Azure Firewall — geo (country/region) filtering support & maintaining IP allow/deny lists

Question

Azure Firewall — geo (country/region) filtering support & maintaining IP allow/deny lists

Paul 20

Hi Team, Could you please confirm the current stance and best practices around geo filtering with Azure Firewall?

Geo filtering support

I don’t see a geolocation/country operator in Azure Firewall rule docs (NAT/Network/Application). Can you confirm whether Azure Firewall supports geo-based (country/region) filtering today? If not, is there a roadmap item you can share?

Official IP lists
- Does Microsoft provide official country-level CIDR lists that can be consumed in IP Groups for Azure Firewall?
- I know Microsoft publishes Azure IP Ranges & Service Tags (service/region lists) and a Service Tag Discovery API, but that appears to be service/region, not country. Please confirm.

1 answer

Your answer

Answer 1

Praveen Bandaru 9,245 Microsoft External Staff Moderator

Hello Paul
I understand that you would like clarification about geo-filtering features in Azure Firewall and whether Microsoft offers official country-level CIDR lists for use with IP Groups.

At present, Azure Firewall does not provide built-in geo-based (country or region) filtering within its NAT, Network, or Application rule configurations. Since there is no geolocation or country operator available in the rule documentation, native geo filtering is not supported in Azure Firewall. In contrast, Azure Web Application Firewall (WAF) on Azure Front Door and Application Gateway does offer this feature, allowing rules based on client IP addresses.

The web application firewall offers geo-filtering by letting you set up policies that restrict access using country codes. You can create custom rules with a match variable such as RemoteAddr or SocketAddr and use a geo-match operator.

For more details, refer to the Azure documentation

https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-geo-filtering

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/geomatch-custom-rules

Regarding official country-level CIDR lists for use in IP Groups with Azure Firewall, Microsoft does not offer CIDR lists organized by country. Azure does publish Azure IP Ranges & Service Tags and provides a Service Tag Discovery API, but these resources are defined at the service or region level rather than by country.

If geo-filtering is essential for your requirements, you may want to use Azure Front Door with WAF, as it fully supports these capabilities. For country-level IP allow/deny list management, you might need to explore custom approaches or use public resources to maintain your CIDR blocks when enforcing access via Azure Firewall.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Paul 20 Reputation points

2025-10-28T03:04:35.8633333+00:00

Thank you for the comprehensive explanation. I am interested in understanding how the IP Group feature can indirectly facilitate Geo-Filtering through Azure Firewall.
Praveen Bandaru 9,245 Reputation points Microsoft External Staff Moderator

2025-10-28T19:07:04.3466667+00:00
Hello Paul
Azure Firewall does not include a built-in “Geo-Filtering” feature like some web application firewalls.

However, you can use IP Groups to achieve similar functionality by organizing IP ranges from certain geographic regions and applying those groups within your firewall rules.

IP Groups are reusable entities that include several IP addresses or CIDR ranges. They make rule management easier by allowing you to reference the group, rather than specifying each IP address individually in every rule.

First, get the IP ranges for the countries or regions you want to permit or block. Microsoft provides IP ranges for Azure regions, and you can find country-based IP ranges from third-party sources.

Next, set up an IP Group for each region (such as US-IPs, EU-IPs, or APAC-IPs) and add the relevant CIDR blocks to each group.

Then, in Azure Firewall Network Rules or Application Rules, select these IP Groups in the source or destination fields as needed.

Benefits: You can update IP ranges in a single location instead of modifying multiple rules. This approach is easier to manage than handling hundreds of separate IP entries.

Limitations:
IP ranges can change or may not always be precise, so it's important to update them regularly to ensure accuracy. You need to provide the current ranges.

Check the reference document for more understanding:

IP Groups in Azure Firewall

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "accept answer "and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 9,245 Reputation points Microsoft External Staff Moderator

2025-10-30T08:02:41.12+00:00

Hello Paul

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "accept answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Azure Firewall — geo (country/region) filtering support & maintaining IP allow/deny lists

1 answer

Your answer