Forum Discussion

Kandrik
Copper Contributor
Feb 28, 2026
Solved

Priority between CIDR and FQDN rules in Microsoft Entra Private Access (GSA)

Hello. Question about prioritization between CIDR and FQDN rules in Microsoft Entra Private Access (GSA). Question: Hello everyone, I have a question about how rules are prioritized in Microsoft En...
  • Josimar-Hedler
    Mar 02, 2026

    Kandrik

    Hello,

    Excellent question.

    Based on the current product behavior and the configuration model exposed in the Forwarding Profile Priority field, rule evaluation follows the configured priority order. The client processes traffic according to this priority model.

    The client performs both DNS interception and IP-based traffic forwarding. However, the official documentation does not define a formal architectural precedence between FQDN-based rules and CIDR-based rules when overlaps exist.

    In scenarios where there is overlap between:

    • A broad CIDR range, for example 10.10.0.0/16
    • A specific FQDN that resolves to an IP within that same range

    The recommended architectural approach is to rely on explicit priority configuration rather than implicit rule-type assumptions.

    Best practice:

    • Assign higher priority to specific FQDN-based rules
    • Use broad CIDR ranges as fallback rules
    • Avoid relying on assumed internal evaluation order between rule types

    From an architectural standpoint, explicitly controlling priority ensures predictable behavior and prevents unintended traffic capture in overlapping scenarios.
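To make the overlap problem concrete, here is a small Python model of priority-ordered rule evaluation, added as an illustration of the answer above. It is not Microsoft's client code and not the GSA API; it assumes a lower priority number is evaluated first, and the rule names, app segment labels, hostname and DNS answer are constructed (only the 10.10.0.0/16 range comes from the thread). The `overlap_warnings` check is the kind of configuration lint a practitioner would run over an exported rule list before trusting it.

```python
"""Added illustration of priority-ordered forwarding-rule evaluation with
overlapping CIDR and FQDN rules. Not Microsoft's client code or the GSA API:
it assumes a lower priority number is evaluated first, and every rule name,
app segment label, hostname and DNS answer below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                        # "fqdn" or "cidr"
    match: str                       # hostname (".corp.example" = zone suffix) or CIDR
    app_segment: str                 # constructed: which app segment captures the flow
    priority: Optional[int] = None   # None = no explicit priority configured


# Constructed DNS answer: the specific FQDN resolves into the broad range.
SAMPLE_DNS = {"legacy-app.corp.example": "10.10.42.7"}

# Constructed rule sets. EXPLICIT_RULES follows the answer's advice (specific
# FQDN rule first, broad CIDR as fallback); IMPLICIT_RULES sets no priority
# and therefore depends on listing order.
EXPLICIT_RULES = [
    Rule("broad-corp-range", "cidr", "10.10.0.0/16", "CorpNetwork", priority=200),
    Rule("legacy-app-fqdn", "fqdn", "legacy-app.corp.example", "LegacyApp", priority=100),
]
IMPLICIT_RULES = [
    Rule("broad-corp-range", "cidr", "10.10.0.0/16", "CorpNetwork"),
    Rule("legacy-app-fqdn", "fqdn", "legacy-app.corp.example", "LegacyApp"),
]


def rule_matches(rule, host, ip):
    """True if the rule applies to a flow for hostname `host` / address `ip`."""
    if rule.kind == "fqdn":
        if host is None:
            return False
        pattern, h = rule.match.lower(), host.lower()
        if pattern.startswith("."):        # suffix match for a whole zone
            return h.endswith(pattern)
        return h == pattern                 # exact host match
    if rule.kind == "cidr":
        return ip is not None and ip_address(ip) in ip_network(rule.match, strict=False)
    raise ValueError(f"unknown rule kind: {rule.kind}")


def evaluate(rules, host=None, ip=None, dns=SAMPLE_DNS):
    """Return the first matching rule in priority order (lowest number first).
    Rules without an explicit priority are evaluated after the explicit ones,
    in listing order: that listing order is the 'assumed internal evaluation
    order' the answer says not to rely on."""
    if ip is None and host is not None:
        ip = dns.get(host.lower())

    def key(indexed):
        i, r = indexed
        return (r.priority is None, r.priority if r.priority is not None else 0, i)

    for _, rule in sorted(enumerate(rules), key=key):
        if rule_matches(rule, host, ip):
            return rule
    return None


def captured_by(rules, host, dns=SAMPLE_DNS):
    """Name of the rule that captures traffic to `host`, or None if nothing matches."""
    rule = evaluate(rules, host=host, dns=dns)
    return rule.name if rule else None


def overlap_warnings(rules, dns=SAMPLE_DNS):
    """Configuration check: flag each FQDN rule whose resolved address sits
    inside a CIDR rule unless the FQDN rule has an explicit, earlier priority."""
    warnings = []
    for f in (r for r in rules if r.kind == "fqdn"):
        ip = dns.get(f.match.lstrip(".").lower())
        if ip is None:
            continue
        for c in (r for r in rules if r.kind == "cidr"):
            if ip_address(ip) not in ip_network(c.match, strict=False):
                continue
            if f.priority is None or c.priority is None or f.priority >= c.priority:
                warnings.append(f"{f.name} ({ip}) overlaps {c.name} ({c.match}): "
                                "give the FQDN rule an explicit higher priority")
    return warnings


if __name__ == "__main__":
    target = "legacy-app.corp.example"
    print("explicit priorities ->", captured_by(EXPLICIT_RULES, target))
    print("no priorities       ->", captured_by(IMPLICIT_RULES, target))
    print("reversed listing    ->", captured_by(list(reversed(IMPLICIT_RULES)), target))
    for w in overlap_warnings(IMPLICIT_RULES):
        print("warning:", w)
```

With explicit priorities the specific FQDN rule captures the flow regardless of how the rules are listed; without them the same flow lands in whichever rule happens to be listed first, which is exactly the unpredictability the answer warns about.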