470 Request Denied
The HTTP 470 Request Denied status code is an unofficial client error returned by Azure Firewall when an HTTP request is denied by the firewall's application rule engine. The response indicates no configured rule matched the request and the default deny action was applied.
Usage
Azure Firewall denies all traffic by default until rules are manually configured to allow traffic. When an outbound HTTP or HTTPS request from an Azure resource (virtual machine, AKS pod, App Service) passes through Azure Firewall and no application rule matches, the firewall returns 470 with a response body describing the denial.
The response body contains a diagnostic message:
Action: Deny. Reason: No rule matched.
Proceeding with default action.
Azure Firewall processes rules in a fixed order: DNAT rules first, then network rules, then application rules. Application rules evaluate HTTP and HTTPS traffic by inspecting the Host header (for HTTP) or SNI (for HTTPS). A 470 response means the request passed network-level checks but failed at the application rule stage.
Common scenarios producing 470 include:
- Missing application rules. The firewall has network rules allowing TCP port 443 but no application rule permitting the target FQDN. Network rules pass the connection, but the application rule engine blocks the request.
- FQDN mismatch. An application rule allows api.example.re but the request targets api-v2.example.re. The rule does not match and the default deny applies.
- Wildcard gaps. A wildcard rule for *.example.re does not match the bare domain example.re. Both forms require explicit entries.
- Rule priority conflicts. A higher-priority deny rule in a parent policy overrides a lower-priority allow rule in a child policy.
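The following model reproduces the four scenarios above in code. It is an illustration added to this page, not Azure Firewall's implementation; the matching semantics are assumptions taken from the page (exact FQDN match, a "*." wildcard that matches subdomains but never the apex, parent-policy collections evaluated before the child's so a parent deny wins, collections ordered by priority number lowest first, and default deny when nothing matches). The policy, collection and rule names are constructed.

```python
"""
Simplified model of Azure Firewall application-rule evaluation (added
illustration, not Azure's code). Semantics are assumptions drawn from the page.
"""
from dataclasses import dataclass, field

# Diagnostic body the page shows for the default-deny case.
DEFAULT_DENY_BODY = "Action: Deny. Reason: No rule matched.\nProceeding with default action."


@dataclass
class AppRule:
    name: str
    target_fqdns: list            # e.g. ["api.example.re", "*.cdn.example.re"]


@dataclass
class RuleCollection:
    name: str
    priority: int                 # lower number = evaluated earlier
    action: str                   # "Allow" or "Deny"
    rules: list = field(default_factory=list)


@dataclass
class Policy:
    collections: list
    parent: "Policy | None" = None


def fqdn_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.suffix' matching any label(s) below suffix, never the apex."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # "*.example.re" -> ".example.re"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def evaluate(policy: Policy, host: str):
    """Return (action, 'collection/rule') for the first match, or ('Deny', None)."""
    chain = []                        # root parent first, leaf child last
    p = policy
    while p is not None:
        chain.insert(0, p)
        p = p.parent
    for pol in chain:
        for coll in sorted(pol.collections, key=lambda c: c.priority):
            for rule in coll.rules:
                if any(fqdn_matches(t, host) for t in rule.target_fqdns):
                    return coll.action, f"{coll.name}/{rule.name}"
    return "Deny", None               # default action: nothing matched


def http_status(policy: Policy, host: str):
    """Map the decision to what the client sees: 470 for any application-rule deny."""
    action, matched = evaluate(policy, host)
    if action == "Allow":
        return 200, None              # forwarded; 200 stands in for the upstream reply
    if matched is None:
        return 470, DEFAULT_DENY_BODY
    return 470, f"Action: Deny. Rule: {matched}"   # constructed text for an explicit deny


def build_demo_policy() -> Policy:
    """Constructed parent/child policies reproducing the page's 470 scenarios."""
    parent = Policy([RuleCollection("corp-deny", 100, "Deny",
                                    [AppRule("block-social", ["*.social.example"])])])
    return Policy([
        RuleCollection("app-allow", 200, "Allow",
                       [AppRule("api", ["api.example.re", "*.cdn.example.re", "old.example.re"])]),
        RuleCollection("retired", 50, "Deny", [AppRule("old-api", ["old.example.re"])]),
        RuleCollection("social", 300, "Allow", [AppRule("feed", ["feed.social.example"])]),
    ], parent=parent)


if __name__ == "__main__":
    pol = build_demo_policy()
    for host in ["api.example.re", "api-v2.example.re", "cdn.example.re",
                 "img.cdn.example.re", "old.example.re", "feed.social.example"]:
        print(f"{host:22} -> {http_status(pol, host)[0]} {evaluate(pol, host)}")
```

Running the block prints one line per host: api.example.re and img.cdn.example.re are allowed; api-v2.example.re (FQDN mismatch) and cdn.example.re (wildcard gap) fall through to the default deny; old.example.re is denied by the lower-numbered child collection; feed.social.example is denied by the parent policy even though the child allows it.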
Note
Azure Firewall returns 470 only for application rule denials (HTTP/HTTPS traffic evaluated by FQDN). Network rule denials at the TCP/UDP level drop packets silently without returning an HTTP response.
Example
An application running on an Azure virtual machine makes an HTTPS request to an external API. Azure Firewall has no application rule allowing the target FQDN and returns 470.
Request
GET /v1/data HTTP/1.1
Host: api.example.re
Accept: application/json
Response
HTTP/1.1 470
Content-Type: text/plain
Content-Length: 70
Action: Deny. Reason: No rule matched.
Proceeding with default action.
How to fix
Open the Azure portal and navigate to the Azure Firewall instance handling the traffic.
- Check application rules. Verify an application rule exists permitting the target FQDN. Application rules match on FQDN, not IP address. A network rule allowing the IP does not substitute for an application rule when the firewall inspects HTTP/HTTPS traffic.
- Verify FQDN entries. Confirm the rule's target FQDN list matches the exact hostname in the request's Host header or TLS SNI. Wildcard rules (*.example.re) do not match the apex domain (example.re).
- Review rule priority. Azure Firewall processes rule collection groups by priority number (lowest first). A deny rule in a parent policy always takes precedence over child policy rules regardless of priority values. Check inherited policies for conflicting deny rules.
- Inspect firewall logs. Enable diagnostic logging to a Log Analytics workspace. Query the AzureDiagnostics table filtering on Category == "AzureFirewallApplicationRule" to see denied requests with the target FQDN, source IP, and matched rule collection.
- Use FQDN tags for Azure services. Azure Firewall provides built-in FQDN tags (e.g., AzureKubernetesService, WindowsUpdate) bundling the FQDNs required by common Azure services. Using tags avoids maintaining long FQDN lists manually.
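Once the application-rule log is flowing, the usual next step is to turn a batch of denial entries into the list of FQDNs that need allow rules. The helper below is an added example, not Microsoft's code: it parses the message text of application-rule log entries, keeps only denials, and groups them by FQDN with the sources and protocols seen, plus a check for the wildcard-gap case. The line format is an assumption modelled on the diagnostic message shown on this page, and the sample lines are constructed.

```python
"""
Triage of Azure Firewall application-rule log messages (added illustration).
Assumed line format, modelled on the page's diagnostic text:
  '<HTTP|HTTPS> request from <src>:<port> to <fqdn>:<port>. Action: <Allow|Deny>.'
  followed by ' Reason: <text>.' for a default deny, or
  ' Rule Collection: <name>. Rule: <name>.' for a matched rule.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<proto>HTTPS?) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<fqdn>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)\."
    r"(?: Reason: (?P<reason>[^.]+)\.)?"
    r"(?: Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>[^.]+)\.)?"
)

# Constructed sample entries (not real log data).
SAMPLE_LINES = [
    "HTTPS request from 10.0.1.4:52212 to api-v2.example.re:443. Action: Deny. "
    "Reason: No rule matched. Proceeding with default action.",
    "HTTPS request from 10.0.1.4:52213 to api.example.re:443. Action: Allow. "
    "Rule Collection: app-allow. Rule: api.",
    "HTTPS request from 10.0.1.7:41000 to api-v2.example.re:443. Action: Deny. "
    "Reason: No rule matched. Proceeding with default action.",
    "HTTP request from 10.0.2.9:33001 to example.re:80. Action: Deny. "
    "Reason: No rule matched. Proceeding with default action.",
    "malformed entry that the parser must skip",
]


def parse_line(line: str):
    """Return a dict of fields for a recognised line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fqdn"] = rec["fqdn"].lower()
    return rec


def summarize_denials(lines):
    """Group Deny entries by FQDN: hit count, distinct sources, protocols, reasons."""
    denied = defaultdict(lambda: {"count": 0, "sources": set(), "protocols": set(), "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        entry = denied[rec["fqdn"]]
        entry["count"] += 1
        entry["sources"].add(rec["src"])
        entry["protocols"].add(rec["proto"])
        entry["reasons"].add(rec["reason"] or "explicit deny rule")
    # Sorted lists make the summary stable and easy to diff between runs.
    return {
        fqdn: {k: (sorted(v) if isinstance(v, set) else v) for k, v in e.items()}
        for fqdn, e in sorted(denied.items())
    }


def apex_gaps(summary, allowed_patterns):
    """Denied FQDNs that are the apex of an allowed '*.' wildcard (the wildcard-gap case)."""
    apexes = {p[2:].lower() for p in allowed_patterns if p.startswith("*.")}
    return sorted(f for f in summary if f in apexes)


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LINES)
    for fqdn, info in summary.items():
        print(f"{fqdn}: {info['count']} denials from {info['sources']} via {info['protocols']}")
    print("apex entries missing next to a wildcard:", apex_gaps(summary, ["*.example.re"]))
```

The summary lists each denied FQDN with the sources that requested it, which is the input for the "Verify FQDN entries" step above; apex_gaps flags a denied bare domain whose wildcard is already allowed, so the apex entry can be added explicitly rather than widening the wildcard.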
Takeaway
The 470 Request Denied status code is an unofficial error returned by Azure Firewall when an HTTP or HTTPS request does not match any configured application rule. The firewall's default-deny posture blocks the request and returns a diagnostic message identifying the denial reason.