Quickstart: Create an Azure Firewall and IP Groups - Bicep
In this quickstart, you use a Bicep file to deploy an Azure Firewall with sample IP Groups used in a network rule and application rule. An IP Group is a top-level resource that allows you to define and group IP addresses, ranges, and subnets into a single object. IP Group is useful for managing IP addresses in Azure Firewall rules. You can either manually enter IP addresses or import them from a file.
Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
Review the Bicep file
This Bicep file creates an Azure Firewall and IP Groups, along with the necessary resources to support the Azure Firewall.
The Bicep file used in this quickstart is from Azure Quickstart Templates.
@description('virtual network name')
param virtualNetworkName string = 'vnet${uniqueString(resourceGroup().id)}'
param ipgroups_name1 string = 'ipgroup1${uniqueString(resourceGroup().id)}'
param ipgroups_name2 string = 'ipgroup2${uniqueString(resourceGroup().id)}'
@description('Username for the Virtual Machine.')
param adminUsername string
@description('Location for all resources.')
param location string = resourceGroup().location
@description('Zone numbers e.g. 1,2,3.')
param vmSize string = 'Standard_D2s_v3'
@description('Number of public IP addresses for the Azure Firewall')
@minValue(1)
@maxValue(100)
param numberOfFirewallPublicIPAddresses int = 1
@description('Type of authentication to use on the Virtual Machine. SSH key is recommended.')
@allowed([
'sshPublicKey'
'password'
])
param authenticationType string = 'sshPublicKey'
@description('SSH Key or password for the Virtual Machine. SSH key is recommended.')
@secure()
param adminPasswordOrKey string
var vnetAddressPrefix = '10.0.0.0/16'
var serversSubnetPrefix = '10.0.2.0/24'
var azureFirewallSubnetPrefix = '10.0.1.0/24'
var jumpboxSubnetPrefix = '10.0.0.0/24'
var nextHopIP = '10.0.1.4'
var azureFirewallSubnetName = 'AzureFirewallSubnet'
var jumpBoxSubnetName = 'JumpboxSubnet'
var serversSubnetName = 'ServersSubnet'
var jumpBoxPublicIPAddressName = 'JumpHostPublicIP'
var jumpBoxNsgName = 'JumpHostNSG'
var jumpBoxNicName = 'JumpHostNic'
var jumpBoxSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, jumpBoxSubnetName)
var serverNicName = 'ServerNic'
var serverSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, serversSubnetName)
var storageAccountName = '${uniqueString(resourceGroup().id)}sajumpbox'
var azfwRouteTableName = 'AzfwRouteTable'
var firewallName = 'firewall1'
var publicIPNamePrefix = 'publicIP'
var azureFirewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, azureFirewallSubnetName)
var linuxConfiguration = {
disablePasswordAuthentication: true
ssh: {
publicKeys: [
{
path: '/home/${adminUsername}/.ssh/authorized_keys'
keyData: adminPasswordOrKey
}
]
}
patchSettings: {
patchMode: 'AutomaticByPlatform'
}
}
var networkSecurityGroupName = '${serversSubnetName}-nsg'
var azureFirewallIpConfigurations = [for i in range(0, numberOfFirewallPublicIPAddresses): {
name: 'IpConf${i}'
properties: {
subnet: {
id: (i == 0) ? azureFirewallSubnetId : null
}
publicIPAddress: {
id: publicIP[i].id
}
}
}]
resource ipgroup1 'Microsoft.Network/ipGroups@2023-09-01' = {
name: ipgroups_name1
location: location
properties: {
ipAddresses: [
'13.73.64.64/26'
'13.73.208.128/25'
'52.126.194.0/23'
]
}
}
resource ipgroup2 'Microsoft.Network/ipGroups@2023-09-01' = {
name: ipgroups_name2
location: location
properties: {
ipAddresses: [
'12.0.0.0/24'
'13.9.0.0/24'
]
}
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: storageAccountName
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
properties: {}
}
resource azfwRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
name: azfwRouteTableName
location: location
properties: {
disableBgpRoutePropagation: false
routes: [
{
name: 'AzfwDefaultRoute'
properties: {
addressPrefix: '0.0.0.0/0'
nextHopType: 'VirtualAppliance'
nextHopIpAddress: nextHopIP
}
}
]
}
}
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
name: networkSecurityGroupName
location: location
properties: {}
}
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-09-01' = {
name: virtualNetworkName
location: location
tags: {
displayName: virtualNetworkName
}
properties: {
addressSpace: {
addressPrefixes: [
vnetAddressPrefix
]
}
subnets: [
{
name: jumpBoxSubnetName
properties: {
addressPrefix: jumpboxSubnetPrefix
}
}
{
name: azureFirewallSubnetName
properties: {
addressPrefix: azureFirewallSubnetPrefix
}
}
{
name: serversSubnetName
properties: {
addressPrefix: serversSubnetPrefix
routeTable: {
id: azfwRouteTable.id
}
networkSecurityGroup: {
id: networkSecurityGroup.id
}
}
}
]
}
}
resource publicIP 'Microsoft.Network/publicIPAddresses@2023-09-01' = [for i in range(0, numberOfFirewallPublicIPAddresses): {
name: '${publicIPNamePrefix}${i + 1}'
location: location
sku: {
name: 'Standard'
}
properties: {
publicIPAllocationMethod: 'Static'
publicIPAddressVersion: 'IPv4'
}
}]
resource jumpBoxPublicIPAddress 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
name: jumpBoxPublicIPAddressName
location: location
properties: {
publicIPAllocationMethod: 'Dynamic'
}
}
resource jumpBoxNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
name: jumpBoxNsgName
location: location
properties: {
securityRules: [
{
name: 'myNetworkSecurityGroupRuleSSH'
properties: {
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '22'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
access: 'Allow'
priority: 1000
direction: 'Inbound'
}
}
]
}
}
resource JumpBoxNic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
name: jumpBoxNicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
publicIPAddress: {
id: jumpBoxPublicIPAddress.id
}
subnet: {
id: jumpBoxSubnetId
}
}
}
]
networkSecurityGroup: {
id: jumpBoxNsg.id
}
}
dependsOn: [
virtualNetwork
]
}
resource ServerNic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
name: serverNicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: serverSubnetId
}
}
}
]
}
dependsOn: [
virtualNetwork
]
}
resource JumpBoxVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
name: 'JumpBox'
location: location
tags: {
AzSecPackAutoConfigReady: true
}
properties: {
hardwareProfile: {
vmSize: vmSize
}
storageProfile: {
imageReference: {
publisher: 'MicrosoftCBLMariner'
offer: 'cbl-mariner'
sku: 'cbl-mariner-2-gen2'
version: 'latest'
}
osDisk: {
createOption: 'FromImage'
}
}
osProfile: {
computerName: 'JumpBox'
adminUsername: adminUsername
adminPassword: adminPasswordOrKey
linuxConfiguration: ((authenticationType == 'password') ? json('null') : linuxConfiguration)
}
networkProfile: {
networkInterfaces: [
{
id: JumpBoxNic.id
}
]
}
diagnosticsProfile: {
bootDiagnostics: {
enabled: true
storageUri: storageAccount.properties.primaryEndpoints.blob
}
}
}
}
resource ServerVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
name: 'Server'
location: location
tags: {
AzSecPackAutoConfigReady: true
}
properties: {
hardwareProfile: {
vmSize: vmSize
}
storageProfile: {
imageReference: {
publisher: 'MicrosoftCBLMariner'
offer: 'cbl-mariner'
sku: 'cbl-mariner-2-gen2'
version: 'latest'
}
osDisk: {
createOption: 'FromImage'
}
}
osProfile: {
computerName: 'Server'
adminUsername: adminUsername
adminPassword: adminPasswordOrKey
linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration)
}
networkProfile: {
networkInterfaces: [
{
id: ServerNic.id
}
]
}
diagnosticsProfile: {
bootDiagnostics: {
enabled: true
storageUri: storageAccount.properties.primaryEndpoints.blob
}
}
}
}
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
name: firewallName
location: location
dependsOn: [
virtualNetwork
publicIP
]
properties: {
ipConfigurations: azureFirewallIpConfigurations
applicationRuleCollections: [
{
name: 'appRc1'
properties: {
priority: 101
action: {
type: 'Allow'
}
rules: [
{
name: 'someAppRule'
protocols: [
{
protocolType: 'Http'
port: 8080
}
]
targetFqdns: [
'*bing.com'
]
sourceIpGroups: [
ipgroup1.id
]
}
{
name: 'someOtherAppRule'
protocols: [
{
protocolType: 'Mssql'
port: 1433
}
]
targetFqdns: [
'sql1${environment().suffixes.sqlServerHostname}'
]
sourceIpGroups: [
ipgroup1.id
ipgroup2.id
]
}
]
}
}
]
networkRuleCollections: [
{
name: 'netRc1'
properties: {
priority: 200
action: {
type: 'Allow'
}
rules: [
{
name: 'networkRule'
description: 'desc1'
protocols: [
'UDP'
'TCP'
'ICMP'
]
sourceAddresses: [
'10.0.0.0'
'111.1.0.0/23'
]
sourceIpGroups: [
ipgroup1.id
]
destinationIpGroups: [
ipgroup2.id
]
destinationPorts: [
'90'
]
}
]
}
}
]
}
}
output location string = location
output name string = firewall.name
output resourceGroupName string = resourceGroup().name
output resourceId string = firewall.id
Multiple Azure resources are defined in the Bicep file:
- Microsoft.Network/ipGroups
- Microsoft.Storage/storageAccounts
- Microsoft.Network/routeTables
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/networkInterfaces
- Microsoft.Compute/virtualMachines
- Microsoft.Network/azureFirewalls
Deploy the Bicep file
Save the Bicep file as main.bicep to your local computer.
Deploy the Bicep file using either Azure CLI or Azure PowerShell.
az group create --name exampleRG --location eastus az deployment group create --resource-group exampleRG --template-file main.bicep
You'll be prompted to enter the following values:
- Admin Username: Type username for the administrator user account
- Admin Password: Type an administrator password or key
When the deployment finishes, you should see a message indicating the deployment succeeded.
Review deployed resources
Use the Azure portal, Azure CLI, or Azure PowerShell to validate the deployment and review the deployed resources.
az resource list --resource-group exampleRG
To learn about the Bicep syntax and properties for a firewall in a Bicep file, see Microsoft.Network azureFirewalls template reference.
Clean up resources
When you no longer need them, use the Azure portal, Azure CLI, or Azure PowerShell to remove the resource group, firewall, and all related resources.
az group delete --name exampleRG