
Azure Firewall Network Rule collection Compatibility #8312

Closed
ShahradGH opened this issue Sep 1, 2020 · 6 comments · Fixed by #8878

Comments

@ShahradGH

https://www.terraform.io/docs/providers/azurerm/r/firewall_network_rule_collection.html

Whilst adhering to the requirements, I note that destination addresses in the rule block can be: "(Required) A list of destination IP addresses, IP ranges, or FQDNs."

When creating a rule with an FQDN (so it can both utilise Firewall DNS (something I can't see how to configure in Terraform, so had to do otherwise) and, as a by-product, DNS Proxy) I get the error on compile:


network.AzureFirewallsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="AzureFirewallRuleInvalidIpAddressOrRangeFormat" Message="AzureFirewallRule RULENAME001: Invalid IP address value or range or Service Tag destination.subdomain.com.

Code being attempted to run:

```hcl
rule {
  name = "RULENAME001"

  source_addresses = [
    "192.168.0.1",
    "192.168.0.2",
  ]

  destination_addresses = [
    "destination.subdomain.com",
  ]

  destination_ports = [
    "22",
  ]

  protocols = [
    "TCP",
  ]
}
```

Can I confirm that Terraform does support Network Rules by FQDN, and perhaps be given a steer on how best to get a rule with the below logic implemented in the AzFirewall as a rule, as well as how best to implement turning on DNS Settings (pointed to Azure) and using DNS proxy:

Source IP1 -> Outbound -> destination.subdomain.com -> port random such as 64721


@neil-yechenwei
Contributor

Thanks for opening this issue. After investigating and testing, it seems the DNS proxy has to be enabled if you want to use FQDNs, per the document. After checking, it seems additionalProperties can enable the DNS proxy, but Terraform hasn't supported it yet. I assume it would be supported in the near future, but there is no ETA yet.

@ShahradGH
Author

> Thanks for opening this issue. After investigating and testing, it seems the DNS proxy has to be enabled if you want to use FQDNs, per the document. After checking, it seems additionalProperties can enable the DNS proxy, but Terraform hasn't supported it yet. I assume it would be supported in the near future, but there is no ETA yet.

Hi,

Thank you for that confirmation!

As said, I can import that config once it's made available. Are we saying, therefore, due to the rationale above:

  • FQDN filter rules are also not supported as of yet, but once the Terraform version does support them, it can continue to use the same network rule properties and FQDNs will just work, or do they already work now?

@neil-yechenwei
Contributor

Yes. I assume Terraform doesn't support FQDN rules for now. They would be supported in the near future, but there is no ETA yet.

@magodo
Collaborator

magodo commented Oct 14, 2020

@ShahradGH FYI

I just made a PR #8878 to support both the DNS setting in firewall and also the FQDNs in the network rule collection.

@ghost

ghost commented Nov 5, 2020

This has been released in version 2.35.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

```hcl
provider "azurerm" {
  version = "~> 2.35.0"
}
# ... other configuration ...
```
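As an added example (not from the issue or the provider's own documentation) of what the original rule looks like once the 2.35.0 support lands: the FQDN moves out of `destination_addresses`, which the API validates as IPs, ranges or service tags, into `destination_fqdns`, and the firewall gets the DNS setting that FQDN rules depend on. Assumptions: `dns_servers` on `azurerm_firewall` and `destination_fqdns` in the rule block are the argument names as I know them from the 2.x provider (3.x added an explicit `dns_proxy_enabled`); resource names, referenced subnet/public IP/resource group, addresses and the FQDN are placeholders.

```hcl
# Added example; assumes azurerm provider >= 2.35.0 (the release that closed this issue).
# All resource names, references, addresses and the FQDN below are placeholders.

resource "azurerm_firewall" "example" {
  name                = "fw-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"

  # FQDN-based network rules only work when the firewall resolves names itself
  # (DNS proxy). Assumption: in the 2.x provider, setting dns_servers is what
  # turns the proxy on; 168.63.129.16 is the Azure-provided resolver.
  dns_servers = ["168.63.129.16"]

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.example.id
    public_ip_address_id = azurerm_public_ip.example.id
  }
}

resource "azurerm_firewall_network_rule_collection" "example" {
  name                = "nrc-example"
  azure_firewall_name = azurerm_firewall.example.name
  resource_group_name = azurerm_resource_group.example.name
  priority            = 100
  action              = "Allow"

  rule {
    name = "RULENAME001"

    source_addresses = [
      "192.168.0.1",
      "192.168.0.2",
    ]

    # The original report put this FQDN in destination_addresses, which the API
    # rejects with AzureFirewallRuleInvalidIpAddressOrRangeFormat. FQDNs belong
    # in destination_fqdns; keep destination_addresses for literal IPs/ranges.
    destination_fqdns = ["destination.subdomain.com"]

    # Keep the port list as narrow as the flow actually needs.
    destination_ports = ["22"]
    protocols         = ["TCP"]
  }
}
```

Note that DNS proxy changes where name resolution happens (the firewall, not the client), so hosts behind the firewall should point their DNS at the firewall's private IP for the FQDN rule to match consistently.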

@ghost

ghost commented Dec 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Dec 5, 2020