architecture-center
What does "Ensure all updates to the IP Groups and policies have an implicit firewall update that is run afterwards." mean?
As per the subject, reading through this doc I don't quite understand what this statement means.
If we, say, add a new IP address (CIDR/range) to an existing IP Group used in a firewall, is there an extra step to make it live / effective? If so, what is it?
From memory, a Firewall Policy update triggers an Update operation on the Firewall automatically; is this the same for an IP Group change?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 215d0a3c-ef5b-7581-dbdf-e418b4891276
- Version Independent ID: 3647b4bf-6a85-8257-5792-39c5eae6785f
- Content: Azure Well-Architected Framework review of Azure Firewall - Azure Architecture Center
- Content Source: docs/networking/guide/well-architected-framework-azure-firewall.md
- Service: architecture-center
- Sub-service: azure-guide
- GitHub Login: @rohilla-shweta
- Microsoft Alias: rosanto
Thank you for your feedback! We have assigned this issue to the author to review further and take the next course of action.
@mike-urnun-msft I am not the author for this. But I can get someone to review this. Please share what changes you suggest to make. Thanks!
@rohilla-shweta @mike-urnun-msft I'm not sure if that question is for me? If it is, the statement in the subject doesn't really make sense to me: what does "an implicit firewall update that is run afterwards" mean?
It's a minor thing, but it's suggesting that when you update an IP Group, there's an additional step?
@andyjballgit - I am unable to find the reference to "an implicit firewall update that is run afterwards" in the article. Can you please let us know the lines that are causing an issue?
Any Azure Firewall that references an IP Group will end up essentially getting an HTTP PUT against it to refresh the rules that involve that IP Group. Think of it this way: an IP Group is a "list of IPs" and Azure Firewall only knows about the IPs, not the group itself (meaning the IPs are "copied into the rules" instead of being referenced from the rules). So a change to an IP Group requires the rules in the consuming firewalls to update their static copy of the list.
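The practical consequence of the comment above is that an IP Group change is only "live" once every consuming firewall has finished its implicit update. The script below is an added example (not part of this issue, the linked article, or any Microsoft tooling) of the check an operator can run after such a change: it adds a CIDR to an IP Group, reads the group's read-only `firewalls` and `firewallPolicies` references, and polls each resource's `provisioningState` until it reports `Succeeded`. It assumes a logged-in Azure CLI; the resource group, group name and CIDR come from the hypothetical `IPGROUP_RG`, `IPGROUP_NAME` and `NEW_CIDR` variables, and `az resource show` is used so that no extension is required.

```shell
#!/usr/bin/env bash
# Added example, not from the issue thread or Microsoft docs. Confirms that the
# implicit update of every firewall / policy consuming an IP Group completed
# after the group changed. Requires a logged-in Azure CLI.
set -u

# Provisioning state of any ARM resource id. Kept as a separate function so it
# can be replaced by a stub when exercising the polling logic offline.
get_state() {
    az resource show --ids "$1" --query properties.provisioningState -o tsv
}

# Poll a resource until it is Succeeded. Arguments: id [max tries] [delay secs].
# Returns 0 on Succeeded, 1 on Failed, 2 when the tries are exhausted.
wait_until_succeeded() {
    local id=$1 tries=${2:-60} delay=${3:-10} i=0 state=""
    while [ "$i" -lt "$tries" ]; do
        state=$(get_state "$id")
        case "$state" in
            Succeeded) return 0 ;;
            Failed)    echo "FAILED: $id" >&2; return 1 ;;
        esac
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TIMEOUT: $id still reports '$state'" >&2
    return 2
}

# Add a CIDR to the group, then wait for the group itself and for every
# firewall / firewall policy that references it (read-only properties of the
# IP Group resource) to settle. Placeholder arguments: resource group, name, CIDR.
update_ipgroup_and_wait() {
    local rg=$1 name=$2 cidr=$3 id
    az network ip-group update -g "$rg" -n "$name" --add ipAddresses "$cidr" -o none
    for id in $(az network ip-group show -g "$rg" -n "$name" \
                --query "[id, firewalls[].id, firewallPolicies[].id] | []" -o tsv); do
        wait_until_succeeded "$id" || return $?
        echo "Succeeded: $id"
    done
}

# Only run the live flow when the placeholders are supplied via the environment.
if [ -n "${IPGROUP_RG:-}" ] && [ -n "${IPGROUP_NAME:-}" ] && [ -n "${NEW_CIDR:-}" ]; then
    update_ipgroup_and_wait "$IPGROUP_RG" "$IPGROUP_NAME" "$NEW_CIDR"
fi
```

Usage: `IPGROUP_RG=my-rg IPGROUP_NAME=my-ipgroup NEW_CIDR=10.20.30.0/24 ./ipgroup-update.sh`. A non-zero exit means one of the consuming firewalls either failed its update or had not converged within the polling window, which is the case where traffic matching the new range is not yet governed by the intended rule.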
I am still unable to find any reference to the question: "Ensure all updates to the IP Groups and policies have an implicit firewall update that is run afterwards." in the article. I am going to close the bug. @andyjballgit - please feel free to open another issue if you feel I closed this in error.