Creates or updates the specified Azure Firewall.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls/{azureFirewallName}?api-version=2023-09-01
URI Parameters
Name | In | Required | Type | Description
azureFirewallName | path | True | string | The name of the Azure Firewall.
resourceGroupName | path | True | string | The name of the resource group.
subscriptionId | path | True | string | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version | query | True | string | Client API version.
Request Body
Name | Type | Description
id | string | Resource ID.
location | string | Resource location.
properties.additionalProperties | object | The additional properties used to further configure this Azure Firewall.
properties.applicationRuleCollections | AzureFirewallApplicationRuleCollection[] | Collection of application rule collections used by Azure Firewall.
properties.firewallPolicy | SubResource | The firewallPolicy associated with this Azure Firewall.
properties.hubIPAddresses | HubIPAddresses | IP addresses associated with AzureFirewall.
properties.ipConfigurations | AzureFirewallIPConfiguration[] | IP configuration of the Azure Firewall resource.
properties.managementIpConfiguration | AzureFirewallIPConfiguration | IP configuration of the Azure Firewall used for management traffic.
properties.natRuleCollections | AzureFirewallNatRuleCollection[] | Collection of NAT rule collections used by Azure Firewall.
properties.networkRuleCollections | AzureFirewallNetworkRuleCollection[] | Collection of network rule collections used by Azure Firewall.
properties.sku | AzureFirewallSku | The Azure Firewall Resource SKU.
properties.threatIntelMode | AzureFirewallThreatIntelMode | The operation mode for Threat Intelligence.
properties.virtualHub | SubResource | The virtualHub to which the firewall belongs.
tags | object | Resource tags.
zones | string[] | A list of availability zones denoting where the resource needs to come from.
Responses
Name | Type | Description
200 OK | AzureFirewall | Update successful. The operation returns the resulting AzureFirewall resource.
201 Created | AzureFirewall | Create successful. The operation returns the resulting AzureFirewall resource.
Other Status Codes | CloudError | Error response describing why the operation failed.
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description
user_impersonation | impersonate your user account
Examples
Create Azure Firewall
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-09-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
]
}
}
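Added review helper, not part of the Azure samples on this page: it walks a request body of the shape shown in the sample request above and reports the settings a security reviewer would question before the PUT is issued (a threatIntelMode that only alerts, duplicate collection priorities within one collection type, DNAT rules with a wildcard source, and Allow rules that pair a wildcard source with a wildcard destination). `SAMPLE_BODY` is a constructed, trimmed copy of the sample request with one extra permissive collection added for the demonstration.

```python
from collections import defaultdict

# Values accepted for properties.threatIntelMode; only "Deny" blocks traffic
# that matches the threat-intelligence feed, "Alert" merely logs it.
THREAT_INTEL_MODES = ("Off", "Alert", "Deny")
WILDCARD = "*"
COLLECTION_KINDS = ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections")


def review_firewall_body(body):
    """Return a list of findings for one AzureFirewall PUT request body."""
    findings = []
    props = body.get("properties", {})

    mode = props.get("threatIntelMode")
    if mode not in THREAT_INTEL_MODES:
        findings.append(f"threatIntelMode {mode!r} is not one of {THREAT_INTEL_MODES}")
    elif mode != "Deny":
        findings.append(f"threatIntelMode is {mode!r}: threat-intel matches are logged, not blocked")

    # Priorities must be unique within a collection type; a duplicate makes the
    # effective evaluation order unclear to whoever reviews the configuration.
    for kind in COLLECTION_KINDS:
        by_priority = defaultdict(list)
        for coll in props.get(kind, []):
            by_priority[coll.get("properties", {}).get("priority")].append(coll.get("name"))
        for prio, names in by_priority.items():
            if len(names) > 1:
                findings.append(f"{kind}: priority {prio} shared by {names}")

    # A DNAT rule publishes an internal endpoint on the firewall's public IP, so
    # a source of "*" makes the translated address reachable from anywhere.
    for coll in props.get("natRuleCollections", []):
        cp = coll.get("properties", {})
        if cp.get("action", {}).get("type") != "Dnat":
            continue
        for rule in cp.get("rules", []):
            if WILDCARD in rule.get("sourceAddresses", []):
                target = rule.get("translatedAddress") or rule.get("translatedFqdn")
                findings.append(
                    f"DNAT rule {rule.get('name')!r} exposes {target}:{rule.get('translatedPort')} to any source"
                )

    # An Allow rule with wildcard source and wildcard destination is "permit any";
    # the same shape in a Deny collection (as in the sample above) is fine.
    for kind in ("applicationRuleCollections", "networkRuleCollections"):
        for coll in props.get(kind, []):
            cp = coll.get("properties", {})
            if cp.get("action", {}).get("type") != "Allow":
                continue
            for rule in cp.get("rules", []):
                dests = (rule.get("destinationAddresses", []) + rule.get("destinationFqdns", [])
                         + rule.get("targetFqdns", []))
                if WILDCARD in rule.get("sourceAddresses", []) and WILDCARD in dests:
                    findings.append(f"{kind}: Allow rule {rule.get('name')!r} permits any source to any destination")
    return findings


# Constructed input: a trimmed copy of the page's sample request with one extra,
# deliberately permissive network rule collection added for the demonstration.
SAMPLE_BODY = {
    "location": "West US",
    "properties": {
        "sku": {"name": "AZFW_VNet", "tier": "Standard"},
        "threatIntelMode": "Alert",
        "natRuleCollections": [
            {"name": "natrulecoll", "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [
                {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
                 "destinationPorts": ["443"], "protocols": ["TCP"],
                 "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
            ]}},
        ],
        "networkRuleCollections": [
            {"name": "netrulecoll", "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [
                {"name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12"],
                 "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]},
            ]}},
            {"name": "allow-any", "properties": {"priority": 112, "action": {"type": "Allow"}, "rules": [
                {"name": "any-any", "sourceAddresses": ["*"], "destinationAddresses": ["*"],
                 "destinationPorts": ["*"], "protocols": ["Any"]},
            ]}},
        ],
    },
}

if __name__ == "__main__":
    for finding in review_firewall_body(SAMPLE_BODY):
        print("-", finding)
```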
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import com.azure.resourcemanager.network.models.HubIpAddresses;
import com.azure.resourcemanager.network.models.HubPublicIpAddresses;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/**
* Samples for AzureFirewalls CreateOrUpdate.
*/
public final class Main {
/*
* x-ms-original-file:
* specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPut.json
*/
/**
* Sample code: Create Azure Firewall.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewall(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT).withSku(new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET).withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/
* AzureFirewallPutWithAdditionalProperties.json
*/
/**
* Sample code: Create Azure Firewall With Additional Properties.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void
createAzureFirewallWithAdditionalProperties(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withSku(new AzureFirewallSku().withName(AzureFirewallSkuName.AZFW_VNET)
.withTier(AzureFirewallSkuTier.STANDARD))
.withAdditionalProperties(mapOf("key1", "fakeTokenPlaceholder", "key2", "fakeTokenPlaceholder")),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file:
* specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutInHub.json
*/
/**
* Sample code: Create Azure Firewall in virtual Hub.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallInVirtualHub(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls().createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList()).withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withVirtualHub(new SubResource()
.withId("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"))
.withFirewallPolicy(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"))
.withHubIpAddresses(new HubIpAddresses()
.withPublicIPs(new HubPublicIpAddresses().withAddresses(Arrays.asList()).withCount(1)))
.withSku(new AzureFirewallSku().withName(AzureFirewallSkuName.AZFW_HUB)
.withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/
* AzureFirewallPutWithMgmtSubnet.json
*/
/**
* Sample code: Create Azure Firewall With management subnet.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithManagementSubnet(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(
new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withManagementIpConfiguration(new AzureFirewallIpConfiguration()
.withName("azureFirewallMgmtIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName")))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT).withSku(new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET).withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python azure_firewall_put.py

    Before running the sample, set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more information about how to obtain these values, see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subid",
    )

    # The PUT is a long-running operation: begin_create_or_update returns a
    # poller, and .result() blocks until the firewall reaches a terminal state.
    response = client.azure_firewalls.begin_create_or_update(
        resource_group_name="rg1",
        azure_firewall_name="azurefirewall",
        parameters={
            "location": "West US",
            "properties": {
                "applicationRuleCollections": [
                    {
                        "name": "apprulecoll",
                        "properties": {
                            "action": {"type": "Deny"},
                            "priority": 110,
                            "rules": [
                                {
                                    "description": "Deny inbound rule",
                                    "name": "rule1",
                                    "protocols": [{"port": 443, "protocolType": "Https"}],
                                    "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
                                    "targetFqdns": ["www.test.com"],
                                }
                            ],
                        },
                    }
                ],
                "ipConfigurations": [
                    {
                        "name": "azureFirewallIpConfiguration",
                        "properties": {
                            "publicIPAddress": {
                                "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
                            },
                            "subnet": {
                                "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
                            },
                        },
                    }
                ],
                "natRuleCollections": [
                    {
                        "name": "natrulecoll",
                        "properties": {
                            "action": {"type": "Dnat"},
                            "priority": 112,
                            "rules": [
                                {
                                    "description": "D-NAT all outbound web traffic for inspection",
                                    "destinationAddresses": ["1.2.3.4"],
                                    "destinationPorts": ["443"],
                                    "name": "DNAT-HTTPS-traffic",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["*"],
                                    "translatedAddress": "1.2.3.5",
                                    "translatedPort": "8443",
                                },
                                {
                                    "description": "D-NAT all inbound web traffic for inspection",
                                    "destinationAddresses": ["1.2.3.4"],
                                    "destinationPorts": ["80"],
                                    "name": "DNAT-HTTP-traffic-With-FQDN",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["*"],
                                    "translatedFqdn": "internalhttpserver",
                                    "translatedPort": "880",
                                },
                            ],
                        },
                    }
                ],
                "networkRuleCollections": [
                    {
                        "name": "netrulecoll",
                        "properties": {
                            "action": {"type": "Deny"},
                            "priority": 112,
                            "rules": [
                                {
                                    "description": "Block traffic based on source IPs and ports",
                                    "destinationAddresses": ["*"],
                                    "destinationPorts": ["443-444", "8443"],
                                    "name": "L4-traffic",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                                },
                                {
                                    "description": "Block traffic based on source IPs and ports to amazon",
                                    "destinationFqdns": ["www.amazon.com"],
                                    "destinationPorts": ["443-444", "8443"],
                                    "name": "L4-traffic-with-FQDN",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["10.2.4.12-10.2.4.255"],
                                },
                            ],
                        },
                    }
                ],
                "sku": {"name": "AZFW_VNet", "tier": "Standard"},
                "threatIntelMode": "Alert",
            },
            "tags": {"key1": "value1"},
            "zones": [],
        },
    ).result()
    print(response)


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPut.json
if __name__ == "__main__":
    main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPut.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewall() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to pull the result: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// IPGroups: []*armnetwork.AzureFirewallIPGroups{
// },
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// },
// }
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPut.json
*/
async function createAzureFirewall() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
location: "West US",
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters,
);
console.log(result);
}
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPut.json
// This example only shows the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources (the AzureFirewallSubnet and the public IP address referenced below) must be created separately.
// Obtain an Azure access token. For details on how the Azure SDK acquires tokens, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
AzureFirewallData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"ipGroups": [],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {}
}
}
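As an added example (not code from this page or the Azure SDK), the following Python script shows how the classic rule collections in the AzureFirewallPut body above are evaluated: NAT rule collections first, then network rule collections, then application rule collections, each type in ascending priority order (lower number first), with the first matching rule terminating evaluation and unmatched traffic dropped. The embedded rule data is a trimmed copy of the sample request; the four test flows and the address/port matching semantics (exact IP, CIDR, `a-b` ranges and `*`) are this example's own constructions and simplifications.

```python
"""Classic rule evaluation walkthrough for an Azure Firewall request body.

Added example, not code from the page or the Azure SDK. Evaluation order follows the
documented classic-rule processing: NAT -> network -> application, collections by ascending
priority, first match wins, no match means drop. A DNAT match means the packet is translated
and forwarded to the configured target. Matching semantics are a simplification (assumption).
"""
import ipaddress
from typing import Optional, Tuple

# Trimmed copy of the rule collections from the AzureFirewallPut sample request on this page.
FIREWALL_PROPERTIES = {
    "natRuleCollections": [{"name": "natrulecoll", "properties": {
        "priority": 112, "action": {"type": "Dnat"}, "rules": [
            {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"],
             "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["443"],
             "protocols": ["TCP"], "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
            {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"],
             "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["80"],
             "protocols": ["TCP"], "translatedFqdn": "internalhttpserver", "translatedPort": "880"},
        ]}}],
    "networkRuleCollections": [{"name": "netrulecoll", "properties": {
        "priority": 112, "action": {"type": "Deny"}, "rules": [
            {"name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
             "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]},
            {"name": "L4-traffic-with-FQDN", "sourceAddresses": ["10.2.4.12-10.2.4.255"],
             "destinationFqdns": ["www.amazon.com"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]},
        ]}}],
    "applicationRuleCollections": [{"name": "apprulecoll", "properties": {
        "priority": 110, "action": {"type": "Deny"}, "rules": [
            {"name": "rule1", "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
             "targetFqdns": ["www.test.com"], "protocols": [{"protocolType": "Https", "port": 443}]},
        ]}}],
}

# Processing order of the three classic rule types.
ORDER = (("natRuleCollections", "nat"), ("networkRuleCollections", "network"),
         ("applicationRuleCollections", "application"))


def ip_matches(pattern: str, ip: str) -> bool:
    """'*' matches any address; 'a-b' is an inclusive range; otherwise a single IP or CIDR."""
    if pattern == "*":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in pattern:
        low, high = (ipaddress.ip_address(p) for p in pattern.split("-", 1))
        return low <= addr <= high
    return addr in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern: str, port: int) -> bool:
    """'*' matches any port; 'a-b' is an inclusive range; otherwise a single port."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-", 1))
        return low <= port <= high
    return int(pattern) == port


def fqdn_matches(patterns, fqdn: str) -> bool:
    return any(p.lower() == fqdn.lower() for p in patterns)


def rule_matches(rule: dict, flow: dict, kind: str) -> bool:
    """flow keys: src, dst, dport, proto (L4), optional fqdn and l7 (e.g. 'Https')."""
    if not any(ip_matches(p, flow["src"]) for p in rule.get("sourceAddresses", [])):
        return False
    if kind == "application":
        # Application rules match on target FQDN plus L7 protocol and port, not on destination IP.
        return fqdn_matches(rule.get("targetFqdns", []), flow.get("fqdn", "")) and any(
            p["protocolType"].lower() == flow.get("l7", "").lower() and p["port"] == flow["dport"]
            for p in rule.get("protocols", []))
    dst_ok = any(ip_matches(p, flow["dst"]) for p in rule.get("destinationAddresses", [])) \
        or fqdn_matches(rule.get("destinationFqdns", []), flow.get("fqdn", ""))
    proto_ok = any(p.lower() in (flow["proto"].lower(), "any") for p in rule.get("protocols", []))
    port_ok = any(port_matches(p, flow["dport"]) for p in rule.get("destinationPorts", []))
    return dst_ok and proto_ok and port_ok


def evaluate(props: dict, flow: dict) -> Optional[Tuple[str, str, str]]:
    """Return (collection, rule, action) for the first matching rule; None means implicit drop."""
    for key, kind in ORDER:
        for coll in sorted(props.get(key, []), key=lambda c: c["properties"]["priority"]):
            for rule in coll["properties"]["rules"]:
                if rule_matches(rule, flow, kind):
                    return coll["name"], rule["name"], coll["properties"]["action"]["type"]
    return None


if __name__ == "__main__":
    # Constructed flows: an internet client hitting the DNAT'd public IP, an internal host on a
    # denied port, and two HTTPS requests from 10.0.0.0/24 (one denied by FQDN, one unmatched).
    flows = [
        {"src": "203.0.113.7", "dst": "1.2.3.4", "dport": 443, "proto": "TCP"},
        {"src": "192.168.1.5", "dst": "8.8.8.8", "dport": 8443, "proto": "TCP"},
        {"src": "10.0.0.9", "dst": "93.184.216.34", "dport": 443, "proto": "TCP", "fqdn": "www.test.com", "l7": "Https"},
        {"src": "10.0.0.9", "dst": "93.184.216.34", "dport": 443, "proto": "TCP", "fqdn": "www.example.com", "l7": "Https"},
    ]
    for flow in flows:
        print(flow["src"], "->", flow.get("fqdn", flow["dst"]), flow["dport"], "=>", evaluate(FIREWALL_PROPERTIES, flow))
```

The first flow illustrates the point worth noticing in the sample: because both DNAT rules use `sourceAddresses: ["*"]`, any address on the internet that reaches the firewall's public IP on 443 or 80 is translated to the internal target; the network and application deny collections are never consulted for that flow because NAT rules are processed first.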
Create Azure Firewall in virtual Hub
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-09-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_Hub",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {
"publicIPs": {
"addresses": [],
"count": 1
}
}
}
}
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_in_hub.py
Before running the sample, set the client ID, tenant ID and client secret of the AAD
application as the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID and
AZURE_CLIENT_SECRET. For information on how to obtain these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US",
"properties": {
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {"publicIPs": {"addresses": [], "count": 1}},
"sku": {"name": "AZFW_Hub", "tier": "Standard"},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
},
"tags": {"key1": "value1"},
"zones": [],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutInHub.json
if __name__ == "__main__":
main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutInHub.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallInVirtualHub() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
FirewallPolicy: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
},
HubIPAddresses: &armnetwork.HubIPAddresses{
PublicIPs: &armnetwork.HubPublicIPAddresses{
Addresses: []*armnetwork.AzureFirewallPublicIPAddress{},
Count: to.Ptr[int32](1),
},
},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWHub),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
VirtualHub: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
},
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll for the result: %v", err)
}
// Use res here; the blank identifier below only keeps the example compiling without using it.
_ = res
// If the HTTP response code is 200 as defined in the example definition, the response structure would look as follows. All values in the output are placeholders for demonstration purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// FirewallPolicy: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
// },
// HubIPAddresses: &armnetwork.HubIPAddresses{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// PublicIPs: &armnetwork.HubPublicIPAddresses{
// Addresses: []*armnetwork.AzureFirewallPublicIPAddress{
// {
// Address: to.Ptr("13.73.240.12"),
// }},
// Count: to.Ptr[int32](1),
// },
// },
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWHub),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// VirtualHub: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
// },
// },
// Zones: []*string{
// },
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutInHub.json
*/
async function createAzureFirewallInVirtualHub() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
firewallPolicy: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
},
hubIPAddresses: { publicIPs: { addresses: [], count: 1 } },
location: "West US",
sku: { name: "AZFW_Hub", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
virtualHub: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
},
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters,
);
console.log(result);
}
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutInHub.json
// This example only shows the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources (the virtual hub and firewall policy referenced below) must be created separately.
// Obtain an Azure access token. For details on how the Azure SDK acquires tokens, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
VirtualHubId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
FirewallPolicyId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
HubIPAddresses = new HubIPAddresses()
{
PublicIPs = new HubPublicIPAddresses()
{
Addresses =
{
},
Count = 1,
},
},
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwHub,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
AzureFirewallData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_Hub",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {
"publicIPs": {
"addresses": [
{
"address": "13.73.240.12"
}
],
"count": 1
},
"privateIPAddress": "10.0.0.0"
},
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_Hub",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {
"publicIPs": {
"addresses": [
{
"address": "13.73.240.12"
}
],
"count": 1
},
"privateIPAddress": "10.0.0.0"
},
"ipGroups": [],
"additionalProperties": {}
}
}
Create Azure Firewall With Additional Properties
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-09-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"ipGroups": [],
"additionalProperties": {
"key1": "value1",
"key2": "value2"
}
}
}
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_with_additional_properties.py
Before running the sample, set the client ID, tenant ID and client secret of the AAD
application as the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID and
AZURE_CLIENT_SECRET. For more information on how to obtain these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US",
"properties": {
"additionalProperties": {"key1": "value1", "key2": "value2"},
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 110,
"rules": [
{
"description": "Deny inbound rule",
"name": "rule1",
"protocols": [{"port": 443, "protocolType": "Https"}],
"sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
"targetFqdns": ["www.test.com"],
}
],
},
}
],
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
},
}
],
"ipGroups": [],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"action": {"type": "Dnat"},
"priority": 112,
"rules": [
{
"description": "D-NAT all outbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["443"],
"name": "DNAT-HTTPS-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443",
},
{
"description": "D-NAT all inbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["80"],
"name": "DNAT-HTTP-traffic-With-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880",
},
],
},
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 112,
"rules": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": ["*"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
"description": "Block traffic based on source IPs and ports to amazon",
"destinationFqdns": ["www.amazon.com"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic-with-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["10.2.4.12-10.2.4.255"],
},
],
},
}
],
"sku": {"name": "AZFW_VNet", "tier": "Standard"},
"threatIntelMode": "Alert",
},
"tags": {"key1": "value1"},
"zones": [],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithAdditionalProperties.json
if __name__ == "__main__":
main()
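A pre-submission audit of the request body above, as an added example (not code from the Azure SDK or from this reference page). It takes the same `parameters` dictionary that `begin_create_or_update` receives and reports review findings before the PUT is sent: DNAT rules published to any source, network Allow rules with wildcard source and destination, duplicate or out-of-range collection priorities, rules without a description, and threat intelligence left in Alert mode. The priority bounds (100-65000, unique per collection type), the finding codes and the helper names are assumptions of this example, not Azure's server-side validation; the embedded payload is the page's own sample request, trimmed to the fields the audit reads.

```python
"""Pre-submission audit of an Azure Firewall PUT body (classic rule collections).

Added example, not part of the Azure SDK or of this reference page. The checks are
reviewer heuristics run locally; Azure still applies its own validation on PUT.
"""
from collections import defaultdict

# Assumption: classic rule collection priorities are unique per collection type and
# lie within 100-65000; adjust if your API version documents different bounds.
PRIORITY_MIN, PRIORITY_MAX = 100, 65000
COLLECTION_KEYS = ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections")


def _is_wildcard(addresses):
    """True when an address list matches everything ('*' or the 0.0.0.0/0 default route)."""
    return any(a.strip() in ("*", "0.0.0.0/0") for a in addresses or [])


def audit_firewall(parameters):
    """Return a list of 'CODE: message' findings for one PUT request body."""
    findings = []
    props = parameters.get("properties", {})

    # Threat intelligence in Alert mode logs matches but does not block them.
    if props.get("threatIntelMode") == "Alert":
        findings.append("TI_ALERT_ONLY: threatIntelMode is Alert; matches are logged, not denied")

    for key in COLLECTION_KEYS:
        seen = defaultdict(list)  # priority -> collection names of this type
        for coll in props.get(key, []):
            name = coll.get("name", "<unnamed>")
            cprops = coll.get("properties", {})
            prio = cprops.get("priority")
            action = (cprops.get("action") or {}).get("type")
            if prio is None or not (PRIORITY_MIN <= prio <= PRIORITY_MAX):
                findings.append(f"PRIORITY_RANGE: {key}/{name} priority {prio!r} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
            seen[prio].append(name)
            for rule in cprops.get("rules", []):
                rname = rule.get("name", "<unnamed>")
                if not rule.get("description"):
                    findings.append(f"NO_DESCRIPTION: {key}/{name}/{rname} has no description")
                src_any = _is_wildcard(rule.get("sourceAddresses"))
                dst_any = _is_wildcard(rule.get("destinationAddresses"))
                # A DNAT rule with a wildcard source exposes the translated backend to every client.
                if key == "natRuleCollections" and src_any:
                    backend = rule.get("translatedAddress") or rule.get("translatedFqdn")
                    findings.append(f"DNAT_OPEN_SOURCE: {key}/{name}/{rname} publishes {backend}:{rule.get('translatedPort')} to any source")
                # Wildcards only widen exposure when the collection allows; a Deny with '*' narrows it.
                if key == "networkRuleCollections" and action == "Allow" and src_any and dst_any:
                    findings.append(f"ANY_ANY_ALLOW: {key}/{name}/{rname} allows any source to any destination")
        for prio, names in seen.items():
            if len(names) > 1:
                findings.append(f"PRIORITY_CLASH: {key} priority {prio} used by {', '.join(names)}")
    return findings


# Constructed input: the sample request from this page, trimmed to the fields the audit reads.
SAMPLE_REQUEST = {
    "location": "West US",
    "properties": {
        "sku": {"name": "AZFW_VNet", "tier": "Standard"},
        "threatIntelMode": "Alert",
        "applicationRuleCollections": [{
            "name": "apprulecoll",
            "properties": {"priority": 110, "action": {"type": "Deny"}, "rules": [{
                "name": "rule1", "description": "Deny inbound rule",
                "protocols": [{"protocolType": "Https", "port": 443}],
                "targetFqdns": ["www.test.com"],
                "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"]}]}}],
        "natRuleCollections": [{
            "name": "natrulecoll",
            "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [
                {"name": "DNAT-HTTPS-traffic", "description": "D-NAT all outbound web traffic for inspection",
                 "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["443"],
                 "protocols": ["TCP"], "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
                {"name": "DNAT-HTTP-traffic-With-FQDN", "description": "D-NAT all inbound web traffic for inspection",
                 "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["80"],
                 "protocols": ["TCP"], "translatedFqdn": "internalhttpserver", "translatedPort": "880"}]}}],
        "networkRuleCollections": [{
            "name": "netrulecoll",
            "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [
                {"name": "L4-traffic", "description": "Block traffic based on source IPs and ports",
                 "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                 "destinationPorts": ["443-444", "8443"], "destinationAddresses": ["*"], "protocols": ["TCP"]}]}}],
    },
}

if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_REQUEST):
        print(finding)
```

Run against the sample request, the audit yields three findings: the Alert-mode notice and one DNAT_OPEN_SOURCE line per NAT rule, since both rules accept traffic from `*`. The Deny network rule with `*` as destination is not flagged, because a wildcard in a deny rule narrows exposure rather than widening it; the equal priorities of `natrulecoll` and `netrulecoll` are not flagged either, since they belong to different collection types.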
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithAdditionalProperties.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithAdditionalProperties() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
AdditionalProperties: map[string]*string{
"key1": to.Ptr("value1"),
"key2": to.Ptr("value2"),
},
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
IPGroups: []*armnetwork.AzureFirewallIPGroups{},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to pull the result: %v", err)
}
// You could use the response here; the blank identifier is used only for this demo.
_ = res
// If the HTTP response code is 200 as defined in the example definition, the response structure would look as follows. Note that all values in the output are fake values for demo purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// "key1": to.Ptr("value1"),
// "key2": to.Ptr("value2"),
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// },
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithAdditionalProperties.json
*/
async function createAzureFirewallWithAdditionalProperties() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
additionalProperties: { key1: "value1", key2: "value2" },
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
ipGroups: [],
location: "West US",
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters,
);
console.log(result);
}
// Invoke the sample; without this call the function above is defined but never run.
createAzureFirewallWithAdditionalProperties().catch(console.error);
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithAdditionalProperties.json
// this example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources have to be created separately.
// get your Azure access token; for details of how the Azure SDK obtains it, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes the ResourceGroupResource already exists in Azure
// for information on creating a ResourceGroupResource, refer to its documentation
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
AdditionalProperties =
{
["key1"] = "value1",
["key2"] = "value2",
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// the variable result is a resource; you could call other operations on this instance as well,
// but for this demo we only read its data from the resource instance
AzureFirewallData resourceData = result.Data;
// for the demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"additionalProperties": {
"key1": "value1",
"key2": "value2"
}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {
"key1": "value1",
"key2": "value2"
}
}
}
Create Azure Firewall With IpGroups
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-09-01
{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "zones": [],
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "properties": {
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ]
  }
}
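A pre-deployment review of the request body above, as an added example (not code from the Azure docs page or the SDK samples): it walks the ip configurations and rule collections the way a reviewer would and reports the settings worth a second look. The required subnet names and the per-type uniqueness of collection priorities are documented Azure Firewall constraints not stated on this page; the embedded sample is a trimmed copy of the request above.

```python
"""Added example (not from the Azure docs page or the Azure SDK samples): a
pre-deployment review of an AzureFirewalls CreateOrUpdate request body."""
from typing import Dict, List

# Azure only accepts these dedicated subnet names for the firewall's ip
# configurations (documented constraint, not stated on this page).
FIREWALL_SUBNET = "AzureFirewallSubnet"
MANAGEMENT_SUBNET = "AzureFirewallManagementSubnet"
COLLECTION_TYPES = ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections")

# Constructed sample: a trimmed copy of the sample request above (same ip
# configuration, collections and rules), so the review runs offline.
SAMPLE_REQUEST: Dict = {
    "location": "West US",
    "properties": {
        "threatIntelMode": "Alert",
        "ipConfigurations": [{
            "name": "azureFirewallIpConfiguration",
            "properties": {
                "subnet": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"},
                "publicIPAddress": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"},
            },
        }],
        "applicationRuleCollections": [{
            "name": "apprulecoll",
            "properties": {"priority": 110, "action": {"type": "Deny"}, "rules": [
                {"name": "rule1", "protocols": [{"protocolType": "Https", "port": 443}],
                 "targetFqdns": ["www.test.com"], "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"]}]},
        }],
        "natRuleCollections": [{
            "name": "natrulecoll",
            "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [
                {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
                 "destinationPorts": ["443"], "protocols": ["TCP"],
                 "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
                {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
                 "destinationPorts": ["80"], "protocols": ["TCP"],
                 "translatedFqdn": "internalhttpserver", "translatedPort": "880"}]},
        }],
        "networkRuleCollections": [{
            "name": "netrulecoll",
            "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [
                {"name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                 "destinationPorts": ["443-444", "8443"], "destinationAddresses": ["*"], "protocols": ["TCP"]}]},
        }],
    },
}


def _subnet_name(ip_config: Dict) -> str:
    """Last path segment of an ip configuration's subnet resource id."""
    return ip_config["properties"]["subnet"]["id"].rstrip("/").rsplit("/", 1)[-1]


def review_firewall_request(body: Dict) -> List[str]:
    """Return findings for an AzureFirewalls PUT body; an empty list means clean."""
    findings: List[str] = []
    props = body.get("properties", {})
    # "Alert" only logs threat-intelligence matches; "Deny" blocks them.
    if props.get("threatIntelMode") != "Deny":
        findings.append(f"threatIntelMode is {props.get('threatIntelMode')!r}, not 'Deny'")
    for ipc in props.get("ipConfigurations", []):
        if _subnet_name(ipc) != FIREWALL_SUBNET:
            findings.append(f"ipConfiguration {ipc['name']} is not in {FIREWALL_SUBNET}")
    mgmt = props.get("managementIpConfiguration")
    if mgmt and _subnet_name(mgmt) != MANAGEMENT_SUBNET:
        findings.append(f"managementIpConfiguration {mgmt['name']} is not in {MANAGEMENT_SUBNET}")
    for kind in COLLECTION_TYPES:
        # Priorities are unique per collection type, so nat and network
        # collections may both use 112 (as in the sample) without conflict.
        seen: Dict[int, str] = {}
        for coll in props.get(kind, []):
            cprops = coll["properties"]
            prio, action = cprops["priority"], cprops["action"]["type"]
            if prio in seen:
                findings.append(f"{kind}: priority {prio} shared by {seen[prio]} and {coll['name']}")
            seen[prio] = coll["name"]
            for rule in cprops.get("rules", []):
                src_any = "*" in rule.get("sourceAddresses", [])
                dst_any = "*" in rule.get("destinationAddresses", [])
                # A DNAT rule publishes the translated host to every matching
                # source; "*" on a public frontend means the whole internet.
                if kind == "natRuleCollections" and src_any:
                    target = rule.get("translatedAddress") or rule.get("translatedFqdn")
                    findings.append(f"{coll['name']}/{rule['name']}: DNAT from any source "
                                    f"to {target}:{rule['translatedPort']}")
                # Allow any-to-any bypasses the firewall; Deny with "*" (the
                # sample's network rule) is fine.
                if action == "Allow" and src_any and dst_any:
                    findings.append(f"{coll['name']}/{rule['name']}: allows any source to any destination")
    return findings


if __name__ == "__main__":
    for finding in review_firewall_request(SAMPLE_REQUEST):
        print(finding)
```

Run against the sample request it reports the Alert-only threat-intelligence mode and the two DNAT rules open to any source; the network Deny rule with a wildcard destination is, correctly, not reported.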
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import com.azure.resourcemanager.network.models.HubIpAddresses;
import com.azure.resourcemanager.network.models.HubPublicIpAddresses;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/**
* Samples for AzureFirewalls CreateOrUpdate.
*/
public final class Main {
/*
* x-ms-original-file:
* specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithIpGroups.
* json
*/
/**
* Sample code: Create Azure Firewall With IpGroups.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithIpGroups(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT).withSku(new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET).withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/
* AzureFirewallPutWithAdditionalProperties.json
*/
/**
* Sample code: Create Azure Firewall With Additional Properties.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void
createAzureFirewallWithAdditionalProperties(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withSku(new AzureFirewallSku().withName(AzureFirewallSkuName.AZFW_VNET)
.withTier(AzureFirewallSkuTier.STANDARD))
.withAdditionalProperties(mapOf("key1", "fakeTokenPlaceholder", "key2", "fakeTokenPlaceholder")),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file:
* specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutInHub.json
*/
/**
* Sample code: Create Azure Firewall in virtual Hub.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallInVirtualHub(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls().createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList()).withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withVirtualHub(new SubResource()
.withId("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"))
.withFirewallPolicy(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"))
.withHubIpAddresses(new HubIpAddresses()
.withPublicIPs(new HubPublicIpAddresses().withAddresses(Arrays.asList()).withCount(1)))
.withSku(new AzureFirewallSku().withName(AzureFirewallSkuName.AZFW_HUB)
.withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/
* AzureFirewallPutWithMgmtSubnet.json
*/
/**
* Sample code: Create Azure Firewall With management subnet.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithManagementSubnet(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(
new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withManagementIpConfiguration(new AzureFirewallIpConfiguration()
.withName("azureFirewallMgmtIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName")))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT).withSku(new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET).withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python azure_firewall_put_with_ip_groups.py

    Before running the sample, set the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more information about how to obtain these values, see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subid",
    )

    response = client.azure_firewalls.begin_create_or_update(
        resource_group_name="rg1",
        azure_firewall_name="azurefirewall",
        parameters={
            "location": "West US",
            "properties": {
                "applicationRuleCollections": [
                    {
                        "name": "apprulecoll",
                        "properties": {
                            "action": {"type": "Deny"},
                            "priority": 110,
                            "rules": [
                                {
                                    "description": "Deny inbound rule",
                                    "name": "rule1",
                                    "protocols": [{"port": 443, "protocolType": "Https"}],
                                    "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
                                    "targetFqdns": ["www.test.com"],
                                }
                            ],
                        },
                    }
                ],
                "ipConfigurations": [
                    {
                        "name": "azureFirewallIpConfiguration",
                        "properties": {
                            "publicIPAddress": {
                                "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
                            },
                            "subnet": {
                                "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
                            },
                        },
                    }
                ],
                "natRuleCollections": [
                    {
                        "name": "natrulecoll",
                        "properties": {
                            "action": {"type": "Dnat"},
                            "priority": 112,
                            "rules": [
                                {
                                    "description": "D-NAT all outbound web traffic for inspection",
                                    "destinationAddresses": ["1.2.3.4"],
                                    "destinationPorts": ["443"],
                                    "name": "DNAT-HTTPS-traffic",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["*"],
                                    "translatedAddress": "1.2.3.5",
                                    "translatedPort": "8443",
                                },
                                {
                                    "description": "D-NAT all inbound web traffic for inspection",
                                    "destinationAddresses": ["1.2.3.4"],
                                    "destinationPorts": ["80"],
                                    "name": "DNAT-HTTP-traffic-With-FQDN",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["*"],
                                    "translatedFqdn": "internalhttpserver",
                                    "translatedPort": "880",
                                },
                            ],
                        },
                    }
                ],
                "networkRuleCollections": [
                    {
                        "name": "netrulecoll",
                        "properties": {
                            "action": {"type": "Deny"},
                            "priority": 112,
                            "rules": [
                                {
                                    "description": "Block traffic based on source IPs and ports",
                                    "destinationAddresses": ["*"],
                                    "destinationPorts": ["443-444", "8443"],
                                    "name": "L4-traffic",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                                },
                                {
                                    "description": "Block traffic based on source IPs and ports to amazon",
                                    "destinationFqdns": ["www.amazon.com"],
                                    "destinationPorts": ["443-444", "8443"],
                                    "name": "L4-traffic-with-FQDN",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["10.2.4.12-10.2.4.255"],
                                },
                            ],
                        },
                    }
                ],
                "sku": {"name": "AZFW_VNet", "tier": "Standard"},
                "threatIntelMode": "Alert",
            },
            "tags": {"key1": "value1"},
            "zones": [],
        },
    ).result()
    print(response)


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithIpGroups.json
if __name__ == "__main__":
    main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithIpGroups.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithIpGroups() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to pull the result: %v", err)
}
// You could use the response here; the blank identifier is used only for demo purposes.
_ = res
// If the HTTP response code is 200 as defined in the example definition, the response structure would look as follows. Note that all values in the output are fake, for demo purposes only.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// },
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithIpGroups.json
*/
async function createAzureFirewallWithIPGroups() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
location: "West US",
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters,
);
console.log(result);
}
// Entry point: run the sample and surface any failure on stderr.
createAzureFirewallWithIPGroups().catch(console.error);
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithIpGroups.json
// This example only shows the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources referenced by ID below must be created separately.
// Get your Azure access token. For details of how the Azure SDK obtains it, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// Authenticate your client.
ArmClient client = new ArmClient(cred);
// This example assumes the ResourceGroupResource already exists in Azure.
// For information on creating a ResourceGroupResource, see its documentation.
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// result is a resource instance, so further operations can be called on it;
// for this demo we only read its data and print the id.
AzureFirewallData resourceData = result.Data;
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceIpGroups": [
"/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceIpGroups": [
"/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationIpGroups": [
"/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups2"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"ipGroups": [
{
"id": "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1",
"changeNumber": "5"
},
{
"id": "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups2",
"changeNumber": "4"
}
],
"additionalProperties": {}
}
}
Create Azure Firewall With management subnet
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-09-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"managementIpConfiguration": {
"name": "azureFirewallMgmtIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"
}
}
},
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
]
}
}
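The request body above is what a reviewer actually reads when a firewall change comes through a pull request, so the following added example (not part of the Azure reference page or of the SDK samples) runs the checks a defender would apply to it before it is sent: whether threat intelligence only alerts or also denies, whether the data and management IP configurations sit on the subnets the service requires (AzureFirewallSubnet and AzureFirewallManagementSubnet), whether any DNAT rule publishes a backend to a wildcard source, and whether rule-collection priorities collide within one collection type. The embedded body is a constructed trimming of the sample request; the allow-list passed to `hardened_copy` is a constructed placeholder.

```python
import copy
import json
from typing import Dict, List

# Constructed sample input: the security-relevant parts of the PUT body shown
# above (the "Create Azure Firewall With management subnet" request).
SAMPLE_BODY = json.loads(r"""
{
  "location": "West US",
  "properties": {
    "sku": {"name": "AZFW_VNet", "tier": "Standard"},
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {"name": "azureFirewallIpConfiguration",
       "properties": {"subnet": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"}}}
    ],
    "managementIpConfiguration": {
      "name": "azureFirewallMgmtIpConfiguration",
      "properties": {"subnet": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"}}
    },
    "applicationRuleCollections": [
      {"name": "apprulecoll", "properties": {"priority": 110, "action": {"type": "Deny"}, "rules": []}}
    ],
    "natRuleCollections": [
      {"name": "natrulecoll", "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [
        {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
         "destinationPorts": ["443"], "protocols": ["TCP"], "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
        {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
         "destinationPorts": ["80"], "protocols": ["TCP"], "translatedFqdn": "internalhttpserver", "translatedPort": "880"}
      ]}}
    ],
    "networkRuleCollections": [
      {"name": "netrulecoll", "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": []}}
    ]
  }
}
""")

COLLECTION_KEYS = ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections")


def _subnet_id(ip_config: Dict) -> str:
    return ip_config.get("properties", {}).get("subnet", {}).get("id", "")


def lint_firewall_body(body: Dict) -> List[str]:
    """Return review findings for an azureFirewalls PUT body; an empty list means clean."""
    findings: List[str] = []
    props = body.get("properties", {})

    # 1. Threat intelligence: "Alert" only logs matches against the Microsoft feed,
    #    "Deny" also blocks them, "Off" (the default assumed here) does neither.
    mode = props.get("threatIntelMode", "Off")
    if mode != "Deny":
        findings.append(f"threatIntelMode={mode!r}: known-malicious traffic is not blocked")

    # 2. Subnet naming the service requires: data path on AzureFirewallSubnet,
    #    management traffic (when configured) on AzureFirewallManagementSubnet.
    for ip_config in props.get("ipConfigurations", []):
        if not _subnet_id(ip_config).endswith("/subnets/AzureFirewallSubnet"):
            findings.append(f"ipConfiguration {ip_config.get('name')!r} is not on AzureFirewallSubnet")
    mgmt = props.get("managementIpConfiguration")
    if mgmt and not _subnet_id(mgmt).endswith("/subnets/AzureFirewallManagementSubnet"):
        findings.append("managementIpConfiguration is not on AzureFirewallManagementSubnet")

    # 3. DNAT rules are inbound exposure: a "*" source publishes the translated
    #    backend to every address that can reach the firewall's public IP.
    for coll in props.get("natRuleCollections", []):
        for rule in coll.get("properties", {}).get("rules", []):
            if "*" in rule.get("sourceAddresses", []):
                backend = rule.get("translatedAddress") or rule.get("translatedFqdn")
                front = ",".join(rule.get("destinationAddresses", [])) + ":" + ",".join(rule.get("destinationPorts", []))
                findings.append(f"NAT rule {rule['name']!r}: source '*' exposes {backend}:{rule.get('translatedPort')} via {front}")

    # 4. Priorities must be unique within each collection type; the same number
    #    may recur across types (112 is used by both the NAT and the network
    #    collection in the sample, which is legitimate).
    for key in COLLECTION_KEYS:
        seen: Dict[int, str] = {}
        for coll in props.get(key, []):
            prio = coll["properties"]["priority"]
            if prio in seen:
                findings.append(f"{key}: priority {prio} used by both {seen[prio]!r} and {coll['name']!r}")
            seen[prio] = coll["name"]
    return findings


def hardened_copy(body: Dict, allowed_sources: List[str]) -> Dict:
    """Return a copy with threat intelligence set to Deny and wildcard DNAT sources replaced."""
    fixed = copy.deepcopy(body)
    props = fixed["properties"]
    props["threatIntelMode"] = "Deny"
    for coll in props.get("natRuleCollections", []):
        for rule in coll["properties"]["rules"]:
            if "*" in rule.get("sourceAddresses", []):
                rule["sourceAddresses"] = list(allowed_sources)
    return fixed


if __name__ == "__main__":
    for finding in lint_firewall_body(SAMPLE_BODY):
        print("FINDING:", finding)
    # Constructed placeholder allow-list; the real one comes from the service owner.
    print("after hardening:", lint_firewall_body(hardened_copy(SAMPLE_BODY, ["203.0.113.0/24"])))
```

Run against the sample body the linter reports three findings: the Alert-only threat intelligence mode and the two DNAT rules whose source is `*`; the subnet names and the per-type priorities pass. `hardened_copy` shows the minimal change that clears them, and the same dictionary can be handed to `begin_create_or_update` in the Python SDK sample that follows.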
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_with_mgmt_subnet.py
Before running the sample, set the client ID, tenant ID and client secret of the
AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
AZURE_CLIENT_SECRET. For more information about how to obtain these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US",
"properties": {
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 110,
"rules": [
{
"description": "Deny inbound rule",
"name": "rule1",
"protocols": [{"port": 443, "protocolType": "Https"}],
"sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
"targetFqdns": ["www.test.com"],
}
],
},
}
],
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
},
}
],
"managementIpConfiguration": {
"name": "azureFirewallMgmtIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"
},
},
},
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"action": {"type": "Dnat"},
"priority": 112,
"rules": [
{
"description": "D-NAT all outbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["443"],
"name": "DNAT-HTTPS-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443",
},
{
"description": "D-NAT all inbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["80"],
"name": "DNAT-HTTP-traffic-With-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880",
},
],
},
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 112,
"rules": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": ["*"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
"description": "Block traffic based on source IPs and ports to amazon",
"destinationFqdns": ["www.amazon.com"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic-with-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["10.2.4.12-10.2.4.255"],
},
],
},
}
],
"sku": {"name": "AZFW_VNet", "tier": "Standard"},
"threatIntelMode": "Alert",
},
"tags": {"key1": "value1"},
"zones": [],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithMgmtSubnet.json
if __name__ == "__main__":
main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithMgmtSubnet.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithManagementSubnet() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
ManagementIPConfiguration: &armnetwork.AzureFirewallIPConfiguration{
Name: to.Ptr("azureFirewallMgmtIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"),
},
},
},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll the result: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in the example definition, the response structure would look as follows. Note that all values in this output are fake, for demo purposes only.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// },
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithMgmtSubnet.json
*/
async function createAzureFirewallWithManagementSubnet() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
location: "West US",
managementIpConfiguration: {
name: "azureFirewallMgmtIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
},
},
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters,
);
console.log(result);
}
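The three rule-collection types in the sample above are not evaluated in the order they appear in the body. Azure Firewall processes DNAT rule collections first, then network rule collections, then application rule collections; within each type the collection with the lower priority number is processed first (100 before 65000), the first matching rule terminates processing, and a flow that matches nothing is denied. Application rules are only consulted for HTTP/HTTPS-style traffic that carries a host name, so an HTTPS flow from a source that the network Deny rules do not cover can still be stopped by `apprulecoll`. The Python below is an added example, not code from this page or the Azure SDK: it is a simplified offline model of that order over the sample's own rule collections, embedded as constructed input. It ignores threat-intelligence filtering and DNS resolution of `destinationFqdns` (the caller supplies the host name), and it does not model TLS inspection.

```python
"""Offline model of Azure Firewall classic-rule processing order (added example).

Assumed order, as documented for classic rules: DNAT collections, then network
collections, then application collections; lower priority number first; first
match terminates; no match means Deny. Simplifications: no threat-intel stage,
no DNS resolution (fqdn is supplied by the caller), IPv4 only.
"""
import ipaddress

# Rule collections copied from the sample request on this page (constructed input).
SAMPLE = {
    "natRuleCollections": [{"name": "natrulecoll", "properties": {
        "priority": 112, "action": {"type": "Dnat"}, "rules": [
            {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
             "destinationPorts": ["443"], "protocols": ["TCP"],
             "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
            {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
             "destinationPorts": ["80"], "protocols": ["TCP"],
             "translatedFqdn": "internalhttpserver", "translatedPort": "880"}]}}],
    "networkRuleCollections": [{"name": "netrulecoll", "properties": {
        "priority": 112, "action": {"type": "Deny"}, "rules": [
            {"name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
             "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]},
            {"name": "L4-traffic-with-FQDN", "sourceAddresses": ["10.2.4.12-10.2.4.255"],
             "destinationFqdns": ["www.amazon.com"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]}]}}],
    "applicationRuleCollections": [{"name": "apprulecoll", "properties": {
        "priority": 110, "action": {"type": "Deny"}, "rules": [
            {"name": "rule1", "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
             "protocols": [{"protocolType": "Https", "port": 443}], "targetFqdns": ["www.test.com"]}]}}],
}


def ip_in(addr: str, spec: str) -> bool:
    """Match an IPv4 address against '*', a CIDR, a single IP, or a 'first-last' range."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(part) for part in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def port_in(port: int, spec: str) -> bool:
    """Match a port against '*', a single port, or a 'lo-hi' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(part) for part in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def by_priority(props: dict, kind: str) -> list:
    """Collections of one type, highest precedence (lowest priority number) first."""
    return sorted(props.get(kind, []), key=lambda c: c["properties"]["priority"])


def l4_match(rule: dict, src: str, dst: str, port: int, proto: str, fqdn=None) -> bool:
    """Protocol/source/destination/port test shared by DNAT and network rules."""
    protos = {p.upper() for p in rule.get("protocols", [])}
    if proto not in protos and "ANY" not in protos:
        return False
    if not any(ip_in(src, s) for s in rule.get("sourceAddresses", [])):
        return False
    dst_ok = any(ip_in(dst, d) for d in rule.get("destinationAddresses", [])) or (
        fqdn is not None and fqdn in rule.get("destinationFqdns", []))
    return dst_ok and any(port_in(port, p) for p in rule.get("destinationPorts", []))


def evaluate(props: dict, src: str, dst: str, port: int, proto: str = "TCP", fqdn=None) -> tuple:
    """Return (stage, collection, rule, verdict); stage 'default' means nothing matched."""
    proto = proto.upper()
    for coll in by_priority(props, "natRuleCollections"):
        p = coll["properties"]
        for r in p["rules"]:
            if l4_match(r, src, dst, port, proto):
                target = r.get("translatedAddress") or r.get("translatedFqdn")
                return ("nat", coll["name"], r["name"], f"{p['action']['type']} -> {target}:{r['translatedPort']}")
    for coll in by_priority(props, "networkRuleCollections"):
        p = coll["properties"]
        for r in p["rules"]:
            if l4_match(r, src, dst, port, proto, fqdn):
                return ("network", coll["name"], r["name"], p["action"]["type"])
    if fqdn is not None:  # application rules only see HTTP/HTTPS flows with a host name
        for coll in by_priority(props, "applicationRuleCollections"):
            p = coll["properties"]
            for r in p["rules"]:
                if (any(ip_in(src, s) for s in r["sourceAddresses"])
                        and fqdn in r.get("targetFqdns", [])
                        and any(pr.get("port") == port for pr in r["protocols"])):
                    return ("application", coll["name"], r["name"], p["action"]["type"])
    return ("default", None, None, "Deny")


if __name__ == "__main__":
    print(evaluate(SAMPLE, "203.0.113.10", "1.2.3.4", 443))                    # DNAT wins before any Deny
    print(evaluate(SAMPLE, "10.1.4.50", "8.8.8.8", 8443))                      # network Deny
    print(evaluate(SAMPLE, "10.0.0.5", "93.184.216.34", 443, fqdn="www.test.com"))  # application Deny
    print(evaluate(SAMPLE, "10.9.9.9", "93.184.216.34", 443, fqdn="www.test.com"))  # implicit Deny
```

The first call is the point to notice: because DNAT collections run before the Deny collections, a source that the network rules would block is still translated to 1.2.3.5:8443 when it hits the firewall's public address, so a DNAT rule with `sourceAddresses: ["*"]` needs its own justification rather than relying on later collections.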
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithMgmtSubnet.json
// This example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources (subnets, public IP addresses) must be created separately.
// Get your Azure access token; for details on how the Azure SDK obtains it, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// This example assumes the resource group already exists in Azure; see the ResourceGroupResource documentation for how to create one.
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ManagementIPConfiguration = new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"),
Name = "azureFirewallMgmtIpConfiguration",
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// The result is a resource on which further operations can be called.
// For this demo we only read its data and print the id.
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {}
}
}
Create Azure Firewall With Zones
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-09-01
{
"location": "West US 2",
"tags": {
"key1": "value1"
},
"zones": [
"1",
"2",
"3"
],
"properties": {
"threatIntelMode": "Alert",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
]
}
}
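The API accepts a body like the one above as long as it is well-formed; nothing in the PUT itself objects to a DNAT rule open to every source, an any-to-any Allow, or threat intelligence switched off, and a subnet that is not named AzureFirewallSubnet (or AzureFirewallManagementSubnet for the management configuration) only fails once the long-running operation has started. The check below is an added example, not code from this page or the Azure SDK: it walks a request body in the shape of the sample and reports those conditions, plus rule-collection priorities outside the 100-65000 range or duplicated within one collection type (reported here as ambiguous ordering, an assumption of this check rather than a documented rejection). The body is constructed for the example: it keeps the sample's threatIntelMode, ipConfiguration and trimmed rule collections and adds an allow-all network collection so that every check has something to report.

```python
"""Pre-deployment checks for an Azure Firewall CreateOrUpdate body (added example).

Run this over the JSON body before sending the PUT. Findings are (severity,
message) tuples so the caller can fail a pipeline on "error"/"high".
"""
from typing import List, Tuple

Finding = Tuple[str, str]

# Constructed input: the sample request trimmed to the rules the checks look at,
# plus an any-to-any Allow collection that a reviewer should reject.
BODY = {
    "location": "West US 2",
    "zones": ["1", "2", "3"],
    "properties": {
        "threatIntelMode": "Alert",
        "sku": {"name": "AZFW_VNet", "tier": "Standard"},
        "ipConfigurations": [{"name": "azureFirewallIpConfiguration", "properties": {
            "subnet": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"},
            "publicIPAddress": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"}}}],
        "natRuleCollections": [{"name": "natrulecoll", "properties": {
            "priority": 112, "action": {"type": "Dnat"}, "rules": [
                {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
                 "destinationPorts": ["443"], "protocols": ["TCP"],
                 "translatedAddress": "1.2.3.5", "translatedPort": "8443"}]}}],
        "networkRuleCollections": [
            {"name": "netrulecoll", "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [
                {"name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12"],
                 "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]}]}},
            {"name": "allow-all", "properties": {"priority": 112, "action": {"type": "Allow"}, "rules": [  # constructed
                {"name": "any", "sourceAddresses": ["*"], "destinationAddresses": ["*"],
                 "destinationPorts": ["*"], "protocols": ["Any"]}]}}],
        "applicationRuleCollections": [{"name": "apprulecoll", "properties": {
            "priority": 110, "action": {"type": "Deny"}, "rules": [
                {"name": "rule1", "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
                 "protocols": [{"protocolType": "Https", "port": 443}], "targetFqdns": ["www.test.com"]}]}}],
    },
}


def _subnet_id(cfg: dict) -> str:
    return cfg.get("properties", {}).get("subnet", {}).get("id", "")


def check_body(body: dict) -> List[Finding]:
    """Return the findings for one CreateOrUpdate request body."""
    findings: List[Finding] = []
    props = body.get("properties", {})

    # threatIntelMode: Off disables the feed, Alert only logs matches, Deny blocks them.
    mode = props.get("threatIntelMode", "Alert")
    if mode == "Off":
        findings.append(("high", "threatIntelMode is Off: known-malicious IPs/domains are neither logged nor blocked"))
    elif mode == "Alert":
        findings.append(("info", "threatIntelMode is Alert: matches are logged but not blocked"))

    # The service requires these subnet names; catching it here avoids a failed long-running PUT.
    for cfg in props.get("ipConfigurations", []):
        if not _subnet_id(cfg).endswith("/subnets/AzureFirewallSubnet"):
            findings.append(("error", f"ipConfiguration {cfg.get('name')}: subnet must be named AzureFirewallSubnet"))
    mgmt = props.get("managementIpConfiguration")
    if mgmt is not None and not _subnet_id(mgmt).endswith("/subnets/AzureFirewallManagementSubnet"):
        findings.append(("error", "managementIpConfiguration: subnet must be named AzureFirewallManagementSubnet"))

    for kind in ("natRuleCollections", "networkRuleCollections", "applicationRuleCollections"):
        seen = {}  # priority -> collection name, per collection type
        for coll in props.get(kind, []):
            p = coll.get("properties", {})
            prio, action = p.get("priority"), p.get("action", {}).get("type")
            if not isinstance(prio, int) or not 100 <= prio <= 65000:
                findings.append(("error", f"{kind}/{coll['name']}: priority {prio!r} outside 100-65000"))
            elif prio in seen:  # assumption of this check: duplicate priority makes ordering ambiguous
                findings.append(("warn", f"{kind}/{coll['name']}: priority {prio} also used by {seen[prio]}"))
            else:
                seen[prio] = coll["name"]
            for r in p.get("rules", []):
                src_any = "*" in r.get("sourceAddresses", [])
                dst_any = "*" in r.get("destinationAddresses", [])
                port_any = "*" in r.get("destinationPorts", [])
                if kind == "natRuleCollections" and src_any:
                    target = r.get("translatedAddress") or r.get("translatedFqdn")
                    findings.append(("high", f"{coll['name']}/{r['name']}: DNAT from any source exposes "
                                             f"{target}:{r.get('translatedPort')} to every address that can reach the firewall"))
                if kind == "networkRuleCollections" and action == "Allow" and src_any and dst_any and port_any:
                    findings.append(("high", f"{coll['name']}/{r['name']}: any-to-any allow defeats the firewall"))
                if kind == "applicationRuleCollections" and action == "Allow" and "*" in r.get("targetFqdns", []):
                    findings.append(("warn", f"{coll['name']}/{r['name']}: allows web traffic to every FQDN"))
    return findings


if __name__ == "__main__":
    for severity, message in check_body(BODY):
        print(f"[{severity}] {message}")
```

Wire `check_body` in front of whichever SDK call you use (the `begin_create_or_update` call in the Python sample, for instance) and refuse to send the body when any finding has severity `error` or `high`; the `info` line for Alert mode is there so that the choice not to enforce threat intelligence is at least visible in the pipeline log.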
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import com.azure.resourcemanager.network.models.HubIpAddresses;
import com.azure.resourcemanager.network.models.HubPublicIpAddresses;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/**
* Samples for AzureFirewalls CreateOrUpdate.
*/
public final class Main {
/*
* x-ms-original-file:
* specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithZones.
* json
*/
/**
* Sample code: Create Azure Firewall With Zones.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithZones(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US 2").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList("1", "2", "3"))
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT).withSku(new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET).withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/
* AzureFirewallPutWithAdditionalProperties.json
*/
/**
* Sample code: Create Azure Firewall With Additional Properties.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void
createAzureFirewallWithAdditionalProperties(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withSku(new AzureFirewallSku().withName(AzureFirewallSkuName.AZFW_VNET)
.withTier(AzureFirewallSkuTier.STANDARD))
.withAdditionalProperties(mapOf("key1", "fakeTokenPlaceholder", "key2", "fakeTokenPlaceholder")),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file:
* specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutInHub.json
*/
/**
* Sample code: Create Azure Firewall in virtual Hub.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallInVirtualHub(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls().createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList()).withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withVirtualHub(new SubResource()
.withId("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"))
.withFirewallPolicy(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"))
.withHubIpAddresses(new HubIpAddresses()
.withPublicIPs(new HubPublicIpAddresses().withAddresses(Arrays.asList()).withCount(1)))
.withSku(new AzureFirewallSku().withName(AzureFirewallSkuName.AZFW_HUB)
.withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/
* AzureFirewallPutWithMgmtSubnet.json
*/
/**
* Sample code: Create Azure Firewall With management subnet.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithManagementSubnet(com.azure.resourcemanager.AzureResourceManager azure) {
azure.networks().manager().serviceClient().getAzureFirewalls()
.createOrUpdate("rg1", "azurefirewall",
new AzureFirewallInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(Arrays
.asList(new AzureFirewallApplicationRuleCollection().withName("apprulecoll").withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(new AzureFirewallApplicationRule().withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(Arrays.asList(new AzureFirewallApplicationRuleProtocol()
.withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS).withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection().withName("natrulecoll").withPriority(112)
.withAction(new AzureFirewallNatRCAction()
.withType(AzureFirewallNatRCActionType.DNAT))
.withRules(Arrays.asList(
new AzureFirewallNatRule().withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5").withTranslatedPort("8443"),
new AzureFirewallNatRule().withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880").withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays.asList(new AzureFirewallNetworkRuleCollection().withName("netrulecoll").withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(Arrays.asList(
new AzureFirewallNetworkRule().withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule().withName("L4-traffic-with-FQDN")
.withDescription("Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(Arrays.asList(new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(
new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withManagementIpConfiguration(new AzureFirewallIpConfiguration()
.withName("azureFirewallMgmtIpConfiguration")
.withSubnet(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"))
.withPublicIpAddress(new SubResource().withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName")))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT).withSku(new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET).withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_with_zones.py
Before running the sample, set the client ID, tenant ID and client secret of the
AAD application as the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID and
AZURE_CLIENT_SECRET. For how to obtain these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US 2",
"properties": {
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 110,
"rules": [
{
"description": "Deny inbound rule",
"name": "rule1",
"protocols": [{"port": 443, "protocolType": "Https"}],
"sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
"targetFqdns": ["www.test.com"],
}
],
},
}
],
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
},
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"action": {"type": "Dnat"},
"priority": 112,
"rules": [
{
"description": "D-NAT all outbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["443"],
"name": "DNAT-HTTPS-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443",
},
{
"description": "D-NAT all inbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["80"],
"name": "DNAT-HTTP-traffic-With-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880",
},
],
},
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 112,
"rules": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": ["*"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
"description": "Block traffic based on source IPs and ports to amazon",
"destinationFqdns": ["www.amazon.com"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic-with-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["10.2.4.12-10.2.4.255"],
},
],
},
}
],
"sku": {"name": "AZFW_VNet", "tier": "Standard"},
"threatIntelMode": "Alert",
},
"tags": {"key1": "value1"},
"zones": ["1", "2", "3"],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithZones.json
if __name__ == "__main__":
main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithZones.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithZones() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US 2"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{
to.Ptr("1"),
to.Ptr("2"),
to.Ptr("3")},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll for the result: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US 2"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// IPGroups: []*armnetwork.AzureFirewallIPGroups{
// },
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// to.Ptr("1"),
// to.Ptr("2"),
// to.Ptr("3")},
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithZones.json
*/
async function createAzureFirewallWithZones() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
location: "West US 2",
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: ["1", "2", "3"],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters,
);
console.log(result);
}
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/AzureFirewallPutWithZones.json
// this example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources (subnet, public IP) must be created separately.
// get your Azure access token; for details on how the Azure SDK obtains it, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes the ResourceGroupResource already exists in Azure
// for information on creating a ResourceGroupResource, see the ResourceGroupResource documentation
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
"1","2","3"
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US 2"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
AzureFirewallData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US 2",
"zones": [
"1",
"2",
"3"
],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"ipGroups": [],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US 2",
"zones": [
"1",
"2",
"3"
],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {}
}
}
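The five SDK samples above all send the same AzureFirewallPutWithZones body. Before a body like that is sent, a reviewer normally wants a quick check for the settings that weaken the deployment: threatIntelMode left at Alert (threat-intelligence matches are logged but not blocked; Deny blocks them), DNAT rules whose sourceAddresses is "*" (the published host is reachable from any internet address), plaintext ports published through DNAT, allow-anything application or network rules, and two collections of the same type sharing a priority. The following Python is an added example written for this page, not code from the REST reference or from any Azure SDK; it makes no API calls, its SAMPLE_BODY is constructed from the page's own sample, and the finding texts and the per-type priority check are the example's own choices.

```python
"""Pre-deployment lint for an Azure Firewall PUT body that uses classic rule collections.

Added example for this page; it is not part of the REST reference or of any Azure SDK.
It walks properties.applicationRuleCollections, natRuleCollections and
networkRuleCollections as documented on this page and reports settings a security
reviewer would question before the request is sent. No network calls are made.
"""
from typing import Any, Dict, List

# Constructed input: the rule collections from the page's AzureFirewallPutWithZones sample.
SAMPLE_BODY: Dict[str, Any] = {
    "location": "West US 2",
    "properties": {
        "threatIntelMode": "Alert",
        "applicationRuleCollections": [{
            "name": "apprulecoll",
            "properties": {"action": {"type": "Deny"}, "priority": 110, "rules": [
                {"name": "rule1", "protocols": [{"port": 443, "protocolType": "Https"}],
                 "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
                 "targetFqdns": ["www.test.com"]}]}}],
        "natRuleCollections": [{
            "name": "natrulecoll",
            "properties": {"action": {"type": "Dnat"}, "priority": 112, "rules": [
                {"name": "DNAT-HTTPS-traffic", "protocols": ["TCP"], "sourceAddresses": ["*"],
                 "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["443"],
                 "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
                {"name": "DNAT-HTTP-traffic-With-FQDN", "protocols": ["TCP"], "sourceAddresses": ["*"],
                 "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["80"],
                 "translatedFqdn": "internalhttpserver", "translatedPort": "880"}]}}],
        "networkRuleCollections": [{
            "name": "netrulecoll",
            "properties": {"action": {"type": "Deny"}, "priority": 112, "rules": [
                {"name": "L4-traffic", "protocols": ["TCP"],
                 "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                 "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"]},
                {"name": "L4-traffic-with-FQDN", "protocols": ["TCP"],
                 "sourceAddresses": ["10.2.4.12-10.2.4.255"],
                 "destinationFqdns": ["www.amazon.com"], "destinationPorts": ["443-444", "8443"]}]}}],
    },
}

COLLECTION_KINDS = ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections")


def lint_rule(kind: str, coll: str, action: str, rule: Dict[str, Any]) -> List[str]:
    """Findings for a single rule, given its collection type and the collection's action."""
    out: List[str] = []
    name = rule.get("name", "?")
    any_source = "*" in rule.get("sourceAddresses", [])
    if kind == "natRuleCollections":
        # A DNAT rule publishes an internal host on the firewall's public IP. With "*" as
        # the source the whole internet can reach it; scope it to the expected clients.
        if any_source:
            out.append(f"{coll}/{name}: DNAT accepts any source ('*')")
        if "80" in rule.get("destinationPorts", []):
            out.append(f"{coll}/{name}: DNAT exposes plaintext TCP/80")
    elif action == "Allow":
        # Allow-anything rules defeat the purpose of forcing traffic through the firewall.
        if kind == "networkRuleCollections" and any_source and "*" in rule.get("destinationAddresses", []):
            out.append(f"{coll}/{name}: network rule allows any source to any destination")
        if kind == "applicationRuleCollections" and "*" in rule.get("targetFqdns", []):
            out.append(f"{coll}/{name}: application rule allows every FQDN ('*')")
    return out


def lint_firewall(body: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for a PUT body; an empty list means nothing to flag."""
    findings: List[str] = []
    props = body.get("properties", {})
    # Threat intelligence: Alert only logs matches, Deny blocks them, Off disables the feed.
    mode = props.get("threatIntelMode", "Alert")
    if mode != "Deny":
        findings.append(f"threatIntelMode is '{mode}': threat-intel matches are not blocked")
    for kind in COLLECTION_KINDS:
        seen: Dict[Any, str] = {}
        for coll in props.get(kind, []):
            cname = coll.get("name", "?")
            cprops = coll.get("properties", {})
            prio = cprops.get("priority")
            # Uniqueness is checked within a collection type only; the page's own sample
            # reuses priority 112 for its NAT and network collections.
            if prio in seen:
                findings.append(f"{kind}: '{cname}' and '{seen[prio]}' share priority {prio}")
            seen[prio] = cname
            action = cprops.get("action", {}).get("type", "")
            for rule in cprops.get("rules", []):
                findings.extend(lint_rule(kind, cname, action, rule))
    return findings


if __name__ == "__main__":
    for finding in lint_firewall(SAMPLE_BODY):
        print("WARN", finding)
```

Run against the page's sample the lint reports four findings: the Alert threat-intel mode, the two DNAT rules that accept any source, and the DNAT rule that publishes TCP/80. Wiring it into the pipeline that builds the body for begin_create_or_update (or the equivalent call in the other SDKs) and failing the deployment on a non-empty list turns these review comments into a gate.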
Definitions
AzureFirewall
Azure Firewall resource.
Name | Type | Description
etag | string | A unique read-only string that changes whenever the resource is updated.
id | string | Resource ID.
location | string | Resource location.
name | string | Resource name.
properties.additionalProperties | object | The additional properties used to further config this azure firewall.
properties.applicationRuleCollections | AzureFirewallApplicationRuleCollection[] | Collection of application rule collections used by Azure Firewall.
properties.firewallPolicy | SubResource | The firewallPolicy associated with this azure firewall.
properties.hubIPAddresses | HubIPAddresses | IP addresses associated with AzureFirewall.
properties.ipConfigurations | AzureFirewallIPConfiguration[] | IP configuration of the Azure Firewall resource.
properties.ipGroups | AzureFirewallIpGroups[] | IpGroups associated with AzureFirewall.
properties.managementIpConfiguration | AzureFirewallIPConfiguration | IP configuration of the Azure Firewall used for management traffic.
properties.natRuleCollections | AzureFirewallNatRuleCollection[] | Collection of NAT rule collections used by Azure Firewall.
properties.networkRuleCollections | AzureFirewallNetworkRuleCollection[] | Collection of network rule collections used by Azure Firewall.
properties.provisioningState | ProvisioningState | The provisioning state of the Azure firewall resource.
properties.sku | AzureFirewallSku | The Azure Firewall Resource SKU.
properties.threatIntelMode | AzureFirewallThreatIntelMode | The operation mode for Threat Intelligence.
properties.virtualHub | SubResource | The virtualHub to which the firewall belongs.
tags | object | Resource tags.
type | string | Resource type.
zones | string[] | A list of availability zones denoting where the resource needs to come from.
AzureFirewallApplicationRule
Properties of an application rule.
Name | Type | Description
--- | --- | ---
description | string | Description of the rule.
fqdnTags | string[] | List of FQDN Tags for this rule.
name | string | Name of the application rule.
protocols | AzureFirewallApplicationRuleProtocol[] | Array of ApplicationRuleProtocols.
sourceAddresses | string[] | List of source IP addresses for this rule.
sourceIpGroups | string[] | List of source IpGroups for this rule.
targetFqdns | string[] | List of FQDNs for this rule.
AzureFirewallApplicationRuleCollection
Application rule collection resource.
Name | Type | Description
--- | --- | ---
etag | string | A unique read-only string that changes whenever the resource is updated.
id | string | Resource ID.
name | string | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
properties.action | AzureFirewallRCAction | The action type of a rule collection.
properties.priority | integer | Priority of the application rule collection resource.
properties.provisioningState | ProvisioningState | The provisioning state of the application rule collection resource.
properties.rules | AzureFirewallApplicationRule[] | Collection of rules used by an application rule collection.
AzureFirewallApplicationRuleProtocol
Properties of the application rule protocol.
AzureFirewallApplicationRuleProtocolType
The protocol type of an Application Rule resource.
Name | Type | Description
--- | --- | ---
Http | string |
Https | string |
Mssql | string |
AzureFirewallIPConfiguration
IP configuration of an Azure Firewall.
Name | Type | Description
--- | --- | ---
etag | string | A unique read-only string that changes whenever the resource is updated.
id | string | Resource ID.
name | string | Name of the resource that is unique within a resource group. This name can be used to access the resource.
properties.privateIPAddress | string | The Firewall Internal Load Balancer IP to be used as the next hop in User Defined Routes.
properties.provisioningState | ProvisioningState | The provisioning state of the Azure firewall IP configuration resource.
properties.publicIPAddress | SubResource | Reference to the PublicIP resource. This field is a mandatory input if subnet is not null.
properties.subnet | SubResource | Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'.
type | string | Type of the resource.
AzureFirewallIpGroups
IpGroups associated with Azure Firewall.
Name | Type | Description
--- | --- | ---
changeNumber | string | The iteration number.
id | string | Resource ID.
AzureFirewallNatRCAction
AzureFirewall NAT Rule Collection Action.
AzureFirewallNatRCActionType
The action type of a NAT rule collection.
Name | Type | Description
--- | --- | ---
Dnat | string |
Snat | string |
AzureFirewallNatRule
Properties of a NAT rule.
Name | Type | Description
--- | --- | ---
description | string | Description of the rule.
destinationAddresses | string[] | List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags.
destinationPorts | string[] | List of destination ports.
name | string | Name of the NAT rule.
protocols | AzureFirewallNetworkRuleProtocol[] | Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule.
sourceAddresses | string[] | List of source IP addresses for this rule.
sourceIpGroups | string[] | List of source IpGroups for this rule.
translatedAddress | string | The translated address for this NAT rule.
translatedFqdn | string | The translated FQDN for this NAT rule.
translatedPort | string | The translated port for this NAT rule.
AzureFirewallNatRuleCollection
NAT rule collection resource.
Name | Type | Description
--- | --- | ---
etag | string | A unique read-only string that changes whenever the resource is updated.
id | string | Resource ID.
name | string | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
properties.action | AzureFirewallNatRCAction | The action type of a NAT rule collection.
properties.priority | integer | Priority of the NAT rule collection resource.
properties.provisioningState | ProvisioningState | The provisioning state of the NAT rule collection resource.
properties.rules | AzureFirewallNatRule[] | Collection of rules used by a NAT rule collection.
AzureFirewallNetworkRule
Properties of the network rule.
Name | Type | Description
--- | --- | ---
description | string | Description of the rule.
destinationAddresses | string[] | List of destination IP addresses.
destinationFqdns | string[] | List of destination FQDNs.
destinationIpGroups | string[] | List of destination IpGroups for this rule.
destinationPorts | string[] | List of destination ports.
name | string | Name of the network rule.
protocols | AzureFirewallNetworkRuleProtocol[] | Array of AzureFirewallNetworkRuleProtocols.
sourceAddresses | string[] | List of source IP addresses for this rule.
sourceIpGroups | string[] | List of source IpGroups for this rule.
AzureFirewallNetworkRuleCollection
Network rule collection resource.
Name | Type | Description
--- | --- | ---
etag | string | A unique read-only string that changes whenever the resource is updated.
id | string | Resource ID.
name | string | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
properties.action | AzureFirewallRCAction | The action type of a rule collection.
properties.priority | integer | Priority of the network rule collection resource.
properties.provisioningState | ProvisioningState | The provisioning state of the network rule collection resource.
properties.rules | AzureFirewallNetworkRule[] | Collection of rules used by a network rule collection.
AzureFirewallNetworkRuleProtocol
The protocol of a Network Rule resource.
Name | Type | Description
--- | --- | ---
Any | string |
ICMP | string |
TCP | string |
UDP | string |
AzureFirewallPublicIPAddress
Public IP Address associated with Azure Firewall.
Name | Type | Description
--- | --- | ---
address | string | Public IP Address value.
AzureFirewallRCAction
Properties of the AzureFirewallRCAction.
AzureFirewallRCActionType
The action type of a rule collection.
Name | Type | Description
--- | --- | ---
Allow | string |
Deny | string |
AzureFirewallSku
SKU of an Azure Firewall.
AzureFirewallSkuName
Name of an Azure Firewall SKU.
Name | Type | Description
--- | --- | ---
AZFW_Hub | string |
AZFW_VNet | string |
AzureFirewallSkuTier
Tier of an Azure Firewall.
Name | Type | Description
--- | --- | ---
Basic | string |
Premium | string |
Standard | string |
AzureFirewallThreatIntelMode
The operation mode for Threat Intel.
Name | Type | Description
--- | --- | ---
Alert | string |
Deny | string |
Off | string |
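As an added example (not part of this REST reference), a Python pre-deployment check that applies the constraints stated in the AzureFirewallIPConfiguration table (reserved subnet names; publicIPAddress mandatory when a subnet is set) and the AzureFirewallThreatIntelMode values above to a request body before it is PUT. The sample body and the resource ids in it are constructed.

```python
"""Pre-deployment check of an AzureFirewall PUT body against the constraints in the
AzureFirewallIPConfiguration and AzureFirewallThreatIntelMode definitions (added example)."""
import json
from typing import Optional

# Values taken from the definitions on this page.
ALLOWED_SUBNET_NAMES = {"AzureFirewallSubnet", "AzureFirewallManagementSubnet"}
THREAT_INTEL_MODES = {"Alert", "Deny", "Off"}


def subnet_name(ip_config: dict) -> Optional[str]:
    """Last path segment of the subnet SubResource id, or None if no subnet is set."""
    subnet = ip_config.get("properties", {}).get("subnet") or {}
    return subnet["id"].rstrip("/").rsplit("/", 1)[-1] if subnet.get("id") else None


def check_firewall_body(body: dict) -> list:
    """Return a list of findings; an empty list means the body passed every check."""
    findings = []
    props = body.get("properties", {})
    # threatIntelMode must be a documented enum value; Off is flagged because it
    # disables threat-intelligence filtering entirely.
    mode = props.get("threatIntelMode")
    if mode not in THREAT_INTEL_MODES:
        findings.append(f"threatIntelMode {mode!r} not in {sorted(THREAT_INTEL_MODES)}")
    elif mode == "Off":
        findings.append("threatIntelMode is Off: threat-intelligence filtering disabled")
    # Per AzureFirewallIPConfiguration: the subnet must carry one of the two reserved
    # names, and publicIPAddress is mandatory whenever a subnet is set.
    configs = list(props.get("ipConfigurations", []))
    if props.get("managementIpConfiguration"):
        configs.append(props["managementIpConfiguration"])
    for cfg in configs:
        name, subnet = cfg.get("name", "<unnamed>"), subnet_name(cfg)
        if subnet is None:
            continue
        if subnet not in ALLOWED_SUBNET_NAMES:
            findings.append(f"{name}: subnet {subnet!r} is not a permitted firewall subnet name")
        if not (cfg.get("properties", {}).get("publicIPAddress") or {}).get("id"):
            findings.append(f"{name}: publicIPAddress is mandatory when subnet is set")
    return findings


# Constructed sample body (not from the page) with two deliberate problems:
# threatIntelMode Off and a subnet that is not one of the reserved names.
SAMPLE_BODY = json.loads("""{"location": "West US", "properties": {
  "threatIntelMode": "Off",
  "ipConfigurations": [{"name": "azfwIpConf", "properties": {
    "subnet": {"id": "/subscriptions/SUB_ID_PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/MySubnet"},
    "publicIPAddress": {"id": "/subscriptions/SUB_ID_PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pip1"}}}]}}""")
```

Running `check_firewall_body(SAMPLE_BODY)` returns two findings, one per deliberate problem; a body whose subnets use the reserved names, carry a publicIPAddress and set threatIntelMode to Alert or Deny returns an empty list.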
CloudError
An error response from the service.
CloudErrorBody
An error response from the service.
Name | Type | Description
--- | --- | ---
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
details | CloudErrorBody[] | A list of additional details about the error.
message | string | A message describing the error, intended to be suitable for display in a user interface.
target | string | The target of the particular error. For example, the name of the property in error.
HubIPAddresses
IP addresses associated with Azure Firewall.
Name | Type | Description
--- | --- | ---
privateIPAddress | string | Private IP Address associated with Azure Firewall.
publicIPs | HubPublicIPAddresses | Public IP addresses associated with Azure Firewall.
HubPublicIPAddresses
Public IP addresses associated with Azure Firewall.
Name | Type | Description
--- | --- | ---
addresses | AzureFirewallPublicIPAddress[] | The list of Public IP addresses associated with Azure Firewall or IP addresses to be retained.
count | integer | The number of Public IP addresses associated with Azure Firewall.
ProvisioningState
The current provisioning state.
Name | Type | Description
--- | --- | ---
Deleting | string |
Failed | string |
Succeeded | string |
Updating | string |
SubResource
Reference to another subresource.
Name | Type | Description
--- | --- | ---
id | string | Resource ID.