Azure Network Security Blog

Draft and deploy - Azure Firewall policy changes [Preview]

ShabazShaik (Microsoft)
Jul 25, 2025
Announcing the new draft and deploy feature for Azure Firewall policy changes.

In today’s cloud-centric digital landscape, maintaining secure and scalable network infrastructure is essential for enterprises navigating dynamic workloads and compliance demands. Azure Firewall, Microsoft’s fully managed, cloud-native service, offers robust security capabilities including stateful packet inspection, advanced threat prevention, autoscaling, and centralized policy enforcement across distributed Azure environments. To further simplify policy administration, the recently introduced draft and deploy feature lets security teams edit a firewall policy in a draft copy, without touching live traffic, and then apply all of the accumulated changes in one atomic deployment. This structured workflow supports collaborative review cycles, reduces the risk of misconfiguration, and streamlines updates, especially for organizations with formal governance and change-management requirements.

Challenges before draft and deploy:

Before draft and deploy, firewall policy updates faced several operational hurdles:

  • Every change, however small, could take several minutes to deploy.
  • Organizations with strict change-management frameworks struggled to integrate policy updates into existing approval workflows.
  • Applying rule changes directly to the live policy increased the chance of errors that could block critical traffic or expose workloads.

How draft and deploy works:

Draft and deploy introduces a two-phase model that decouples editing from deployment: 

Draft phase 

  1. Clone the active policy into a temporary draft. 
  2. Make and review multiple changes—add, modify, or remove rules—without affecting live traffic. 
  3. Collaborate with peers, assign reviewers, and iterate until the draft meets requirements. 

Deploy phase 

  1. Validate the draft to catch unsupported or invalid configurations. 
  2. Deploy the draft in a single, atomic operation that replaces the active policy. 

This approach keeps the policy consistent, shortens the time spent waiting on deployments, and replaces a series of small deployments with a single one.

Supported scenarios and limitations:

Azure Firewall draft and deploy is currently in preview and designed exclusively for Azure Firewall policies. Key points include:

  Aspect                        Details
  Availability                  Preview feature for Azure Firewall policy only
  Supported configurations      Standard and Premium SKUs; policies with classic rules are not supported
  Draft persistence             Drafts are snapshots of the applied policy at the time of draft creation; changes made to the live policy afterwards are not reflected in the draft
  Rule collection group (RCG)   Creating new RCGs within a draft is not supported; add RCGs directly to the live policy first
  Concurrent drafts             Only one draft per policy at a time


Using draft and deploy via the Azure portal:

  • Navigate to your Firewall policy resource.
  • Under “Policy management,” select Draft + Deployment.
  • Click Create draft to clone the current policy.
  • Edit rules and collections as needed, saving frequently. In the screenshot below, a new network rule named “Microsoft” has been added to the draft.

    [Screenshot: draft with the new network rule “Microsoft” added]

  • After review, select Deploy draft to apply all changes atomically. The portal highlights the rule changes before they are applied, as shown below.

    [Screenshot: Deploy draft view highlighting the rule changes]

  • Once the deployment succeeds, the process can be repeated for further updates to the policy. In the screenshot below, the newly added rule is now part of the live policy.

    [Screenshot: live policy containing the deployed “Microsoft” rule]

Azure CLI:

The following CLI commands can be used to work with a policy draft. More information on the CLI commands can be found here: Draft + Deployment CLI

  • Create a draft: az network firewall policy draft create --name <policyName> --resource-group <rgName>
  • Show the existing draft: az network firewall policy draft show --name <policyName> --resource-group <rgName>
  • Update the draft: az network firewall policy draft update --name <policyName> --resource-group <rgName> for policy-level settings; rules inside the draft are edited with the az network firewall policy draft rule-collection-group subcommands, which mirror the non-draft az network firewall policy rule-collection-group commands. Note that az network firewall policy update targets the live policy, not the draft.
  • Deploy the draft: az network firewall policy draft deploy --name <policyName> --resource-group <rgName>
  • Delete a draft: az network firewall policy draft delete --name <policyName> --resource-group <rgName>
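Because a draft is a snapshot of the policy at creation time, anything added to the live policy afterwards (an incident-response block, for example) is silently removed when the draft is deployed, since deployment replaces the live policy wholesale. The following Python script is an added example and is not part of the original post or of Azure's own tooling. It takes three JSON exports of rule collection groups: the live policy captured right after the draft was created (base), the draft as it stands now, and the live policy now. It then reports what the draft intends to change, what drifted in the live policy since the snapshot, and which live rules the deployment would undo. It assumes the exports come from az network firewall policy rule-collection-group list -o json for the live policy and the corresponding draft rule-collection-group subcommand for the draft; the sample rule collection groups embedded below are constructed, not taken from a real policy, and follow the ARM field names (ruleCollections, ruleCollectionType, action, rules, ruleType).

```python
"""Pre-deploy drift check for an Azure Firewall policy draft (added example)."""
import copy
import json


# A rule is identified by its path: (rule collection group, rule collection, rule name).
# Collection-level settings (priority, type, Allow/Deny) decide what a rule does,
# so they are folded into the rule's serialised form before comparing.
def flatten(rcgs):
    index = {}
    for rcg in rcgs:
        for coll in rcg.get("ruleCollections", []):
            for rule in coll.get("rules", []):
                body = {"rcgPriority": rcg.get("priority"),
                        "collectionPriority": coll.get("priority"),
                        "collectionType": coll.get("ruleCollectionType"),
                        "action": coll.get("action"), "rule": rule}
                index[(rcg["name"], coll["name"], rule["name"])] = json.dumps(body, sort_keys=True)
    return index


def diff(old, new):
    """Rules added, removed or changed when going from old to new."""
    return {"added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new),
            "changed": sorted(k for k in old if k in new and old[k] != new[k])}


def check_deploy(base, draft, live):
    """Three-way comparison to run before `az network firewall policy draft deploy`.

    base  - rule collection groups of the live policy, captured right after the draft was created
    draft - rule collection groups of the draft as it stands now
    live  - rule collection groups of the live policy now

    Deploy replaces live with draft, so a rule whose live state differs from base
    (it changed after the snapshot) and is not carried by the draft is silently
    reverted. Such rules are reported under "undone_by_deploy".
    """
    b, d, l = flatten(base), flatten(draft), flatten(live)
    undone = sorted(k for k in set(b) | set(d) | set(l)
                    if l.get(k) != b.get(k) and d.get(k) != l.get(k))
    return {"intended": diff(b, d),          # what the draft means to change
            "drift": diff(b, l),             # what changed in the live policy since the snapshot
            "undone_by_deploy": undone,
            "safe_to_deploy": not undone}


# Constructed sample data (not a real policy); field names follow the ARM schema.
def network_rule(name, protocols, src, dst, ports):
    return {"name": name, "ruleType": "NetworkRule", "ipProtocols": protocols,
            "sourceAddresses": src, "destinationAddresses": dst, "destinationPorts": ports}


def filter_collection(name, priority, action, rules):
    return {"name": name, "priority": priority, "action": {"type": action},
            "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "rules": rules}


BASE_RCGS = [{"name": "DefaultNetworkRuleCollectionGroup", "priority": 200,
              "ruleCollections": [filter_collection("AllowWeb", 100, "Allow", [
                  network_rule("AllowHttps", ["TCP"], ["10.0.0.0/24"], ["*"], ["443"])])]}]


def make_draft():
    """The draft: the snapshot plus the new 'Microsoft' rule from the portal walkthrough."""
    draft = copy.deepcopy(BASE_RCGS)
    draft[0]["ruleCollections"][0]["rules"].append(
        network_rule("Microsoft", ["TCP"], ["10.0.0.0/24"], ["AzureCloud"], ["443"]))
    return draft


def make_live():
    """The live policy: an incident-response Deny collection was added after the draft was cloned."""
    live = copy.deepcopy(BASE_RCGS)
    live[0]["ruleCollections"].append(filter_collection("IncidentBlocks", 50, "Deny", [
        network_rule("BlockC2", ["Any"], ["*"], ["198.51.100.7"], ["*"])]))
    return live


if __name__ == "__main__":
    # With real exports: check_deploy(json.load(open("base.json")), json.load(open("draft.json")),
    #                                 json.load(open("live.json")))
    report = check_deploy(BASE_RCGS, make_draft(), make_live())
    print(json.dumps(report, indent=2))
    if not report["safe_to_deploy"]:
        raise SystemExit("Deploying would revert live changes; refresh the draft before deploying.")
```

Run it as a gate in the change-management pipeline: if safe_to_deploy is false, either fold the drifted rules into the draft or delete the draft and recreate it from the current policy before deploying. The base export is the piece most teams forget; capture it immediately after draft creation, because neither the draft nor the live policy alone can tell an intentional removal apart from a rule that was added to the live policy later.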

 

Troubleshooting scenarios:

Here are some common troubleshooting scenarios with their likely causes and resolutions.

  • No changes in draft after edits
    Possible cause: the draft was created before the policy updates were made.
    Resolution: compare the draft timestamp with the change log; recreate the draft or manually apply the missing edits to it.

  • Commit validation errors
    Possible cause: unsupported or invalid rule types.
    Resolution: review the draft for nested RCGs or invalid protocols; correct or remove the unsupported configurations.

  • Draft creation fails
    Possible cause: a draft already exists for the policy (only one is allowed at a time).
    Resolution: deploy or delete the existing draft, then retry creation.

  • CLI error: “RGCA creation failed”
    Possible cause: outdated or misconfigured CLI extension.
    Resolution: update the extension to v1.2.3 or higher and verify the CLI configuration.

  • Deployment succeeds but no visible changes
    Possible cause: the draft is missing the latest edits.
    Resolution: ensure all intended changes are saved in the draft before deploying.

  • PowerShell/REST API draft creation fails
    Possible cause: invalid API parameters.
    Resolution: validate the request schema against the Azure REST API documentation.


Conclusion: 

Draft and deploy transforms Azure Firewall policy management by separating editing from deployment and enabling atomic policy updates. Organizations can now collaborate on complex rule changes, enforce governance, and maintain continuous security without sacrificing agility. 

References: 

Azure Firewall Draft + Deployment (preview) | Microsoft Learn 

az network firewall policy draft | Microsoft Learn 
