New-AzFirewall

Creates a new Firewall in a resource group.

Syntax

New-AzFirewall
   -Name <String>
   -ResourceGroupName <String>
   -Location <String>
   [-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
   [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
   [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
   [-Zone <String[]>]
   [-ThreatIntelMode <String>]
   [-Tag <Hashtable>]
   [-Force]
   [-AsJob]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzFirewall
   -Name <String>
   -ResourceGroupName <String>
   -Location <String>
   -VirtualNetworkName <String>
   -PublicIpName <String>
   [-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
   [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
   [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
   [-Zone <String[]>]
   [-ThreatIntelMode <String>]
   [-Tag <Hashtable>]
   [-Force]
   [-AsJob]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzFirewall
   -Name <String>
   -ResourceGroupName <String>
   -Location <String>
   -VirtualNetwork <PSVirtualNetwork>
   -PublicIpAddress <PSPublicIpAddress[]>
   [-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
   [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
   [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
   [-ThreatIntelMode <String>]
   [-Tag <Hashtable>]
   [-Force]
   [-AsJob]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzFirewall cmdlet creates an Azure Firewall.

Examples

1: Create a Firewall attached to a virtual network

$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip

This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. Since no rules were specified, the firewall will block all traffic (default behavior). Threat Intel will also run in default mode - Alert - which means malicious traffic will be logged, but not denied.

2: Create a Firewall which allows all HTTPS traffic

$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"

$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "https:443" -TargetFqdn "*" 
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection

This example creates a Firewall which allows all HTTPS traffic on port 443. Threat Intel will run in default mode - Alert - which means malicious traffic will be logged, but not denied.

3: DNAT - redirect traffic destined to 10.1.2.3:80 to 10.2.3.4:8080

$rule = New-AzFirewallNatRule -Name "natRule" -Protocol "TCP" -SourceAddress "*" -DestinationAddress "10.1.2.3" -DestinationPort "80" -TranslatedAddress "10.2.3.4" -TranslatedPort "8080"
$ruleCollection = New-AzFirewallNatRuleCollection -Name "NatRuleCollection" -Priority 1000 -Rule $rule
New-AzFirewall -Name "azFw" -ResourceGroupName "rg" -Location centralus -NatRuleCollection $ruleCollection -ThreatIntelMode Off

This example created a Firewall which translated the destination IP and port of all packets destined to 10.1.2.3:80 to 10.2.3.4:8080 Threat Intel is turned off in this example.

4: Create a Firewall with no rules and with Threat Intel in Alert mode

$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ThreatIntelMode Alert

This example creates a Firewall which blocks all traffic (default behavior) and has Threat Intel running in Alert mode. This means alerting logs are emitted for malicious traffic before applying the other rules (in this case just the default rule - Deny All)

5: Create a Firewall which allows all HTTP traffic on port 8080, but blocks malicious domains identified by Threat Intel

$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"

$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "http:8080" -TargetFqdn "*" 
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection -ThreatIntelMode Deny

This example creates a Firewall which allows all HTTP traffic on port 8080 unless it is considered malicious by Threat Intel. When running in Deny mode, unlike Alert, traffic considered malicious by Threat Intel is not just logged, but also blocked.

6: Create a Firewall with no rules and with availability zones

$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetworkName $vnet.Name -PublicIpName $pip.Name -Zone 1,2,3

This example creates a Firewall with all available availability zones.

7: Create a Firewall with two or more Public IP Addresses

$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -Name "vnet" -ResourceGroupName $rgName
$pip1 = New-AzPublicIpAddress -Name "AzFwPublicIp1" -ResourceGroupName "rg" -Sku "Standard" -Location "centralus" -AllocationMethod Static
$pip2 = New-AzPublicIpAddress -Name "AzFwPublicIp2" -ResourceGroupName "rg" -Sku "Standard" -Location "centralus" -AllocationMethod Static
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress @($pip1, $pip2)

This example creates a Firewall attached to virtual network "vnet" with two public IP addresses.

8: Create a Firewall which allows MSSQL traffic to specific SQL database

$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"

$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "mssql:1433" -TargetFqdn "sql1.database.windows.net"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection -ThreatIntelMode Deny

This example creates a Firewall which allows MSSQL traffic on standard port 1433 to SQL database sql1.database.windows.net.

Parameters

-ApplicationRuleCollection

Specifies the collections of application rules for the new Firewall.

Type:Microsoft.Azure.Commands.Network.Models.PSAzureFirewallApplicationRuleCollection[]
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-AsJob

Run cmdlet in the background

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Accept pipeline input:False
Accept wildcard characters:False
-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure.

Type:Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Force

Forces the command to run without asking for user confirmation.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Location

Specifies the region for the Firewall.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Name

Specifies the name of the Azure Firewall that this cmdlet creates.

Type:String
Aliases:ResourceName
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-NatRuleCollection

The list of AzureFirewallNatRuleCollections

Type:Microsoft.Azure.Commands.Network.Models.PSAzureFirewallNatRuleCollection[]
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-NetworkRuleCollection

The list of AzureFirewallNetworkRuleCollections

Type:Microsoft.Azure.Commands.Network.Models.PSAzureFirewallNetworkRuleCollection[]
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-PublicIpAddress

One or more Public IP Addresses. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall.

Type:Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress[]
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-PublicIpName

Public Ip Name. The Public IP must use Standard SKU and must belong to the same resource group as the Firewall.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-ResourceGroupName

Specifies the name of a resource group to contain the Firewall.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Tag

Key-value pairs in the form of a hash table. For example:

@{key0="value0";key1=$null;key2="value2"}

Type:Hashtable
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-ThreatIntelMode

Specifies the operation mode for Threat Intelligence. Default mode is Alert, not Off.

Type:String
Accepted values:Alert, Deny, Off
Position:Named
Default value:Alert
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-VirtualNetwork

Virtual Network

Type:PSVirtualNetwork
Position:Named
Default value:None
Accept pipeline input:True (ByValue)
Accept wildcard characters:False
-VirtualNetworkName

Specifies the name of the virtual network for which the Firewall will be deployed. Virtual network and Firewall must belong to the same resource group.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Accept pipeline input:False
Accept wildcard characters:False
-Zone

A list of availability zones denoting where the firewall needs to come from.

Type:System.String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

PSVirtualNetwork

Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress[]

Microsoft.Azure.Commands.Network.Models.PSAzureFirewallApplicationRuleCollection[]

Microsoft.Azure.Commands.Network.Models.PSAzureFirewallNatRuleCollection[]

Microsoft.Azure.Commands.Network.Models.PSAzureFirewallNetworkRuleCollection[]

Hashtable

Outputs

Microsoft.Azure.Commands.Network.Models.PSAzureFirewall