Infrastructure FQDNs

Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific to the platform and can't be used for other purposes.

The following services are included in the built-in rule collection:

  • Compute access to storage Platform Image Repository (PIR)
  • Managed disks status storage access
  • Azure Diagnostics and Logging (MDS)


You can override this built-in infrastructure rule collection by creating a deny-all application rule collection that is processed last among your own rule collections. That deny-all collection is always processed before the infrastructure rule collection. Anything not in the infrastructure rule collection is denied by default.
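
As an added illustration (not part of the original page), a deny-all application rule collection can be written as the following fragment of the `applicationRuleCollections` property of a `Microsoft.Network/azureFirewalls` resource that uses classic rules. The collection and rule names are hypothetical. Priority 65000 is the largest value a rule collection accepts, so this collection is evaluated after every other application rule collection you define.

```json
{
  "applicationRuleCollections": [
    {
      "name": "example-deny-all-last",
      "properties": {
        "priority": 65000,
        "action": { "type": "Deny" },
        "rules": [
          {
            "name": "example-deny-all-fqdns",
            "sourceAddresses": [ "*" ],
            "protocols": [
              { "protocolType": "Http", "port": 80 },
              { "protocolType": "Https", "port": 443 }
            ],
            "targetFqdns": [ "*" ]
          }
        ]
      }
    }
  ]
}
```

With this collection in place, the platform services listed above are no longer reachable through the built-in allowance, so any of them that workloads still need must be allowed explicitly in a collection with a lower priority number.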

Next steps