IP Groups in Azure Firewall

If you are planning to use Azure Firewall, you will definitely want to start using IP Groups. They let you group and manage IP addresses for Azure Firewall rules in one place, which makes your life much easier and saves you a lot of time on future changes.

IP groups can be used in the following places:

  • Source address in network rules
  • Source address in DNAT rules
  • Source address in application rules
  • Destination address in network rules

An IP Group can have the following as a source:

  • Single IP address (example:
  • Multiple IP addresses
  • IP Address ranges (example: or
  • Multiple IP ranges
  • Combinations of the above

IP Groups can be reused in Azure Firewall DNAT, network, and application rules for multiple firewalls across regions and subscriptions in Azure. Group names must be unique. You can configure an IP Group in the Azure portal, Azure CLI, or REST API.

Create IP Group (Azure Portal)

Go to the Azure Portal and open IP Groups (use the search bar if it is not among your last used icons).

On the IP Groups page, click Create.

Fill in the name of your desired IP Group.

Now fill in the IP addresses that you want to assign to this group.

Review the ranges that you've entered.

Once that is finished, you can go to your Azure Firewall and select the newly created IP Group.

Create IP Group (PowerShell)

If you want to automate the creation of IP Groups, you can use the following command to create an IP Group:

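$ipGroup = @{
    Name              = '2Azure Demo IP Group'
    ResourceGroupName = 'Firewall'
    Location          = 'West Europe'
    # The address values are missing from this page; replace the placeholders
    # with your own IP addresses, prefixes or ranges.
    IpAddress         = @('<ip-address-or-range-1>', '<ip-address-or-range-2>')
}

# Splat the hashtable as parameters to New-AzIpGroup (Az.Network module)
New-AzIpGroup @ipGroup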

IP address limits

You can have a maximum of 200 IP Groups per firewall, with a maximum of 5000 individual IP addresses or IP prefixes per IP Group.
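
A pre-flight check you could run on an address list before passing it to New-AzIpGroup, so that a mistyped address, a misaligned prefix or a duplicate does not end up as a rule source. This is an added example, not code from the original post; it assumes IPv4-only entries written as a single address, a CIDR prefix or a start-end range, and the function names ConvertTo-IPv4Number and Test-IpGroupEntry are hypothetical.

```powershell
# Added example, not from the original post. Assumes IPv4-only entries written as a
# single address, a CIDR prefix or a start-end range; function names are hypothetical.
$MaxEntriesPerGroup = 5000   # per-group limit quoted in this post

function ConvertTo-IPv4Number ([string]$Address) {
    # Strict dotted-quad parse; returns $null for anything else.
    if ($Address -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $null }
    $value = [long]0
    foreach ($i in 1..4) {
        $octet = [int]$Matches[$i]
        if ($octet -gt 255) { return $null }
        $value = $value * 256 + $octet
    }
    return $value
}

function Test-IpGroupEntry ([string[]]$Entry) {
    $seen = @{}
    foreach ($raw in $Entry) {
        $text = $raw.Trim(); $kind = 'Invalid'; $note = ''
        if ($text -match '^([^/]+)/(\d{1,2})$') {
            $base = $Matches[1]; $prefix = [int]$Matches[2]
            $address = ConvertTo-IPv4Number $base
            if ($null -ne $address -and $prefix -le 32) {
                $kind = 'Prefix'
                # A base address that is not on the prefix boundary is usually a typo.
                $blockSize = [long][math]::Pow(2, 32 - $prefix)
                if ($address % $blockSize -ne 0) { $note = 'host bits set; check the prefix' }
            }
        }
        elseif ($text -match '^([^-]+)-([^-]+)$') {
            $first, $last = $Matches[1], $Matches[2]
            $low = ConvertTo-IPv4Number $first; $high = ConvertTo-IPv4Number $last
            if ($null -ne $low -and $null -ne $high -and $low -le $high) { $kind = 'Range' }
        }
        elseif ($null -ne (ConvertTo-IPv4Number $text)) { $kind = 'Address' }
        if ($seen.ContainsKey($text)) { $note = 'duplicate entry' }
        $seen[$text] = $true
        [pscustomobject]@{ Entry = $text; Kind = $kind; Note = $note }
    }
}

# Constructed sample input (not from the post): three valid entries, then four problems.
$sample = '10.0.0.4', '10.1.0.0/24', '10.2.0.10-10.2.0.20', '10.3.0.300', '10.2.0.20-10.2.0.10', '10.1.0.7/24', '10.0.0.4'
$report = @(Test-IpGroupEntry $sample)
$report | Format-Table -AutoSize
$invalid = @($report | Where-Object { $_.Kind -eq 'Invalid' })
if ($invalid.Count -gt 0 -or $report.Count -gt $MaxEntriesPerGroup) {
    Write-Warning "$($invalid.Count) invalid of $($report.Count) entries (limit $MaxEntriesPerGroup); fix the list first."
}
```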
