
Unable to add/update Azure firewall policy application rule with a valid FQDN

Mr K 25 Reputation points
2026-03-10T10:26:07.5566667+00:00

I am trying to add an application rule into Azure firewall policy to allow a valid FQDN but it's failing the validation. PII is a valid FQDN belonging to University of Cambridge. I would like to do it only through Azure portal as I don't have a Test Firewall setup to try methods such as PowerShell, ARM/Bicep etc.


Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.


3 answers

  1. Praveen Bandaru 11,305 Reputation points Microsoft External Staff Moderator
    2026-03-24T08:40:33.9666667+00:00

    Hello Mr K,
    I understand that you're attempting to create an application rule in the Azure firewall to permit your subdomains, but it's failing due to an invalid FQDN error message.

    There is a known issue with this format, which is why implementing the rule is not working; my backend team is actively working to fix the issue.

    The problem occurs with FQDNs when there are exactly two characters after the dot (.), causing our validation to fail. For instance, FQDNs like www.cam.ac.uk or similar will not be accepted. Any domain with .XX, test.XX.contoso.com, or xx.test.contoso will also fail validation.

    You can set up rules using scripting, such as CLI or PowerShell commands.


    If the answer is helpful, please "Accept the answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  2. Alex Burlachenko 19,695 Reputation points
    2026-03-11T06:17:23.4+00:00

    Hi Mr K,

    actually this is not about Cambridge being invalid, it is about how Azure Firewall validates FQDNs in application rules. In Firewall Policy application rules you can't use a plain apex or certain formats the way you expect, and sometimes the portal validation is stricter than normal DNS logic.

    Try removing the scheme and make sure you are not adding http or https in the FQDN field; it must be just the hostname. Try using a wildcard like *.cam.ac.uk instead of www.cam.ac.uk because Azure Firewall application rules are really designed to match domains rather than single hostnames in some cases.

    Another thing to check is that you are not accidentally including spaces or invisible characters when pasting. The field must contain only the FQDN: no protocol, no port, no trailing slash.

    If it still fails in the portal but the format is clearly correct, this can be a portal validation bug. In that case the only real workaround is to try Azure CLI or PowerShell, because sometimes the backend accepts it even when the portal UI blocks it.

    So first try *.cam.ac.uk, then carefully retype www.cam.ac.uk manually, and if it still says invalid I would try CLI because the domain itself is absolutely valid.

    rgds,

    Alex

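Both answers above point to scripting as the workaround when the portal rejects the exact FQDN. The following is an added example (not code from the question or any of the answers) showing the Az PowerShell route for adding www.cam.ac.uk as an application rule target; the resource group, policy and rule collection group names, the collection priority and the source address range are placeholder assumptions.

```powershell
# Added example: create an Azure Firewall Policy application rule for an exact
# FQDN via Az PowerShell instead of the portal. Names and priorities are assumptions.
$resourceGroup = 'rg-network'                              # assumed resource group
$policyName    = 'fwpol-hub'                               # assumed firewall policy
$rcgName       = 'DefaultApplicationRuleCollectionGroup'   # assumed rule collection group
$sourceRange   = '10.0.0.0/16'                             # assumed client address space
$targetFqdn    = 'www.cam.ac.uk'   # exact hostname only: no scheme, port, path or whitespace

# The rule: HTTPS only, one exact target FQDN.
$rule = New-AzFirewallPolicyApplicationRule `
    -Name 'allow-cam-www' `
    -SourceAddress $sourceRange `
    -TargetFqdn $targetFqdn `
    -Protocol 'https:443'

# Put the rule in its own Allow filter collection; the priority must be unique in the group.
$collection = New-AzFirewallPolicyFilterRuleCollection `
    -Name 'allow-university-sites' `
    -Priority 200 `
    -Rule $rule `
    -ActionType Allow

$policy = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $resourceGroup
$rcg    = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName -AzureFirewallPolicy $policy

# Set-AzFirewallPolicyRuleCollectionGroup replaces the group's whole collection list,
# so keep the collections already present and append the new one.
$existing = @($rcg.Properties.RuleCollection | Where-Object { $_ })
if ($existing.Name -contains $collection.Name) {
    throw "Rule collection '$($collection.Name)' already exists; pick another name."
}
Set-AzFirewallPolicyRuleCollectionGroup `
    -Name $rcg.Name `
    -Priority $rcg.Properties.Priority `
    -RuleCollection ($existing + $collection) `
    -FirewallPolicyObject $policy

# Read the group back and confirm the exact FQDN was accepted by the backend.
$check = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName -AzureFirewallPolicy $policy
$check.Properties.RuleCollection.Rules | Where-Object { $_.TargetFqdns -contains $targetFqdn }
```

If the read-back returns nothing, the backend rejected the FQDN as well and the wildcard form suggested in the other answers is the remaining option.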

  3. Thanmayi Godithi 8,310 Reputation points Microsoft External Staff Moderator
    2026-03-10T10:58:46.89+00:00

    Hi @Mr K,

    Thank you for reaching out on Microsoft Q&A forum.

    I understand that you want to add an Application rule only via portal. As per the screenshot provided the error encountered was invalid FQDN.

    When you specify an exact FQDN like www.PII.PII.uk, the Azure portal validation can sometimes fail because Azure Firewall application rules rely on SNI/Host header inspection, and Microsoft recommends using left‑most wildcards for domain-based matching in application rules. Using *.PII.PII.uk aligns with the supported pattern and therefore passes validation successfully. [learn.microsoft.com]

    Using *.PII.PII.uk does not automatically mean all subdomains are being actively used or exposed. It simply allows traffic to any subdomain if and only if such a subdomain actually exists and is requested by the client. In your case, since only www.PII.PII.uk is in use, effectively only that hostname is matched at runtime. Azure Firewall does not create or assume additional subdomains—it only evaluates outbound traffic against the rule based on the requested FQDN.

    Microsoft documentation also clarifies that wildcards are supported only in application rules (HTTP/HTTPS, MSSQL) and must be placed on the left-most label (for example, *.contoso.com). This is the recommended and supported approach when exact FQDN validation fails in the portal.

    Kindly let us know if the above helps or you need further assistance on this issue.

    If the answer is helpful, please "Accept the answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

