Azfw ipgroups to master (New) #10668

Closed
ssripadham wants to merge 7 commits into master from azfw_ipgroups-to-master
@ssripadham
Contributor

Description

Azure Firewall will support IpGroups, which can be used in the network/application/dnat rules as described below:
  • As a source or destination address in AZFW network rules
  • As a source address in AZFW application rules
  • As a source address in DNAT rules.

1. Azure Firewall Application Rules

     "AzureFirewallApplicationRule": {
         "properties": {
           "name": {
             "type": "string",
             "description": "Name of the application rule."
           },
           "description": {
             "type": "string",
             "description": "Description of the rule."
           },
           ...
           "sourceIpGroups": {
             "type": "array",
             "description": "List of source IP Groups for this rule.",
             "items": {
               "type": "string"
             }
           },
       ...
     }
    }

2. Azure Firewall NAT Rules

    "AzureFirewallNatRule": {
         "properties": {
           "name": {
             "type": "string",
             "description": "Name of the NAT rule."
           },
           "description": {
             "type": "string",
             "description": "Description of the rule."
           },
           ...
           "sourceIpGroups": {
             "type": "array",
             "description": "List of source IP Groups for this rule.",
             "items": {
               "type": "string"
             }
           }
       ...
     }
    }

3. Azure Firewall Network Rules

    "AzureFirewallNetworkRule": {
         "properties": {
           "name": {
             "type": "string",
             "description": "Name of the network rule."
           },
           "description": {
             "type": "string",
             "description": "Description of the rule."
           },
          ...
           "sourceIpGroups": {
             "type": "array",
             "description": "List of source IP Groups for this rule.",
             "items": {
               "type": "string"
             }
           },
           "destinationIpGroups": {
             "type": "array",
             "description": "List of destination IP Groups for this rule.",
             "items": {
               "type": "string"
             }
           },
       ...
    }
   }

Checklist

  • I have read the Submitting Changes section of CONTRIBUTING.md
  • The title of the PR is clear and informative
  • The appropriate ChangeLog.md file(s) has been updated:
    • For any service, the ChangeLog.md file can be found at src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md
    • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header -- no new version header should be added
  • The PR does not introduce breaking changes
  • If applicable, the changes made in the PR have proper test coverage
  • For public API changes to cmdlets:
    • a cmdlet design review was approved for the changes in this repository (Microsoft internal only)
    • the markdown help files have been regenerated using the commands listed here

REFERENCE: #10647


public const string FqdnTag = @"FqdnTag";

public const string BySourceAddress = @"SourceAddress";
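
Review bot: `BySourceAddress` on the last line has a name that differs from its string value (`"SourceAddress"`), while `FqdnTag` just above it matches its value exactly. Renaming it to `SourceAddress`, or adding a one-line comment saying which cmdlet's parameter set it names, would keep the constants consistent and make an unused entry easier to spot.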
Contributor

This parameter set name is never used.

namespace Microsoft.Azure.Commands.Network
{
[Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallApplicationRule", SupportsShouldProcess = true, DefaultParameterSetName = AzureFirewallApplicationRuleParameterSets.TargetFqdn), OutputType(typeof(PSAzureFirewallApplicationRule))]
[Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallApplicationRule", SupportsShouldProcess = true, DefaultParameterSetName = AzureFirewallApplicationRuleParameterSets.Default), OutputType(typeof(PSAzureFirewallApplicationRule))]
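
Review bot: the two `[Cmdlet(...)]` lines differ only in `DefaultParameterSetName` (`AzureFirewallApplicationRuleParameterSets.TargetFqdn` versus `AzureFirewallApplicationRuleParameterSets.Default`), and the default set decides how PowerShell binds a call that does not identify a parameter set on its own. The PR checklist states that no breaking changes are introduced, so either keep `TargetFqdn` as the default or record the change under `## Upcoming Release` in ChangeLog.md and add a test that exercises the existing call patterns against the new default.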
Contributor

Changing the default parameter set may cause a breaking change. Is this what you want?

Contributor Author

Yes, this is required.

Default (Default)

New-AzFirewallApplicationRule -Name <String> [-Description <String>] -SourceAddress <String[]>
[-TargetFqdn <String[]>] [-FqdnTag <String[]>]
 [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]

SourceIpGroup

New-AzFirewallApplicationRule -Name <String> [-Description <String>] 
 -SourceIpGroup <String[]> [-TargetFqdn <String[]>] [-FqdnTag <String[]>]
 [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]

TargetFqdn

New-AzFirewallApplicationRule -Name <String> [-Description <String>] [-SourceAddress <String[]>]
 [-SourceIpGroup <String[]>] -TargetFqdn <String[]> -Protocol <String[]>
 [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]

FqdnTag

New-AzFirewallApplicationRule -Name <String> [-Description <String>] [-SourceAddress <String[]>]
 [-SourceIpGroup <String[]>] [-FqdnTag <String[]>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
 [-Confirm] [<CommonParameters>]


Ideally, we desire at least one source and one destination.
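
The "at least one source and one destination" constraint from the comment above, together with the `sourceIpGroups` / `destinationIpGroups` arrays from the PR description, written as a pre-deployment check over rule JSON. This is an added example, not code from the PR or from Azure PowerShell; it covers application and network rules only, and the property names other than the two IpGroups arrays, the resource ID pattern and the sample values are assumptions.

```python
import re

# Assumed ARM resource ID shape for an IP Group (not stated on the page).
IP_GROUP_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/ipGroups/[^/]+$",
    re.IGNORECASE,
)

# Per rule kind: properties that can supply a source / a destination.
# sourceIpGroups and destinationIpGroups come from the PR description; the
# other property names are assumptions mirroring the cmdlet parameters.
RULE_KINDS = {
    "application": (("sourceAddresses", "sourceIpGroups"),
                    ("targetFqdns", "fqdnTags")),
    "network": (("sourceAddresses", "sourceIpGroups"),
                ("destinationAddresses", "destinationIpGroups")),
}

def check_rule(kind, rule):
    """Return a list of findings for one rule dict (empty list means OK)."""
    sources, destinations = RULE_KINDS[kind]
    findings = []
    if not any(rule.get(p) for p in sources):
        findings.append("no source: set one of " + ", ".join(sources))
    if not any(rule.get(p) for p in destinations):
        findings.append("no destination: set one of " + ", ".join(destinations))
    for prop in ("sourceIpGroups", "destinationIpGroups"):
        value = rule.get(prop, [])
        if not isinstance(value, list):
            findings.append(f"{prop} must be an array of strings")
            continue
        for item in value:
            # An IpGroups entry is a reference to a group, not a literal address.
            if not isinstance(item, str) or not IP_GROUP_ID.match(item):
                findings.append(f"{prop}: not an IP Group resource ID: {item!r}")
    return findings

# Constructed sample input (placeholder subscription, group and rule names).
GROUP = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "rg-example/providers/Microsoft.Network/ipGroups/branch-offices")
good = {"name": "allow-web", "sourceIpGroups": [GROUP], "targetFqdns": ["*.example.com"]}
no_source = {"name": "open", "targetFqdns": ["*"]}
bad_ref = {"name": "net", "sourceIpGroups": ["10.0.0.0/24"],
           "destinationAddresses": ["10.1.0.4"]}

if __name__ == "__main__":
    for kind, rule in (("application", good), ("application", no_source),
                       ("network", bad_ref)):
        print(rule["name"], check_rule(kind, rule) or "ok")
```
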

@wyunchi-ms
Contributor

Hi @ssripadham could you please take a look at these comments?

@ssripadham
Contributor Author

I am simplifying the Pull Request wrt Option Sets. The latest PR is here: https://github.com/Azure/azure-powershell/pull/10674/files. Let us close this one.

@ssripadham ssripadham closed this Dec 7, 2019
@dingmeng-xue dingmeng-xue deleted the azfw_ipgroups-to-master branch May 13, 2022 05:05