From ae04da4c2553fda08b600f7c3d575083e53e233a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 15:35:34 +0100 Subject: [PATCH 01/15] init --- .../.test/hub/dependencies.bicep | 27 ++++++++++ .../.test/hub/deploy.test.bicep | 50 +++++++++++++++++++ .../.test/vnet/dependencies.bicep | 27 ++++++++++ .../.test/vnet/deploy.test.bicep | 50 +++++++++++++++++++ 4 files changed, 154 insertions(+) create mode 100644 modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep create mode 100644 modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep create mode 100644 modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep create mode 100644 modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep new file mode 100644 index 0000000000..5d70333cf0 --- /dev/null +++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep @@ -0,0 +1,27 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + '10.0.0.0/24' + ] + } + subnets: [ + { + name: 'AzureFirewallSubnet' + properties: { + addressPrefix: '10.0.0.0/24' + } + } + ] + } +} +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep new file mode 100644 index 0000000000..3873838592 --- /dev/null 
+++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep @@ -0,0 +1,50 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for a testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nafmin' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module resourceGroupResources 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + virtualNetworkName: 'dep-<>-vnet-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../deploy.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '<>${serviceShort}001' + vNetId: resourceGroupResources.outputs.virtualNetworkResourceId + } +} diff --git a/modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep b/modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep new file mode 100644 index 0000000000..5d70333cf0 --- /dev/null +++ b/modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep 
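Review bot: Both new test templates default `serviceShort` to `'nafmin'`, so this hub test and the vnet test in the last file section of this patch compute the same resource group name `ms.network.azurefirewalls-nafmin-rg` and the same firewall name `<>nafmin001`, and cannot be deployed side by side. Give each scenario its own identifier, e.g. `param serviceShort string = 'nafhub'` here and `'nafvnet'` in the vnet test, and check that no pre-existing test of this module already uses `nafmin`. Apart from the directory name the two scenarios are identical (same dependencies file, same parameters), so it is not clear from the patch what the vnet variant is meant to cover differently.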
@@ -0,0 +1,27 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + '10.0.0.0/24' + ] + } + subnets: [ + { + name: 'AzureFirewallSubnet' + properties: { + addressPrefix: '10.0.0.0/24' + } + } + ] + } +} +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id diff --git a/modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep b/modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep new file mode 100644 index 0000000000..3873838592 --- /dev/null +++ b/modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep 
@@ -0,0 +1,50 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for a testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nafmin' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module resourceGroupResources 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + virtualNetworkName: 'dep-<>-vnet-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../deploy.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '<>${serviceShort}001' + vNetId: resourceGroupResources.outputs.virtualNetworkResourceId + } +} From 4e3d08a177a8d3bef66a58c9b87ca64e86f8e0db Mon Sep 17 00:00:00 2001 From: Felix Borst Date: Thu, 1 Dec 2022 15:36:02 +0100 Subject: [PATCH 02/15] added notes to specific azure firewall setup --- modules/Microsoft.Network/virtualHubs/deploy.bicep | 6 ------ modules/Microsoft.Network/virtualHubs/readme.md | 14 +++++++++----- 2 files changed, 9 insertions(+), 11 deletions(-) 
diff --git a/modules/Microsoft.Network/virtualHubs/deploy.bicep b/modules/Microsoft.Network/virtualHubs/deploy.bicep index 3a24d379f8..46c8f920cd 100644 --- a/modules/Microsoft.Network/virtualHubs/deploy.bicep +++ b/modules/Microsoft.Network/virtualHubs/deploy.bicep @@ -13,9 +13,6 @@ param addressPrefix string @description('Optional. Flag to control transit for VirtualRouter hub.') param allowBranchToBranchTraffic bool = true -@description('Optional. Resource ID of the Azure Firewall to link to.') -param azureFirewallId string = '' - @description('Optional. Resource ID of the Express Route Gateway to link to.') param expressRouteGatewayId string = '' @@ -100,9 +97,6 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2022-05-01' = { properties: { addressPrefix: addressPrefix allowBranchToBranchTraffic: allowBranchToBranchTraffic - azureFirewall: !empty(azureFirewallId) ? { - id: azureFirewallId - } : null expressRouteGateway: !empty(expressRouteGatewayId) ? { id: expressRouteGatewayId } : null diff --git a/modules/Microsoft.Network/virtualHubs/readme.md b/modules/Microsoft.Network/virtualHubs/readme.md index a2edf921d7..3b0518d9d6 100644 --- a/modules/Microsoft.Network/virtualHubs/readme.md +++ b/modules/Microsoft.Network/virtualHubs/readme.md 
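Review bot: Removing `azureFirewallId` drops a public parameter of the virtualHubs module, and by the diffstat the readme change in the next file section consists only of the added sentence and the rewritten navigation, so the readme's Parameters table (not visible here) presumably still lists `azureFirewallId`. Callers that pass the parameter will now fail with an unknown-parameter error instead of deploying without the firewall link, which is worth calling out as a breaking change in the commit message or the module's version notes. In the resource hunk, a comment above `expressRouteGateway` such as `// The Azure Firewall link is set from the azureFirewalls module via its virtualHubId parameter, not here.` would make the omission visibly deliberate. The `virtualHub` resource declaration starts and ends outside the second hunk.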
@@ -1,14 +1,18 @@ # Virtual Hubs `[Microsoft.Network/virtualHubs]` This module deploys a Virtual Hub. +If you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module. ## Navigation -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) +- [Virtual Hubs `[Microsoft.Network/virtualHubs]`](#virtual-hubs-microsoftnetworkvirtualhubs) + - [Navigation](#navigation) + - [Resource Types](#resource-types) + - [Parameters](#parameters) + - [Parameter Usage: `tags`](#parameter-usage-tags) + - [Outputs](#outputs) + - [Cross-referenced modules](#cross-referenced-modules) + - [Deployment examples](#deployment-examples) ## Resource Types From d8ca7253d07218ca02e0cc29d0be5be33b7a9b98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 16:01:11 +0100 Subject: [PATCH 03/15] implement vhub --- .../.test/hub/dependencies.bicep | 60 ++++++++++++------- .../.test/hub/deploy.test.bicep | 7 ++- .../.test/vnet/dependencies.bicep | 27 --------- .../.test/vnet/deploy.test.bicep | 50 ---------------- .../azureFirewalls/deploy.bicep | 8 +++ 5 files changed, 51 insertions(+), 101 deletions(-) delete mode 100644 modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep delete mode 100644 modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep index 5d70333cf0..52825d5de6 100644 --- a/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep +++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep 
@@ -1,27 +1,43 @@ @description('Optional. The location to deploy to.') param location string = resourceGroup().location -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - '10.0.0.0/24' - ] - } - subnets: [ - { - name: 'AzureFirewallSubnet' - properties: { - addressPrefix: '10.0.0.0/24' - } - } - ] +param virtualWanName string + +param virtualHubName string + +param firewallPolicieName string + +resource virtualWan 'Microsoft.Network/virtualWans@2021-08-01' = { + name: virtualWanName + location: location + properties: { + disableVpnEncryption: false + allowBranchToBranchTraffic: true + type: 'Standard' + } +} + +resource virtualHub 'Microsoft.Network/virtualHubs@2021-08-01' = { + name: virtualHubName + location: location + properties: { + addressPrefix: '10.1.0.0/16' + virtualWan: { + id: virtualWan.id } + } } -@description('The resource ID of the created Virtual Network.') -output virtualNetworkResourceId string = virtualNetwork.id + +resource policy 'Microsoft.Network/firewallPolicies@2021-08-01' = { + name: firewallPolicieName + location: location + properties: { + threatIntelMode: 'Alert' + } +} + +@description('The resource ID of the created Virtual Hub.') +output virtualHubResourceId string = virtualHub.id + +@description('The resource ID of the created Firewall Policie.') +output firewallPolicieResourceId string = policy.id diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep index 3873838592..e96e31f5d6 100644 --- a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep +++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep 
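Review bot: The new parameters `virtualWanName`, `virtualHubName` and `firewallPolicieName` carry no `@description`, unlike `location` directly above them, which keeps the `@description('Optional. …')` form; add e.g. `@description('Required. The name of the Virtual WAN to create.')` above each so the required/optional contract is stated the same way throughout the file. `Policie` in `firewallPolicieName`, `firewallPolicieResourceId` and in the two output descriptions is a misspelling of `Policy`; a later patch in this series renames the identifiers but leaves `@description('The resource ID of the created Firewall Policie.')` as it is, so fix the text here as well. The hub's `addressPrefix: '10.1.0.0/16'` and the policy's `threatIntelMode: 'Alert'` are the only hard-coded values in the file; a short comment marking them as test-only choices would help the next reader.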
@@ -31,7 +31,9 @@ module resourceGroupResources 'dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-paramNested' params: { - virtualNetworkName: 'dep-<>-vnet-${serviceShort}' + virtualWanName: 'dep-<>-vwan-${serviceShort}' + virtualHubName: 'dep-<>-vhub-${serviceShort}' + firewallPolicieName: 'dep-<>-afwp-${serviceShort}' } } @@ -45,6 +47,7 @@ module testDeployment '../../deploy.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '<>${serviceShort}001' - vNetId: resourceGroupResources.outputs.virtualNetworkResourceId + firewallPolicyId: resourceGroupResources.outputs.firewallPolicieResourceId + } } diff --git a/modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep b/modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep deleted file mode 100644 index 5d70333cf0..0000000000 --- a/modules/Microsoft.Network/azureFirewalls/.test/vnet/dependencies.bicep +++ /dev/null @@ -1,27 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - '10.0.0.0/24' - ] - } - subnets: [ - { - name: 'AzureFirewallSubnet' - properties: { - addressPrefix: '10.0.0.0/24' - } - } - ] - } -} -@description('The resource ID of the created Virtual Network.') -output virtualNetworkResourceId string = virtualNetwork.id diff --git a/modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep b/modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep deleted file mode 100644 index 3873838592..0000000000 --- a/modules/Microsoft.Network/azureFirewalls/.test/vnet/deploy.test.bicep +++ /dev/null 
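Review bot: The test no longer passes `vNetId` but does not pass `virtualHubId` either, although `resourceGroupResources.outputs.virtualHubResourceId` is produced by the dependencies file changed in the same patch; as written, the firewall under test is attached to neither a VNet nor a hub. Add `virtualHubId: resourceGroupResources.outputs.virtualHubResourceId` next to `firewallPolicyId`, and drop the blank `+` line added before the closing brace of `params`. The `testDeployment` module declaration starts outside the second hunk.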
@@ -1,50 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for a testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nafmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module resourceGroupResources 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - virtualNetworkName: 'dep-<>-vnet-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../deploy.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '<>${serviceShort}001' - vNetId: resourceGroupResources.outputs.virtualNetworkResourceId - } -} diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index c497ca5efa..fb44e39722 100644 --- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep 
@@ -243,6 +243,14 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = { applicationRuleCollections: applicationRuleCollections natRuleCollections: natRuleCollections networkRuleCollections: networkRuleCollections + hubIPAddresses: { + publicIPs: { + count: 1 + } + } + virtualHub: empty(virtualHubId) ? null : { + id: virtualHubId + } } dependsOn: [ publicIPAddress From 5a228890143e72eca76053e435baa16f444e57b8 Mon Sep 17 00:00:00 2001 From: Felix Borst Date: Thu, 1 Dec 2022 16:04:00 +0100 Subject: [PATCH 04/15] changed sku based on vnet config --- modules/Microsoft.Network/azureFirewalls/deploy.bicep | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index fb44e39722..375a4e3772 100644 --- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep @@ -1,13 +1,6 @@ @description('Required. Name of the Azure Firewall.') param name string -@description('Optional. Name of an Azure Firewall SKU.') -@allowed([ - 'AZFW_VNet' - 'AZFW_Hub' -]) -param azureSkuName string = 'AZFW_VNet' - @description('Optional. Tier of an Azure Firewall.') @allowed([ 'Standard' @@ -148,6 +141,9 @@ var newPip = { } : null } +var azureSkuName = empty(vNetId) ? 'AZFW_Hub' : 'AZFW_VNet' + + var ipConfigurations = concat([ { name: !empty(azureFirewallSubnetPublicIpId) ? last(split(azureFirewallSubnetPublicIpId, '/')) : publicIPAddress.outputs.name From 4feefbf4eb5dc9476c5a5c125cf024efbfb65b13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 16:04:36 +0100 Subject: [PATCH 05/15] update properties --- modules/Microsoft.Network/azureFirewalls/deploy.bicep | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
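Review bot: `virtualHubId` is used in `virtualHub: empty(virtualHubId) ? null : { id: virtualHubId }` but the diffstat for this patch shows only these eight added lines in deploy.bicep, so no `param virtualHubId` exists at this commit and the template cannot compile until a later patch adds it; the same applies to `hubIPAddresses` in the patch-05 hunk that follows. Hard-coding `hubIPAddresses: { publicIPs: { count: 1 } }` also sends that property for the VNet SKU, where it does not belong, so it should be conditional on the hub case from the start. The `azureFirewall` resource declaration starts and ends outside this hunk.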
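Review bot: Replacing the `azureSkuName` parameter with `var azureSkuName = empty(vNetId) ? 'AZFW_Hub' : 'AZFW_VNet'` is a breaking change for callers that set `azureSkuName` explicitly, and at this commit `vNetId` is still declared without a default (its description reads 'Required.'), so the hub branch can only be reached by passing an empty string. If the SKU is to be inferred, say so next to the variable, e.g. `// SKU follows the attachment: a VNet ID selects AZFW_VNet, otherwise the firewall is placed in a Virtual Hub.`, and give `vNetId` a default of `''` in the same change rather than in a later one. Both hunks sit inside parameter and variable sections that continue outside the hunks.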
diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index fb44e39722..767a6c5cbc 100644 --- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep @@ -243,11 +243,7 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = { applicationRuleCollections: applicationRuleCollections natRuleCollections: natRuleCollections networkRuleCollections: networkRuleCollections - hubIPAddresses: { - publicIPs: { - count: 1 - } - } + hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses virtualHub: empty(virtualHubId) ? null : { id: virtualHubId } From a7db457b54f89fe70f71d3da43621c9fe3511a97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 16:49:57 +0100 Subject: [PATCH 06/15] Update bicep configuration --- .../azureFirewalls/.test/hub/dependencies.bicep | 6 +++--- .../azureFirewalls/.test/hub/deploy.test.bicep | 17 +++++++++++------ .../azureFirewalls/deploy.bicep | 17 +++++++++++------ 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep index 52825d5de6..3981ef362c 100644 --- a/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep +++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep @@ -5,7 +5,7 @@ param virtualWanName string param virtualHubName string -param firewallPolicieName string +param firewallPolicyName string resource virtualWan 'Microsoft.Network/virtualWans@2021-08-01' = { name: virtualWanName @@ -29,7 +29,7 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2021-08-01' = { } resource policy 'Microsoft.Network/firewallPolicies@2021-08-01' = { - name: firewallPolicieName + name: firewallPolicyName location: location properties: { threatIntelMode: 'Alert' 
@@ -40,4 +40,4 @@ resource policy 'Microsoft.Network/firewallPolicies@2021-08-01' = { output virtualHubResourceId string = virtualHub.id @description('The resource ID of the created Firewall Policie.') -output firewallPolicieResourceId string = policy.id +output firewallPolicyResourceId string = policy.id diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep index e96e31f5d6..16c380cc60 100644 --- a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep +++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep @@ -31,9 +31,9 @@ module resourceGroupResources 'dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-paramNested' params: { - virtualWanName: 'dep-<>-vwan-${serviceShort}' - virtualHubName: 'dep-<>-vhub-${serviceShort}' - firewallPolicieName: 'dep-<>-afwp-${serviceShort}' + virtualWanName: 'dep-jpe-vwan-${serviceShort}' + virtualHubName: 'dep-jpe-vhub-${serviceShort}' + firewallPolicyName: 'dep-jpe-afwp-${serviceShort}' } } @@ -46,8 +46,13 @@ module testDeployment '../../deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry - name: '<>${serviceShort}001' - firewallPolicyId: resourceGroupResources.outputs.firewallPolicieResourceId - + name: 'jpe${serviceShort}001' + firewallPolicyId: resourceGroupResources.outputs.firewallPolicyResourceId + virtualHubId: resourceGroupResources.outputs.virtualHubResourceId + hubIPAddresses: { + publicIPs: { + count: 1 + } + } } } diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index e9e0066131..74772d08e2 100644 --- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep 
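Review bot: The `<>` name-prefix token in `dep-<>-vwan-${serviceShort}` and `'<>${serviceShort}001'` is replaced with the literal `jpe`, apparently a personal prefix; the other test files in this series keep `<>` as the placeholder substituted at pipeline time, so this test would stop following the repository naming scheme (a later patch titled 'namePrifix' reverts exactly this). Keep the token: `virtualWanName: 'dep-<>-vwan-${serviceShort}'` and `name: '<>${serviceShort}001'`. The `hubIPAddresses: { publicIPs: { count: 1 } }` block is what the module's new parameter description calls mandatory for hub deployments; a one-line comment above it saying so would spare readers a trip to deploy.bicep. The `testDeployment` module declaration starts outside the second hunk.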
@@ -8,8 +8,8 @@ param name string ]) param azureSkuTier string = 'Standard' -@description('Required. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable.') -param vNetId string +@description('Conditional. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty.') +param vNetId string = '' @description('Optional. The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet.') param azureFirewallSubnetPublicIpId string = '' @@ -35,6 +35,12 @@ param natRuleCollections array = [] @description('Optional. Resource ID of the Firewall Policy that should be attached.') param firewallPolicyId string = '' +@description('Conditional. IP addresses associated with AzureFirewall. Must be set if `virtualHubId` is supplied.') +param hubIPAddresses object = {} + +@description('Conditional. The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty.') +param virtualHubId string = '' + @allowed([ 'Alert' 'Deny' @@ -143,7 +149,6 @@ var newPip = { var azureSkuName = empty(vNetId) ? 'AZFW_Hub' : 'AZFW_VNet' - var ipConfigurations = concat([ { name: !empty(azureFirewallSubnetPublicIpId) ? last(split(azureFirewallSubnetPublicIpId, '/')) : publicIPAddress.outputs.name 
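Review bot: Nothing checks that exactly one of `vNetId` and `virtualHubId` is supplied: the SKU is derived from `vNetId` alone (`var azureSkuName = empty(vNetId) ? 'AZFW_Hub' : 'AZFW_VNet'` in the third hunk), so passing both silently ignores `virtualHubId`, and passing neither yields `AZFW_Hub` with `virtualHub: null`, which fails only at deployment time with an ARM validation error. The descriptions say 'Required if … is empty' but not that the two are mutually exclusive; extend both, e.g. `Required if \`vNetId\` is empty. Mutually exclusive with \`vNetId\`.`, and put a comment next to the `azureSkuName` variable stating that the SKU is inferred from which attachment is given. `hubIPAddresses` defaults to `{}` while its description says it must be set for hub deployments, so the requirement is invisible to the compiler and surfaces only as a deployment error. The parameter and variable sections continue outside these hunks.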
@@ -186,7 +191,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } // create a public ip address if one is not provided and the flag is true -module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) { +module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP && azureSkuName == 'AZFW_VNet') { name: '${uniqueString(deployment().name, location)}-Firewall-PIP' params: { name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip' @@ -227,11 +232,11 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = { zones: length(zones) == 0 ? null : zones tags: tags properties: { - threatIntelMode: threatIntelMode + threatIntelMode: azureSkuName == 'AZFW_Hub' ? null : threatIntelMode firewallPolicy: empty(firewallPolicyId) ? null : { id: firewallPolicyId } - ipConfigurations: ipConfigurations + ipConfigurations: azureSkuName == 'AZFW_Hub' ? null : ipConfigurations sku: { name: azureSkuName tier: azureSkuTier From c31e93feb4242a848e3969972cb9461eea4603bb Mon Sep 17 00:00:00 2001 From: Felix Borst Date: Thu, 1 Dec 2022 16:57:39 +0100 Subject: [PATCH 07/15] separated firewallproperties to var --- .../azureFirewalls/deploy.bicep | 49 ++++++++++++------- 1 file changed, 31 insertions(+), 18 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index 74772d08e2..883724da9f 100644 --- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep 
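Review bot: The `ipConfigurations` variable (defined outside this hunk) reads `publicIPAddress.outputs.name` when `azureFirewallSubnetPublicIpId` is empty, and the `publicIPAddress` module is now skipped for `AZFW_Hub`; `ipConfigurations: azureSkuName == 'AZFW_Hub' ? null : ipConfigurations` keeps that reference out of the hub case only if the conditional is evaluated lazily, so please confirm that a hub deployment without a public IP ID passes validation and that `dependsOn: [ publicIPAddress ]` on the conditional module does not complain. A comment above the module such as `// A public IP is only created for the VNet SKU; hub firewalls take their public IPs from hubIPAddresses` would make the new third condition self-explanatory. The `azureFirewall` resource continues outside the second hunk.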
@@ -178,6 +178,36 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { } }] +var firewallProperties = azureSkuName == 'AZFW_VNet' ? { + threatIntelMode: threatIntelMode + firewallPolicy: empty(firewallPolicyId) ? null : { + id: firewallPolicyId + } + ipConfigurations: ipConfigurations + sku: { + name: azureSkuName + tier: azureSkuTier + } + applicationRuleCollections: applicationRuleCollections + natRuleCollections: natRuleCollections + networkRuleCollections: networkRuleCollections +} : { + firewallPolicy: empty(firewallPolicyId) ? null : { + id: firewallPolicyId + } + sku: { + name: azureSkuName + tier: azureSkuTier + } + applicationRuleCollections: applicationRuleCollections + natRuleCollections: natRuleCollections + networkRuleCollections: networkRuleCollections + hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses + virtualHub: empty(virtualHubId) ? null : { + id: virtualHubId + } +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { @@ -231,24 +261,7 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = { location: location zones: length(zones) == 0 ? null : zones tags: tags - properties: { - threatIntelMode: azureSkuName == 'AZFW_Hub' ? null : threatIntelMode - firewallPolicy: empty(firewallPolicyId) ? null : { - id: firewallPolicyId - } - ipConfigurations: azureSkuName == 'AZFW_Hub' ? null : ipConfigurations - sku: { - name: azureSkuName - tier: azureSkuTier - } - applicationRuleCollections: applicationRuleCollections - natRuleCollections: natRuleCollections - networkRuleCollections: networkRuleCollections - hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses - virtualHub: empty(virtualHubId) ? null : { - id: virtualHubId - } - } + properties: firewallProperties dependsOn: [ publicIPAddress ] 
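Review bot: The hub branch of `firewallProperties` still passes `applicationRuleCollections`, `natRuleCollections` and `networkRuleCollections`, and the next patch in this series removes them again, which suggests the hub deployment rejected them; if those parameters are not usable for `AZFW_Hub`, their `@description` should say 'Ignored for hub deployments' or the module should refuse non-empty values in hub mode rather than drop them quietly. The `firewallPolicy` and `sku` objects are duplicated verbatim in both branches; building them once and merging the SKU-specific part with `union()` keeps the two cases from drifting apart. Both the variable and the `azureFirewall` resource are complete within their hunks.
```bicep
var firewallPropertiesCommon = {
  firewallPolicy: empty(firewallPolicyId) ? null : {
    id: firewallPolicyId
  }
  sku: {
    name: azureSkuName
    tier: azureSkuTier
  }
}

// SKU-specific part; classic rule collections only apply to the VNet SKU.
var firewallProperties = union(firewallPropertiesCommon, azureSkuName == 'AZFW_VNet' ? {
  threatIntelMode: threatIntelMode
  ipConfigurations: ipConfigurations
  applicationRuleCollections: applicationRuleCollections
  natRuleCollections: natRuleCollections
  networkRuleCollections: networkRuleCollections
} : {
  hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses
  virtualHub: empty(virtualHubId) ? null : {
    id: virtualHubId
  }
})
// … unchanged: defaultTelemetry and azureFirewall resource (properties: firewallProperties) …
```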
From 93e2e4bd48c64bb7aba1f052767fb119fee1ad7a Mon Sep 17 00:00:00 2001 From: Felix Borst Date: Thu, 1 Dec 2022 17:06:44 +0100 Subject: [PATCH 08/15] fixed output --- modules/Microsoft.Network/azureFirewalls/deploy.bicep | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index 883724da9f..fca169ef47 100644 --- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep @@ -199,9 +199,6 @@ var firewallProperties = azureSkuName == 'AZFW_VNet' ? { name: azureSkuName tier: azureSkuTier } - applicationRuleCollections: applicationRuleCollections - natRuleCollections: natRuleCollections - networkRuleCollections: networkRuleCollections hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses virtualHub: empty(virtualHubId) ? null : { id: virtualHubId @@ -315,7 +312,7 @@ output resourceGroupName string = resourceGroup().name output privateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress @description('The public ipconfiguration object for the AzureFirewallSubnet.') -output ipConfAzureFirewallSubnet object = azureFirewall.properties.ipConfigurations[0] +output ipConfAzureFirewallSubnet object = azureSkuName == 'AZFW_VNet' ? azureFirewall.properties.ipConfigurations[0] : {} @description('List of Application Rule Collections.') output applicationRuleCollections array = applicationRuleCollections From d6c2064994c23426f71b67a6866416cd8ca479a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 17:17:33 +0100 Subject: [PATCH 09/15] Update outputs --- modules/Microsoft.Network/azureFirewalls/deploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index 883724da9f..6778543774 100644 
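Review bot: `output privateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress` (the context line above the changed output) still indexes `ipConfigurations` unconditionally, so a hub deployment that omits `ipConfigurations` will fail at output evaluation even though `ipConfAzureFirewallSubnet` is now guarded. Guard it the same way, `output privateIp string = azureSkuName == 'AZFW_VNet' ? azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : ''`, or use the `contains(azureFirewall.properties, 'ipConfigurations')` form the next patch in this series chooses for both outputs; that patch is based on the same parent commit as this one, so the two versions of these outputs will need reconciling on merge. Removing the classic rule collections from the hub branch means the three `*RuleCollections` parameters are silently ignored for `AZFW_Hub`; say so in their descriptions.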
--- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep @@ -312,10 +312,10 @@ output name string = azureFirewall.name output resourceGroupName string = resourceGroup().name @description('The private IP of the Azure firewall.') -output privateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress +output privateIp string = contains(azureFirewall.properties, 'ipConfigurations') ? azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : '' @description('The public ipconfiguration object for the AzureFirewallSubnet.') -output ipConfAzureFirewallSubnet object = azureFirewall.properties.ipConfigurations[0] +output ipConfAzureFirewallSubnet object = contains(azureFirewall.properties, 'ipConfigurations') ? azureFirewall.properties.ipConfigurations[0] : {} @description('List of Application Rule Collections.') output applicationRuleCollections array = applicationRuleCollections From 48d7489169d9ad7ffee38f21cc19706cccd590fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 17:21:54 +0100 Subject: [PATCH 10/15] namePrifix --- .../azureFirewalls/.test/hub/deploy.test.bicep | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep index 16c380cc60..a4a7f7785a 100644 --- a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep +++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep 
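Review bot: The descriptions of `privateIp` and `ipConfAzureFirewallSubnet` still read as if a value is always returned, while the new expressions yield `''` and `{}` for a hub firewall; update them, e.g. `@description('The private IP of the Azure firewall. Empty for the AZFW_Hub SKU, which has no ipConfigurations.')`. For the hub case the firewall's addresses are presumably reported under `hubIPAddresses` in the resource properties rather than `ipConfigurations`; if consumers need them, a separate output is the right place, not a silent empty string here. The outputs section continues outside the hunk.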
@@ -31,9 +31,9 @@ module resourceGroupResources 'dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-paramNested' params: { - virtualWanName: 'dep-jpe-vwan-${serviceShort}' - virtualHubName: 'dep-jpe-vhub-${serviceShort}' - firewallPolicyName: 'dep-jpe-afwp-${serviceShort}' + virtualWanName: 'dep-<>-vwan-${serviceShort}' + virtualHubName: 'dep-<>-vhub-${serviceShort}' + firewallPolicyName: 'dep-<>-afwp-${serviceShort}' } } @@ -46,7 +46,7 @@ module testDeployment '../../deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry - name: 'jpe${serviceShort}001' + name: '<>${serviceShort}001' firewallPolicyId: resourceGroupResources.outputs.firewallPolicyResourceId virtualHubId: resourceGroupResources.outputs.virtualHubResourceId hubIPAddresses: { From 05ed436e5a1c066943f998af94fbefbb98d6a035 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 17:24:45 +0100 Subject: [PATCH 11/15] update readme --- .../azureFirewalls/readme.md | 107 +++++++++++++++--- 1 file changed, 89 insertions(+), 18 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/readme.md b/modules/Microsoft.Network/azureFirewalls/readme.md index 4ad14c5ad1..5009563f17 100644 --- a/modules/Microsoft.Network/azureFirewalls/readme.md +++ b/modules/Microsoft.Network/azureFirewalls/readme.md 
@@ -28,7 +28,14 @@ This module deploys a firewall. | Parameter Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Name of the Azure Firewall. | -| `vNetId` | string | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable. | + +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `hubIPAddresses` | object | `{object}` | IP addresses associated with AzureFirewall. Must be set if `virtualHubId` is supplied. | +| `virtualHubId` | string | `''` | The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty. | +| `vNetId` | string | `''` | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. | **Optional parameters** 
@@ -37,7 +44,6 @@ This module deploys a firewall. | `additionalPublicIpConfigurations` | array | `[]` | | This is to add any additional public ip configurations on top of the public ip with subnet ip configuration. | | `applicationRuleCollections` | array | `[]` | | Collection of application rule collections used by Azure Firewall. | | `azureFirewallSubnetPublicIpId` | string | `''` | | The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet. | -| `azureSkuName` | string | `'AZFW_VNet'` | `[AZFW_Hub, AZFW_VNet]` | Name of an Azure Firewall SKU. | | `azureSkuTier` | string | `'Standard'` | `[Premium, Standard]` | Tier of an Azure Firewall. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | @@ -327,7 +333,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { params: { // Required parameters name: '<>nafaddpip001' - vNetId: '' // Non-required parameters additionalPublicIpConfigurations: [ { @@ -336,6 +341,7 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { } ] enableDefaultTelemetry: '' + vNetId: '' } } ``` @@ -356,9 +362,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { "name": { "value": "<>nafaddpip001" }, - "vNetId": { - "value": "" - }, // Non-required parameters "additionalPublicIpConfigurations": { "value": [ @@ -370,6 +373,9 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { }, "enableDefaultTelemetry": { "value": "" + }, + "vNetId": { + "value": "" } } } 
@@ -390,7 +396,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { params: { // Required parameters name: '<>nafcom001' - vNetId: '' // Non-required parameters applicationRuleCollections: [ { @@ -490,6 +495,7 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { roleDefinitionIdOrName: 'Reader' } ] + vNetId: '' zones: [ '1' '2' @@ -515,9 +521,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { "name": { "value": "<>nafcom001" }, - "vNetId": { - "value": "" - }, // Non-required parameters "applicationRuleCollections": { "value": [ @@ -639,6 +642,9 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { } ] }, + "vNetId": { + "value": "" + }, "zones": { "value": [ "1", @@ -665,7 +671,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { params: { // Required parameters name: '<>nafcstpip001' - vNetId: '' // Non-required parameters enableDefaultTelemetry: '' publicIPAddressObject: { @@ -692,6 +697,7 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { skuName: 'Standard' skuTier: 'Regional' } + vNetId: '' } } ``` @@ -712,9 +718,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { "name": { "value": "<>nafcstpip001" }, - "vNetId": { - "value": "" - }, // Non-required parameters "enableDefaultTelemetry": { "value": "" @@ -744,6 +747,9 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { "skuName": "Standard", "skuTier": "Regional" } + }, + "vNetId": { + "value": "" } } } @@ -752,7 +758,7 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = {

-

Example 4: Min

+

Example 4: Hub

@@ -764,9 +770,15 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { params: { // Required parameters name: '<>nafmin001' - vNetId: '' // Non-required parameters enableDefaultTelemetry: '' + firewallPolicyId: '' + hubIPAddresses: { + publicIPs: { + count: 1 + } + } + virtualHubId: '' } } ``` @@ -787,12 +799,71 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { "name": { "value": "<>nafmin001" }, - "vNetId": { - "value": "" + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "firewallPolicyId": { + "value": "" + }, + "hubIPAddresses": { + "value": { + "publicIPs": { + "count": 1 + } + } + }, + "virtualHubId": { + "value": "" + } + } +} +``` + +
+

+ +

Example 5: Min

+ +
+ +via Bicep module + +```bicep +module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-test-nafmin' + params: { + // Required parameters + name: '<>nafmin001' + // Non-required parameters + enableDefaultTelemetry: '' + vNetId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "<>nafmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "vNetId": { + "value": "" } } } From 480946d5f47c749b1a843788b419ee24c9c605ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Pei=C3=9Fker?= Date: Thu, 1 Dec 2022 17:34:43 +0100 Subject: [PATCH 12/15] update readme --- modules/Microsoft.Network/azureFirewalls/deploy.bicep | 2 +- modules/Microsoft.Network/azureFirewalls/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep index 41dcdc1320..a8612ece71 100644 --- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep @@ -35,7 +35,7 @@ param natRuleCollections array = [] @description('Optional. Resource ID of the Firewall Policy that should be attached.') param firewallPolicyId string = '' -@description('Conditional. IP addresses associated with AzureFirewall. Must be set if `virtualHubId` is supplied.') +@description('Conditional. IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied.') param hubIPAddresses object = {} @description('Conditional. The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty.') diff --git a/modules/Microsoft.Network/azureFirewalls/readme.md b/modules/Microsoft.Network/azureFirewalls/readme.md index 5009563f17..8c6a9fe239 100644 --- a/modules/Microsoft.Network/azureFirewalls/readme.md +++ b/modules/Microsoft.Network/azureFirewalls/readme.md 
@@ -33,7 +33,7 @@ This module deploys a firewall.
 
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
-| `hubIPAddresses` | object | `{object}` | IP addresses associated with AzureFirewall. Must be set if `virtualHubId` is supplied. |
+| `hubIPAddresses` | object | `{object}` | IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. |
 | `virtualHubId` | string | `''` | The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty. |
 | `vNetId` | string | `''` | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. |
 
From 876fc19eb971734fd791fc82728735e76ca43980 Mon Sep 17 00:00:00 2001
From: Felix Borst
Date: Thu, 1 Dec 2022 17:42:34 +0100
Subject: [PATCH 13/15] updated dependency naming

---
 .../azureFirewalls/.test/hub/deploy.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep
index a4a7f7785a..a159a1e7b6 100644
--- a/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep
+++ b/modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep
@@ -11,7 +11,7 @@ param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
 param location string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nafmin'
+param serviceShort string = 'nafhub'
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
From 6333b038d58b3ca12d905096c164e5bc6563ac50 Mon Sep 17 00:00:00 2001
From: Felix Borst
Date: Thu, 1 Dec 2022 21:49:20 +0100
Subject: [PATCH 14/15] updated readme

---
 modules/Microsoft.Network/azureFirewalls/readme.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/Microsoft.Network/azureFirewalls/readme.md b/modules/Microsoft.Network/azureFirewalls/readme.md
index 8c6a9fe239..4e6a29e6fa 100644
--- a/modules/Microsoft.Network/azureFirewalls/readme.md
+++ b/modules/Microsoft.Network/azureFirewalls/readme.md
@@ -766,10 +766,10 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = {
 
 ```bicep
 module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = {
- name: '${uniqueString(deployment().name)}-test-nafmin'
+ name: '${uniqueString(deployment().name)}-test-nafhub'
 params: {
 // Required parameters
- name: '<>nafmin001'
+ name: '<>nafhub001'
 // Non-required parameters
 enableDefaultTelemetry: ''
 firewallPolicyId: ''
@@ -797,7 +797,7 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "<>nafmin001"
+ "value": "<>nafhub001"
 },
 // Non-required parameters
 "enableDefaultTelemetry": {
From 1de867a8d7168b83fe0f7eeda52151647991b2aa Mon Sep 17 00:00:00 2001
From: Felix Borst
Date: Fri, 6 Jan 2023 13:41:46 +0100
Subject: [PATCH 15/15] removed variable

---
 .../azureFirewalls/deploy.bicep | 54 +++++++++----------
 1 file changed, 26 insertions(+), 28 deletions(-)

diff --git a/modules/Microsoft.Network/azureFirewalls/deploy.bicep b/modules/Microsoft.Network/azureFirewalls/deploy.bicep
index a8612ece71..019d69cbe4 100644
--- a/modules/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/modules/Microsoft.Network/azureFirewalls/deploy.bicep
@@ -178,33 +178,6 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 }
 }]
 
-var firewallProperties = azureSkuName == 'AZFW_VNet' ? {
- threatIntelMode: threatIntelMode
- firewallPolicy: empty(firewallPolicyId) ? null : {
- id: firewallPolicyId
- }
- ipConfigurations: ipConfigurations
- sku: {
- name: azureSkuName
- tier: azureSkuTier
- }
- applicationRuleCollections: applicationRuleCollections
- natRuleCollections: natRuleCollections
- networkRuleCollections: networkRuleCollections
-} : {
- firewallPolicy: empty(firewallPolicyId) ? null : {
- id: firewallPolicyId
- }
- sku: {
- name: azureSkuName
- tier: azureSkuTier
- }
- hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses
- virtualHub: empty(virtualHubId) ? null : {
- id: virtualHubId
- }
-}
-
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -258,7 +231,32 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = {
 location: location
 zones: length(zones) == 0 ? null : zones
 tags: tags
- properties: firewallProperties
+ properties: azureSkuName == 'AZFW_VNet' ? {
+ threatIntelMode: threatIntelMode
+ firewallPolicy: empty(firewallPolicyId) ? null : {
+ id: firewallPolicyId
+ }
+ ipConfigurations: ipConfigurations
+ sku: {
+ name: azureSkuName
+ tier: azureSkuTier
+ }
+ applicationRuleCollections: applicationRuleCollections
+ natRuleCollections: natRuleCollections
+ networkRuleCollections: networkRuleCollections
+ } : {
+ firewallPolicy: empty(firewallPolicyId) ? null : {
+ id: firewallPolicyId
+ }
+ sku: {
+ name: azureSkuName
+ tier: azureSkuTier
+ }
+ hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses
+ virtualHub: empty(virtualHubId) ? null : {
+ id: virtualHubId
+ }
+ }
 dependsOn: [
 publicIPAddress
 ]
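Review bot: In the `AZFW_Hub` branch of the new inline `properties` conditional (second hunk, `} : {` onward), `applicationRuleCollections`, `natRuleCollections`, `networkRuleCollections` and `threatIntelMode` are never passed to the resource, so a caller that supplies classic rule collections together with a hub SKU has them dropped without any error and the firewall is deployed without the rules they wrote. The removed `firewallProperties` variable had the same shape, so this is pre-existing, but moving it into the resource body is the right moment to make it visible: the `@description` of each of those four parameters (outside this hunk) should end with a sentence such as `Only applied when azureSkuName is 'AZFW_VNet'; ignored for AZFW_Hub, where rule configuration is expected to come from firewallPolicyId.` A `@description` on `azureSkuName` naming which parameters each SKU branch reads would give readers the same map the ternary now encodes. The commit message "removed variable" records no reason for inlining 26 lines that duplicate the `firewallPolicy` and `sku` objects in both branches; a one-line rationale would help the next reader decide whether the duplication may be factored out again.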