Azure Firewall Not Working, Connectivity, Rules, and Routing Fixes
Why This Is Happening
I've seen this scenario play out dozens of times: you spend hours carefully setting up Azure Firewall, get the green checkmark in the portal, and then nothing works. Traffic still drops. Your VMs can't reach the internet. Application rules silently fail. Your routing table looks fine on paper but packets never make it through. It's maddening, especially when the Azure portal gives you exactly zero actionable error messages.
Here's the honest truth: Azure Firewall not working is almost never one single problem. It's almost always a combination of issues stacked on top of each other. A misconfigured User Defined Route here, a missing application rule there, and suddenly your entire subnet is dark.
The most common root causes I see in the field break down like this:
- Routing black holes. The UDR on your workload subnet points to the firewall's private IP, but that IP shifted after a deallocation/reallocation cycle. This is a documented Azure Firewall known issue, the firewall can get assigned a brand-new private IP after it restarts, and your old UDR now routes packets into a void.
- Wrong rule type for the protocol. People try to filter ICMP or other non-TCP/UDP traffic using network rules and SNAT to a public IP. That doesn't work today, it's a confirmed limitation. The Standard Load Balancer behind Azure Firewall doesn't support SNAT for non-TCP/UDP protocols on internet-bound traffic.
- DNAT misconfiguration on Basic SKU. If you're running Azure Firewall Basic and trying to configure DNAT rules on a private IP address, it simply won't work. That capability is only available in Standard and Premium tiers.
- Capacity zone issues during deployment. Several Azure regions have documented capacity constraints right now. If you're deploying into East US 2 EUAP zone 1 or zone 4, North Europe zone 2, South East Asia zone 3, or a handful of other constrained zones, your deployment will fail or your existing firewall might not restart after being stopped.
- Child policy DNS inheritance failure. You set DNS settings on a parent firewall policy and expected child policies to pick them up automatically. They don't, that's a known bug being actively worked on by the product team.
- Threat intelligence alerts getting masked. You're running outbound network filtering rules on port 80/443 in alert-only mode and wondering why your threat intelligence feed has gone quiet. Those broad network rules suppress the threat intel alerts entirely.
I know how frustrating this is, especially when Azure Firewall connectivity issues block actual production workloads. Let's work through this systematically. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before going deep on Azure Firewall rule troubleshooting, do this one check first. It fixes a surprising number of "Azure Firewall not working" reports in under five minutes.
Go to your Azure Firewall resource in the portal. Under Settings, click Overview and look at the private IP address listed there. Now go to Virtual Networks → [Your Hub VNet] → Subnets → AzureFirewallSubnet and check the actual subnet range. Then go to every workload subnet's associated Route Table and verify the next hop IP in your UDR matches the firewall's current private IP exactly.
If there's a mismatch, even by a single digit, that's your problem. When Azure Firewall is deallocated and reallocated (which happens during maintenance, manual restarts, or scale operations), it can get assigned a different private IP from the AzureFirewallSubnet pool. Your UDR still points to the old IP. Traffic routes into nowhere.
To fix it fast:
- In the Azure portal, navigate to your firewall → Overview → copy the current Private IP address.
- Go to each Route Table associated with workload subnets (Route Tables → [Table Name] → Routes).
- Click the route with Next hop type: Virtual appliance and update the Next hop IP address to match the current firewall private IP.
- Click Save. Changes propagate within 1–2 minutes.
Test connectivity immediately after. Nine times out of ten when someone tells me their Azure Firewall stopped working after a weekend, this is why.
Before spending hours debugging rules, confirm your Azure Firewall actually deployed successfully and is running in a healthy state. This sounds obvious, but capacity constraints in specific zones mean your firewall might be in a degraded or failed state before you ever sent a packet through it.
In the Azure portal, go to your firewall resource and check the Status field on the Overview blade. It should read Running. If it says Failed, Stopped, or Updating, that's your first problem.
If you're in one of these regions, pay close attention to which availability zones you selected:
- East US 2 EUAP: Zone 1 and zone 4 are capacity-restricted for Basic, Standard, and Premium SKUs. You cannot deploy new firewalls there.
- North Europe: Physical zone 2 is constrained for Standard and Premium.
- South East Asia: Physical zone 3 is constrained for Standard and Premium. Critically, if you stop an existing firewall in zone 3 here, it may not restart.
- South Central US: Physical zone 3 is blocked, with availability estimated by March 31, 2026.
- West US 2: Physical zone 2 is blocked for all SKUs.
- Qatar Central: All three zones (1, 2, 3) are blocked for new deployments until December 31, 2026.
- Spain Central: Physical zone 2 is blocked until December 31, 2026.
- US Gov Virginia: Physical zone 3 is blocked for Basic and Standard, only zones 1 and 2 are available.
If you stopped a firewall in one of these constrained zones, be aware, you might not be able to start it again. The recommendation is to deploy a new firewall into an unconstrained zone or region instead of attempting to restart the stopped instance. Don't wait on this; plan your migration before you're in an emergency situation.
If everything looks healthy in the portal and your region isn't constrained, move on to step 2.
Application rules are where most Azure Firewall traffic filtering problems hide. If your outbound web traffic is dropping silently, the first thing to check is whether your application rule is configured correctly, specifically the protocol and port definition.
Open your Azure Firewall resource → Rules (classic) or your associated Firewall Policy → Application Rules. For each rule that's supposed to allow traffic:
- Confirm the Protocol:Port field is explicitly set. A common mistake is leaving this blank when using FQDN tags, but that will cause the rule to fail silently in some configurations.
- If you're using FQDN tags (like
WindowsUpdateorMicrosoftActiveProtectionService), set the protocol value tohttps:443explicitly. This is a known workaround while Microsoft works on making the port field optional for FQDN tag rules. - For HTTP traffic, set
http:80explicitly in the same rule or a separate rule.
For SQL FQDN filtering specifically, if you're filtering Azure SQL Database, Azure Synapse Analytics, or Azure SQL Managed Instance traffic, note that FQDN filtering via application rules only works in proxy mode. If your SQL client connects in redirect mode (which is the default for connections originating from within Azure), the application rule won't intercept the traffic correctly. You either need to force proxy mode on your SQL connection string or handle this at the network rule level.
# Check your SQL connection mode via Azure CLI
az sql server show \
--name <your-sql-server> \
--resource-group <your-rg> \
--query "publicNetworkAccess"After adjusting rules, wait 30–60 seconds for the policy to propagate, then retest connectivity. If your test VM still can't reach the target FQDN, move to step 3.
If you're using DNAT (Destination Network Address Translation) to forward inbound traffic to internal resources, there are two important constraints you need to know about.
First: DNAT on private IP addresses is only available on Standard and Premium SKUs. If you're on Basic and trying to set up a private IP DNAT rule, it simply won't work. There's no workaround at the Basic tier, you'll need to upgrade.
Second: If you have private IP DNAT rules configured and you need to deallocate your Azure Firewall for any reason (cost savings, maintenance), you'll hit a snag. The deallocation process itself fails when private DNAT rules are present. Here's the exact sequence to do it safely:
- Go to your firewall → Rules (classic) or Firewall Policy → DNAT Rules.
- Document all your private IP DNAT rules carefully, screenshot them or export to a text file.
- Delete every private IP DNAT rule.
- Deallocate the firewall via the portal or PowerShell:
$azfw = Get-AzFirewall -Name "<FirewallName>" -ResourceGroupName "<RG>" $azfw.Deallocate() Set-AzFirewall -AzureFirewall $azfw - When you allocate it again, wait for the private IP to fully populate in the Overview blade before touching anything.
- Reconfigure your DNAT rules using the newly assigned private IP address.
Also keep in mind: inbound DNAT rules always change the source IP address on return traffic. If you need to preserve the original client IP for web traffic (for logging, WAF rules, or access control), configure your backend servers or proxy layer to extract the original IP from the X-Forwarded-For (XFF) header. Azure Firewall preserves the client IP in the XFF header and appends the firewall's own IP when processing web traffic rules.
This one catches enterprise teams off guard because it looks like it should work, and the portal won't warn you that it doesn't.
If you've set up a parent firewall policy with custom DNS settings (like pointing to Azure Private DNS Resolver or a custom DNS server) and then created child policies linked to it, those child policies will not automatically inherit the parent's DNS configuration. This is a confirmed bug in Azure Firewall Policy DNS inheritance. Your child policy's rules will fail to resolve domain names correctly, which shows up as mysterious application rule failures even when the rule itself looks correct.
The workaround right now is simple but tedious: configure DNS settings directly on each child policy individually. Don't rely on parent policy DNS inheritance until Microsoft ships the fix.
To configure DNS on a child policy:
- Go to Firewall Policies → [Child Policy Name] → DNS Settings.
- Set DNS Proxy to Enabled if you need DNS proxy functionality.
- Add your custom DNS server IP addresses explicitly.
- Click Save.
- Repeat for every child policy in your hierarchy.
While you're in DNS settings, also verify that your VNet's DNS server configuration points to the firewall's private IP (if you're using DNS proxy mode). If VMs in the spoke VNet are still using Azure's default DNS instead of routing through the firewall, FQDN-based rules won't work as expected.
# Verify DNS server config on a VNet via Azure CLI
az network vnet show \
--name <your-vnet> \
--resource-group <your-rg> \
--query "dhcpOptions.dnsServers"If this returns an empty array or the wrong IP, update your VNet DNS settings to point to the firewall's private IP address.
Two more Azure Firewall not working scenarios that are technically "working as designed" but feel completely broken in practice.
Threat intelligence alerts going silent: If you have broad network rules that allow outbound traffic on port 80 and 443 (like Allow-All-Outbound-HTTP) and you have threat intelligence mode set to Alert only, you won't see threat intelligence alerts for matching traffic. The network rule match happens first and the packet gets forwarded before the threat intel engine logs anything. This isn't a bug, it's rule priority working as designed, but it effectively silences your threat detection.
You have two fixes:
- Replace broad outbound network rules on 80/443 with explicit application rules instead. Application rules process through the threat intelligence engine before being allowed.
- Switch threat intelligence mode from Alert only to Alert and Deny, which changes the processing priority and ensures malicious destinations get blocked even when a network rule would otherwise allow the port.
To change threat intelligence mode: go to your Firewall Policy → Threat Intelligence → change the mode dropdown → Save.
ICMP and non-TCP/UDP protocols not working for internet-bound traffic: If you're trying to ping an internet host through Azure Firewall and it's failing, that's expected behavior. Network rules for non-TCP/UDP protocols (ICMP, GRE, etc.) don't work with SNAT to a public IP. The Standard Load Balancer backing Azure Firewall doesn't support SNAT for these protocol types on outbound internet traffic.
These protocols do work between spoke VNets and within private networks, just not for internet-bound traffic. Also note: if you want to configure ICMP in a network rule via PowerShell or CLI, that's another known gap, ICMP as a valid protocol is only supported through the Azure portal and the REST API today. PowerShell and CLI support is coming but not yet available.
Advanced Troubleshooting
If you've worked through all five steps and your Azure Firewall connectivity issues are still happening, it's time to dig into logs and more obscure configuration edge cases.
Enable Azure Firewall diagnostic logging first. Without logs, you're guessing. Go to your Azure Firewall resource → Diagnostic settings → Add diagnostic setting. Send AzureFirewallApplicationRule, AzureFirewallNetworkRule, and AzureFirewallDnsProxy logs to a Log Analytics workspace. Then use these KQL queries to find what's actually happening:
// Show all denied traffic in the last hour
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
| where msg_s contains "Deny"
| project TimeGenerated, msg_s, Resource
| order by TimeGenerated desc
| take 100// Find traffic to a specific destination IP
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where msg_s contains "10.0.0.5" // replace with your target IP
| project TimeGenerated, msg_s
| order by TimeGenerated descAvailability zones after deployment, secured virtual hubs. If you deployed Azure Firewall as part of an Azure Virtual WAN secured hub, you cannot configure or change availability zone assignments after deployment. This is by design. If you need to change zone coverage on a secured hub firewall, you need to delete and redeploy, there's no reconfigure path.
For standard VNet-injected firewalls, changing availability zones post-deployment is also limited. Check the official guidance on availability zone reconfiguration if you need to adjust zone coverage on an existing firewall without full redeployment.
Moving a firewall to a different resource group or subscription. I see this come up regularly when teams reorganize their Azure subscriptions. You cannot move an Azure Firewall to a different resource group or subscription using the normal Azure resource move process. The move will fail. The only supported path is to delete the existing firewall instance and recreate it in the target resource group or subscription. Plan this carefully, especially if you have complex rule sets or if the firewall IP is referenced in BGP routes or on-premises configurations.
Event tracking via Azure Activity Log. For allocation failures and deployment errors, go to your resource group → Activity Log → filter by the firewall resource name. Deployment failures show up here with error codes and operation details that the portal Overview blade doesn't expose. Look for Microsoft.Network/azureFirewalls/write operations with a Failed status.
If your firewall is stuck in a capacity-constrained zone and won't restart after being stopped, if you're seeing consistent packet drops that aren't explained by any rule or routing configuration, or if you've confirmed a private IP assignment issue that won't resolve with UDR updates, it's time to open a support ticket. Document your firewall's resource ID, the region and zone, and include exported diagnostic logs covering the 30 minutes around when the issue started. Go to Microsoft Support and open a Severity B or A ticket depending on production impact.
Prevention & Best Practices
Most Azure Firewall problems I see in production are preventable. They happen because teams deploy quickly, test lightly, and then discover edge cases under real traffic. Here's how to avoid the most painful ones.
Never stop a firewall in a capacity-constrained zone without a restart plan. The official docs are explicit about this: if you stop an existing Azure Firewall in certain capacity-restricted regions (South East Asia zone 3, for example), you might not be able to start it again. Before stopping any firewall for cost savings or maintenance, check the current capacity constraints list and have a fallback deployment ready in an unconstrained zone.
Nail down your private IP at deployment time. When you create the AzureFirewallSubnet, make it small and predictable, a /26 is the minimum, but sizing it correctly means fewer IPs to drift into. More importantly, note the private IP immediately after first deployment and build your UDRs with that IP documented. When you build infrastructure-as-code (ARM templates, Bicep, Terraform), capture the firewall's private IP as an output and feed it directly into your route table configurations so they're always in sync.
Use Firewall Policy over classic rules. If you're still using the classic rules experience, migrate to Azure Firewall Policy. Policy gives you better DNS controls, hierarchical policy structure, and cleaner rule group management. Just remember to configure DNS settings on each child policy individually until the inheritance bug is fixed.
Test your DNAT rules after every planned maintenance window. Because private DNAT rules need to be deleted before deallocation and reconfigured after, build this into your maintenance runbook. A post-maintenance checklist that verifies DNAT rule health prevents 2 a.m. calls about inbound services being unreachable.
- Enable diagnostic logging to Log Analytics from day one, not after something breaks.
- Always use application rules (not network rules) for HTTP/HTTPS outbound traffic so threat intelligence stays active.
- Set availability zones explicitly during deployment; don't rely on zone-redundant defaults in constrained regions.
- Document your firewall's private IP in your team's runbook and audit it every time you run a planned maintenance operation.
Frequently Asked Questions
How do I configure availability zones on an Azure Firewall after it's already deployed?
For standard VNet-injected Azure Firewalls, there is a reconfiguration path for availability zones post-deployment, check the Microsoft documentation on "How can I configure availability zones after deployment?" for the specific steps, which involve updating the firewall resource's zone configuration through the portal or ARM/Bicep. However, if your firewall is deployed as part of an Azure Virtual WAN secured hub, zone configuration is locked at deployment time and cannot be changed afterward, that's by design. Your only option with a secured hub is to delete and redeploy with the correct zone selection.
I stopped my Azure Firewall to save costs and now it won't start again, what do I do?
This is a known issue in capacity-constrained regions and zones. If your firewall is in a region like South East Asia physical zone 3 or Qatar Central, capacity constraints may prevent the firewall from restarting once stopped. The recommended path is to deploy a new Azure Firewall instance in an unconstrained availability zone within the same or a nearby region. Before doing that, export your firewall policy and rule configuration so you can reattach it to the new instance. This is a painful situation, which is exactly why the official guidance says to plan carefully before stopping firewall instances in constrained regions.
Why aren't my child firewall policies inheriting DNS settings from the parent policy?
This is a confirmed bug in Azure Firewall Policy. When you change DNS settings (like enabling DNS proxy or setting custom DNS server IPs) on a parent firewall policy, child policies linked to that parent don't automatically pick up those settings. As a result, rules in child policies may fail to resolve domain names correctly. The workaround is to configure DNS settings directly on each child policy rather than expecting them to flow down from the parent. Microsoft is working on a fix, but there's no ETA as of April 2026.
Can I use ICMP in Azure Firewall network rules via PowerShell or Azure CLI?
Not yet, unfortunately. Azure PowerShell and the Azure CLI don't currently support ICMP as a valid protocol in network rule definitions, if you try to specify ICMP as the protocol, it won't be accepted. The workaround is to configure ICMP rules directly through the Azure portal UI or via the REST API, both of which do support ICMP as a protocol today. Microsoft has acknowledged this gap and is working to add ICMP support in PowerShell and CLI, but it's not available yet. In the meantime, keep a portal or REST-based process for any rules that need ICMP.
Why are my Azure Firewall threat intelligence alerts not showing up?
The most common reason is that broad network rules allowing outbound traffic on port 80 or 443 are masking threat intelligence matches. When Azure Firewall processes traffic, it hits network rules before threat intelligence evaluation kicks in under alert-only mode, so if a matching network rule exists, it allows the packet and no threat intel alert fires. Switch to application rules for HTTP/HTTPS outbound traffic (they process through the threat intel engine properly), or change your threat intelligence mode from "Alert only" to "Alert and Deny." Either change will restore alert visibility.
Can I move an Azure Firewall to a different resource group or subscription in Azure?
No, Azure Firewall does not support the standard Azure resource move operation. If you attempt to move the firewall resource to a different resource group or subscription, it will fail. The only supported method is to delete the existing firewall instance and recreate it in the target location. Before deleting, make sure you've exported your Firewall Policy configuration, documented all public and private IP associations, noted your UDR next-hop IPs, and updated any on-premises or partner configurations that reference the firewall's IP addresses. It's a significant operation, so plan a proper maintenance window.