A Smarter Way to Manage Azure Firewall Policy Changes
I prefer to manage infrastructure through Infrastructure as Code (IaC), particularly with Terraform, because it provides consistency, scalability, and automation. However, I understand that not every organisation has the skills, resources, or appetite to adopt IaC. Some teams rely on the Azure Portal and need ways to make governance changes efficiently without introducing unnecessary risk. Draft + Deployment (Preview) is designed for those scenarios.
But if you’ve ever tried making changes in the portal, you know how tedious it can be. Managing Azure Firewall Policies at scale has always had a problem: each change needs to be deployed individually. If you’re rolling out a policy update across multiple Rule Collections (RCs) or Rule Collection Groups (RCGs), that means multiple deployments, each one requiring a fairly lengthy wait.
The new Draft + Deployment feature streamlines this. Instead of deploying every small change immediately, you can batch changes together, review them in a draft, and push them all at once. Less overhead, fewer deployments, and a cleaner way to manage policy updates.
How It Works – Step by Step
Step 1: Create a Draft
The draft feature is designed for bulk updates and staged deployments. Instead of applying changes one at a time, you create a draft that will hold onto modifications until you’re ready to deploy them. This reduces deployment overhead and prevents partially applied configurations across environments.
If you’re making several related changes (for example, updating multiple rules to allow access to a new service), you can consolidate them into one controlled release rather than deploying them in isolation.
Step 2: Making Changes in Draft
The draft acts as a safe workspace where you can adjust policies before they go live. This is useful for workflows that require collaboration or approvals.
High-impact changes stay isolated until approved – no accidental enforcement of an incomplete ruleset
Easier collaboration – teams can review and fine-tune changes before rolling them out
Better testing – see all updates together, reducing the risk of misconfigurations
Any changes you make won’t take effect until the draft is deployed. This is especially useful in environments with strict governance policies where changes need thorough validation.
Step 3: Deploy All Changes at Once
Once everything is reviewed and ready, you can deploy the draft in one go. This replaces the current policy immediately.
Eliminates the need for multiple incremental deployments
Reduces policy drift by ensuring all updates go live simultaneously
Makes compliance processes faster and more predictable
Once deployed, the new version fully replaces the old one, ensuring there’s always a single active policy in effect.
A Game Changer?
Maybe not, but having seen this problem out in the wild, I think for those using it this could be a real time saver!
Fewer deployments, more control: Instead of pushing each update separately, bundle them and deploy when ready. This saves time and reduces operational noise.
Better governance: In rule-rich environments, approvals can be done before rules take effect, improving stability and compliance.
Immediate effect, no confusion: Once deployed, the changes are applied instantly and replace the existing policy version, no more tracking which policies are active and which need updates.
Best Practices for Using Draft + Deployment
Use drafts for planned, large-scale changes. If you’re making multiple policy updates across different rule collections or collection groups, a draft ensures they all roll out in sync.
Get approvals early. Since a draft keeps changes isolated before deployment, involve security and compliance teams early to reduce last-minute blockers.
Keep an eye on what’s active. Since there’s only one draft at a time, don’t leave unfinished changes sitting for too long.
Final Thoughts
Azure’s Draft + Deployment feature is a much-needed improvement for managing firewall policies at scale. It reduces deployment overhead, ensures policies are fully updated before being deployed, and allows for more structured governance workflows. If you’re regularly updating Azure Firewall Policy, this feature could make your life a lot easier.
Before you go, and because it wouldn’t be a LinkedIn post by me without it, there’s a CLI version too…
az network firewall policy draft | Microsoft Learn
az network firewall policy draft create --policy-name
[--auto-learn-private-ranges {Disabled, Enabled}]
[--base-policy]
[--dns-servers]
[--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
[--explicit-proxy]
[--fqdns]
[--idps-mode {Alert, Deny, Off}]
[--ip-addresses]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--private-ranges]
[--sql {0, 1, f, false, n, no, t, true, y, yes}]
[--tags]
[--threat-intel-mode {Alert, Deny, Off}]
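The three steps above (create a draft, stage the rule changes, deploy everything at once) scripted against that CLI, as an added example that is not part of the original post or of Microsoft’s documentation. It assumes azure-cli with the `az network firewall policy draft` command group shown above and a matching `az network firewall policy rule-collection-group draft` group; the parameter names on the rule-collection-group draft commands mirror the non-draft commands and are an assumption. Resource group, policy and rule-collection-group names are constructed placeholders, and setting `AZ=echo` prints the commands instead of running them so the sequence can be reviewed offline.

```shell
#!/bin/sh
# Added example (not from the original post): stage several Azure Firewall
# Policy changes in one draft, review them, then deploy them in a single
# operation. Assumes azure-cli with the `az network firewall policy draft`
# and `az network firewall policy rule-collection-group draft` command groups;
# parameter names on the rule-collection-group draft commands are an
# assumption based on the non-draft commands. Names are placeholders.

AZ="${AZ:-az}"                       # set AZ=echo for a dry run that only prints commands

RG="${RG:-rg-hub-network}"           # placeholder resource group
POLICY="${POLICY:-afwp-hub}"         # placeholder firewall policy
RCG="${RCG:-rcg-shared-services}"    # placeholder rule collection group
RCG_PRIORITY=200

# Step 1: open the draft. Only one draft exists per policy, so every change
# staged after this point lands in the same draft. Policy-level settings
# (here the threat-intel mode) are set on the draft itself, not on the live policy.
create_draft() {
  "$AZ" network firewall policy draft create \
    --resource-group "$RG" --policy-name "$POLICY" \
    --threat-intel-mode Deny
}

# Step 2: stage the rule changes. Nothing here is enforced yet; the live
# policy keeps filtering traffic with its current rules.
stage_rule_changes() {
  "$AZ" network firewall policy rule-collection-group draft create \
    --resource-group "$RG" --policy-name "$POLICY" \
    --name "$RCG" --priority "$RCG_PRIORITY"

  # Two related rules for one new service go into the same draft, so they
  # cannot go live separately (the partial-rollout problem the post describes).
  "$AZ" network firewall policy rule-collection-group draft collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name "$RCG" \
    --name rc-allow-new-service --collection-priority 100 --action Allow \
    --rule-type NetworkRule --rule-name allow-app-to-db \
    --ip-protocols TCP \
    --source-addresses 10.10.1.0/24 \
    --destination-addresses 10.20.5.10 \
    --destination-ports 5432

  "$AZ" network firewall policy rule-collection-group draft collection rule add \
    --resource-group "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name "$RCG" \
    --collection-name rc-allow-new-service \
    --rule-type NetworkRule --name allow-app-to-cache \
    --ip-protocols TCP \
    --source-addresses 10.10.1.0/24 \
    --destination-addresses 10.20.5.11 \
    --destination-ports 6379
}

# Review: list the staged collections and rule names so approvers can inspect
# the draft before anything is enforced.
review_draft() {
  "$AZ" network firewall policy rule-collection-group draft show \
    --resource-group "$RG" --policy-name "$POLICY" --name "$RCG" \
    --query 'ruleCollections[].{collection:name,rules:rules[].name}' --output json
}

# Step 3: deploy everything at once. The draft replaces the live policy version.
deploy_draft() {
  "$AZ" network firewall policy draft deploy \
    --resource-group "$RG" --policy-name "$POLICY"
}

# The whole release, in order. Each step stops the run if it fails, so a
# half-built draft is never deployed.
run_release() {
  create_draft && stage_rule_changes && review_draft && deploy_draft
}

# Run against Azure only when explicitly asked: RUN_RELEASE=1 sh release.sh
# Dry run that just prints the command sequence: AZ=echo RUN_RELEASE=1 sh release.sh
if [ "${RUN_RELEASE:-0}" = "1" ]; then
  run_release
fi
```

The point of wiring the steps together with `&&` is that the deploy only happens after the draft has been created, fully populated and reviewed; a failed rule addition leaves the draft unfinished but the live policy untouched, which is exactly the isolation the feature is meant to give you.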
I’m not entirely sure who this is meant for, because if you’re managing infra with the CLI already there are far better ways of achieving this like ARM, Bicep, Terraform… 😃
See you out there!