Migrieren von Azure Firewall-Konfigurationen mithilfe von PowerShell zu einer Azure Firewall-Richtlinie
Sie können ein Azure PowerShell-Skript verwenden, um vorhandene Azure Firewall-Konfigurationen zu einer Azure Firewall-Richtlinienressource zu migrieren. Anschließend können Sie die Richtlinie mithilfe von Azure Firewall Manager bereitstellen.
Vom Skript AZFWMigrationScript.ps1 wird eine FirewallPolicy mit drei RuleCollectionGroup-Objekten jeweils für ApplicationRuleCollections, NetworkRuleCollections und NatRuleCollections erstellt.
Eine RuleCollectionGroup ist eine neue Gruppierung der obersten Ebene für Regelsammlungen und ist für die zukünftige Erweiterbarkeit vorgesehen. Die oben genannten Standardwerte werden empfohlen und automatisch aus dem Portal verwendet.
Am Anfang des Skripts werden der Name der Quellfirewall und die Ressourcengruppe sowie der Name und Speicherort der Zielrichtlinie definiert. Ersetzen Sie die Werte ggf. durch geeignete Werte für Ihr Unternehmen.
Migrationsskript
Ändern Sie das folgende Skript, um die Firewallkonfiguration zu migrieren.
# Input params to be modified as needed
$FirewallResourceGroup = "AzFWMigrateRG"
$FirewallName = "azfw"
$FirewallPolicyResourceGroup = "AzFWPolicyRG"
$FirewallPolicyName = "fwpolicy"
$FirewallPolicyLocation = "WestEurope"
$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"
$ApplicationRuleGroupPriority = 300
$NetworkRuleGroupPriority = 200
$NatRuleGroupPriority = 100
$InvalidCharsPattern = "[']"
# Helper functions for translating ApplicationProtocol and ApplicationRule
Function GetApplicationProtocolsString
{
Param([Object[]] $Protocols)
$output = ""
ForEach ($protocol in $Protocols)
{
$output += $protocol.ProtocolType + ":" + $protocol.Port + ","
}
return $output.Substring(0, $output.Length - 1)
}
Function GetApplicationRuleCmd
{
Param([Object] $ApplicationRule)
$cmd = "New-AzFirewallPolicyApplicationRule"
$parsedName = ParseRuleName($ApplicationRule.Name)
$cmd = $cmd + " -Name " + "'" + $parsedName + "'"
if ($ApplicationRule.SourceAddresses)
{
$ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
$cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
}
elseif ($ApplicationRule.SourceIpGroups)
{
$ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
$cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
}
if ($ApplicationRule.Description)
{
$cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
}
if ($ApplicationRule.TargetFqdns)
{
$protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
$cmd = $cmd + " -Protocol " + $protocols
$AppRule = $($ApplicationRule.TargetFqdns) -join ","
$cmd = $cmd + " -TargetFqdn " + $AppRule
}
if ($ApplicationRule.FqdnTags)
{
$cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
}
return $cmd
}
Function ParseRuleName
{
Param([Object] $RuleName)
if ($RuleName -match $InvalidCharsPattern) {
$newRuleName = $RuleName -split $InvalidCharsPattern -join ""
Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Yellow
return $newRuleName
}
return $RuleName
}
If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))
{
New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
}
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
Write-Host "creating empty firewall policy"
if ($azfw.DNSEnableProxy) {
$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
}
else {
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
}
Write-Host $fwp.Name "created"
# Translate ApplicationRuleCollection
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
If ($azfw.ApplicationRuleCollections.Count -gt 0)
{
$firewallPolicyAppRuleCollections = @()
ForEach ($appRc in $azfw.ApplicationRuleCollections)
{
If ($appRc.Rules.Count -gt 0)
{
Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
$firewallPolicyAppRules = @()
ForEach ($appRule in $appRc.Rules)
{
$cmd = GetApplicationRuleCmd($appRule)
$firewallPolicyAppRule = Invoke-Expression $cmd
Write-Host "Created Application Rule: " $firewallPolicyAppRule.Name
$firewallPolicyAppRules += $firewallPolicyAppRule
}
$fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
Write-Host "Created Application Rule Collection: " $fwpAppRuleCollection.Name
}
$firewallPolicyAppRuleCollections += $fwpAppRuleCollection
}
$appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created Application Rule Collection Group: " $appRuleGroup.Name
}
# Translate NetworkRuleCollection
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0)
{
$firewallPolicyNetRuleCollections = @()
ForEach ($rc in $azfw.NetworkRuleCollections)
{
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
$firewallPolicyNetRules = @()
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
elseif ($rule.SourceIpGroups)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
Write-Host "Created network rule: " $firewallPolicyNetRule.Name
$firewallPolicyNetRules += $firewallPolicyNetRule
}
$fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
Write-Host "Created Network Rule Collection: " $fwpNetRuleCollection.Name
}
$firewallPolicyNetRuleCollections += $fwpNetRuleCollection
}
$netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created Network Rule Collection Group: " $netRuleGroup.Name
}
# Translate NatRuleCollection
# Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
# where each NatRule will have its own set of source , dest, translated IPs and ports.
# In FirewallPolicy a NatRuleCollection has a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
# as part of NatRuleCollection.
# So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
Write-Host "creating " $azfw.NatRuleCollections.Count " NAT rule collections"
If ($azfw.NatRuleCollections.Count -gt 0)
{
$firewallPolicyNatRuleCollections = @()
$priority = 100
ForEach ($rc in $azfw.NatRuleCollections)
{
$firewallPolicyNatRules = @()
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
{
$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.SourceIpGroups)
{
$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name
$firewallPolicyNatRules += $firewallPolicyNatRule
}
$natRuleCollectionName = $rc.Name
$fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
$priority += 1
Write-Host "Created NAT Rule Collection: " $fwpNatRuleCollection.Name
$firewallPolicyNatRuleCollections += $fwpNatRuleCollection
}
}
$natRuleCollectionGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created NAT Rule Collection Group: " $natRuleCollectionGroup.Name
}
Nächste Schritte
Weitere Informationen zur Bereitstellung mit Azure Firewall Manager: Übersicht über die Bereitstellung mit Azure Firewall Manager