A Smarter Way to Manage Azure Firewall Policy Changes

I prefer to manage infrastructure through Infrastructure as Code (IaC), particularly with Terraform, because it provides consistency, scalability, and automation. However, I understand that not every organisation has the skills, resources, or appetite to adopt IaC. Some teams rely on the Azure Portal and need ways to make governance changes efficiently without introducing unnecessary risk. Draft + Deployment (Preview) is designed for those scenarios.

But if you’ve ever tried making changes in the portal, you know how tedious it can be. Managing Azure Firewall Policies at scale has always had a problem: each change needs to be deployed individually. If you’re rolling out a policy update across multiple Rule Collections (RCs) or Rule Collection Groups (RCGs), that means multiple deployments, each one requiring a fairly lengthy wait.

The new Draft + Deployment feature streamlines this. Instead of deploying every small change immediately, you can batch changes together, review them in a draft, and push them all at once. Less overhead, fewer deployments, and a cleaner way to manage policy updates.

Step 1: Create a Draft

The draft feature is designed for bulk updates and staged deployments. Instead of applying changes one at a time, you create a draft that will hold onto modifications until you’re ready to deploy them. This reduces deployment overhead and prevents partially applied configurations across environments.

If you’re making several related changes (updating multiple rules to allow access to a new service), you can consolidate them into one controlled release rather than deploying them in isolation.

Screenshot of new Draft + Deployment section

Step 2: Making Changes in Draft

The draft acts as a safe workspace where you can adjust policies before they go live. This is useful for workflows that require collaboration or approvals.

• High-impact changes stay isolated until approved – no accidental enforcement of an incomplete ruleset
• Easier collaboration – teams can review and finetune changes before rolling them out
• Better testing – see all updates together, reducing the risk of misconfigurations

Any changes you make won’t take effect until you the draft is deployed. This is especially useful in environments with strict governance policies where changes need thorough validation.

Screenshot updating rules into draft without applying

Step 3: Deploy All Changes at Once

Once everything is reviewed and ready, you can deploy the draft in one go. This replaces the current policy immediately.

• Eliminating the need for multiple incremental deployments
• Reduces policy drift by ensuring all updates go live simultaneously
• Makes compliance processes faster and more predictable

Once deployed, the new version fully replaces the old one, ensuring there’s always a single active policy in effect.

Screenshot reviewing all draft changes before deploying

Screenshot of confirmation that all changes will be pushed to firewall

Maybe not but having seen this problem out in the wild, I think for those using it this could be a real time saver!

Fewer deployments, more control: Instead of pushing each update separately, bundle them and deploy when ready. This saves time and reduces operational noise.

Better governance: In rule rich environments, approvals can be done before rules take effect, improving stability and compliance.

Immediate effect, no confusion: Once deployed, the changes are applied instantly and replace the existing policy version, no more tracking which policies are active and which need updates.

Use drafts for planned, large-scale changes. If you’re making multiple policy updates across different rule collections or collection groups, a draft ensures they all roll out in sync.

Get approvals early. Since a draft keeps changes isolated before deployment, involve security and compliance teams early to reduce last minute blockers.

Keep an eye on what’s active. Since there’s only one draft at a time, don’t leave unfinished changes sitting for too long.

Azure’s Draft + Deployment feature is a much needed improvement for managing firewall policies at scale. It reduces deployment overhead, ensures policies are fully updated before being deployed, and allows for more structured governance workflows. If you’re regularly updating Azure Firewall Policy, this feature could make your life a lot easier.