Azure Firewall Network Rule collection Compatibility #8312
Comments
Thanks for opening this issue. After investigating and testing, it seems the DNS proxy has to be enabled if you want to use FQDNs, per the document. After checking, it seems additionalProperties can enable the DNS proxy, but Terraform hasn't supported it yet. I assume it will be supported in the near future, but there is no ETA yet.
Hi, thank you for that confirmation! As said, I can import that config once it's made available. Are we saying, therefore, due to the rationale above:
Yes. I assume Terraform doesn't support FQDN rules for now. It will be supported in the near future, but there is no ETA yet.
@ShahradGH FYI, I just made PR #8878 to support both the DNS setting in the firewall and the FQDNs in the network rule collection.
This has been released in version 2.35.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

```hcl
provider "azurerm" {
  version = "~> 2.35.0"
}

# ... other configuration ...
```
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉, please reach out to my human friends 👉 [email protected]. Thanks!
https://www.terraform.io/docs/providers/azurerm/r/firewall_network_rule_collection.html
Whilst adhering to the requirements, I note that destination addresses in the rule block can be: "(Required) A list of destination IP addresses, IP ranges, or FQDNs."
When creating a rule with an FQDN (so it can both utilise Firewall DNS (something I can't see how to configure in Terraform, so I had to do it otherwise) and, as a by-product, DNS Proxy), I get the following error on compile:
network.AzureFirewallsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="AzureFirewallRuleInvalidIpAddressOrRangeFormat" Message="AzureFirewallRule RULENAME001: Invalid IP address value or range or Service Tag destination.subdomain.com.
Code being attempted to run:

```hcl
rule {
  name = "RULENAME001"
}
```

Can I confirm that Terraform does support network rules by FQDN, and perhaps be given a steer on how best to get a rule with the below logic implemented in the Azure Firewall, as well as how best to implement turning on DNS settings (pointed to Azure) and using the DNS proxy:
Source IP1 -> Outbound -> destination.subdomain.com -> port random such as 64721
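A complete configuration that does what this question asks, added here as an example (it is not code from the issue, from PR #8878 or from the provider documentation): it pins the 2.35 series named in the release comment above, turns on the firewall's DNS proxy, and allows one source host to reach an FQDN on TCP port 64721. The resource names, address spaces, the source address 10.0.2.4, the choice of TCP and the use of Azure's resolver 168.63.129.16 are placeholders picked for the example. That setting `dns_servers` is what switches the proxy on in the 2.x provider (later 3.x releases expose a separate `dns_proxy_enabled` argument) is my understanding of the provider, not something the thread states, so verify it on your own deployment.

```hcl
# Added example, not the issue author's or the provider's own code.
# Needs azurerm >= 2.35.0 (the release that added dns_servers on
# azurerm_firewall and destination_fqdns on the network rule collection).

provider "azurerm" {
  version = "~> 2.35.0"
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-fw-example" # placeholder name
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-fw-example"
  address_space       = ["10.0.0.0/16"] # placeholder address space
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Azure Firewall only deploys into a subnet with exactly this name.
resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_public_ip" "firewall" {
  name                = "pip-fw-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_firewall" "example" {
  name                = "fw-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.firewall.id
  }

  # Point the firewall at Azure's own resolver. Assumption: in the 2.x
  # provider, setting dns_servers is what enables the DNS proxy that
  # FQDN-based network rules require.
  dns_servers = ["168.63.129.16"]
}

resource "azurerm_firewall_network_rule_collection" "example" {
  name                = "nrc-outbound-fqdn"
  azure_firewall_name = azurerm_firewall.example.name # implicit dependency
  resource_group_name = azurerm_resource_group.example.name
  priority            = 100
  action              = "Allow"

  # "Source IP1 -> Outbound -> destination.subdomain.com -> port 64721"
  rule {
    name = "RULENAME001"

    source_addresses  = ["10.0.2.4"]                 # placeholder for "Source IP1"
    destination_fqdns = ["destination.subdomain.com"] # instead of destination_addresses
    destination_ports = ["64721"]
    protocols         = ["TCP"]                       # assumed; "UDP" or "Any" also valid
  }
}
```

Keep the reference to `azurerm_firewall.example.name` in the rule collection: it makes Terraform create the firewall (and therefore its DNS settings) before the collection, and the API rejects an FQDN destination with the same `AzureFirewallRuleInvalidIpAddressOrRangeFormat` error shown above when the proxy is not yet on. After `terraform apply`, read the firewall back (for example with `az network firewall show`) and check its `additionalProperties`, which is where the maintainer comment above says the proxy setting lives, before relying on the rule.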