From c76e5cdf397c5bfee225fbc74db5e13798a22e0e Mon Sep 17 00:00:00 2001
From: "samankal@microsoft.com"
Date: Sun, 26 Jan 2020 13:28:32 -0800
Subject: [PATCH 1/7] adding support for firewall policy on vnet firewall

---
 .../AzureFirewall/NewAzureFirewallCommand.cs | 48 ++++++++++++++-----
 1 file changed, 36 insertions(+), 12 deletions(-)

diff --git a/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs b/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
index 3ceeb6e628e4..76f9f68cfe40 100644
--- a/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
+++ b/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
@@ -255,22 +255,46 @@ private PSAzureFirewall CreateAzureFirewall()
 }
 else
 {
+
+ if (FirewallPolicyId != null && (this.ApplicationRuleCollection != null || this.NetworkRuleCollection != null || this.NatRuleCollection != null))
+ {
+ throw new ArgumentException("Firewall Policy and Rule Collections cannot coexist");
+ }
+
 var sku = new PSAzureFirewallSku();
 sku.Name = MNM.AzureFirewallSkuName.AZFWVNet;
 sku.Tier = MNM.AzureFirewallSkuTier.Standard;
- firewall = new PSAzureFirewall()
+ if (FirewallPolicyId != null)
 {
- Name = this.Name,
- ResourceGroupName = this.ResourceGroupName,
- Location = this.Location,
- ApplicationRuleCollections = this.ApplicationRuleCollection?.ToList(),
- NatRuleCollections = this.NatRuleCollection?.ToList(),
- NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
- ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
- ThreatIntelWhitelist = this.ThreatIntelWhitelist,
- PrivateRange = this.PrivateRange,
- Sku = sku
- };
+ firewall = new PSAzureFirewall()
+ {
+ Name = this.Name,
+ ResourceGroupName = this.ResourceGroupName,
+ Location = this.Location,
+ FirewallPolicy = FirewallPolicyId != null ? new MNM.SubResource(FirewallPolicyId) : null,
+ ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
+ ThreatIntelWhitelist = this.ThreatIntelWhitelist,
+ PrivateRange = this.PrivateRange,
+ Sku = sku
+ };
+ }
+ else
+ {
+ firewall = new PSAzureFirewall()
+ {
+ Name = this.Name,
+ ResourceGroupName = this.ResourceGroupName,
+ Location = this.Location,
+ ApplicationRuleCollections = this.ApplicationRuleCollection?.ToList(),
+ NatRuleCollections = this.NatRuleCollection?.ToList(),
+ NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
+ ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
+ ThreatIntelWhitelist = this.ThreatIntelWhitelist,
+ PrivateRange = this.PrivateRange,
+ Sku = sku
+ };
+ }
+
 
 if (this.Zone != null)
 {
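Review bot: The two `firewall = new PSAzureFirewall()` initializers in the new `if (FirewallPolicyId != null)` / `else` arms differ only in which properties are set, and the ternary on the `FirewallPolicy` line can never be false inside its own `if`, so the branch collapses into the single initializer below: the guard added at the top of the hunk already rejects a policy together with any rule collection, so `this.ApplicationRuleCollection?.ToList()` and the other two evaluate to null in the policy case and the built object is identical. Separately, `FirewallPolicyId != null` lets an empty string through to `new MNM.SubResource("")`; if the parameter is a string (it is passed straight into SubResource, which suggests so), `!string.IsNullOrEmpty(FirewallPolicyId)` is the tighter test in both the guard and the assignment, and the `ArgumentException` would be more useful to the caller with the parameter named, e.g. `throw new ArgumentException("Firewall Policy and Rule Collections cannot coexist", nameof(FirewallPolicyId));`. CreateAzureFirewall starts before and ends after this hunk, so any hub-SKU branch it may have is not covered by the new guard as far as this hunk shows.
```csharp
// … unchanged: coexistence guard and sku construction …
firewall = new PSAzureFirewall()
{
    Name = this.Name,
    ResourceGroupName = this.ResourceGroupName,
    Location = this.Location,
    // A policy reference and classic rule collections are mutually exclusive (guard above),
    // so whichever the caller did not supply simply stays null here.
    FirewallPolicy = FirewallPolicyId != null ? new MNM.SubResource(FirewallPolicyId) : null,
    ApplicationRuleCollections = this.ApplicationRuleCollection?.ToList(),
    NatRuleCollections = this.NatRuleCollection?.ToList(),
    NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
    ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
    ThreatIntelWhitelist = this.ThreatIntelWhitelist,
    PrivateRange = this.PrivateRange,
    Sku = sku
};
// … unchanged: Zone handling …
```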
From 86084c4759d993cd1c4c4466112f4e6cf91a52cc Mon Sep 17 00:00:00 2001
From: "samankal@microsoft.com"
Date: Sun, 2 Feb 2020 13:36:49 -0800
Subject: [PATCH 2/7] adding tests

---
 .../ScenarioTests/AzureFirewallTests.cs | 8 +
 .../ScenarioTests/AzureFirewallTests.ps1 | 645 +++++++++++++++++-
 src/Network/Network/ChangeLog.md | 2 +
 src/Network/Network/help/New-AzFirewall.md | 14 +
 4 files changed, 664 insertions(+), 5 deletions(-)

diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
index 8460010bdbb0..c8e42a812651 100644
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
@@ -81,5 +81,13 @@ public void TestAzureFirewallPrivateRangeCRUD()
 {
 TestRunner.RunTestScript("Test-AzureFirewallPrivateRangeCRUD");
 }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+ public void TestAzureFirewallWithFirewallPolicyCRUD()
+ {
+ TestRunner.RunTestScript("Test-AzureFirewallWithFirewallPolicyCRUD");
+ }
 }
 }
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
index 4d4b6fe8bd8c..cbbab162b65e 100644
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
@@ -21,7 +21,7 @@ function Test-AzureFirewallCRUD {
 $rgname = Get-ResourceGroupName
 $azureFirewallName = Get-ResourceName
 $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
- $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+ $location = Get-ProviderLocation $resourceTypeParent "eastus"
 
 $vnetName = Get-ResourceName
 $subnetName = "AzureFirewallSubnet"
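Review bot: The `$location` switch from "eastus2euap" to "eastus" in Test-AzureFirewallCRUD — and the same edit in Test-AzureFirewallCRUDWithZones, Test-AzureFirewallPIPAndVNETObjectTypeParams, Test-AzureFirewallAllocateAndDeallocate and Test-AzureFirewallThreatIntelWhitelistCRUD in the following hunks — is unrelated to the new policy test and is flipped back in PATCH 3/7 of this series. Recorded scenario sessions are keyed on the exact request URIs, so touching the region of five existing tests in a feature commit invalidates their recordings for nothing; keep the location edits out of this commit or squash it with the revert. The new `TestAzureFirewallWithFirewallPolicyCRUD` fact in AzureFirewallTests.cs should also carry the region it needs (`centraluseuap`, per the .ps1 body) in a comment, since that is the only test in the file that does not run in the shared region.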
@@ -486,7 +486,7 @@ function Test-AzureFirewallCRUDWithZones {
 $rgname = Get-ResourceGroupName
 $azureFirewallName = Get-ResourceName
 $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
- $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+ $location = Get-ProviderLocation $resourceTypeParent "eastus"
 
 $vnetName = Get-ResourceName
 $subnetName = "AzureFirewallSubnet"
@@ -848,7 +848,7 @@ function Test-AzureFirewallPIPAndVNETObjectTypeParams {
 $rgname = Get-ResourceGroupName
 $azureFirewallName = Get-ResourceName
 $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
- $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+ $location = Get-ProviderLocation $resourceTypeParent "eastus"
 
 $vnetName = Get-ResourceName
 $subnetName = "AzureFirewallSubnet"
@@ -1002,7 +1002,7 @@ function Test-AzureFirewallAllocateAndDeallocate {
 $rgname = Get-ResourceGroupName
 $azureFirewallName = Get-ResourceName
 $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
- $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+ $location = Get-ProviderLocation $resourceTypeParent "eastus"
 
 $vnetName = Get-ResourceName
 $subnetName = "AzureFirewallSubnet"
@@ -1165,7 +1165,7 @@ function Test-AzureFirewallThreatIntelWhitelistCRUD {
 $rgname = Get-ResourceGroupName
 $azureFirewallName = Get-ResourceName
 $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
- $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+ $location = Get-ProviderLocation $resourceTypeParent "eastus"
 
 $vnetName = Get-ResourceName
 $subnetName = "AzureFirewallSubnet"
@@ -1252,3 +1252,638 @@ function Test-AzureFirewallPrivateRangeCRUD { Clean-ResourceGroup $rgname } } + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.SYNOPSIS +Tests AzureFirewallCRUD. +#> +function Test-AzureFirewallCRUD { + # Setup + $rgname = Get-ResourceGroupName + $azureFirewallName = Get-ResourceName + $resourceTypeParent = "Microsoft.Network/AzureFirewalls" + $location = Get-ProviderLocation $resourceTypeParent "eastus" + + $vnetName = Get-ResourceName + $subnetName = "AzureFirewallSubnet" + $publicIpName = Get-ResourceName + + # AzureFirewallApplicationRuleCollection + $appRcName = "appRc" + $appRcPriority = 100 + $appRcActionType = "Allow" + + # AzureFirewallApplicationRuleCollection 2 + $appRc2Name = "appRc2" + $appRc2Priority = 101 + $appRc2ActionType = "Deny" + + # AzureFirewallApplicationRule 1 + $appRule1Name = "appRule" + $appRule1Desc = "desc1" + $appRule1Fqdn1 = "*google.com" + $appRule1Fqdn2 = "*microsoft.com" + $appRule1Protocol1 = "http:80" + $appRule1Port1 = 80 + $appRule1ProtocolType1 = "http" + $appRule1Protocol2 = "https:443" + $appRule1Port2 = 443 + $appRule1ProtocolType2 = "https" + $appRule1SourceAddress1 = "10.0.0.0" + + # AzureFirewallApplicationRule 2 + $appRule2Name = "appRule2" + $appRule2Fqdn1 = "*bing.com" + $appRule2Protocol1 = 
"http:8080" + $appRule2Port1 = 8080 + $appRule2ProtocolType1 = "http" + + # AzureFirewallApplicationRule 3 + $appRule3Name = "appRule3" + $appRule3Fqdn1 = "sql1.database.windows.net" + $appRule3Protocol1 = "mssql:1433" + $appRule3Port1 = 1433 + $appRule3ProtocolType1 = "mssql" + + # AzureFirewallNetworkRuleCollection + $networkRcName = "networkRc" + $networkRcPriority = 200 + $networkRcActionType = "Deny" + + # AzureFirewallNetworkRule 1 + $networkRule1Name = "networkRule" + $networkRule1Desc = "desc1" + $networkRule1SourceAddress1 = "10.0.0.0" + $networkRule1SourceAddress2 = "111.1.0.0/24" + $networkRule1DestinationAddress1 = "*" + $networkRule1Protocol1 = "UDP" + $networkRule1Protocol2 = "TCP" + $networkRule1Protocol3 = "ICMP" + $networkRule1DestinationPort1 = "90" + + # AzureFirewallNetworkRule 2 + $networkRule2Name = "networkRule2" + $networkRule2Desc = "desc2" + $networkRule2SourceAddress1 = "10.0.0.0" + $networkRule2SourceAddress2 = "111.1.0.0/24" + $networkRule2DestinationFqdn1 = "www.bing.com" + $networkRule2Protocol1 = "UDP" + $networkRule2Protocol2 = "TCP" + $networkRule2Protocol3 = "ICMP" + $networkRule2DestinationPort1 = "80" + + # AzureFirewallNatRuleCollection + $natRcName = "natRc" + $natRcPriority = 200 + + # AzureFirewallNatRule 1 + $natRule1Name = "natRule" + $natRule1Desc = "desc1" + $natRule1SourceAddress1 = "10.0.0.0" + $natRule1SourceAddress2 = "111.1.0.0/24" + $natRule1DestinationAddress1 = "1.2.3.4" + $natRule1Protocol1 = "UDP" + $natRule1Protocol2 = "TCP" + $natRule1DestinationPort1 = "90" + $natRule1TranslatedAddress = "10.1.2.3" + $natRule1TranslatedPort = "91" + + # AzureFirewallNatRule 2 + $natRule2Name = "natRule2" + $natRule2Desc = "desc2" + $natRule2SourceAddress1 = "10.0.0.0" + $natRule2SourceAddress2 = "111.1.0.0/24" + $natRule2Protocol1 = "UDP" + $natRule2Protocol2 = "TCP" + $natRule2DestinationPort1 = "95" + $natRule2TranslatedFqdn = "server1.internal.com" + $natRule2TranslatedPort = "96" + + try { + # Create the resource group + 
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" } + + # Create the Virtual Network + $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24 + $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet + # Get full subnet details + $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName + + # Create public ip + $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard + + # Create AzureFirewall (with no rules, ThreatIntel is in Alert mode by default) + $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName + + # Get AzureFirewall + $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname + + #verification + Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName + Assert-AreEqual $azureFirewallName $getAzureFirewall.Name + Assert-NotNull $getAzureFirewall.Location + Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location + Assert-NotNull $getAzureFirewall.Etag + Assert-AreEqual "Alert" $getAzureFirewall.ThreatIntelMode + Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count + Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id + Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id + Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress + Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id + Assert-AreEqual $publicip.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id + Assert-AreEqual 0 @($getAzureFirewall.ApplicationRuleCollections).Count + Assert-AreEqual 0 @($getAzureFirewall.NatRuleCollections).Count + Assert-AreEqual 0 
@($getAzureFirewall.NetworkRuleCollections).Count + + # list all Azure Firewalls in the resource group + $list = Get-AzFirewall -ResourceGroupName $rgname + Assert-AreEqual 1 @($list).Count + Assert-AreEqual $list[0].ResourceGroupName $getAzureFirewall.ResourceGroupName + Assert-AreEqual $list[0].Name $getAzureFirewall.Name + Assert-AreEqual $list[0].Location $getAzureFirewall.Location + Assert-AreEqual $list[0].Etag $getAzureFirewall.Etag + Assert-AreEqual @($list[0].IpConfigurations).Count @($getAzureFirewall.IpConfigurations).Count + Assert-AreEqual @($list[0].IpConfigurations)[0].Subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id + Assert-AreEqual @($list[0].IpConfigurations)[0].PublicIpAddress.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id + Assert-AreEqual @($list[0].IpConfigurations)[0].PrivateIpAddress $getAzureFirewall.IpConfigurations[0].PrivateIpAddress + Assert-AreEqual @($list[0].ApplicationRuleCollections).Count @($getAzureFirewall.ApplicationRuleCollections).Count + Assert-AreEqual @($list[0].NatRuleCollections).Count @($getAzureFirewall.NatRuleCollections).Count + Assert-AreEqual @($list[0].NetworkRuleCollections).Count @($getAzureFirewall.NetworkRuleCollections).Count + + # list all Azure Firewalls under subscription + $listAll = Get-AzureRmFirewall + Assert-NotNull $listAll + + $listAll = Get-AzureRmFirewall -Name "*" + Assert-NotNull $listAll + + $listAll = Get-AzureRmFirewall -ResourceGroupName "*" + Assert-NotNull $listAll + + $listAll = Get-AzureRmFirewall -ResourceGroupName "*" -Name "*" + Assert-NotNull $listAll + + # Create Application Rules + $appRule = New-AzFirewallApplicationRule -Name $appRule1Name -Description $appRule1Desc -Protocol $appRule1Protocol1, $appRule1Protocol2 -TargetFqdn $appRule1Fqdn1, $appRule1Fqdn2 -SourceAddress $appRule1SourceAddress1 + + $appRule2 = New-AzFirewallApplicationRule -Name $appRule2Name -Protocol $appRule2Protocol1 -TargetFqdn $appRule2Fqdn1 + + $appRule3 = 
New-AzFirewallApplicationRule -Name $appRule3Name -Protocol $appRule3Protocol1 -TargetFqdn $appRule3Fqdn1 + + # Create Application Rule Collection with 1 rule + $appRc = New-AzFirewallApplicationRuleCollection -Name $appRcName -Priority $appRcPriority -Rule $appRule -ActionType $appRcActionType + + # Add a rule to the rule collection using AddRule method + $appRc.AddRule($appRule2) + $appRc.AddRule($appRule3) + + # Create a second Application Rule Collection with 1 rule + $appRc2 = New-AzFirewallApplicationRuleCollection -Name $appRc2Name -Priority $appRc2Priority -Rule $appRule -ActionType $appRc2ActionType + + # Create Network Rule + $networkRule = New-AzFirewallNetworkRule -Name $networkRule1Name -Description $networkRule1Desc -Protocol $networkRule1Protocol1, $networkRule1Protocol2 -SourceAddress $networkRule1SourceAddress1, $networkRule1SourceAddress2 -DestinationAddress $networkRule1DestinationAddress1 -DestinationPort $networkRule1DestinationPort1 + $networkRule.AddProtocol($networkRule1Protocol3) + + # Test handling of incorrect values + Assert-ThrowsContains { $networkRule.AddProtocol() } "Cannot find an overload" + Assert-ThrowsContains { $networkRule.AddProtocol($null) } "A protocol must be provided" + Assert-ThrowsContains { $networkRule.AddProtocol("ABCD") } "Invalid protocol" + + # Create Network Rule Collection + $netRc = New-AzFirewallNetworkRuleCollection -Name $networkRcName -Priority $networkRcPriority -Rule $networkRule -ActionType $networkRcActionType + + # Create Second Network Rule + $networkRule2 = New-AzFirewallNetworkRule -Name $networkRule2Name -Description $networkRule2Desc -Protocol $networkRule2Protocol1, $networkRule2Protocol2 -SourceAddress $networkRule2SourceAddress1, $networkRule2SourceAddress2 -DestinationFqdn $networkRule2DestinationFqdn1 -DestinationPort $networkRule2DestinationPort1 + $networkRule2.AddProtocol($networkRule2Protocol3) + + # Add this second Network Rule to the rule collection + $netRc.AddRule($networkRule2) + + # 
Create a NAT rule + $natRule = New-AzFirewallNatRule -Name $natRule1Name -Description $natRule1Desc -Protocol $natRule1Protocol1 -SourceAddress $natRule1SourceAddress1, $natRule1SourceAddress2 -DestinationAddress $publicip.IpAddress -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort + $natRule.AddProtocol($natRule1Protocol2) + + # Test handling of incorrect values + Assert-ThrowsContains { $natRule.AddProtocol() } "Cannot find an overload" + Assert-ThrowsContains { $natRule.AddProtocol($null) } "A protocol must be provided" + Assert-ThrowsContains { $natRule.AddProtocol("ABCD") } "Invalid protocol" + # Test handling of ICMP protocol + Assert-ThrowsContains { + New-AzFirewallNatRule -Name $natRule1Name -Protocol $natRule1Protocol1, "ICMP" -SourceAddress $natRule1SourceAddress1 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort + } "The argument `"ICMP`" does not belong to the set" + Assert-ThrowsContains { $natRule.AddProtocol("ICMP") } "Invalid protocol" + + # Create second NAT rule + $natRule2 = New-AzFirewallNatRule -Name $natRule2Name -Description $natRule2Desc -Protocol $natRule2Protocol1 -SourceAddress $natRule2SourceAddress1, $natRule2SourceAddress2 -DestinationAddress $publicip.IpAddress -DestinationPort $natRule2DestinationPort1 -TranslatedFqdn $natRule2TranslatedFqdn -TranslatedPort $natRule2TranslatedPort + $natRule2.AddProtocol($natRule2Protocol2) + + # Create a NAT Rule Collection + $natRc = New-AzFirewallNatRuleCollection -Name $natRcName -Priority $natRcPriority -Rule $natRule + + # Add second NAT Rule to rule Collection + $natRc.AddRule($natRule2) + + # Add ApplicationRuleCollections to the Firewall using method AddApplicationRuleCollection + $azureFirewall.AddApplicationRuleCollection($appRc) + $azureFirewall.AddApplicationRuleCollection($appRc2) + 
+ # Add NatRuleCollections to the Firewall using method AddNatRuleCollection + $azureFirewall.AddNatRuleCollection($natRc) + + # Add NetworkRuleCollections to the Firewall using method AddNetworkRuleCollection + $azureFirewall.AddNetworkRuleCollection($netRc) + + # Update ThreatIntel mode + $azureFirewall.ThreatIntelMode = "Deny" + + # Set AzureFirewall + Set-AzFirewall -AzureFirewall $azureFirewall + + # Get AzureFirewall + $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName + $azureFirewallIpConfiguration = $getAzureFirewall.IpConfigurations + + #verification + Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName + Assert-AreEqual $azureFirewallName $getAzureFirewall.Name + Assert-NotNull $getAzureFirewall.Location + Assert-AreEqual $location $getAzureFirewall.Location + Assert-NotNull $getAzureFirewall.Etag + Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode + + Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count + Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id + Assert-NotNull $azureFirewallIpConfiguration[0].PublicIpAddress.Id + Assert-NotNull $azureFirewallIpConfiguration[0].PrivateIpAddress + + # Check rule collections + Assert-AreEqual 2 @($getAzureFirewall.ApplicationRuleCollections).Count + Assert-AreEqual 3 @($getAzureFirewall.ApplicationRuleCollections[0].Rules).Count + Assert-AreEqual 1 @($getAzureFirewall.ApplicationRuleCollections[1].Rules).Count + + Assert-AreEqual 1 @($getAzureFirewall.NatRuleCollections).Count + Assert-AreEqual 2 @($getAzureFirewall.NatRuleCollections[0].Rules).Count + + Assert-AreEqual 1 @($getAzureFirewall.NetworkRuleCollections).Count + Assert-AreEqual 2 @($getAzureFirewall.NetworkRuleCollections[0].Rules).Count + + $appRc = $getAzureFirewall.GetApplicationRuleCollectionByName($appRcName) + $appRule = $appRc.GetRuleByName($appRule1Name) + $appRule2 = $appRc.GetRuleByName($appRule2Name) + $appRule3 = $appRc.GetRuleByName($appRule3Name) + + # Verify application 
rule collection 1 + Assert-AreEqual $appRcName $appRc.Name + Assert-AreEqual $appRcPriority $appRc.Priority + Assert-AreEqual $appRcActionType $appRc.Action.Type + + # Verify application rule 1 + Assert-AreEqual $appRule1Name $appRule.Name + Assert-AreEqual $appRule1Desc $appRule.Description + + Assert-AreEqual 1 $appRule.SourceAddresses.Count + Assert-AreEqual $appRule1SourceAddress1 $appRule.SourceAddresses[0] + + Assert-AreEqual 2 $appRule.Protocols.Count + Assert-AreEqual $appRule1ProtocolType1 $appRule.Protocols[0].ProtocolType + Assert-AreEqual $appRule1ProtocolType2 $appRule.Protocols[1].ProtocolType + Assert-AreEqual $appRule1Port1 $appRule.Protocols[0].Port + Assert-AreEqual $appRule1Port2 $appRule.Protocols[1].Port + + Assert-AreEqual 2 $appRule.TargetFqdns.Count + Assert-AreEqual $appRule1Fqdn1 $appRule.TargetFqdns[0] + Assert-AreEqual $appRule1Fqdn2 $appRule.TargetFqdns[1] + + # Verify application rule 2 + Assert-AreEqual $appRule2Name $appRule2.Name + Assert-Null $appRule2.Description + + Assert-AreEqual 0 $appRule2.SourceAddresses.Count + + Assert-AreEqual 1 $appRule2.Protocols.Count + Assert-AreEqual $appRule2ProtocolType1 $appRule2.Protocols[0].ProtocolType + Assert-AreEqual $appRule2Port1 $appRule2.Protocols[0].Port + + Assert-AreEqual 1 $appRule2.TargetFqdns.Count + Assert-AreEqual $appRule2Fqdn1 $appRule2.TargetFqdns[0] + + # Verify application rule 3 + Assert-AreEqual $appRule3Name $appRule3.Name + Assert-Null $appRule3.Description + + Assert-AreEqual 0 $appRule3.SourceAddresses.Count + + Assert-AreEqual 1 $appRule3.Protocols.Count + Assert-AreEqual $appRule3ProtocolType1 $appRule3.Protocols[0].ProtocolType + Assert-AreEqual $appRule3Port1 $appRule3.Protocols[0].Port + + Assert-AreEqual 1 $appRule3.TargetFqdns.Count + Assert-AreEqual $appRule3Fqdn1 $appRule3.TargetFqdns[0] + + # Verify application rule collection 2 + $appRc2 = $getAzureFirewall.GetApplicationRuleCollectionByName($appRc2Name) + + Assert-AreEqual $appRc2Name $appRc2.Name + 
Assert-AreEqual $appRc2Priority $appRc2.Priority + Assert-AreEqual $appRc2ActionType $appRc2.Action.Type + + # Verify application rule + $appRule = $appRc2.GetRuleByName($appRule1Name) + + Assert-AreEqual $appRule1Name $appRule.Name + Assert-AreEqual $appRule1Desc $appRule.Description + + Assert-AreEqual 1 $appRule.SourceAddresses.Count + Assert-AreEqual $appRule1SourceAddress1 $appRule.SourceAddresses[0] + + Assert-AreEqual 2 $appRule.Protocols.Count + Assert-AreEqual $appRule1ProtocolType1 $appRule.Protocols[0].ProtocolType + Assert-AreEqual $appRule1ProtocolType2 $appRule.Protocols[1].ProtocolType + Assert-AreEqual $appRule1Port1 $appRule.Protocols[0].Port + Assert-AreEqual $appRule1Port2 $appRule.Protocols[1].Port + + Assert-AreEqual 2 $appRule.TargetFqdns.Count + Assert-AreEqual $appRule1Fqdn1 $appRule.TargetFqdns[0] + Assert-AreEqual $appRule1Fqdn2 $appRule.TargetFqdns[1] + + # Verify NAT rule collection and NAT rules + $natRc = $getAzureFirewall.GetNatRuleCollectionByName($natRcName) + $natRule = $natRc.GetRuleByName($natRule1Name) + + Assert-AreEqual $natRcName $natRc.Name + Assert-AreEqual $natRcPriority $natRc.Priority + + Assert-AreEqual $natRule1Name $natRule.Name + Assert-AreEqual $natRule1Desc $natRule.Description + + Assert-AreEqual 2 $natRule.SourceAddresses.Count + Assert-AreEqual $natRule1SourceAddress1 $natRule.SourceAddresses[0] + Assert-AreEqual $natRule1SourceAddress2 $natRule.SourceAddresses[1] + + Assert-AreEqual 1 $natRule.DestinationAddresses.Count + Assert-AreEqual $publicip.IpAddress $natRule.DestinationAddresses[0] + + Assert-AreEqual 2 $natRule.Protocols.Count + Assert-AreEqual $natRule1Protocol1 $natRule.Protocols[0] + Assert-AreEqual $natRule1Protocol2 $natRule.Protocols[1] + + Assert-AreEqual 1 $natRule.DestinationPorts.Count + Assert-AreEqual $natRule1DestinationPort1 $natRule.DestinationPorts[0] + + Assert-AreEqual $natRule1TranslatedAddress $natRule.TranslatedAddress + Assert-AreEqual $natRule1TranslatedPort 
$natRule.TranslatedPort + + $natRule2 = $natRc.GetRuleByName($natRule2Name) + + Assert-AreEqual $natRule2Name $natRule2.Name + Assert-AreEqual $natRule2Desc $natRule2.Description + + Assert-AreEqual 2 $natRule2.SourceAddresses.Count + Assert-AreEqual $natRule2SourceAddress1 $natRule2.SourceAddresses[0] + Assert-AreEqual $natRule2SourceAddress2 $natRule2.SourceAddresses[1] + + Assert-AreEqual 1 $natRule2.DestinationAddresses.Count + Assert-AreEqual $publicip.IpAddress $natRule2.DestinationAddresses[0] + + Assert-AreEqual 2 $natRule2.Protocols.Count + Assert-AreEqual $natRule2Protocol1 $natRule2.Protocols[0] + Assert-AreEqual $natRule2Protocol2 $natRule2.Protocols[1] + + Assert-AreEqual 1 $natRule2.DestinationPorts.Count + Assert-AreEqual $natRule2DestinationPort1 $natRule2.DestinationPorts[0] + + Assert-AreEqual $natRule2TranslatedFqdn $natRule2.TranslatedFqdn + Assert-AreEqual $natRule2TranslatedPort $natRule2.TranslatedPort + + # Verify network rule collection and network rules + $networkRc = $getAzureFirewall.GetNetworkRuleCollectionByName($networkRcName) + $networkRule = $networkRc.GetRuleByName($networkRule1Name) + + Assert-AreEqual $networkRcName $networkRc.Name + Assert-AreEqual $networkRcPriority $networkRc.Priority + Assert-AreEqual $networkRcActionType $networkRc.Action.Type + + Assert-AreEqual $networkRule1Name $networkRule.Name + Assert-AreEqual $networkRule1Desc $networkRule.Description + + Assert-AreEqual 2 $networkRule.SourceAddresses.Count + Assert-AreEqual $networkRule1SourceAddress1 $networkRule.SourceAddresses[0] + Assert-AreEqual $networkRule1SourceAddress2 $networkRule.SourceAddresses[1] + + Assert-AreEqual 1 $networkRule.DestinationAddresses.Count + Assert-AreEqual $networkRule1DestinationAddress1 $networkRule.DestinationAddresses[0] + + Assert-AreEqual 3 $networkRule.Protocols.Count + Assert-AreEqual $networkRule1Protocol1 $networkRule.Protocols[0] + Assert-AreEqual $networkRule1Protocol2 $networkRule.Protocols[1] + Assert-AreEqual 
$networkRule1Protocol3 $networkRule.Protocols[2] + + Assert-AreEqual 1 $networkRule.DestinationPorts.Count + Assert-AreEqual $networkRule1DestinationPort1 $networkRule.DestinationPorts[0] + + $networkRule2 = $networkRc.GetRuleByName($networkRule2Name) + + Assert-AreEqual $networkRule2Name $networkRule2.Name + Assert-AreEqual $networkRule2Desc $networkRule2.Description + + Assert-AreEqual 2 $networkRule2.SourceAddresses.Count + Assert-AreEqual $networkRule2SourceAddress1 $networkRule2.SourceAddresses[0] + Assert-AreEqual $networkRule2SourceAddress2 $networkRule2.SourceAddresses[1] + + Assert-AreEqual 1 $networkRule2.DestinationFqdns.Count + Assert-AreEqual $networkRule2DestinationFqdn1 $networkRule2.DestinationFqdns[0] + + Assert-AreEqual 3 $networkRule2.Protocols.Count + Assert-AreEqual $networkRule2Protocol1 $networkRule2.Protocols[0] + Assert-AreEqual $networkRule2Protocol2 $networkRule2.Protocols[1] + Assert-AreEqual $networkRule2Protocol3 $networkRule2.Protocols[2] + + Assert-AreEqual 1 $networkRule2.DestinationPorts.Count + Assert-AreEqual $networkRule2DestinationPort1 $networkRule2.DestinationPorts[0] + + # Delete AzureFirewall + $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force + Assert-AreEqual true $delete + + # Delete VirtualNetwork + $delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force + Assert-AreEqual true $delete + + $list = Get-AzFirewall -ResourceGroupName $rgname + Assert-AreEqual 0 @($list).Count + } + finally { + # Cleanup + Clean-ResourceGroup $rgname + } +} + +<# +.SYNOPSIS +Tests AzureFirewall Set and Remove IpConfiguration +#> +function Test-AzureFirewallVirtualHubCRUD { + # Setup + $rgname = Get-ResourceGroupName + $azureFirewallName = Get-ResourceName + $resourceTypeParent = "Microsoft.Network/AzureFirewalls" + $policyLocation = "westcentralus" + $location = Get-ProviderLocation $resourceTypeParent + $azureFirewallPolicyName = Get-ResourceName + $sku = 
"AZFW_Hub" + $tier = "Standard" + + try { + # Create the resource group + $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" } + + # Create AzureFirewallPolicy (with no rules, ThreatIntel is in Alert mode by default) + $azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $policyLocation + + # Get the AzureFirewallPolicy + $getazureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname + + + Assert-NotNull $azureFirewallPolicy + Assert-NotNull $getazureFirewallPolicy.Id + + $azureFirewallPolicyId = $getazureFirewallPolicy.Id + + New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -Sku $sku -FirewallPolicyId $azureFirewallPolicyId + + # Get AzureFirewall + $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname + + #verification + Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName + Assert-AreEqual $azureFirewallName $getAzureFirewall.Name + Assert-NotNull $getAzureFirewall.Location + Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location + Assert-NotNull $sku $getAzureFirewall.Sku + Assert-AreEqual $sku $getAzureFirewall.Sku.Name + Assert-AreEqual $tier $getAzureFirewall.Sku.Tier + Assert-NotNull $getAzureFirewall.FirewallPolicy + Assert-AreEqual $azureFirewallPolicyId $getAzureFirewall.FirewallPolicy.Id + } + finally { + # Cleanup + Clean-ResourceGroup $rgname + } +} + +<# +.SYNOPSIS +Tests AzureFirewallCRUD. 
+#> +function Test-AzureFirewallWithFirewallPolicyCRUD { + # Setup + $rgname = Get-ResourceGroupName + $azureFirewallName = Get-ResourceName + $resourceTypeParent = "Microsoft.Network/AzureFirewalls" + $firewallPolicyLocation = Get-ProviderLocation $resourceTypeParent "eastus" + $location = Get-ProviderLocation $resourceTypeParent "centraluseuap" + + $vnetName = Get-ResourceName + $subnetName = "AzureFirewallSubnet" + $publicIpName = Get-ResourceName + $azureFirewallPolicyName = Get-ResourceName + + try { + # Create the resource group + $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" } + + # Create the Virtual Network + $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24 + $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet + # Get full subnet details + $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName + + # Create public ip + $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard + + + # Create AzureFirewallPolicy (with no rules, ThreatIntel is in Alert mode by default) + $azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $firewallPolicyLocation + + # Get the AzureFirewallPolicy + $getazureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname + + + # Create AzureFirewall (with no rules, ThreatIntel is in Alert mode by default) + $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName -FirewallPolicyId $azureFirewallPolicyId + + # Get AzureFirewall + $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname + + #verification + Assert-AreEqual 
$rgName $getAzureFirewall.ResourceGroupName + Assert-AreEqual $azureFirewallName $getAzureFirewall.Name + Assert-NotNull $getAzureFirewall.Location + Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location + Assert-NotNull $getAzureFirewall.Etag + Assert-AreEqual "Alert" $getAzureFirewall.ThreatIntelMode + Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count + Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id + Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id + Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress + Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id + Assert-AreEqual $publicip.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id + Assert-AreEqual 0 @($getAzureFirewall.ApplicationRuleCollections).Count + Assert-AreEqual 0 @($getAzureFirewall.NatRuleCollections).Count + Assert-AreEqual 0 @($getAzureFirewall.NetworkRuleCollections).Count + Assert-AreEqual $azureFirewallPolicyId $getAzureFirewall.FirewallPolicy.Id + + # Update ThreatIntel mode + $azureFirewall.ThreatIntelMode = "Deny" + + # Set AzureFirewall + Set-AzFirewall -AzureFirewall $azureFirewall + + # Get AzureFirewall + $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName + $azureFirewallIpConfiguration = $getAzureFirewall.IpConfigurations + + #verification + Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName + Assert-AreEqual $azureFirewallName $getAzureFirewall.Name + Assert-NotNull $getAzureFirewall.Location + Assert-AreEqual $location $getAzureFirewall.Location + Assert-NotNull $getAzureFirewall.Etag + Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode + + Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count + Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id + Assert-NotNull $azureFirewallIpConfiguration[0].PublicIpAddress.Id + Assert-NotNull $azureFirewallIpConfiguration[0].PrivateIpAddress + + # Delete 
AzureFirewall + $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force + Assert-AreEqual true $delete + + # Delete VirtualNetwork + $delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force + Assert-AreEqual true $delete + + $list = Get-AzFirewall -ResourceGroupName $rgname + Assert-AreEqual 0 @($list).Count + } + finally { + # Cleanup + Clean-ResourceGroup $rgname + } +} + diff --git a/src/Network/Network/ChangeLog.md b/src/Network/Network/ChangeLog.md index fbd092b96b1d..5aa7720c3d77 100644 --- a/src/Network/Network/ChangeLog.md +++ b/src/Network/Network/ChangeLog.md @@ -19,6 +19,8 @@ ---> ## Upcoming Release +* Support Azure Firewall Policy on VNet Firewalls + - No new cmdlets are added. Relaxing the restriction for firewall policy on VNet firewalls ## Version 2.2.0 * Update references in .psd1 to use relative path diff --git a/src/Network/Network/help/New-AzFirewall.md b/src/Network/Network/help/New-AzFirewall.md index 8d283ab04a1d..236f3f907514 100644 --- a/src/Network/Network/help/New-AzFirewall.md +++ b/src/Network/Network/help/New-AzFirewall.md 
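Review bot: In the new Test-AzureFirewallWithFirewallPolicyCRUD, `$azureFirewallPolicyId` is read but never assigned — the function fetches `$getazureFirewallPolicy` and then passes `-FirewallPolicyId $azureFirewallPolicyId` (i.e. `$null`) to New-AzFirewall, so the firewall is created without a policy and the closing `Assert-AreEqual $azureFirewallPolicyId $getAzureFirewall.FirewallPolicy.Id` compares `$null` with `$null`, which cannot prove the policy was attached. Add `$azureFirewallPolicyId = $getazureFirewallPolicy.Id` after the Get-AzFirewallPolicy call and put `Assert-NotNull $getAzureFirewall.FirewallPolicy` before the Id comparison, as Test-AzureFirewallVirtualHubCRUD in the same hunk already does; the help example "12:" later in this commit has the sibling mistake of passing the policy object `$fp` rather than `$fp.Id` to `-FirewallPolicyId`. The hunk also appends a second copy of the license header and a second definition of Test-AzureFirewallCRUD; a later function definition in a .ps1 silently replaces the earlier one, so until the 537-line deletion in PATCH 3/7 (presumably this block) lands, the duplicate masks the original test. `Assert-NotNull $sku $getAzureFirewall.Sku` in Test-AzureFirewallVirtualHubCRUD looks like a typo for `Assert-NotNull $getAzureFirewall.Sku` — the extra positional argument is at best ignored.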
@@ -183,6 +183,20 @@ New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -Virt This example creates a Firewall that treats "99.99.99.0/24" and "66.66.0.0/16" as private ip ranges and won't snat traffic to those addresses + +### 12: Create a Firewall with Firewall Policy attached to a virtual network +``` +$rgName = "resourceGroupName" +$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet" +$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName" +$fp = Get-AzFirewallPolicy -ResourceGroupName $rgName -Name "fp" +New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $fp +``` + +This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. +The rules and threat intelligence that will be applied to the firewall will be taken from the firewall policy + + ## PARAMETERS ### -ApplicationRuleCollection From 31f62d37621198f76d480d60e726a955616a15b8 Mon Sep 17 00:00:00 2001 From: "samankal@microsoft.com" Date: Sun, 2 Feb 2020 13:39:51 -0800 Subject: [PATCH 3/7] cleanup --- .../ScenarioTests/AzureFirewallTests.ps1 | 542 +----------------- 1 file changed, 5 insertions(+), 537 deletions(-) diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 index cbbab162b65e..b261b36e9922 100644 --- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 +++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 @@ -21,7 +21,7 @@ function Test-AzureFirewallCRUD { $rgname = Get-ResourceGroupName $azureFirewallName = Get-ResourceName $resourceTypeParent = "Microsoft.Network/AzureFirewalls" - $location = Get-ProviderLocation $resourceTypeParent "eastus" + $location = Get-ProviderLocation $resourceTypeParent "eastus2euap" $vnetName = Get-ResourceName $subnetName = "AzureFirewallSubnet" 
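Review bot: The test region for Test-AzureFirewallCRUD is switched from "eastus" to "eastus2euap" in this hunk, and the same one-line change is repeated for Test-AzureFirewallCRUDWithZones, Test-AzureFirewallPIPAndVNETObjectTypeParams, Test-AzureFirewallAllocateAndDeallocate and Test-AzureFirewallThreatIntelWhitelistCRUD in the following hunks, in a commit described only as "cleanup". As far as I know eastus2euap is an early-access (EUAP) region, so these pre-existing scenario tests and their recordings would now depend on a region whose behaviour can run ahead of general availability, which looks unrelated to adding firewall-policy support on VNet firewalls. If this was a local setting used while exercising the new feature, it should be reverted to `$location = Get-ProviderLocation $resourceTypeParent "eastus"` before merge; if it is intentional, a one-line comment stating why the EUAP region is required would help the next reader. Each of these functions' bodies continues outside its hunk.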
@@ -486,7 +486,7 @@ function Test-AzureFirewallCRUDWithZones { $rgname = Get-ResourceGroupName $azureFirewallName = Get-ResourceName $resourceTypeParent = "Microsoft.Network/AzureFirewalls" - $location = Get-ProviderLocation $resourceTypeParent "eastus" + $location = Get-ProviderLocation $resourceTypeParent "eastus2euap" $vnetName = Get-ResourceName $subnetName = "AzureFirewallSubnet" @@ -848,7 +848,7 @@ function Test-AzureFirewallPIPAndVNETObjectTypeParams { $rgname = Get-ResourceGroupName $azureFirewallName = Get-ResourceName $resourceTypeParent = "Microsoft.Network/AzureFirewalls" - $location = Get-ProviderLocation $resourceTypeParent "eastus" + $location = Get-ProviderLocation $resourceTypeParent "eastus2euap" $vnetName = Get-ResourceName $subnetName = "AzureFirewallSubnet" @@ -1002,7 +1002,7 @@ function Test-AzureFirewallAllocateAndDeallocate { $rgname = Get-ResourceGroupName $azureFirewallName = Get-ResourceName $resourceTypeParent = "Microsoft.Network/AzureFirewalls" - $location = Get-ProviderLocation $resourceTypeParent "eastus" + $location = Get-ProviderLocation $resourceTypeParent "eastus2euap" $vnetName = Get-ResourceName $subnetName = "AzureFirewallSubnet" @@ -1165,7 +1165,7 @@ function Test-AzureFirewallThreatIntelWhitelistCRUD { $rgname = Get-ResourceGroupName $azureFirewallName = Get-ResourceName $resourceTypeParent = "Microsoft.Network/AzureFirewalls" - $location = Get-ProviderLocation $resourceTypeParent "eastus" + $location = Get-ProviderLocation $resourceTypeParent "eastus2euap" $vnetName = Get-ResourceName $subnetName = "AzureFirewallSubnet" 
@@ -1253,538 +1253,6 @@ function Test-AzureFirewallPrivateRangeCRUD { } } -# ---------------------------------------------------------------------------------- -# -# Copyright Microsoft Corporation -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ---------------------------------------------------------------------------------- - -<# -.SYNOPSIS -Tests AzureFirewallCRUD. -#> -function Test-AzureFirewallCRUD { - # Setup - $rgname = Get-ResourceGroupName - $azureFirewallName = Get-ResourceName - $resourceTypeParent = "Microsoft.Network/AzureFirewalls" - $location = Get-ProviderLocation $resourceTypeParent "eastus" - - $vnetName = Get-ResourceName - $subnetName = "AzureFirewallSubnet" - $publicIpName = Get-ResourceName - - # AzureFirewallApplicationRuleCollection - $appRcName = "appRc" - $appRcPriority = 100 - $appRcActionType = "Allow" - - # AzureFirewallApplicationRuleCollection 2 - $appRc2Name = "appRc2" - $appRc2Priority = 101 - $appRc2ActionType = "Deny" - - # AzureFirewallApplicationRule 1 - $appRule1Name = "appRule" - $appRule1Desc = "desc1" - $appRule1Fqdn1 = "*google.com" - $appRule1Fqdn2 = "*microsoft.com" - $appRule1Protocol1 = "http:80" - $appRule1Port1 = 80 - $appRule1ProtocolType1 = "http" - $appRule1Protocol2 = "https:443" - $appRule1Port2 = 443 - $appRule1ProtocolType2 = "https" - $appRule1SourceAddress1 = "10.0.0.0" - - # AzureFirewallApplicationRule 2 - $appRule2Name = "appRule2" - $appRule2Fqdn1 = "*bing.com" - $appRule2Protocol1 = "http:8080" - $appRule2Port1 
= 8080 - $appRule2ProtocolType1 = "http" - - # AzureFirewallApplicationRule 3 - $appRule3Name = "appRule3" - $appRule3Fqdn1 = "sql1.database.windows.net" - $appRule3Protocol1 = "mssql:1433" - $appRule3Port1 = 1433 - $appRule3ProtocolType1 = "mssql" - - # AzureFirewallNetworkRuleCollection - $networkRcName = "networkRc" - $networkRcPriority = 200 - $networkRcActionType = "Deny" - - # AzureFirewallNetworkRule 1 - $networkRule1Name = "networkRule" - $networkRule1Desc = "desc1" - $networkRule1SourceAddress1 = "10.0.0.0" - $networkRule1SourceAddress2 = "111.1.0.0/24" - $networkRule1DestinationAddress1 = "*" - $networkRule1Protocol1 = "UDP" - $networkRule1Protocol2 = "TCP" - $networkRule1Protocol3 = "ICMP" - $networkRule1DestinationPort1 = "90" - - # AzureFirewallNetworkRule 2 - $networkRule2Name = "networkRule2" - $networkRule2Desc = "desc2" - $networkRule2SourceAddress1 = "10.0.0.0" - $networkRule2SourceAddress2 = "111.1.0.0/24" - $networkRule2DestinationFqdn1 = "www.bing.com" - $networkRule2Protocol1 = "UDP" - $networkRule2Protocol2 = "TCP" - $networkRule2Protocol3 = "ICMP" - $networkRule2DestinationPort1 = "80" - - # AzureFirewallNatRuleCollection - $natRcName = "natRc" - $natRcPriority = 200 - - # AzureFirewallNatRule 1 - $natRule1Name = "natRule" - $natRule1Desc = "desc1" - $natRule1SourceAddress1 = "10.0.0.0" - $natRule1SourceAddress2 = "111.1.0.0/24" - $natRule1DestinationAddress1 = "1.2.3.4" - $natRule1Protocol1 = "UDP" - $natRule1Protocol2 = "TCP" - $natRule1DestinationPort1 = "90" - $natRule1TranslatedAddress = "10.1.2.3" - $natRule1TranslatedPort = "91" - - # AzureFirewallNatRule 2 - $natRule2Name = "natRule2" - $natRule2Desc = "desc2" - $natRule2SourceAddress1 = "10.0.0.0" - $natRule2SourceAddress2 = "111.1.0.0/24" - $natRule2Protocol1 = "UDP" - $natRule2Protocol2 = "TCP" - $natRule2DestinationPort1 = "95" - $natRule2TranslatedFqdn = "server1.internal.com" - $natRule2TranslatedPort = "96" - - try { - # Create the resource group - $resourceGroup = 
New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" } - - # Create the Virtual Network - $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24 - $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet - # Get full subnet details - $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName - - # Create public ip - $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard - - # Create AzureFirewall (with no rules, ThreatIntel is in Alert mode by default) - $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName - - # Get AzureFirewall - $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname - - #verification - Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName - Assert-AreEqual $azureFirewallName $getAzureFirewall.Name - Assert-NotNull $getAzureFirewall.Location - Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location - Assert-NotNull $getAzureFirewall.Etag - Assert-AreEqual "Alert" $getAzureFirewall.ThreatIntelMode - Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count - Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id - Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id - Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress - Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id - Assert-AreEqual $publicip.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id - Assert-AreEqual 0 @($getAzureFirewall.ApplicationRuleCollections).Count - Assert-AreEqual 0 @($getAzureFirewall.NatRuleCollections).Count - Assert-AreEqual 0 @($getAzureFirewall.NetworkRuleCollections).Count - - # 
list all Azure Firewalls in the resource group - $list = Get-AzFirewall -ResourceGroupName $rgname - Assert-AreEqual 1 @($list).Count - Assert-AreEqual $list[0].ResourceGroupName $getAzureFirewall.ResourceGroupName - Assert-AreEqual $list[0].Name $getAzureFirewall.Name - Assert-AreEqual $list[0].Location $getAzureFirewall.Location - Assert-AreEqual $list[0].Etag $getAzureFirewall.Etag - Assert-AreEqual @($list[0].IpConfigurations).Count @($getAzureFirewall.IpConfigurations).Count - Assert-AreEqual @($list[0].IpConfigurations)[0].Subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id - Assert-AreEqual @($list[0].IpConfigurations)[0].PublicIpAddress.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id - Assert-AreEqual @($list[0].IpConfigurations)[0].PrivateIpAddress $getAzureFirewall.IpConfigurations[0].PrivateIpAddress - Assert-AreEqual @($list[0].ApplicationRuleCollections).Count @($getAzureFirewall.ApplicationRuleCollections).Count - Assert-AreEqual @($list[0].NatRuleCollections).Count @($getAzureFirewall.NatRuleCollections).Count - Assert-AreEqual @($list[0].NetworkRuleCollections).Count @($getAzureFirewall.NetworkRuleCollections).Count - - # list all Azure Firewalls under subscription - $listAll = Get-AzureRmFirewall - Assert-NotNull $listAll - - $listAll = Get-AzureRmFirewall -Name "*" - Assert-NotNull $listAll - - $listAll = Get-AzureRmFirewall -ResourceGroupName "*" - Assert-NotNull $listAll - - $listAll = Get-AzureRmFirewall -ResourceGroupName "*" -Name "*" - Assert-NotNull $listAll - - # Create Application Rules - $appRule = New-AzFirewallApplicationRule -Name $appRule1Name -Description $appRule1Desc -Protocol $appRule1Protocol1, $appRule1Protocol2 -TargetFqdn $appRule1Fqdn1, $appRule1Fqdn2 -SourceAddress $appRule1SourceAddress1 - - $appRule2 = New-AzFirewallApplicationRule -Name $appRule2Name -Protocol $appRule2Protocol1 -TargetFqdn $appRule2Fqdn1 - - $appRule3 = New-AzFirewallApplicationRule -Name $appRule3Name -Protocol $appRule3Protocol1 
-TargetFqdn $appRule3Fqdn1 - - # Create Application Rule Collection with 1 rule - $appRc = New-AzFirewallApplicationRuleCollection -Name $appRcName -Priority $appRcPriority -Rule $appRule -ActionType $appRcActionType - - # Add a rule to the rule collection using AddRule method - $appRc.AddRule($appRule2) - $appRc.AddRule($appRule3) - - # Create a second Application Rule Collection with 1 rule - $appRc2 = New-AzFirewallApplicationRuleCollection -Name $appRc2Name -Priority $appRc2Priority -Rule $appRule -ActionType $appRc2ActionType - - # Create Network Rule - $networkRule = New-AzFirewallNetworkRule -Name $networkRule1Name -Description $networkRule1Desc -Protocol $networkRule1Protocol1, $networkRule1Protocol2 -SourceAddress $networkRule1SourceAddress1, $networkRule1SourceAddress2 -DestinationAddress $networkRule1DestinationAddress1 -DestinationPort $networkRule1DestinationPort1 - $networkRule.AddProtocol($networkRule1Protocol3) - - # Test handling of incorrect values - Assert-ThrowsContains { $networkRule.AddProtocol() } "Cannot find an overload" - Assert-ThrowsContains { $networkRule.AddProtocol($null) } "A protocol must be provided" - Assert-ThrowsContains { $networkRule.AddProtocol("ABCD") } "Invalid protocol" - - # Create Network Rule Collection - $netRc = New-AzFirewallNetworkRuleCollection -Name $networkRcName -Priority $networkRcPriority -Rule $networkRule -ActionType $networkRcActionType - - # Create Second Network Rule - $networkRule2 = New-AzFirewallNetworkRule -Name $networkRule2Name -Description $networkRule2Desc -Protocol $networkRule2Protocol1, $networkRule2Protocol2 -SourceAddress $networkRule2SourceAddress1, $networkRule2SourceAddress2 -DestinationFqdn $networkRule2DestinationFqdn1 -DestinationPort $networkRule2DestinationPort1 - $networkRule2.AddProtocol($networkRule2Protocol3) - - # Add this second Network Rule to the rule collection - $netRc.AddRule($networkRule2) - - # Create a NAT rule - $natRule = New-AzFirewallNatRule -Name $natRule1Name 
-Description $natRule1Desc -Protocol $natRule1Protocol1 -SourceAddress $natRule1SourceAddress1, $natRule1SourceAddress2 -DestinationAddress $publicip.IpAddress -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort - $natRule.AddProtocol($natRule1Protocol2) - - # Test handling of incorrect values - Assert-ThrowsContains { $natRule.AddProtocol() } "Cannot find an overload" - Assert-ThrowsContains { $natRule.AddProtocol($null) } "A protocol must be provided" - Assert-ThrowsContains { $natRule.AddProtocol("ABCD") } "Invalid protocol" - # Test handling of ICMP protocol - Assert-ThrowsContains { - New-AzFirewallNatRule -Name $natRule1Name -Protocol $natRule1Protocol1, "ICMP" -SourceAddress $natRule1SourceAddress1 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort - } "The argument `"ICMP`" does not belong to the set" - Assert-ThrowsContains { $natRule.AddProtocol("ICMP") } "Invalid protocol" - - # Create second NAT rule - $natRule2 = New-AzFirewallNatRule -Name $natRule2Name -Description $natRule2Desc -Protocol $natRule2Protocol1 -SourceAddress $natRule2SourceAddress1, $natRule2SourceAddress2 -DestinationAddress $publicip.IpAddress -DestinationPort $natRule2DestinationPort1 -TranslatedFqdn $natRule2TranslatedFqdn -TranslatedPort $natRule2TranslatedPort - $natRule2.AddProtocol($natRule2Protocol2) - - # Create a NAT Rule Collection - $natRc = New-AzFirewallNatRuleCollection -Name $natRcName -Priority $natRcPriority -Rule $natRule - - # Add second NAT Rule to rule Collection - $natRc.AddRule($natRule2) - - # Add ApplicationRuleCollections to the Firewall using method AddApplicationRuleCollection - $azureFirewall.AddApplicationRuleCollection($appRc) - $azureFirewall.AddApplicationRuleCollection($appRc2) - - # Add NatRuleCollections to the Firewall using method 
AddNatRuleCollection - $azureFirewall.AddNatRuleCollection($natRc) - - # Add NetworkRuleCollections to the Firewall using method AddNetworkRuleCollection - $azureFirewall.AddNetworkRuleCollection($netRc) - - # Update ThreatIntel mode - $azureFirewall.ThreatIntelMode = "Deny" - - # Set AzureFirewall - Set-AzFirewall -AzureFirewall $azureFirewall - - # Get AzureFirewall - $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName - $azureFirewallIpConfiguration = $getAzureFirewall.IpConfigurations - - #verification - Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName - Assert-AreEqual $azureFirewallName $getAzureFirewall.Name - Assert-NotNull $getAzureFirewall.Location - Assert-AreEqual $location $getAzureFirewall.Location - Assert-NotNull $getAzureFirewall.Etag - Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode - - Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count - Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id - Assert-NotNull $azureFirewallIpConfiguration[0].PublicIpAddress.Id - Assert-NotNull $azureFirewallIpConfiguration[0].PrivateIpAddress - - # Check rule collections - Assert-AreEqual 2 @($getAzureFirewall.ApplicationRuleCollections).Count - Assert-AreEqual 3 @($getAzureFirewall.ApplicationRuleCollections[0].Rules).Count - Assert-AreEqual 1 @($getAzureFirewall.ApplicationRuleCollections[1].Rules).Count - - Assert-AreEqual 1 @($getAzureFirewall.NatRuleCollections).Count - Assert-AreEqual 2 @($getAzureFirewall.NatRuleCollections[0].Rules).Count - - Assert-AreEqual 1 @($getAzureFirewall.NetworkRuleCollections).Count - Assert-AreEqual 2 @($getAzureFirewall.NetworkRuleCollections[0].Rules).Count - - $appRc = $getAzureFirewall.GetApplicationRuleCollectionByName($appRcName) - $appRule = $appRc.GetRuleByName($appRule1Name) - $appRule2 = $appRc.GetRuleByName($appRule2Name) - $appRule3 = $appRc.GetRuleByName($appRule3Name) - - # Verify application rule collection 1 - Assert-AreEqual $appRcName 
$appRc.Name - Assert-AreEqual $appRcPriority $appRc.Priority - Assert-AreEqual $appRcActionType $appRc.Action.Type - - # Verify application rule 1 - Assert-AreEqual $appRule1Name $appRule.Name - Assert-AreEqual $appRule1Desc $appRule.Description - - Assert-AreEqual 1 $appRule.SourceAddresses.Count - Assert-AreEqual $appRule1SourceAddress1 $appRule.SourceAddresses[0] - - Assert-AreEqual 2 $appRule.Protocols.Count - Assert-AreEqual $appRule1ProtocolType1 $appRule.Protocols[0].ProtocolType - Assert-AreEqual $appRule1ProtocolType2 $appRule.Protocols[1].ProtocolType - Assert-AreEqual $appRule1Port1 $appRule.Protocols[0].Port - Assert-AreEqual $appRule1Port2 $appRule.Protocols[1].Port - - Assert-AreEqual 2 $appRule.TargetFqdns.Count - Assert-AreEqual $appRule1Fqdn1 $appRule.TargetFqdns[0] - Assert-AreEqual $appRule1Fqdn2 $appRule.TargetFqdns[1] - - # Verify application rule 2 - Assert-AreEqual $appRule2Name $appRule2.Name - Assert-Null $appRule2.Description - - Assert-AreEqual 0 $appRule2.SourceAddresses.Count - - Assert-AreEqual 1 $appRule2.Protocols.Count - Assert-AreEqual $appRule2ProtocolType1 $appRule2.Protocols[0].ProtocolType - Assert-AreEqual $appRule2Port1 $appRule2.Protocols[0].Port - - Assert-AreEqual 1 $appRule2.TargetFqdns.Count - Assert-AreEqual $appRule2Fqdn1 $appRule2.TargetFqdns[0] - - # Verify application rule 3 - Assert-AreEqual $appRule3Name $appRule3.Name - Assert-Null $appRule3.Description - - Assert-AreEqual 0 $appRule3.SourceAddresses.Count - - Assert-AreEqual 1 $appRule3.Protocols.Count - Assert-AreEqual $appRule3ProtocolType1 $appRule3.Protocols[0].ProtocolType - Assert-AreEqual $appRule3Port1 $appRule3.Protocols[0].Port - - Assert-AreEqual 1 $appRule3.TargetFqdns.Count - Assert-AreEqual $appRule3Fqdn1 $appRule3.TargetFqdns[0] - - # Verify application rule collection 2 - $appRc2 = $getAzureFirewall.GetApplicationRuleCollectionByName($appRc2Name) - - Assert-AreEqual $appRc2Name $appRc2.Name - Assert-AreEqual $appRc2Priority $appRc2.Priority - 
Assert-AreEqual $appRc2ActionType $appRc2.Action.Type - - # Verify application rule - $appRule = $appRc2.GetRuleByName($appRule1Name) - - Assert-AreEqual $appRule1Name $appRule.Name - Assert-AreEqual $appRule1Desc $appRule.Description - - Assert-AreEqual 1 $appRule.SourceAddresses.Count - Assert-AreEqual $appRule1SourceAddress1 $appRule.SourceAddresses[0] - - Assert-AreEqual 2 $appRule.Protocols.Count - Assert-AreEqual $appRule1ProtocolType1 $appRule.Protocols[0].ProtocolType - Assert-AreEqual $appRule1ProtocolType2 $appRule.Protocols[1].ProtocolType - Assert-AreEqual $appRule1Port1 $appRule.Protocols[0].Port - Assert-AreEqual $appRule1Port2 $appRule.Protocols[1].Port - - Assert-AreEqual 2 $appRule.TargetFqdns.Count - Assert-AreEqual $appRule1Fqdn1 $appRule.TargetFqdns[0] - Assert-AreEqual $appRule1Fqdn2 $appRule.TargetFqdns[1] - - # Verify NAT rule collection and NAT rules - $natRc = $getAzureFirewall.GetNatRuleCollectionByName($natRcName) - $natRule = $natRc.GetRuleByName($natRule1Name) - - Assert-AreEqual $natRcName $natRc.Name - Assert-AreEqual $natRcPriority $natRc.Priority - - Assert-AreEqual $natRule1Name $natRule.Name - Assert-AreEqual $natRule1Desc $natRule.Description - - Assert-AreEqual 2 $natRule.SourceAddresses.Count - Assert-AreEqual $natRule1SourceAddress1 $natRule.SourceAddresses[0] - Assert-AreEqual $natRule1SourceAddress2 $natRule.SourceAddresses[1] - - Assert-AreEqual 1 $natRule.DestinationAddresses.Count - Assert-AreEqual $publicip.IpAddress $natRule.DestinationAddresses[0] - - Assert-AreEqual 2 $natRule.Protocols.Count - Assert-AreEqual $natRule1Protocol1 $natRule.Protocols[0] - Assert-AreEqual $natRule1Protocol2 $natRule.Protocols[1] - - Assert-AreEqual 1 $natRule.DestinationPorts.Count - Assert-AreEqual $natRule1DestinationPort1 $natRule.DestinationPorts[0] - - Assert-AreEqual $natRule1TranslatedAddress $natRule.TranslatedAddress - Assert-AreEqual $natRule1TranslatedPort $natRule.TranslatedPort - - $natRule2 = 
$natRc.GetRuleByName($natRule2Name) - - Assert-AreEqual $natRule2Name $natRule2.Name - Assert-AreEqual $natRule2Desc $natRule2.Description - - Assert-AreEqual 2 $natRule2.SourceAddresses.Count - Assert-AreEqual $natRule2SourceAddress1 $natRule2.SourceAddresses[0] - Assert-AreEqual $natRule2SourceAddress2 $natRule2.SourceAddresses[1] - - Assert-AreEqual 1 $natRule2.DestinationAddresses.Count - Assert-AreEqual $publicip.IpAddress $natRule2.DestinationAddresses[0] - - Assert-AreEqual 2 $natRule2.Protocols.Count - Assert-AreEqual $natRule2Protocol1 $natRule2.Protocols[0] - Assert-AreEqual $natRule2Protocol2 $natRule2.Protocols[1] - - Assert-AreEqual 1 $natRule2.DestinationPorts.Count - Assert-AreEqual $natRule2DestinationPort1 $natRule2.DestinationPorts[0] - - Assert-AreEqual $natRule2TranslatedFqdn $natRule2.TranslatedFqdn - Assert-AreEqual $natRule2TranslatedPort $natRule2.TranslatedPort - - # Verify network rule collection and network rules - $networkRc = $getAzureFirewall.GetNetworkRuleCollectionByName($networkRcName) - $networkRule = $networkRc.GetRuleByName($networkRule1Name) - - Assert-AreEqual $networkRcName $networkRc.Name - Assert-AreEqual $networkRcPriority $networkRc.Priority - Assert-AreEqual $networkRcActionType $networkRc.Action.Type - - Assert-AreEqual $networkRule1Name $networkRule.Name - Assert-AreEqual $networkRule1Desc $networkRule.Description - - Assert-AreEqual 2 $networkRule.SourceAddresses.Count - Assert-AreEqual $networkRule1SourceAddress1 $networkRule.SourceAddresses[0] - Assert-AreEqual $networkRule1SourceAddress2 $networkRule.SourceAddresses[1] - - Assert-AreEqual 1 $networkRule.DestinationAddresses.Count - Assert-AreEqual $networkRule1DestinationAddress1 $networkRule.DestinationAddresses[0] - - Assert-AreEqual 3 $networkRule.Protocols.Count - Assert-AreEqual $networkRule1Protocol1 $networkRule.Protocols[0] - Assert-AreEqual $networkRule1Protocol2 $networkRule.Protocols[1] - Assert-AreEqual $networkRule1Protocol3 $networkRule.Protocols[2] - 
- Assert-AreEqual 1 $networkRule.DestinationPorts.Count - Assert-AreEqual $networkRule1DestinationPort1 $networkRule.DestinationPorts[0] - - $networkRule2 = $networkRc.GetRuleByName($networkRule2Name) - - Assert-AreEqual $networkRule2Name $networkRule2.Name - Assert-AreEqual $networkRule2Desc $networkRule2.Description - - Assert-AreEqual 2 $networkRule2.SourceAddresses.Count - Assert-AreEqual $networkRule2SourceAddress1 $networkRule2.SourceAddresses[0] - Assert-AreEqual $networkRule2SourceAddress2 $networkRule2.SourceAddresses[1] - - Assert-AreEqual 1 $networkRule2.DestinationFqdns.Count - Assert-AreEqual $networkRule2DestinationFqdn1 $networkRule2.DestinationFqdns[0] - - Assert-AreEqual 3 $networkRule2.Protocols.Count - Assert-AreEqual $networkRule2Protocol1 $networkRule2.Protocols[0] - Assert-AreEqual $networkRule2Protocol2 $networkRule2.Protocols[1] - Assert-AreEqual $networkRule2Protocol3 $networkRule2.Protocols[2] - - Assert-AreEqual 1 $networkRule2.DestinationPorts.Count - Assert-AreEqual $networkRule2DestinationPort1 $networkRule2.DestinationPorts[0] - - # Delete AzureFirewall - $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force - Assert-AreEqual true $delete - - # Delete VirtualNetwork - $delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force - Assert-AreEqual true $delete - - $list = Get-AzFirewall -ResourceGroupName $rgname - Assert-AreEqual 0 @($list).Count - } - finally { - # Cleanup - Clean-ResourceGroup $rgname - } -} - -<# -.SYNOPSIS -Tests AzureFirewall Set and Remove IpConfiguration -#> -function Test-AzureFirewallVirtualHubCRUD { - # Setup - $rgname = Get-ResourceGroupName - $azureFirewallName = Get-ResourceName - $resourceTypeParent = "Microsoft.Network/AzureFirewalls" - $policyLocation = "westcentralus" - $location = Get-ProviderLocation $resourceTypeParent - $azureFirewallPolicyName = Get-ResourceName - $sku = "AZFW_Hub" - $tier = "Standard" - - try { - # Create 
the resource group - $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" } - - # Create AzureFirewallPolicy (with no rules, ThreatIntel is in Alert mode by default) - $azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $policyLocation - - # Get the AzureFirewallPolicy - $getazureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname - - - Assert-NotNull $azureFirewallPolicy - Assert-NotNull $getazureFirewallPolicy.Id - - $azureFirewallPolicyId = $getazureFirewallPolicy.Id - - New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -Sku $sku -FirewallPolicyId $azureFirewallPolicyId - - # Get AzureFirewall - $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname - - #verification - Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName - Assert-AreEqual $azureFirewallName $getAzureFirewall.Name - Assert-NotNull $getAzureFirewall.Location - Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location - Assert-NotNull $sku $getAzureFirewall.Sku - Assert-AreEqual $sku $getAzureFirewall.Sku.Name - Assert-AreEqual $tier $getAzureFirewall.Sku.Tier - Assert-NotNull $getAzureFirewall.FirewallPolicy - Assert-AreEqual $azureFirewallPolicyId $getAzureFirewall.FirewallPolicy.Id - } - finally { - # Cleanup - Clean-ResourceGroup $rgname - } -} - <# .SYNOPSIS Tests AzureFirewallCRUD. From 31fb3ee50f823864bea63c5259adbea43d72e9ea Mon Sep 17 00:00:00 2001 From: "samankal@microsoft.com" Date: Sun, 2 Feb 2020 14:17:00 -0800 Subject: [PATCH 4/7] test fix --- src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 index b261b36e9922..365c85a7d4b3 100644 
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 +++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 @@ -1290,8 +1290,8 @@ function Test-AzureFirewallWithFirewallPolicyCRUD { # Get the AzureFirewallPolicy $getazureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname + $azureFirewallPolicyId = $getazureFirewallPolicy.Id - # Create AzureFirewall (with no rules, ThreatIntel is in Alert mode by default) $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName -FirewallPolicyId $azureFirewallPolicyId # Get AzureFirewall From ac104f4dc5dec810537870b7041c4424d8853137 Mon Sep 17 00:00:00 2001 From: "samankal@microsoft.com" Date: Sun, 2 Feb 2020 14:25:07 -0800 Subject: [PATCH 5/7] clean up --- .../Network.Test/ScenarioTests/AzureFirewallTests.cs | 9 +++++---- src/Network/Network/ChangeLog.md | 1 + 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs index bc3931b99b06..02bd70b65391 100644 --- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs +++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs 
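Review bot: `$azureFirewallPolicyId` is taken from `$getazureFirewallPolicy.Id` and passed straight to New-AzFirewall without a check, so if the policy lookup returned nothing the test would fail inside New-AzFirewall with an unclear parameter error instead of at the real cause; the hub test removed in the previous patch guarded this with `Assert-NotNull $getazureFirewallPolicy.Id`, and the same line fits here right before the New-AzFirewall call. The removed comment was also the only description of the firewall being created; a replacement such as `# Create AzureFirewall attached to the firewall policy (no inline rule collections)` would keep the intent visible. Test-AzureFirewallWithFirewallPolicyCRUD begins and ends outside this hunk.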
@@ -85,16 +85,17 @@ public void TestAzureFirewallPrivateRangeCRUD()
 [Fact]
 [Trait(Category.AcceptanceType, Category.CheckIn)]
 [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
- public void TestAzureFirewallWithFirewallPolicyCRUD()
+ public void TestAzureFirewallCRUDwithManagementIpConfig()
 {
- TestRunner.RunTestScript("Test-AzureFirewallWithFirewallPolicyCRUD");
+ TestRunner.RunTestScript("Test-AzureFirewallCRUDwithManagementIpConfig");
 }
+
 [Fact]
 [Trait(Category.AcceptanceType, Category.CheckIn)]
 [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
- public void TestAzureFirewallCRUDwithManagementIpConfig()
+ public void TestAzureFirewallWithFirewallPolicyCRUD()
 {
- TestRunner.RunTestScript("Test-AzureFirewallCRUDwithManagementIpConfig");
+ TestRunner.RunTestScript("Test-AzureFirewallWithFirewallPolicyCRUD");
 }
 }
diff --git a/src/Network/Network/ChangeLog.md b/src/Network/Network/ChangeLog.md
index 5a5591cef566..6eab6f3105d1 100644
--- a/src/Network/Network/ChangeLog.md
+++ b/src/Network/Network/ChangeLog.md
@@ -23,6 +23,7 @@
 * Added Packet Capture example for capture all inner and outer packets in Start-AzVirtualNetworkGatewayConnectionPacketCapture.md and Start-AzVirtualnetworkGatewayPacketCapture.md.
 * Support Azure Firewall Policy on VNet Firewalls
 - No new cmdlets are added. Relaxing the restriction for firewall policy on VNet firewalls
+
 ## Version 2.3.0
 * New example added to Set-AzNetworkWatcherConfigFlowLog.md to demonstrate Traffic Analytics disable scenario.
 * Add support for assigning management IP configuration to Azure Firewall - a dedicated subnet and Public IP that the firewall will use for its management traffic
From 436c4e197415fb4b9785f86a8799c7d2dc085bc8 Mon Sep 17 00:00:00 2001
From: "samankal@microsoft.com"
Date: Sun, 2 Feb 2020 15:55:42 -0800
Subject: [PATCH 6/7] removing the test
---
 .../ScenarioTests/AzureFirewallTests.cs | 8 --
 .../ScenarioTests/AzureFirewallTests.ps1 | 102 ------------------
 2 files changed, 110 deletions(-)
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
index 02bd70b65391..cc71c01b1285 100644
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
@@ -89,14 +89,6 @@ public void TestAzureFirewallCRUDwithManagementIpConfig()
 {
 TestRunner.RunTestScript("Test-AzureFirewallCRUDwithManagementIpConfig");
 }
-
- [Fact]
- [Trait(Category.AcceptanceType, Category.CheckIn)]
- [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
- public void TestAzureFirewallWithFirewallPolicyCRUD()
- {
- TestRunner.RunTestScript("Test-AzureFirewallWithFirewallPolicyCRUD");
- }
 }
 }
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
index deae32ac5beb..66ad0d3a9914 100644
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
@@ -1368,105 +1368,3 @@ function Test-AzureFirewallPrivateRangeCRUD {
 }
 }
-<#
-.SYNOPSIS
-Tests AzureFirewallCRUD.
-#>
-function Test-AzureFirewallWithFirewallPolicyCRUD {
- # Setup
- $rgname = Get-ResourceGroupName
- $azureFirewallName = Get-ResourceName
- $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
- $firewallPolicyLocation = Get-ProviderLocation $resourceTypeParent "eastus"
- $location = Get-ProviderLocation $resourceTypeParent "centraluseuap"
-
- $vnetName = Get-ResourceName
- $subnetName = "AzureFirewallSubnet"
- $publicIpName = Get-ResourceName
- $azureFirewallPolicyName = Get-ResourceName
-
- try {
- # Create the resource group
- $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
-
- # Create the Virtual Network
- $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
- $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
- # Get full subnet details
- $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
-
- # Create public ip
- $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard
-
-
- # Create AzureFirewallPolicy (with no rules, ThreatIntel is in Alert mode by default)
- $azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $firewallPolicyLocation
-
- # Get the AzureFirewallPolicy
- $getazureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname
-
- $azureFirewallPolicyId = $getazureFirewallPolicy.Id
-
- $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName -FirewallPolicyId $azureFirewallPolicyId
-
- # Get AzureFirewall
- $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
-
- #verification
- Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
- Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
- Assert-NotNull $getAzureFirewall.Location
- Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location
- Assert-NotNull $getAzureFirewall.Etag
- Assert-AreEqual "Alert" $getAzureFirewall.ThreatIntelMode
- Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
- Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id
- Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
- Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress
- Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
- Assert-AreEqual $publicip.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
- Assert-AreEqual 0 @($getAzureFirewall.ApplicationRuleCollections).Count
- Assert-AreEqual 0 @($getAzureFirewall.NatRuleCollections).Count
- Assert-AreEqual 0 @($getAzureFirewall.NetworkRuleCollections).Count
- Assert-AreEqual $azureFirewallPolicyId $getAzureFirewall.FirewallPolicy.Id
-
- # Update ThreatIntel mode
- $azureFirewall.ThreatIntelMode = "Deny"
-
- # Set AzureFirewall
- Set-AzFirewall -AzureFirewall $azureFirewall
-
- # Get AzureFirewall
- $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName
- $azureFirewallIpConfiguration = $getAzureFirewall.IpConfigurations
-
- #verification
- Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
- Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
- Assert-NotNull $getAzureFirewall.Location
- Assert-AreEqual $location $getAzureFirewall.Location
- Assert-NotNull $getAzureFirewall.Etag
- Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode
-
- Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
- Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id
- Assert-NotNull $azureFirewallIpConfiguration[0].PublicIpAddress.Id
- Assert-NotNull $azureFirewallIpConfiguration[0].PrivateIpAddress
-
- # Delete AzureFirewall
- $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
- Assert-AreEqual true $delete
-
- # Delete VirtualNetwork
- $delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force
- Assert-AreEqual true $delete
-
- $list = Get-AzFirewall -ResourceGroupName $rgname
- Assert-AreEqual 0 @($list).Count
- }
- finally {
- # Cleanup
- Clean-ResourceGroup $rgname
- }
-}
-
From 48c06d4b21e6aecd6eba48ebc88f7b8141429295 Mon Sep 17 00:00:00 2001
From: "samankal@microsoft.com"
Date: Sun, 2 Feb 2020 15:56:52 -0800
Subject: [PATCH 7/7] clean up
---
 src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs | 1 -
 src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 | 1 -
 2 files changed, 2 deletions(-)
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
index cc71c01b1285..7cdd5fddb934 100644
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
@@ -81,7 +81,6 @@ public void TestAzureFirewallPrivateRangeCRUD()
 {
 TestRunner.RunTestScript("Test-AzureFirewallPrivateRangeCRUD");
 }
-
 [Fact]
 [Trait(Category.AcceptanceType, Category.CheckIn)]
 [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
index 66ad0d3a9914..7d340573c16f 100644
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
@@ -1367,4 +1367,3 @@ function Test-AzureFirewallPrivateRangeCRUD {
 Clean-ResourceGroup $rgname
 }
 }
-