48 changes: 36 additions & 12 deletions src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
Expand Up @@ -263,22 +263,46 @@ private PSAzureFirewall CreateAzureFirewall()
}
else
{

if (FirewallPolicyId != null && (this.ApplicationRuleCollection != null || this.NetworkRuleCollection != null || this.NatRuleCollection != null))
Member


This seems like something that should be enforced through parameter sets - FirewallPolicyId should not be in the same parameter sets that include ApplicationRuleCollection or NetworkRuleCollection.

Contributor Author

@saisujithreddym saisujithreddym Jan 31, 2020


I am having trouble with the mutual exclusion scenario, @markcowl. Placing firewall policy id in one parameter set and rule collections in another did not achieve the desired result.

I have tried various combinations but could not get it done. Do you have an example where we can achieve mutual exclusion using parameter sets? I will keep exploring as well.

Contributor Author

@saisujithreddym saisujithreddym Feb 3, 2020


We have decided to fail the call from NRP when there are both the policy and the rule collections. This way we need not make changes on the PS when we try to support policy+collections in case, show a message which is common across multiple platforms and track the usage. Also, I would like to make a PR against the network January branch and not master. I have created another PR: #11013. I am closing this one.

{
throw new ArgumentException("Firewall Policy and Rule Collections cannot coexist");
}

var sku = new PSAzureFirewallSku();
sku.Name = MNM.AzureFirewallSkuName.AZFWVNet;
sku.Tier = MNM.AzureFirewallSkuTier.Standard;
firewall = new PSAzureFirewall()
if (FirewallPolicyId != null)
{
Name = this.Name,
ResourceGroupName = this.ResourceGroupName,
Location = this.Location,
ApplicationRuleCollections = this.ApplicationRuleCollection?.ToList(),
NatRuleCollections = this.NatRuleCollection?.ToList(),
NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
ThreatIntelWhitelist = this.ThreatIntelWhitelist,
PrivateRange = this.PrivateRange,
Sku = sku
};
firewall = new PSAzureFirewall()
{
Name = this.Name,
ResourceGroupName = this.ResourceGroupName,
Location = this.Location,
FirewallPolicy = FirewallPolicyId != null ? new MNM.SubResource(FirewallPolicyId) : null,
ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
ThreatIntelWhitelist = this.ThreatIntelWhitelist,
PrivateRange = this.PrivateRange,
Sku = sku
};
}
else
{
firewall = new PSAzureFirewall()
{
Name = this.Name,
ResourceGroupName = this.ResourceGroupName,
Location = this.Location,
ApplicationRuleCollections = this.ApplicationRuleCollection?.ToList(),
NatRuleCollections = this.NatRuleCollection?.ToList(),
NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
ThreatIntelWhitelist = this.ThreatIntelWhitelist,
PrivateRange = this.PrivateRange,
Sku = sku
};
}


if (this.Zone != null)
{
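Review bot: In the `if (FirewallPolicyId != null)` branch the initializer still sends ThreatIntelMode (defaulting to Alert) and ThreatIntelWhitelist on the firewall resource, while the help example added in this same PR says threat intelligence is taken from the firewall policy; either omit those two properties when a policy is attached, or document which setting wins when both the policy and the cmdlet specify one. Two smaller points in the same branch: `FirewallPolicy = FirewallPolicyId != null ? new MNM.SubResource(FirewallPolicyId) : null` is already guarded by the enclosing `if (FirewallPolicyId != null)`, so it can be just `FirewallPolicy = new MNM.SubResource(FirewallPolicyId)`; and the two object initializers duplicate Name, ResourceGroupName, Location, ThreatIntelMode, ThreatIntelWhitelist, PrivateRange and Sku, so building one PSAzureFirewall and conditionally assigning only FirewallPolicy or the three rule collection lists would keep the common fields from drifting. The `ArgumentException("Firewall Policy and Rule Collections cannot coexist")` would also be more useful to callers if it named the parameters involved (-FirewallPolicyId versus -ApplicationRuleCollection, -NatRuleCollection and -NetworkRuleCollection).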
2 changes: 2 additions & 0 deletions src/Network/Network/ChangeLog.md
Expand Up @@ -21,6 +21,8 @@
## Upcoming Release
* Fixed FilterData example in Start-AzVirtualNetworkGatewayConnectionPacketCapture.md and Start-AzVirtualnetworkGatewayPacketCapture.md.
* Added Packet Capture example for capture all inner and outer packets in Start-AzVirtualNetworkGatewayConnectionPacketCapture.md and Start-AzVirtualnetworkGatewayPacketCapture.md.
* Support Azure Firewall Policy on VNet Firewalls
- No new cmdlets are added. Relaxing the restriction for firewall policy on VNet firewalls

## Version 2.3.0
* New example added to Set-AzNetworkWatcherConfigFlowLog.md to demonstrate Traffic Analytics disable scenario.
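Review bot: The sub-bullet "Relaxing the restriction for firewall policy on VNet firewalls" reads as if the restriction is lifted entirely, but the change in NewAzureFirewallCommand.cs still rejects -FirewallPolicyId combined with rule collections with an ArgumentException; state the user-visible behaviour precisely, for example "New-AzFirewall now accepts -FirewallPolicyId together with -VirtualNetwork; a firewall policy cannot be combined with -ApplicationRuleCollection, -NatRuleCollection or -NetworkRuleCollection." The other entries under Upcoming Release are single "*" bullets, so folding the "-" sub-bullet into one entry would also match the file's style.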
12 changes: 12 additions & 0 deletions src/Network/Network/help/New-AzFirewall.md
Expand Up @@ -199,6 +199,18 @@ Threat Intel will also run in default mode - Alert - which means malicious traff

To support "forced tunneling" scenarios, this firewall will use the subnet "AzureFirewallManagementSubnet" and the management public IP address for its management traffic

### 13: Create a Firewall with Firewall Policy attached to a virtual network
```
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$fp = Get-AzFirewallPolicy -ResourceGroupName $rgName -Name "fp"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $fp
```

This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall.
The rules and threat intelligence that will be applied to the firewall will be taken from the firewall policy

## PARAMETERS

### -ApplicationRuleCollection
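Review bot: In example 13 the call passes `-FirewallPolicyId $fp`, but `$fp` is the object returned by Get-AzFirewallPolicy rather than its resource id; the parameter name says it takes an Id, so the example should pass `$fp.Id` (this diff adds no parameter that accepts a policy object). The sentence "The rules and threat intelligence that will be applied to the firewall will be taken from the firewall policy" is missing its full stop, and since the code in this PR throws when a policy is combined with rule collections, the example text should say explicitly that -ApplicationRuleCollection, -NatRuleCollection and -NetworkRuleCollection cannot be used together with -FirewallPolicyId.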