
"az network firewall policy rule-collection-group collection rule add" command does not properly set translatedFqdn #19760

@paolosalvatori

Description


Describe the bug

When you use the following Azure CLI command and you don't explicitly specify a value for the translatedFqdn property using the --translated-fqdn optional parameter, a NAT rule gets successfully created, but the Azure Firewall and Azure Firewall Policy do not properly route the traffic to the translated address:

```bash
az network firewall policy rule-collection-group collection rule add \
  --policy-name $firewallPolicyName \
  --resource-group $resourceGroupName \
  --rule-collection-group-name $ruleCollectionGroupName \
  --collection-name $dnatRuleCollectionName \
  --name $dnatRuleName \
  --rule-type NatRule \
  --destination-addresses $firewallPublicIpAddress \
  --destination-ports $destinationPort \
  --ip-protocols TCP \
  --source-addresses '*' \
  --translated-port $translatedPort \
  --translated-address $serviceExternalIpAddress 1>/dev/null
```

To Reproduce

Try to use the above command to create a NAT rule in a NAT rule collection: the rule will be created, but it won't work properly. If you instead create the same rule using the Azure portal, with the same data, it works as expected.

I used the following command to compare and contrast the rule created by the above Azure CLI command and the rule created by the Azure Portal:

```bash
az network firewall policy rule-collection-group collection list \
  --policy-name BabosbirdFirewallPolicy \
  --rule-collection-group-name DefaultDnatRuleCollectionGroup \
  --resource-group BabosbirdRG
```

The two rules are almost identical, apart from the value of the translatedFqdn property:

  • the Azure CLI command sets its value to ""
  • the Azure Portal sets its value to null

```json
[
  {
    "action": {
      "type": "Dnat"
    },
    "name": "DnatRules",
    "priority": 100,
    "ruleCollectionType": "FirewallPolicyNatRuleCollection",
    "rules": [
      {
        "description": null,
        "destinationAddresses": [
          "51.124.64.22"
        ],
        "destinationPorts": [
          "80"
        ],
        "ipProtocols": [
          "TCP"
        ],
        "name": "CreatedViaAzureCLI",
        "ruleType": "NatRule",
        "sourceAddresses": [
          "*"
        ],
        "sourceIpGroups": [],
        "translatedAddress": "51.137.8.127",
        "translatedFqdn": null,
        "translatedPort": "80"
      },
      {
        "description": null,
        "destinationAddresses": [
          "51.124.64.22"
        ],
        "destinationPorts": [
          "80"
        ],
        "ipProtocols": [
          "TCP"
        ],
        "name": "CreatedViaThePortal",
        "ruleType": "NatRule",
        "sourceAddresses": [
          "*"
        ],
        "sourceIpGroups": [],
        "translatedAddress": "51.137.8.127",
        "translatedFqdn": "",
        "translatedPort": "80"
      }
    ]
  }
]
```

Expected behavior

Please fix the Azure CLI so that the NAT rule properly routes the incoming traffic on the destination address to the translated address.

Environment summary

Tested using bash scripts in Azure DevOps and locally on WSL.

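The comparison the reporter did by eye (diffing a CLI-created NAT rule against a portal-created one and noticing that `translatedFqdn` is stored as `null` in one and `""` in the other) can be automated over the `collection list` output, so that the two cases are told apart instead of both printing as "empty". The script below is an added example and is not code from the issue or from Azure CLI; the embedded `LIST_OUTPUT` is the JSON pasted in the report above, and the function and variable names are the example's own. When fed real output it reads `az ... collection list -o json` from stdin.

```python
import json
import sys
from typing import Any

# Output of `az network firewall policy rule-collection-group collection list`
# as pasted in the report above: two NAT rules with the same target that
# differ only in how translatedFqdn was stored (null vs "").
LIST_OUTPUT = r'''
[
  {
    "action": {"type": "Dnat"},
    "name": "DnatRules",
    "priority": 100,
    "ruleCollectionType": "FirewallPolicyNatRuleCollection",
    "rules": [
      {
        "description": null,
        "destinationAddresses": ["51.124.64.22"],
        "destinationPorts": ["80"],
        "ipProtocols": ["TCP"],
        "name": "CreatedViaAzureCLI",
        "ruleType": "NatRule",
        "sourceAddresses": ["*"],
        "sourceIpGroups": [],
        "translatedAddress": "51.137.8.127",
        "translatedFqdn": null,
        "translatedPort": "80"
      },
      {
        "description": null,
        "destinationAddresses": ["51.124.64.22"],
        "destinationPorts": ["80"],
        "ipProtocols": ["TCP"],
        "name": "CreatedViaThePortal",
        "ruleType": "NatRule",
        "sourceAddresses": ["*"],
        "sourceIpGroups": [],
        "translatedAddress": "51.137.8.127",
        "translatedFqdn": "",
        "translatedPort": "80"
      }
    ]
  }
]
'''


def classify_fqdn(value: Any) -> str:
    """Name the three ways translatedFqdn can come back: JSON null, the empty
    string, or an actual FQDN. null and "" both print as nothing in most table
    output, which is exactly why the report had to look at the raw JSON."""
    if value is None:
        return "null"
    if value == "":
        return "empty string"
    return "fqdn"


def nat_rules(list_output: str) -> list[dict]:
    """Flatten every NatRule in every NAT rule collection of the list output."""
    rules = []
    for collection in json.loads(list_output):
        if collection.get("ruleCollectionType") != "FirewallPolicyNatRuleCollection":
            continue
        for rule in collection.get("rules", []):
            if rule.get("ruleType") == "NatRule":
                rules.append(dict(rule, collection=collection["name"]))
    return rules


def nat_rule_targets(list_output: str) -> list[dict]:
    """One row per NAT rule: where it forwards to and how translatedFqdn is stored."""
    return [
        {
            "collection": r["collection"],
            "rule": r["name"],
            "translatedAddress": r.get("translatedAddress"),
            "translatedPort": r.get("translatedPort"),
            "translatedFqdn": classify_fqdn(r.get("translatedFqdn")),
        }
        for r in nat_rules(list_output)
    ]


def diff_rules(list_output: str, name_a: str, name_b: str) -> dict:
    """Fields (other than the rule name) whose values differ between two rules,
    mapped to the (a, b) pair. The reporter's case yields {'translatedFqdn': (None, '')}."""
    by_name = {r["name"]: r for r in nat_rules(list_output)}
    a, b = by_name[name_a], by_name[name_b]
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if key != "name" and a.get(key) != b.get(key)
    }


if __name__ == "__main__":
    # Use real `az ... collection list -o json` output when piped in,
    # otherwise the sample from the report.
    data = sys.stdin.read() if not sys.stdin.isatty() else LIST_OUTPUT
    for row in nat_rule_targets(data):
        print(f"{row['collection']}/{row['rule']}: -> {row['translatedAddress']}:"
              f"{row['translatedPort']}  translatedFqdn is {row['translatedFqdn']}")
```

Running it against the report's JSON prints one line per rule with `translatedFqdn is null` for `CreatedViaAzureCLI` and `translatedFqdn is empty string` for `CreatedViaThePortal`, and `diff_rules` confirms that this is the only field the two rules disagree on.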