Azure · rahalan · Jan 21, 2022 · Jan 18, 2022 · Jan 18, 2022 · Jan 18, 2022
@@ -320,6 +320,9 @@ stages:
             - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json
               templateFilePath: $(templateFilePath)
               displayName: Load balancer Public IP
+            - path: $(dependencyPath)/$(resourceType)/parameters/fw.parameters.json
+              templateFilePath: $(templateFilePath)
+              displayName: Firewall Public IP
 
   - stage: deploy_appi
     displayName: Deploy application insight

@@ -472,7 +472,7 @@ jobs:
       fail-fast: false
       matrix:
         parameterFilePaths:
-          ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json']
+          ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json', 'fw.parameters.json']
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2

@@ -5,13 +5,22 @@
         "name": {
             "value": "sxx-az-azfw-x-001"
         },
-        "availabilityZones": {
+        "zones": {
             "value": [
                 "1",
                 "2",
                 "3"
             ]
         },
+        "ipConfigurations": {
+            "value": [
+                {
+                    "name": "ipConfig01",
+                    "publicIPAddressResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-fw",
+                    "subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-azfw/subnets/AzureFirewallSubnet"
+                }
+            ]
+        },
         "applicationRuleCollections": {
             "value": [
                 {
@@ -97,9 +106,6 @@
                 }
             ]
         },
-        "vNetId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-azfw"
-        },
         "roleAssignments": {
             "value": [
                 {

@@ -15,9 +15,6 @@ param azureSkuName string = 'AZFW_VNet'
 ])
 param azureSkuTier string = 'Standard'
 
-@description('Optional. Enable the preview feature for DNS proxy.')
-param enableDnsProxy bool = false
-
 @description('Optional. Collection of application rule collections used by Azure Firewall.')
 param applicationRuleCollections array = []
 
@@ -27,14 +24,26 @@ param networkRuleCollections array = []
 @description('Optional. Collection of NAT rule collections used by Azure Firewall.')
 param natRuleCollections array = []
 
-@description('Required. Shared services Virtual Network resource ID')
-param vNetId string
+@description('Required. List of IP Configurations.')
+param ipConfigurations array
 
-@description('Optional. Specifies the name of the Public IP used by Azure Firewall. If it\'s not provided, a \'-pip\' suffix will be appended to the Firewall\'s name.')
-param azureFirewallPipName string = ''
+@description('Optional. Resource ID of the Firewall Policy that should be attached.')
+param firewallPolicyId string = ''
 
-@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.')
-param publicIPPrefixId string = ''
+@allowed([
+  'Alert'
+  'Deny'
+  'Off'
+])
+@description('Optional. The operation mode for Threat Intel.')
+param threatIntelMode string = 'Deny'
+
+@description('Optional. Zone numbers e.g. 1,2,3.')
+param zones array = [
+  '1'
+  '2'
+  '3'
+]
 
 @description('Optional. Diagnostic Storage Account resource identifier')
 param diagnosticStorageAccountId string = ''
@@ -56,13 +65,6 @@ param diagnosticEventHubName string = ''
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Zone numbers e.g. 1,2,3.')
-param availabilityZones array = [
-  '1'
-  '2'
-  '3'
-]
-
 @allowed([
   'CanNotDelete'
   'NotSpecified'
@@ -80,36 +82,18 @@ param tags object = {}
 @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
 param cuaId string = ''
 
-var publicIPPrefix = {
-  id: publicIPPrefixId
-}
-var azureFirewallSubnetId = '${vNetId}/subnets/AzureFirewallSubnet'
-var azureFirewallPipId = azureFirewallPip.id
-
 @description('Optional. The name of firewall logs that will be streamed.')
 @allowed([
   'AzureFirewallApplicationRule'
   'AzureFirewallNetworkRule'
   'AzureFirewallDnsProxy'
 ])
-param firewallLogsToEnable array = [
+param logsToEnable array = [
   'AzureFirewallApplicationRule'
   'AzureFirewallNetworkRule'
   'AzureFirewallDnsProxy'
 ]
 
-@description('Optional. The name of public IP logs that will be streamed.')
-@allowed([
-  'DDoSProtectionNotifications'
-  'DDoSMitigationReports'
-  'DDoSMitigationFlowLogs'
-])
-param publicIPLogsToEnable array = [
-  'DDoSProtectionNotifications'
-  'DDoSMitigationReports'
-  'DDoSMitigationFlowLogs'
-]
-
 @description('Optional. The name of metrics that will be streamed.')
 @allowed([
   'AllMetrics'
@@ -118,16 +102,19 @@ param metricsToEnable array = [
   'AllMetrics'
 ]
 
-var diagnosticsLogsAzureFirewall = [for log in firewallLogsToEnable: {
-  category: log
-  enabled: true
-  retentionPolicy: {
-    enabled: true
-    days: diagnosticLogsRetentionInDays
+var ipConfigurations_var = [for ipConfiguration in ipConfigurations: {
+  name: ipConfiguration.name
+  properties: {
+    publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? {
+      id: ipConfiguration.publicIPAddressResourceId
+    } : null
+    subnet: contains(ipConfiguration, 'subnetResourceId') ? {
+      id: ipConfiguration.subnetResourceId
+    } : null
   }
 }]
 
-var diagnosticsLogsPublicIp = [for log in publicIPLogsToEnable: {
+var diagnosticsLogs = [for log in logsToEnable: {
   category: log
   enabled: true
   retentionPolicy: {
@@ -151,70 +138,21 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   params: {}
 }
 
-resource azureFirewallPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
-  name: !empty(azureFirewallPipName) ? azureFirewallPipName : '${name}-pip'
-  location: location
-  tags: tags
-  sku: {
-    name: 'Standard'
-  }
-  zones: availabilityZones
-  properties: {
-    publicIPAllocationMethod: 'Static'
-    publicIPAddressVersion: 'IPv4'
-    publicIPPrefix: !empty(publicIPPrefixId) ? publicIPPrefix : null
-  }
-}
-
-resource azureFirewallPip_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
-  name: '${azureFirewallPip.name}-${lock}-lock'
-  properties: {
-    level: lock
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
-  }
-  scope: azureFirewallPip
-}
-
-resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
-  name: '${azureFirewallPip.name}-diagnosticSettings'
-  properties: {
-    storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
-    workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
-    eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
-    eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
-    metrics: diagnosticsMetrics
-    logs: diagnosticsLogsPublicIp
-  }
-  scope: azureFirewallPip
-}
-
-resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = {
+resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
   name: name
   location: location
-  zones: length(availabilityZones) == 0 ? null : availabilityZones
+  zones: length(zones) == 0 ? null : zones
   tags: tags
   properties: {
-    threatIntelMode: 'Deny'
-    ipConfigurations: [
-      {
-        name: 'IpConf'
-        properties: {
-          subnet: {
-            id: azureFirewallSubnetId
-          }
-          publicIPAddress: {
-            id: azureFirewallPipId
-          }
-        }
-      }
-    ]
+    threatIntelMode: threatIntelMode
+    firewallPolicy: empty(firewallPolicyId) ? null : {
+      id: firewallPolicyId
+    }
+    ipConfigurations: ipConfigurations_var
     sku: {
       name: azureSkuName
       tier: azureSkuTier
     }
-    additionalProperties: {
-      'Network.DNS.EnableProxy': string(enableDnsProxy)
-    }
     applicationRuleCollections: applicationRuleCollections
     natRuleCollections: natRuleCollections
     networkRuleCollections: networkRuleCollections
@@ -238,7 +176,7 @@ resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
     eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
     eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
     metrics: diagnosticsMetrics
-    logs: diagnosticsLogsAzureFirewall
+    logs: diagnosticsLogs
   }
   scope: azureFirewall
 }
@@ -264,9 +202,6 @@ output azureFirewallResourceGroup string = resourceGroup().name
 @description('The private IP of the Azure Firewall')
 output azureFirewallPrivateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress
 
-@description('The public IP of the Azure Firewall')
-output azureFirewallPublicIp string = azureFirewallPip.properties.ipAddress
-
 @description('List of Application Rule Collections')
 output applicationRuleCollections array = applicationRuleCollections
 

@@ -9,16 +9,13 @@ This module deploys a firewall.
 | `Microsoft.Authorization/locks` | 2017-04-01 |
 | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview |
-| `Microsoft.Network/azureFirewalls` | 2021-03-01 |
-| `Microsoft.Network/publicIPAddresses` | 2021-02-01 |
+| `Microsoft.Network/azureFirewalls` | 2021-05-01 |
 
 ## Parameters
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `applicationRuleCollections` | array | `[]` |  | Optional. Collection of application rule collections used by Azure Firewall. |
-| `availabilityZones` | array | `[1, 2, 3]` |  | Optional. Zone numbers e.g. 1,2,3. |
-| `azureFirewallPipName` | string |  |  | Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name. |
 | `azureSkuName` | string | `AZFW_VNet` | `[AZFW_VNet, AZFW_Hub]` | Optional. Name of an Azure Firewall SKU. |
 | `azureSkuTier` | string | `Standard` | `[Standard, Premium]` | Optional. Tier of an Azure Firewall. |
 | `cuaId` | string |  |  | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
@@ -27,19 +24,19 @@ This module deploys a firewall.
 | `diagnosticLogsRetentionInDays` | int | `365` |  | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
 | `diagnosticStorageAccountId` | string |  |  | Optional. Diagnostic Storage Account resource identifier |
 | `diagnosticWorkspaceId` | string |  |  | Optional. Log Analytics workspace resource identifier |
-| `enableDnsProxy` | bool |  |  | Optional. Enable the preview feature for DNS proxy. |
-| `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. |
+| `firewallPolicyId` | string |  |  | Optional. Resource ID of the Firewall Policy that should be attached. |
+| `ipConfigurations` | array |  |  | Required. List of IP Configurations. |
 | `location` | string | `[resourceGroup().location]` |  | Optional. Location for all resources. |
 | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
+| `logsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. |
 | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. |
 | `name` | string |  |  | Required. Name of the Azure Firewall. |
 | `natRuleCollections` | array | `[]` |  | Optional. Collection of NAT rule collections used by Azure Firewall. |
 | `networkRuleCollections` | array | `[]` |  | Optional. Collection of network rule collections used by Azure Firewall. |
-| `publicIPLogsToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | Optional. The name of public IP logs that will be streamed. |
-| `publicIPPrefixId` | string |  |  | Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. |
 | `roleAssignments` | array | `[]` |  | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `tags` | object | `{object}` |  | Optional. Tags of the Azure Firewall resource. |
-| `vNetId` | string |  |  | Required. Shared services Virtual Network resource ID |
+| `threatIntelMode` | string | `Deny` | `[Alert, Deny, Off]` | Optional. The operation mode for Threat Intel. |
+| `zones` | array | `[1, 2, 3]` |  | Optional. Zone numbers e.g. 1,2,3. |
 
 ### Parameter Usage: `roleAssignments`
 
@@ -87,7 +84,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 | `applicationRuleCollections` | array | List of Application Rule Collections |
 | `azureFirewallName` | string | The name of the Azure firewall |
 | `azureFirewallPrivateIp` | string | The private IP of the Azure Firewall |
-| `azureFirewallPublicIp` | string | The public IP of the Azure Firewall |
 | `azureFirewallResourceGroup` | string | The resource group the azure firewall was deployed into |
 | `azureFirewallResourceId` | string | The resource ID of the Azure firewall |
 | `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall |
@@ -100,8 +96,7 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw
 
 ## Template references
 
-- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/azureFirewalls)
+- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/azureFirewalls)
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
-- [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
@@ -19,9 +19,6 @@ param basePolicyResourceId string = ''
 @description('Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy.')
 param enableProxy bool = false
 
-@description('Optional. FQDNs in Network Rules are supported when set to true.')
-param requireProxyForNetworkRules bool = false
-
 @description('Optional. List of Custom DNS Servers.')
 param servers array = []
 
@@ -113,7 +110,6 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
     } : null
     dnsSettings: enableProxy ? {
       enableProxy: enableProxy
-      requireProxyForNetworkRules: requireProxyForNetworkRules
       servers: servers
     } : null
     insights: insightsIsEnabled ? {
@@ -153,6 +149,7 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
   }
 }
 
+@batchSize(1)
 module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: {
   name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleCollectionGroups-${index}'
   params: {
@@ -161,11 +158,9 @@ module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' =
     priority: ruleCollectionGroup.priority
     ruleCollections: ruleCollectionGroup.ruleCollections
   }
-  dependsOn: [
-    firewallPolicy
-  ]
 }]
 
+@batchSize(1)
 module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) in ruleGroups: {
   name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleGroups-${index}'
   params: {
@@ -174,9 +169,6 @@ module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, in
     priority: ruleGroup.priority
     rules: ruleGroup.rules
   }
-  dependsOn: [
-    firewallPolicy
-  ]
 }]
 
 @description('The name of the deployed firewall policy')

@@ -28,7 +28,6 @@ This module deploys Network Firewall Policies.
 | `mode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The configuring of intrusion detection. |
 | `name` | string |  |  | Required. Name of the Firewall Policy. |
 | `privateRanges` | array | `[]` |  | Optional. List of private IP addresses/IP address ranges to not be SNAT. |
-| `requireProxyForNetworkRules` | bool |  |  | Optional. FQDNs in Network Rules are supported when set to true. |
 | `retentionDays` | int | `365` |  | Optional. Number of days the insights should be enabled on the policy. |
 | `ruleCollectionGroups` | _[ruleCollectionGroups](ruleCollectionGroups/readme.md)_ array | `[]` |  | Optional. Rule collection groups. |
 | `ruleGroups` | _[ruleGroups](ruleGroups/readme.md)_ array | `[]` |  | Optional. Rule groups. |