Announcing the new draft and deploy feature for Azure Firewall policy changes.
In today’s cloud-centric digital landscape, maintaining secure and scalable network infrastructure is essential for enterprises navigating dynamic workloads and compliance demands. Azure Firewall, Microsoft’s fully managed, cloud-native service, offers robust security capabilities including stateful packet inspection, advanced threat prevention, autoscaling, and centralized policy enforcement across distributed Azure environments. To further simplify policy administration, the recently introduced draft and deploy feature enables security teams to safely edit firewall policies in a staging environment and apply those changes atomically. This structured workflow supports collaborative review cycles, minimizes configuration risks, and streamlines updates—especially for organizations with formal governance and change-management requirements.
Challenges before draft and deploy:
Before draft and deploy, firewall policy updates faced several operational hurdles:
- Every change, however small, can take several minutes to deploy
- Organizations with strict change-management frameworks struggled to integrate policy updates into existing approval workflows.
- Direct application of rule changes increases the chance of errors that could block critical traffic or expose workloads.
How draft and deploy works:
Draft and deploy introduces a two-phase model that decouples editing from deployment:
Draft phase
- Clone the active policy into a temporary draft.
- Make and review multiple changes—add, modify, or remove rules—without affecting live traffic.
- Collaborate with peers, assign reviewers, and iterate until the draft meets requirements.
Deploy phase
- Validate the draft to catch unsupported or invalid configurations.
- Deploy the draft in a single, atomic operation that replaces the active policy.
This approach ensures policy consistency, minimizes deploy time, and reduces repetitive deployments.
Supported scenarios and limitations:
Azure Firewall draft and deploy is currently in preview and designed exclusively for Azure Firewall policies. Key points include:
|
Aspect |
Details |
|
Availability |
Preview feature for Azure Firewall policy only |
|
Supported configurations |
Standard and Premium SKUs; policies with classic rules are not supported |
|
Draft persistence |
Drafts are snapshots of the applied policy at the time of draft creation; changes to the live policy afterward are not auto reflected |
|
Rule collection group (RCG) |
Creating new RCGs within a draft is not supported; add RCGs directly to the live policy first |
|
Concurrent drafts |
Only one draft per policy at a time |
Using draft and deploy via the Azure portal:
- Navigate to your Firewall policy resource.
- Under “Policy management,” select Draft + Deployment.
- Click Create draft to clone the current policy.
- Edit rules and collections as needed, saving frequently. The below image shows that a new network rule named “Microsoft” has been added.
- After review, select Deploy draft to apply all changes atomically. The rule changes will be highlighted as shown in below image.
- Once successfully deployed, this process can be repeated to make further updates to your policy as needed. As we can see in the below image the newly added rule has been successfully deployed and is now part of the policy.
Azure CLI:
The following CLI commands could be used to update the policy draft. More information on CLI commands can be found here: Draft + Deployment CLI
|
Action |
Command |
|
Create a draft |
az network firewall policy draft create --name <policyName> --resource-group <rgName> |
|
List existing draft |
az network firewall policy draft list --name <policyName> --resource-group <rgName> |
|
Update draft |
az network firewall policy update --name <policyName> --resource-group <rgName> --rules <ruleFile> |
|
Deploy the draft |
az network firewall policy draft deploy --name <policyName> --resource-group <rgName> |
|
Delete a draft |
az network firewall policy draft delete --name <policyName> --resource-group <rgName> |
Troubleshooting scenarios:
Here are some of the common troubleshooting scenarios and their respective causes and resolutions.
|
Scenario |
Possible cause |
Resolution |
|
No changes in draft after edits |
Draft was created before policy updates |
Compare draft timestamp with change log; recreate or manually apply missing edits to the draft |
|
Commit validation errors |
Unsupported or invalid rule types |
Review draft for nested RCGs or invalid protocols; correct or remove unsupported configurations |
|
Draft creation fails |
Existing draft already present |
Deploy or delete the existing draft, then retry creation |
|
CLI error: “RGCA creation failed” |
Outdated or misconfigured CLI extension |
Update extension to v1.2.3 or higher; verify CLI configuration |
|
Deployment succeeds but no visible changes |
Draft missing latest edits |
Ensure all intended changes are included in the draft before deployment |
|
PowerShell/REST API draft creation fails |
Invalid API parameters |
Validate request schema against the Azure REST API documentation |
Conclusion:
Draft and deploy transforms Azure Firewall policy management by separating editing from deployment and enabling atomic policy updates. Organizations can now collaborate on complex rule changes, enforce governance, and maintain continuous security without sacrificing agility.
References:
Azure Firewall Draft + Deployment (preview) | Microsoft Learn
Microsoft