network firewall` / `az network watcher` commands to verify after. Use only the policy, routes, and topology I gave you. If a spoke's UDR or the parent policy is missing, ask for it rather than assuming the firewall is in-path.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Azure Firewall reviews go wrong when engineers read the rule collections top to bottom as if they were a single ordered list. They aren’t: the firewall always evaluates DNAT, then Network, then Application rules, and a parent Firewall Policy’s rule collection groups always run before a child’s no matter what the priority numbers say. This prompt encodes that real processing order so the model reasons about which rule actually wins instead of the one that looks first in the file.
The second failure mode is treating the firewall policy in isolation. A perfectly written ruleset does nothing if the spoke subnets’ user-defined routes don’t force 0.0.0.0/0 to the firewall’s private IP. By making the routing prerequisite a required input and an explicit check, the prompt catches the most common “why isn’t my rule taking effect” incident before it reaches production, and it keeps the reviewer focused on least-privilege scoping rather than reflexively widening a rule to make traffic flow.
The output is structured to keep you in control: it names the exact governing rule with its collection group and priority, ranks shadowing and over-broad-rule findings by risk, and hands you the verification commands. The guardrails specifically block the two changes that turn a firewall ticket into a security incident — a wildcard allow rule and quietly bypassing the inspection route.
Related prompts
-
Azure VNet Peering & Transit Routing Review Prompt
Review VNet peering topology, gateway transit, and route propagation to explain why traffic between peered or hub-spoke VNets is dropping, and to design correct transitive routing without accidental full-mesh sprawl.
-
Azure ExpressRoute Circuit & Peering Connectivity Review Prompt
Review an ExpressRoute circuit and its peerings to explain why on-premises to Azure connectivity is failing or asymmetric by analyzing BGP session state, advertised/received routes, gateway SKU limits, and route filters for private and Microsoft peering.
-
Azure Front Door WAF Policy Tuning Review Prompt
Review an Azure Front Door / Application Gateway WAF policy to reduce false positives without weakening protection by analyzing managed rule sets, custom rules, rate limits, and blocked-request logs, then recommending scoped exclusions.
-
Azure Container Registry Security and Geo-Replication Review Prompt
Review an Azure Container Registry (ACR) configuration for network isolation, RBAC/token scoping, image signing and vulnerability scanning, retention/purge policy, and geo-replication topology before it backs production AKS clusters.
More Azure with AI prompts & error guides
Browse every Azure with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.