Expand Up @@ -65,5 +65,13 @@ public void TestAzureFirewallPolicyWithIpGroups()
{
TestRunner.RunTestScript("Test-AzureFirewallPolicyWithIpGroups");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
public void TestAzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN()
{
TestRunner.RunTestScript("Test-AzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN");
}
}
}
126 changes: 120 additions & 6 deletions src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.ps1
Expand Up @@ -333,7 +333,6 @@ function Test-AzureFirewallPolicyWithDNSSettings {
# Check DNS Proxy
Assert-Null $getAzureFirewallPolicy.DnsSettings.EnableProxy
Assert-Null $getAzureFirewallPolicy.DnsSettings.Servers
Assert-Null $getAzureFirewallPolicy.DnsSettings.RequireProxyForNetworkRules

# Update AzureFirewallPolicy with Enable Proxy and DNS Servers

Expand All @@ -353,10 +352,9 @@ function Test-AzureFirewallPolicyWithDNSSettings {
# Check DNS Proxy
Assert-AreEqual true $getAzureFirewallPolicy.DnsSettings.EnableProxy
Assert-AreEqualArray $dnsServers $getAzureFirewallPolicy.DnsSettings.Servers
Assert-Null $getAzureFirewallPolicy.DnsSettings.RequireProxyForNetworkRules

# Update AzureFirewallPolicy with Enable Proxy , DNS Servers and Dns ProxyNotRequiredForNetworkRule
$dnsSettings2 = New-AzFirewallPolicyDnsSetting -EnableProxy -Server $dnsServers -ProxyNotRequiredForNetworkRule
# Update AzureFirewallPolicy with Enable Proxy and DNS Servers
$dnsSettings2 = New-AzFirewallPolicyDnsSetting -EnableProxy -Server $dnsServers

$azureFirewallPolicy = Set-AzFirewallPolicy -InputObject $azureFirewallPolicy -DnsSetting $dnsSettings2

Expand All @@ -372,7 +370,6 @@ function Test-AzureFirewallPolicyWithDNSSettings {
# Check DNS Proxy
Assert-AreEqual true $getAzureFirewallPolicy.DnsSettings.EnableProxy
Assert-AreEqualArray $dnsServers $getAzureFirewallPolicy.DnsSettings.Servers
Assert-AreEqual false $getAzureFirewallPolicy.DnsSettings.RequireProxyForNetworkRules

# Set AzureFirewallPolicy
Set-AzFirewallPolicy -InputObject $azureFirewallPolicy
Expand All @@ -388,7 +385,6 @@ function Test-AzureFirewallPolicyWithDNSSettings {
# Check DNS Proxy
Assert-AreEqual true $getAzureFirewallPolicy.DnsSettings.EnableProxy
Assert-AreEqualArray $dnsServers $getAzureFirewallPolicy.DnsSettings.Servers
Assert-AreEqual false $getAzureFirewallPolicy.DnsSettings.RequireProxyForNetworkRules

$azureFirewallPolicyAsJob = New-AzFirewallPolicy -Name $azureFirewallPolicyAsJobName -ResourceGroupName $rgname -Location $location -DnsSetting $dnsSettings -AsJob
$result = $azureFirewallPolicyAsJob | Wait-Job
Expand Down Expand Up @@ -760,3 +756,121 @@ function Test-AzureFirewallPolicyWithIpGroups {
Clean-ResourceGroup $rgname
}
}

<#
.SYNOPSIS
Tests function Test-AzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN.
#>
function Test-AzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN {
# Setup
$rgname = Get-ResourceGroupName
$azureFirewallPolicyName = Get-ResourceName
$azureFirewallPolicyAsJobName = Get-ResourceName
$resourceTypeParent = "Microsoft.Network/FirewallPolicies"
$location = "canadacentral"

$ruleGroupName = Get-ResourceName

# AzureFirewallPolicyNatRuleCollection
$natRcName = "natRc"
$natRcPriority = 100
$natRcActionType = "Dnat"

# AzureFirewallPolicyNatRule 1
$natRule1Name = "natRule"
$natRule1Desc = "desc1"
$natRule1SourceAddress1 = "10.0.0.0"
$natRule1SourceAddress2 = "111.1.0.0/24"
$natRule1Protocol1 = "UDP"
$natRule1Protocol2 = "TCP"
$natRule1DestinationAddress1 = "10.10.10.1"
$natRule1DestinationPort1 = "90"
$natRule1TranslatedFqdn = "server1.internal.com"
$natRule1TranslatedPort = "91"

$pipelineRcPriority = 154

try {
# Create the resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }

# Create AzureFirewallPolicy
$azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $location

# Get AzureFirewallPolicy
$getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname

#verification
Assert-AreEqual $rgName $getAzureFirewallPolicy.ResourceGroupName
Assert-AreEqual $azureFirewallPolicyName $getAzureFirewallPolicy.Name
Assert-NotNull $getAzureFirewallPolicy.Location
Assert-AreEqual (Normalize-Location $location) $getAzureFirewallPolicy.Location
Assert-AreEqual "Alert" $getAzureFirewallPolicy.ThreatIntelMode

# Create NAT rule
$natRule = New-AzFirewallPolicyNatRule -Name $natRule1Name -Description $natRule1Desc -Protocol $natRule1Protocol1, $natRule1Protocol2 -SourceAddress $natRule1SourceAddress1, $natRule1SourceAddress2 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedFqdn $natRule1TranslatedFqdn -TranslatedPort $natRule1TranslatedPort

# Create a NAT Rule Collection
$natRc = New-AzFirewallPolicyNatRuleCollection -Name $natRcName -ActionType $natRcActionType -Priority $natRcPriority -Rule $natRule

New-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -Priority 100 -RuleCollection $natRc -FirewallPolicyObject $azureFirewallPolicy

# Set AzureFirewallPolicy
Set-AzFirewallPolicy -InputObject $azureFirewallPolicy
# Get AzureFirewallPolicy
$getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgName

# verification
Assert-AreEqual $rgName $getAzureFirewallPolicy.ResourceGroupName
Assert-AreEqual $azureFirewallPolicyName $getAzureFirewallPolicy.Name
Assert-NotNull $getAzureFirewallPolicy.Location
Assert-AreEqual $location $getAzureFirewallPolicy.Location

# Check rule collection groups count
Assert-AreEqual 1 @($getAzureFirewallPolicy.RuleCollectionGroups).Count

$getRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicy $getAzureFirewallPolicy

Assert-AreEqual 1 @($getRg.properties.ruleCollection).Count

$natRuleCollection = $getRg.Properties.GetRuleCollectionByName($natRcName)

# Verify NAT rule collection and NAT rule
$natRule = $natRuleCollection.GetRuleByName($natRule1Name)

Assert-AreEqual $natRcName $natRuleCollection.Name
Assert-AreEqual $natRcPriority $natRuleCollection.Priority

Assert-AreEqual $natRule1Name $natRule.Name

Assert-AreEqual 2 $natRule.SourceAddresses.Count
Assert-AreEqual $natRule1SourceAddress1 $natRule.SourceAddresses[0]
Assert-AreEqual $natRule1SourceAddress2 $natRule.SourceAddresses[1]

Assert-AreEqual 1 $natRule.DestinationAddresses.Count

Assert-AreEqual 2 $natRule.Protocols.Count
Assert-AreEqual $natRule1Protocol1 $natRule.Protocols[0]
Assert-AreEqual $natRule1Protocol2 $natRule.Protocols[1]

Assert-AreEqual 1 $natRule.DestinationPorts.Count
Assert-AreEqual $natRule1DestinationPort1 $natRule.DestinationPorts[0]

Assert-AreEqual $natRule1TranslatedFqdn $natRule.TranslatedFqdn
Assert-AreEqual $natRule1TranslatedPort $natRule.TranslatedPort


$testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
$testPipelineRg|Set-AzFirewallPolicyRuleCollectionGroup -Priority $pipelineRcPriority
$testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
Assert-AreEqual $pipelineRcPriority $testPipelineRg.properties.Priority

$azureFirewallPolicyAsJob = New-AzFirewallPolicy -Name $azureFirewallPolicyAsJobName -ResourceGroupName $rgname -Location $location -AsJob
$result = $azureFirewallPolicyAsJob | Wait-Job
Assert-AreEqual "Completed" $result.State
}
finally {
# Cleanup
Clean-ResourceGroup $rgname
}
}
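Review bot: In the verification block of Test-AzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN, `DestinationAddresses` is checked only by count, so a DNAT rule that round-trips with the wrong destination address still passes; add `Assert-AreEqual $natRule1DestinationAddress1 $natRule.DestinationAddresses[0]` after the count assertion. The rule description and the collection's action type are likewise set but never read back. `$resourceTypeParent` is assigned and never used, and the second location check compares against `$location` directly while the first goes through `Normalize-Location`; using the normalized form in both keeps the test valid if the location string changes. The test covers only the FQDN path, so whether a rule given both a translated address and a translated FQDN is rejected is not exercised here.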
Expand Up @@ -2437,7 +2437,7 @@ function Test-CreateSubresourcesOnEmptyLoadBalancer
Assert-NotNull $ipConfig

$lb = Add-AzLoadBalancerBackendAddressPoolConfig -Name $poolName -LoadBalancer $lb
$lb = Add-AzLoadBalancerProbeConfig -Name $probeName -LoadBalancer $lb -Port 2000 -IntervalInSeconds 60 -ProbeCount 3
$lb = Add-AzLoadBalancerProbeConfig -Name $probeName -LoadBalancer $lb -Port 2000 -IntervalInSeconds 60 -ProbeCount 3 -Protocol Tcp
$lb = Add-AzLoadBalancerRuleConfig -Name $ruleName -LoadBalancer $lb -FrontendIpConfiguration $ipConfig -Protocol Tcp -FrontendPort 1024 -BackendPort 2048
$lb = Add-AzLoadBalancerInboundNatRuleConfig -Name $natRuleName -LoadBalancer $lb -FrontendIpConfiguration $ipConfig -FrontendPort 128 -BackendPort 256

Expand Up @@ -70,7 +70,7 @@ function Test-LoadBalancerCRUDMinimalParameters
$PublicIPAddress = New-AzPublicIPAddress -ResourceGroupName $rgname -Location $location -Name $PublicIPAddressName -AllocationMethod $PublicIPAddressAllocationMethod;
$FrontendIPConfiguration = New-AzLoadBalancerFrontendIpConfig -Name $FrontendIPConfigurationName -PublicIpAddress $PublicIPAddress;
$BackendAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name $BackendAddressPoolName;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount -Protocol Tcp;
$InboundNatPool = New-AzLoadBalancerInboundNatPoolConfig -Name $InboundNatPoolName -FrontendIpConfiguration $FrontendIPConfiguration -Protocol $InboundNatPoolProtocol -FrontendPortRangeStart $InboundNatPoolFrontendPortRangeStart -FrontendPortRangeEnd $InboundNatPoolFrontendPortRangeEnd -BackendPort $InboundNatPoolBackendPort;

# Create LoadBalancer
Expand Down Expand Up @@ -168,7 +168,7 @@ function Test-LoadBalancerCRUDAllParameters
$PublicIPAddress = New-AzPublicIPAddress -ResourceGroupName $rgname -Location $location -Name $PublicIPAddressName -AllocationMethod $PublicIPAddressAllocationMethod;
$FrontendIPConfiguration = New-AzLoadBalancerFrontendIpConfig -Name $FrontendIPConfigurationName -PublicIpAddress $PublicIPAddress;
$BackendAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name $BackendAddressPoolName;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount -Protocol Tcp;
$InboundNatPool = New-AzLoadBalancerInboundNatPoolConfig -Name $InboundNatPoolName -FrontendIpConfiguration $FrontendIPConfiguration -Protocol $InboundNatPoolProtocol -FrontendPortRangeStart $InboundNatPoolFrontendPortRangeStart -FrontendPortRangeEnd $InboundNatPoolFrontendPortRangeEnd -BackendPort $InboundNatPoolBackendPort;

# Create LoadBalancer
Expand Down Expand Up @@ -608,7 +608,7 @@ function Test-LoadBalancingRuleCRUDMinimalParameters
}
$FrontendIPConfiguration = New-AzLoadBalancerFrontendIpConfig -Name $FrontendIPConfigurationName -Subnet $Subnet;
$BackendAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name $BackendAddressPoolName;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount -Protocol Tcp;

# Create LoadBalancingRule
$vLoadBalancingRule = New-AzLoadBalancerRuleConfig -Name $rname -FrontendIpConfiguration $FrontendIPConfiguration -BackendAddressPool $BackendAddressPool -Probe $Probe -Protocol $Protocol -FrontendPort $FrontendPort -BackendPort $BackendPort;
Expand Down Expand Up @@ -764,7 +764,7 @@ function Test-LoadBalancingRuleCRUDAllParameters
}
$FrontendIPConfiguration = New-AzLoadBalancerFrontendIpConfig -Name $FrontendIPConfigurationName -Subnet $Subnet;
$BackendAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name $BackendAddressPoolName;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount;
$Probe = New-AzLoadBalancerProbeConfig -Name $ProbeName -Port $ProbePort -IntervalInSeconds $ProbeIntervalInSeconds -ProbeCount $ProbeProbeCount -Protocol Tcp;

# Create LoadBalancingRule
$vLoadBalancingRule = New-AzLoadBalancerRuleConfig -Name $rname -FrontendIpConfiguration $FrontendIPConfiguration -BackendAddressPool $BackendAddressPool -Probe $Probe -Protocol $Protocol -LoadDistribution $LoadDistribution -FrontendPort $FrontendPort -BackendPort $BackendPort -IdleTimeoutInMinutes $IdleTimeoutInMinutes -EnableFloatingIP;
Expand Down Expand Up @@ -913,7 +913,7 @@ function Test-ProbeCRUDMinimalParameters
$FrontendIPConfiguration = New-AzLoadBalancerFrontendIpConfig -Name $FrontendIPConfigurationName -PublicIpAddress $PublicIPAddress;

# Create Probe
$vProbe = New-AzLoadBalancerProbeConfig -Name $rname -Port $Port -IntervalInSeconds $IntervalInSeconds -ProbeCount $ProbeCount;
$vProbe = New-AzLoadBalancerProbeConfig -Name $rname -Port $Port -IntervalInSeconds $IntervalInSeconds -ProbeCount $ProbeCount -Protocol Tcp;
Assert-NotNull $vProbe;
Assert-True { Check-CmdletReturnType "New-AzLoadBalancerProbeConfig" $vProbe };
$vLoadBalancer = New-AzLoadBalancer -ResourceGroupName $rgname -Name $rname -Probe $vProbe -FrontendIPConfiguration $FrontendIPConfiguration -Location $location;
Expand All @@ -937,7 +937,7 @@ function Test-ProbeCRUDMinimalParameters
Assert-NotNull ($listProbe | Where-Object { $_.Name -eq $rname });

# Set Probe
$vLoadBalancer = Set-AzLoadBalancerProbeConfig -Name $rname -LoadBalancer $vLoadBalancer -Port $PortSet -IntervalInSeconds $IntervalInSecondsSet -ProbeCount $ProbeCountSet;
$vLoadBalancer = Set-AzLoadBalancerProbeConfig -Name $rname -LoadBalancer $vLoadBalancer -Port $PortSet -IntervalInSeconds $IntervalInSecondsSet -ProbeCount $ProbeCountSet -Protocol Tcp;
Assert-NotNull $vLoadBalancer;
$vLoadBalancer = Set-AzLoadBalancer -LoadBalancer $vLoadBalancer;
Assert-NotNull $vLoadBalancer;
Expand All @@ -956,7 +956,7 @@ function Test-ProbeCRUDMinimalParameters
Assert-NotNull ($listProbe | Where-Object { $_.Name -eq $rname });

# Add Probe
$vLoadBalancer = Add-AzLoadBalancerProbeConfig -Name $rnameAdd -LoadBalancer $vLoadBalancer -Port $PortAdd -IntervalInSeconds $IntervalInSecondsAdd -ProbeCount $ProbeCountAdd;
$vLoadBalancer = Add-AzLoadBalancerProbeConfig -Name $rnameAdd -LoadBalancer $vLoadBalancer -Port $PortAdd -IntervalInSeconds $IntervalInSecondsAdd -ProbeCount $ProbeCountAdd -Protocol Tcp;
Assert-NotNull $vLoadBalancer;
$vLoadBalancer = Set-AzLoadBalancer -LoadBalancer $vLoadBalancer;
Assert-NotNull $vLoadBalancer;
Expand All @@ -975,7 +975,7 @@ function Test-ProbeCRUDMinimalParameters
Assert-NotNull ($listProbe | Where-Object { $_.Name -eq $rnameAdd });

# Try Add again
Assert-ThrowsContains { Add-AzLoadBalancerProbeConfig -Name $rnameAdd -LoadBalancer $vLoadBalancer -Port $PortAdd -IntervalInSeconds $IntervalInSecondsAdd -ProbeCount $ProbeCountAdd } "already exists";
Assert-ThrowsContains { Add-AzLoadBalancerProbeConfig -Name $rnameAdd -LoadBalancer $vLoadBalancer -Port $PortAdd -IntervalInSeconds $IntervalInSecondsAdd -ProbeCount $ProbeCountAdd -Protocol Tcp } "already exists";

# Remove Probe
$vLoadBalancer = Remove-AzLoadBalancerProbeConfig -LoadBalancer $vLoadBalancer -Name $rnameAdd;
Expand All @@ -990,7 +990,7 @@ function Test-ProbeCRUDMinimalParameters
Assert-ThrowsContains { Get-AzLoadBalancerProbeConfig -LoadBalancer $vLoadBalancer -Name $rname } "Sequence contains no matching element";

# Set Probe should fail
Assert-ThrowsContains { Set-AzLoadBalancerProbeConfig -Name $rname -LoadBalancer $vLoadBalancer -Port $PortSet -IntervalInSeconds $IntervalInSecondsSet -ProbeCount $ProbeCountSet } "does not exist";
Assert-ThrowsContains { Set-AzLoadBalancerProbeConfig -Name $rname -LoadBalancer $vLoadBalancer -Port $PortSet -IntervalInSeconds $IntervalInSecondsSet -ProbeCount $ProbeCountSet -Protocol Tcp } "does not exist";
}
finally
{
Expand Down Expand Up @@ -1088,7 +1088,7 @@ function Test-ProbeCRUDAllParameters
Assert-NotNull ($listProbe | Where-Object { $_.Name -eq $rname });

# Add Probe
$vLoadBalancer = Add-AzLoadBalancerProbeConfig -Name $rnameAdd -LoadBalancer $vLoadBalancer -Port $PortAdd -IntervalInSeconds $IntervalInSecondsAdd -ProbeCount $ProbeCountAdd;
$vLoadBalancer = Add-AzLoadBalancerProbeConfig -Name $rnameAdd -LoadBalancer $vLoadBalancer -Port $PortAdd -IntervalInSeconds $IntervalInSecondsAdd -ProbeCount $ProbeCountAdd -Protocol Tcp;
Assert-NotNull $vLoadBalancer;
$vLoadBalancer = Set-AzLoadBalancer -LoadBalancer $vLoadBalancer;
Assert-NotNull $vLoadBalancer;
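Review bot: Every probe call in Test-ProbeCRUDMinimalParameters, the probe setup in the other load balancer tests in this section, and the one in Test-CreateSubresourcesOnEmptyLoadBalancer now pass `-Protocol Tcp`, so no test visible here still creates a probe without `-Protocol`. The reason is not shown on this page; if the omitted-protocol path began failing, existing scripts that rely on the default are affected and the tests no longer show it. Either keep one call without the flag and assert what it returns or throws, or record the reason next to the first changed call, for example `# -Protocol is passed explicitly because <reason>; the omitted-protocol case is covered by <test name>`. The enclosing functions start and end outside these hunks.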