How to migrate Azure Firewall Policies/Configuration to a different Azure account?

Jaikishan A Sah (jaisah) 0

What is the process for migrating or importing existing Azure Firewall Policies/Configuration to different Azure accounts? I have a "template.json" and "parameters.json" file from another Azure Firewall setup, and I want to import those files into my Azure account to verify the Policies and Configuration rules. How can I achieve this?

Deepanshu katara 4,900 Reputation points

2024-01-29T10:31:18.76+00:00

Hi, You can use an Azure PowerShell script to migrate existing Azure Firewall configurations to an Azure Firewall policy resource. You can then use Azure Firewall Manager to deploy the policy.
Here is the migration script.
Jaikishan A Sah (jaisah) 0 Reputation points

2024-01-29T10:48:27.62+00:00

How can we Import just the Policies (Network, Application and NAT Rules) using "template.json" file we have from other Azure Firewalls to our own running Firewall in our account?

Note: We don't have access to the Source Firewall. We just have "template.json" and "parameters.json" file from the same.
Deepanshu katara 4,900 Reputation points

2024-01-29T11:00:09.7933333+00:00
Examine the Template:

Open the "template.json" file and understand its structure. Identify the sections related to network, application, and NAT rules. This may involve looking for resources of type Microsoft.Network/azureFirewalls and associated properties.

Extract Policy Sections:

Extract the relevant sections of the template related to policies. Look for resources or sections that define the rules you want to import.

Modify Template for Target Environment:

Adapt the extracted sections to fit into the template structure of your target firewall. Ensure that you update resource names, dependencies, and any other settings to align with your existing firewall's configuration.

Update Parameters:

If the "parameters.json" file contains values specific to the source environment, update the parameter values to match the target environment.

Deploy Modified Template:

Deploy the modified template to your target Azure subscription using the Azure portal, Azure PowerShell, Azure CLI, or Azure Resource Manager REST API. Example using Azure PowerShell:

New-AzResourceGroupDeployment -ResourceGroupName <TargetResourceGroup> -TemplateFile .\modified_template.json -TemplateParameterFile .\parameters.json 1. **Verify Configuration:** - After deployment, verify that the policies in your target Azure Firewall are correctly configured according to the imported settings.
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2024-01-29T11:53:48.8133333+00:00
@Jaikishan A Sah (jaisah)

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I am afraid I did not quite understand your environment.

The JSON file which you are referring, is it from a "Firewall Policy" or "Azure Firewall using Classic Rules" ?

Please note there is a difference and we can no longer create "Azure Firewall using Classic Rules".

See : Azure Firewall Manager policy overview

Both of the above support "Export Template". Please clarify.

In any case, a direct "import" of rules will not be possible.

Instead, you have to loop through the JSON list and get the rules one by one - especially when you don't have access to the original "Firewall Policy" or "Classic Firewall using Classic Rules"

Cheers,

Kapil.
Jaikishan A Sah (jaisah) 0 Reputation points

2024-01-29T14:50:08.54+00:00

@KapilAnanth-MSFT @Deepanshu katara Do we have any Working Script to Export the Application, Network and NAT Firewall rules in CSV format? I tried few but they don;t seem to be a working one

Deepanshu katara 4,900

Hi , simply try


# Connect to your Azure account (login with Azure AD credentials)
Connect-AzAccount

# Specify your Azure subscription and resource group
$subscriptionId = 'your_subscription_id'
$resourceGroupName = 'your_resource_group_name'
$firewallName = 'your_azure_firewall_name'

# Get Azure Firewall rules
$firewallRules = Get-AzFirewallPolicy -ResourceGroupName $resourceGroupName -Name $firewallName | 
    Select-Object -ExpandProperty RuleCollection | 
    Select-Object DisplayName, RuleType, Priority, Action, RuleCondition -ExpandProperty RuleCondition |
    Select-Object DisplayName, RuleType, Priority, Action, 
        @{Name='RuleCondition.ApplicationRuleProtocols'; Expression={$_.ApplicationRule.Protocols -join ', '}},
        @{Name='RuleCondition.NetworkRuleProtocols'; Expression={$_.NetworkRule.Protocols -join ', '}},
        @{Name='RuleCondition.NatRuleAction'; Expression={$_.NatRule.Action -join ', '}},
        @{Name='RuleCondition.NatRuleTranslatedAddress'; Expression={$_.NatRule.TranslatedAddress -join ', '}},
        @{Name='RuleCondition.NatRuleTranslatedPort'; Expression={$_.NatRule.TranslatedPort -join ', '}} |
    ConvertTo-Csv -NoTypeInformation

# Specify the output file path
$outputFilePath = 'azure_firewall_rules.csv'

# Write the rules to the CSV file
$firewallRules | Set-Content -Path $outputFilePath

Write-Host "Azure Firewall rules exported to $outputFilePath"

Jaikishan A Sah (jaisah) 0 Reputation points

2024-01-30T06:53:49.28+00:00

Thanks, for your detailed explanation. I was trying the same to put this Configuration into a new ARM template but unfortunately, it's failing. Will try this again. Also, I have exported the configuration from "Firewall Policy > Automation > Export Template"
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2024-01-31T05:42:13.6633333+00:00

@Jaikishan A Sah (jaisah)

Sure.

Please let us know how it goes.

Cheers,

Kapil
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2024-02-02T05:07:42.9833333+00:00

@Jaikishan A Sah (jaisah)

You can test the above set up and let us know should there be any challenges.

Meanwhile, I shall convert my comment to answer so that it might be beneficial to other community members reading this thread.

I would highly appreciate if you could Accept the answer as original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
Jaikishan A Sah (jaisah) 0 Reputation points

2024-02-02T09:12:21.34+00:00

@KapilAnanth-MSFT Do we have any way to Integrate/Import Microsoft Azure FQDN Tags to any other 3rd party vendor Firewall deployed on Azure? Is there a way we can utilize these Tags without using Azure Native Firewall?
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2024-02-02T09:19:13.4933333+00:00

Hi @Jaikishan A Sah (jaisah)

Unfortunately, no.

The FQDN Tags are built into Azure Firewall and is deployed as a Platform resource.

Only Azure services can interact with other Platform resources and in your case, a 3rd party NVA will not be able to integrate or use the tags offered by the Azure Firewall service.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

1 answer

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2024-01-30T06:21:55.8866667+00:00
@Jaikishan A Sah (jaisah)

Can you please confirm if the JSON file which you are referring, is it from a "Firewall Policy" or "Azure Firewall using Classic Rules" ?

If you only have the JSON file and not access to the Firewall Policy, I don't think so any Azure commands would help.

Because, you are just processing a JSON file and not an Azure Resource - in which case, the community members will be unable to provide a script.

However, should you have access to the Firewall Policy - you can refer to How to get all firewall rules with all the properties.

With that said,

I would not recommend this.

The rules and rule collection groups is a complex nesting of Rules, Rule Collection and Rule Collection Group on JSON and is not suitable to be stored as a CSV or Excel file.

It's better to store them as JSON file only - which would further be easy for you to reuse this code in future deployments.

E.g.,

I have the below set up

This would contain three JSON objects, each for one RuleCollectionGroup.

And each RuleCollectionGroup will contain a list of RuleCollections.

And each RuleCollection will contain a list of Rules.

All in JSON Format.

See:

1.The entire RuleCollectionGroup "DefaultApplicationRuleCollectionGroup"

2.A RuleCollection called "applicationRuleCollection" inside the "DefaultApplicationRuleCollectionGroup" (highlighted)

Similarly, the rules section further contains the Rules inside this RuleCollection

The advantage here is that,

if you want to reuse a Rule or RuleCollection or RuleCollectionGroup, you can simply copy the Rule or RuleCollection or RuleCollectionGroup and paste it into the new ARM/Bicep/Terraform template (respectively).

They all use a similar syntax to a JSON template.

So, if your intention is to store and reuse the code - I'd suggest you to keep it as JSON only.

Hope this helps.

Cheers,

Kapil
Please sign in to rate this answer.

0 comments No comments
Sign in to comment