"IP Group" azurerm_firewall_policy_rule_collection_group

Kaushalendra Kumar 106 Reputation points
2022-05-20T15:02:29.097+00:00

I have to implement "IP Groups" in an Azure Firewall Firewall Policy Rule Collection using Terraform, but I am not able to find any code block which I can refer to in order to create it. Maybe someone else already did and can share it?


Accepted answer
    GitaraniSharma-MSFT 47,416 Reputation points, Microsoft Employee
    2022-05-23T14:33:20.54+00:00

    Hello @Kaushalendra Kumar ,

    Thank you for the update.

    I understand that you would like to add IP groups in your firewall policy rule collection group using Terraform.

    I couldn't find any existing code block to do this using Terraform, but if we look into the resource "azurerm_firewall_network_rule_collection", we can see it supports the source_ip_groups & destination_ip_groups arguments, in the form of IP Group IDs, for the rule.

    The resource "azurerm_firewall_policy_rule_collection_group" contains the Network/NAT/Application rule collections and that is where you specify the IP groups.

    1) Create an Azure IP Group.
    Refer: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group

    2) Create "azurerm_firewall_policy_rule_collection_group" with Network/NAT/Application rule collections which reference the IP group created above by its resource ID.
    Refer: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group
    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_network_rule_collection

    Example Code Block:

    resource "azurerm_firewall_policy_rule_collection_group" "example" {
      name               = "example-fwpolicy-rcg"
      firewall_policy_id = azurerm_firewall_policy.example.id
      priority           = 500
      network_rule_collection {
        name     = "network_rule_collection1"
        priority = 400
        action   = "Deny"
        rule {
          name                  = "network_rule_collection1_rule1"
          protocols             = ["TCP", "UDP"]
          # Plain address lists are left empty here; the IP groups below supply
          # the source and destination instead.
          source_addresses      = []
          destination_addresses = []
          destination_ports     = ["80"]
          # IP Group resource IDs ("xxx" segments are placeholders).
          source_ip_groups      = ["/subscriptions/xxx/resourceGroups/xxxRG/providers/Microsoft.Network/ipGroups/sipgxxx"]
          destination_ip_groups = ["/subscriptions/xxx/resourceGroups/xxxRG/providers/Microsoft.Network/ipGroups/dipgxxx"]
        }
      }
    }


    ARM template reference : https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/azurefirewall-create-with-firewallpolicy-ipgroups

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

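The two steps from the accepted answer carried through end to end, as an added example that is not part of the original answer: the IP groups are declared in the same configuration and referenced by `azurerm_ip_group.<name>.id`, so Terraform creates them before the rule collection group and no resource ID has to be hand-typed. The resource group and firewall policy references (`azurerm_resource_group.example`, `azurerm_firewall_policy.example`), the names, CIDRs and port are assumed placeholders.

```terraform
# Added example (not from the original answer). Assumes azurerm_resource_group.example
# and azurerm_firewall_policy.example already exist; CIDRs and names are constructed.
resource "azurerm_ip_group" "trusted_admin" {
  name                = "ipg-trusted-admin"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  cidrs               = ["10.10.0.0/24", "10.20.5.0/24"]
}

resource "azurerm_ip_group" "db_servers" {
  name                = "ipg-db-servers"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  cidrs               = ["10.50.1.0/24"]
}

resource "azurerm_firewall_policy_rule_collection_group" "example" {
  name               = "example-fwpolicy-rcg"
  firewall_policy_id = azurerm_firewall_policy.example.id
  priority           = 500

  # Lower priority number is evaluated first: only the admin group may reach SQL.
  network_rule_collection {
    name     = "allow-admin-to-db"
    priority = 100
    action   = "Allow"
    rule {
      name                  = "admin-sql"
      protocols             = ["TCP"]
      source_ip_groups      = [azurerm_ip_group.trusted_admin.id] # implicit dependency
      destination_ip_groups = [azurerm_ip_group.db_servers.id]
      destination_ports     = ["1433"]
    }
  }

  # Explicit catch-all deny for the same destinations, so a broader allow in a
  # lower-priority collection group cannot silently widen access to the DB subnet.
  network_rule_collection {
    name     = "deny-all-to-db"
    priority = 200
    action   = "Deny"
    rule {
      name                  = "deny-other-to-db"
      protocols             = ["Any"]
      source_addresses      = ["*"]
      destination_ip_groups = [azurerm_ip_group.db_servers.id]
      destination_ports     = ["*"]
    }
  }
}
```

Changing a CIDR in either IP group later updates the group in place; the rules keep pointing at the same resource ID, so membership changes need no edit to the rule collection group.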
