Migrate Azure Firewall Standard to Premium using Terraform

Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.

If you use Terraform to deploy standard Azure Firewall with classic rules, you can modify your Terraform configuration file to migrate your firewall to Azure Firewall Premium using a Premium firewall policy.

In this article, you learn how to:

  • Deploy a standard Azure Firewall with classic rules using Terraform
  • Import the firewall rules into a premium firewall policy
  • Edit the Terraform configuration file to migrate the firewall

1. Configure your environment

  • Azure subscription: If you don't have an Azure subscription, create a free account before you begin.

2. Implement the Terraform code

  1. Create a directory in which to test the sample Terraform code and make it the current directory.

  2. Create a file named main.tf and insert the following code:

    terraform {
    
      required_version = ">=0.12"
      
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = ">=2.46.0"
        }
      }
    }
    
    provider "azurerm" {
      features {}
    }
    
    resource "azurerm_resource_group" "rg" {
      name     = "test-resources"
      location = var.resource_group_location
    }
    
    resource "azurerm_virtual_network" "vnet" {
      name                = "testvnet"
      address_space       = ["10.0.0.0/16"]
      location            = azurerm_resource_group.rg.location
      resource_group_name = azurerm_resource_group.rg.name
    }
    
    resource "azurerm_subnet" "subnet" {
      name                 = "AzureFirewallSubnet"
      resource_group_name  = azurerm_resource_group.rg.name
      virtual_network_name = azurerm_virtual_network.vnet.name
      address_prefixes     = ["10.0.1.0/24"]
    }
    
    resource "azurerm_public_ip" "pip" {
      name                = "testpip"
      location            = azurerm_resource_group.rg.location
      resource_group_name = azurerm_resource_group.rg.name
      allocation_method   = "Static"
      sku                 = "Standard"
    }
    
    resource "azurerm_firewall" "fw" {
      name                = "testfirewall"
      location            = azurerm_resource_group.rg.location
      resource_group_name = azurerm_resource_group.rg.name
    
      ip_configuration {
        name                 = "configuration"
        subnet_id            = azurerm_subnet.subnet.id
        public_ip_address_id = azurerm_public_ip.pip.id
      }
    }
    
    resource "azurerm_firewall_application_rule_collection" "app-rc" {
      name                = "apptestcollection"
      azure_firewall_name = azurerm_firewall.fw.name
      resource_group_name = azurerm_resource_group.rg.name
      priority            = 100
      action              = "Allow"
    
      rule {
        name = "testrule"
    
        source_addresses = [
          "10.0.0.0/16",
        ]
    
        target_fqdns = [
          "*.google.com",
        ]
    
        protocol {
          port = "443"
          type = "Https"
        }
      }
    }
    
    resource "azurerm_firewall_network_rule_collection" "net-rc" {
      name                = "nettestcollection"
      azure_firewall_name = azurerm_firewall.fw.name
      resource_group_name = azurerm_resource_group.rg.name
      priority            = 100
      action              = "Allow"
    
      rule {
        name = "dnsrule"
    
        source_addresses = [
          "10.0.0.0/16",
        ]
    
        destination_ports = [
          "53",
        ]
    
        destination_addresses = [
          "8.8.8.8",
          "8.8.4.4",
        ]
    
        protocols = [
          "TCP",
          "UDP",
        ]
      }
    }
    
  3. Create a file named variables.tf and insert the following code:

    variable "resource_group_location" {
      default = "eastus"
    }
    

3. Initialize Terraform

Run terraform init to initialize the Terraform deployment. This command downloads the Azure modules required to manage your Azure resources.

terraform init

4. Create a Terraform execution plan

Run terraform plan to create an execution plan.

terraform plan -out main.tfplan

Key points:

  • The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
  • The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.
  • To read more about persisting execution plans and security, see the security warning section.

5. Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply main.tfplan

Key points:

  • The terraform apply command above assumes you previously ran terraform plan -out main.tfplan.
  • If you specified a different filename for the -out parameter, use that same filename in the call to terraform apply.
  • If you didn't use the -out parameter, call terraform apply without any parameters.

6. Import the firewall rules into a premium policy

Now you have a standard firewall with classic rules. Next, create a premium Firewall Policy and import the rules from the firewall.

  1. On the Azure portal, select Create a resource.
  2. Search for firewall policy and select it.
  3. Select Create.
  4. For Resource group select test-resources .
  5. For Name, type prem-pol.
  6. For Region, select East US.
  7. For Policy tier, select Premium.
  8. Select Next: DNS Settings, and continue until you reach the Rules page.
  9. On the Rules page, select Import rules from an Azure Firewall.
  10. Select testfirewall, and then select Import.
  11. Select Review + create.
  12. Select Create.

7. Edit the Terraform configuration file to migrate the firewall

Open the main.tf file, and make the following changes:

  1. Add the following 'data' section:

    data "azurerm_firewall_policy" "prem-pol" {
      name                 = "prem-pol"
      resource_group_name  = azurerm_resource_group.rg.name
    }
    
  2. Modify the firewall resource:

     resource "azurerm_firewall" "fw" {
         name                = "testfirewall"
         location            = azurerm_resource_group.rg.location
         resource_group_name = azurerm_resource_group.rg.name
         firewall_policy_id  = data.azurerm_firewall_policy.prem-pol.id
         sku_tier            = "Premium"
    
     ip_configuration {
         name                 = "configuration"
         subnet_id            = azurerm_subnet.subnet.id
         public_ip_address_id = azurerm_public_ip.pip.id
     }
    }
    
  3. Delete the classic rule collections:

    resource "azurerm_firewall_application_rule_collection" "app-rc" {
      name                = "apptestcollection"
      azure_firewall_name = azurerm_firewall.fw.name
      resource_group_name = azurerm_resource_group.rg.name
      priority            = 100
      action              = "Allow"
    
      rule {
        name = "testrule"
    
        source_addresses = [
          "10.0.0.0/16",
        ]
    
        target_fqdns = [
          "*.google.com",
        ]
    
        protocol {
          port = "443"
          type = "Https"
        }
      }
    }
    
    resource "azurerm_firewall_network_rule_collection" "net-rc" {
      name                = "nettestcollection"
      azure_firewall_name = azurerm_firewall.fw.name
      resource_group_name = azurerm_resource_group.rg.name
      priority            = 100
      action              = "Allow"
    
      rule {
        name = "dnsrule"
    
        source_addresses = [
          "10.0.0.0/16",
        ]
    
        destination_ports = [
          "53",
        ]
    
        destination_addresses = [
          "8.8.8.8",
          "8.8.4.4",
        ]
    
        protocols = [
          "TCP",
          "UDP",
        ]
      }
    }
    

8. Apply the modified Terraform execution plan

  1. terraform plan -out main.tfplan
  2. terraform apply main.tfplan

9. Verify the results

  1. Select the test-resources resource group.
  2. Select the testfirewall resource.
  3. Verify the Firewall sku is Premium.
  4. Verify the firewall is using the prem-pol firewall policy. Azure Firewall Premium with a Premium policy.

10. Clean up resources

When you no longer need the resources created via Terraform, do the following steps:

  1. Run terraform plan and specify the destroy flag.

    terraform plan -destroy -out main.destroy.tfplan
    

    Key points:

    • The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
    • The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.
    • To read more about persisting execution plans and security, see the security warning section.
  2. Run terraform apply to apply the execution plan.

    terraform apply main.destroy.tfplan
    

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps