Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azfw quickstarts #245

Merged
merged 10 commits into from
Sep 4, 2023
Merged

azfw quickstarts #245

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
ed29f3c
adding azfw quickstarts
cshea-msft Aug 22, 2023
9e2da22
Merge pull request #1 from cshea15/master
cshea-msft Aug 22, 2023
a79609c
UPDATE format
cshea-msft Aug 22, 2023
85c7f84
updated files with feedback from pr
cshea-msft Aug 28, 2023
1cadacf
made some changes to clean up deployment
cshea-msft Aug 28, 2023
39f24e4
changing the provider feature
cshea-msft Aug 28, 2023
4f1a6c1
updated rg prefixes and removed commented lines
cshea-msft Aug 28, 2023
79fa9bd
fixed output
cshea-msft Aug 28, 2023
010c19f
fixing mistakes
cshea-msft Aug 31, 2023
23a7bf1
fixed the readme's
cshea-msft Aug 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
228 changes: 228 additions & 0 deletions quickstart/101-azfw-with-fwpolicy/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,228 @@
# Deploy Azure Firewall and a Firewall Policy
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

README.md file name needs to be renamed to lowercase.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did that and it broke it. There seems to be no consistency with other quickstarts since some are lower case and some are upper case.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, there is inconsistency as many samples were created before we started defining a standard for the samples. All new samples have a much higher bar than previous samples. However, we don't have the resources to go back and retroactively update every sample. Instead, we enforce the standards on new samples and when we need to fix older samples, we apply the standards then. The lack of consistency across the repo is why I referred to specific examples for you to follow in my comments.


## Resources

| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group all the deployed resources.|
| `azurerm_virtual_network` | The virtual network for the firewall. |
| `azurerm_subnet` |The firewall subnet.|
| `azurerm_public_ip` | The firewall public IP address. |
| `azurerm_firewall` | The premium Azure Firewall. |
| `azurerm_firewall_policy` | The policy associated to the Firewall |
| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy |
| `azurerm_ip_group` | The IP group for source addresses. |

## Variables

| Name | Description |
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
|-|-|
| `location` | location for your resources |
| `tags` | tags to organize your resources |
| `fw_sku` | Sku size for your Firewall and Firewall Policy |

## Example
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove the plan output from this section. This section should just point to the article. See https://github.com/Azure/terraform/tree/master/quickstart/101-front-door-standard-premium. If you don't know the title and URL of the article, I'll update those values when I generate the article from this sample code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed code. Doc is not ready yet. Can update once doc is published.


```powershell
terraform plan -out main.tfplan

# azurerm_firewall.fw will be created
+ resource "azurerm_firewall" "fw" {
+ firewall_policy_id = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw"
+ resource_group_name = "azfw-rg"
+ sku_name = "AZFW_VNet"
+ sku_tier = "Premium"
+ threat_intel_mode = (known after apply)

+ ip_configuration {
+ name = "azfw-ipconfig"
+ private_ip_address = (known after apply)
+ public_ip_address_id = (known after apply)
+ subnet_id = (known after apply)
}
}

# azurerm_firewall_policy.azfw_policy will be created
+ resource "azurerm_firewall_policy" "azfw_policy" {
+ child_policies = (known after apply)
+ firewalls = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw-policy"
+ resource_group_name = "azfw-rg"
+ rule_collection_groups = (known after apply)
+ sku = "Premium"
+ threat_intelligence_mode = "Alert"
}

# azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created
+ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ firewall_policy_id = (known after apply)
+ id = (known after apply)
+ name = "DefaulApplicationtRuleCollectionGroup"
+ priority = 300

+ application_rule_collection {
+ action = "Allow"
+ name = "DefaultApplicationRuleCollection"
+ priority = 500

+ rule {
+ description = "Allow Windows Update"
+ destination_fqdn_tags = [
+ "WindowsUpdate",
]
+ name = "AllowWindowsUpdate"
+ source_ip_groups = (known after apply)

+ protocols {
+ port = 80
+ type = "Http"
}
+ protocols {
+ port = 443
+ type = "Https"
}
}
+ rule {
+ description = "Allow access to Microsoft.com"
+ destination_fqdns = [
+ "*.microsoft.com",
]
+ name = "Global Rule"
+ source_ip_groups = (known after apply)
+ terminate_tls = false

+ protocols {
+ port = 443
+ type = "Https"
}
}
}
}

# azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created
+ resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
+ firewall_policy_id = (known after apply)
+ id = (known after apply)
+ name = "DefaultNetworkRuleCollectionGroup"
+ priority = 200

+ network_rule_collection {
+ action = "Allow"
+ name = "DefaultNetworkRuleCollection"
+ priority = 200

+ rule {
+ destination_addresses = [
+ "132.86.101.172",
]
+ destination_ports = [
+ "123",
]
+ name = "time-windows"
+ protocols = [
+ "UDP",
]
+ source_ip_groups = (known after apply)
}
}
}

# azurerm_ip_group.infra_ip_group will be created
+ resource "azurerm_ip_group" "infra_ip_group" {
+ cidrs = [
+ "10.40.0.0/24",
+ "10.50.0.0/24",
]
+ firewall_ids = (known after apply)
+ firewall_policy_ids = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "infra-ip-group"
+ resource_group_name = "azfw-rg"
}

# azurerm_ip_group.workload_ip_group will be created
+ resource "azurerm_ip_group" "workload_ip_group" {
+ cidrs = [
+ "10.20.0.0/24",
+ "10.30.0.0/24",
]
+ firewall_ids = (known after apply)
+ firewall_policy_ids = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "workload-ip-group"
+ resource_group_name = "azfw-rg"
}

# azurerm_public_ip.pip_azfw will be created
+ resource "azurerm_public_ip" "pip_azfw" {
+ allocation_method = "Static"
+ ddos_protection_mode = "VirtualNetworkInherited"
+ fqdn = (known after apply)
+ id = (known after apply)
+ idle_timeout_in_minutes = 4
+ ip_address = (known after apply)
+ ip_version = "IPv4"
+ location = "eastus"
+ name = "pip-azfw"
+ resource_group_name = "azfw-rg"
+ sku = "Standard"
+ sku_tier = "Regional"
+ tags = {
+ "costcenter" = "1234556677"
+ "environment" = "dev"
+ "owner" = "cloud team"
+ "workload" = "azure firewall"
}
}

# azurerm_resource_group.azfw_rg will be created
+ resource "azurerm_resource_group" "azfw_rg" {
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw-rg"
+ tags = {
+ "costcenter" = "1234556677"
+ "environment" = "dev"
+ "owner" = "cloud team"
+ "workload" = "azure firewall"
}
}

# azurerm_subnet.azfw_subnet will be created
+ resource "azurerm_subnet" "azfw_subnet" {
+ address_prefixes = [
+ "10.10.0.0/26",
]
+ enforce_private_link_endpoint_network_policies = (known after apply)
+ enforce_private_link_service_network_policies = (known after apply)
+ id = (known after apply)
+ name = "AzureFirewallSubnet"
+ private_endpoint_network_policies_enabled = (known after apply)
+ private_link_service_network_policies_enabled = (known after apply)
+ resource_group_name = "azfw-rg"
+ virtual_network_name = "azfw-vnet"
}

# azurerm_virtual_network.azfw_vnet will be created
+ resource "azurerm_virtual_network" "azfw_vnet" {
+ address_space = [
+ "10.10.0.0/24",
]
+ dns_servers = (known after apply)
+ guid = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw-vnet"
+ resource_group_name = "azfw-rg"
+ subnet = (known after apply)
}

Plan: 10 to add, 0 to change, 0 to destroy.
```
153 changes: 153 additions & 0 deletions quickstart/101-azfw-with-fwpolicy/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,153 @@

// Create a Resource Group
resource "azurerm_resource_group" "azfw_rg" {
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
name = "azfw-rg"
location = var.location
tags = var.tags
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
}
// Create a Virtual Network
resource "azurerm_virtual_network" "azfw_vnet" {
name = "azfw-vnet"
location = azurerm_resource_group.azfw_rg.location
resource_group_name = azurerm_resource_group.azfw_rg.name
address_space = ["10.10.0.0/24"]
depends_on = [
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
azurerm_resource_group.azfw_rg
]
}

// Create IP Groups
resource "azurerm_ip_group" "workload_ip_group" {
name = "workload-ip-group"
resource_group_name = azurerm_resource_group.azfw_rg.name
location = azurerm_resource_group.azfw_rg.location
cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
depends_on = [
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
azurerm_resource_group.azfw_rg,
azurerm_virtual_network.azfw_vnet
]
}
resource "azurerm_ip_group" "infra_ip_group" {
name = "infra-ip-group"
resource_group_name = azurerm_resource_group.azfw_rg.name
location = azurerm_resource_group.azfw_rg.location
cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
depends_on = [
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
azurerm_resource_group.azfw_rg,
azurerm_virtual_network.azfw_vnet
]
}

// Create the Azure Firewall Subnet
resource "azurerm_subnet" "azfw_subnet" {
name = "AzureFirewallSubnet"
resource_group_name = azurerm_resource_group.azfw_rg.name
virtual_network_name = azurerm_virtual_network.azfw_vnet.name
address_prefixes = ["10.10.0.0/26"]
depends_on = [
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
azurerm_resource_group.azfw_rg,
azurerm_virtual_network.azfw_vnet
]
}

// Create a Public IP Address for Azure Firewall
resource "azurerm_public_ip" "pip_azfw" {
name = "pip-azfw"
location = azurerm_resource_group.azfw_rg.location
resource_group_name = azurerm_resource_group.azfw_rg.name
allocation_method = "Static"
sku = "Standard"
tags = azurerm_resource_group.azfw_rg.tags
depends_on = [
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
azurerm_resource_group.azfw_rg
]
}

// Create a Azure Firewall Policy
resource "azurerm_firewall_policy" "azfw_policy" {
name = "azfw-policy"
resource_group_name = azurerm_resource_group.azfw_rg.name
location = azurerm_resource_group.azfw_rg.location
sku = var.fw_sku
threat_intelligence_mode = "Alert"
}

// Create a Network Rule Collection Group
// Create a Network Rule Collection
// Create rules for NTP
resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
name = "DefaultNetworkRuleCollectionGroup"
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
priority = 200
network_rule_collection {
name = "DefaultNetworkRuleCollection"
action = "Allow"
priority = 200
rule {
name = "time-windows"
protocols = ["UDP"]
source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
destination_ports = ["123"]
destination_addresses = ["132.86.101.172"]
}
}
}

// Create a Azure Firewall Policy Rule Collection Group
// Create a Application Rule Collection
// Create rules for Windows Update
// Create rules for Microsoft.com
resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
name = "DefaulApplicationtRuleCollectionGroup"
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
priority = 300
application_rule_collection {
name = "DefaultApplicationRuleCollection"
action = "Allow"
priority = 500
rule {
name = "AllowWindowsUpdate"

description = "Allow Windows Update"
protocols {
type = "Http"
port = 80
}
protocols {
type = "Https"
port = 443
}
source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
destination_fqdn_tags = ["WindowsUpdate"]
}
rule {
name = "Global Rule"
description = "Allow access to Microsoft.com"
protocols {
type = "Https"
port = 443
}
destination_fqdns = ["*.microsoft.com"]
terminate_tls = false
source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
}
}
depends_on = [
cshea-msft marked this conversation as resolved.
Show resolved Hide resolved
azurerm_firewall_policy.azfw_policy
]
}

// Create the Azure Firewall
resource "azurerm_firewall" "fw" {
name = "azfw"
location = azurerm_resource_group.azfw_rg.location
resource_group_name = azurerm_resource_group.azfw_rg.name
sku_name = "AZFW_VNet"
sku_tier = var.fw_sku
ip_configuration {
name = "azfw-ipconfig"
subnet_id = azurerm_subnet.azfw_subnet.id
public_ip_address_id = azurerm_public_ip.pip_azfw.id
}
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
}
3 changes: 3 additions & 0 deletions quickstart/101-azfw-with-fwpolicy/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
output "rg_name" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use the same rg output name from the following sample so that the article-generator outputs the correct instructions: https://github.com/Azure/terraform/blob/master/quickstart/101-front-door-standard-premium/outputs.tf

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please output at least one more variable that the customer can use to verify that the Azure resources were created properly. Note that the resource group name alone is not sufficient for this purpose. In the following example, the front door endpoint host name is output so that the customer can browse to the endpoint: https://github.com/Azure/terraform/blob/master/quickstart/101-front-door-standard-premium/outputs.tf.

In other samples, the output variables are used in subsequent Azure CLI and/or Azure Powershell command calls to view the created resource(s).

You can use whatever is appropriate for the testing/verification of this sample.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added another output.

value = azurerm_resource_group.azfw_rg.name
}
Loading
Loading