New-AzFirewall
Creates a new Firewall in a resource group.
New-AzFirewall
-Name <String>
-ResourceGroupName <String>
-Location <String>
[-PublicIpAddress <PSPublicIpAddress[]>]
[-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
[-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
[-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>]
[-PrivateRange <String[]>]
[-EnableDnsProxy]
[-DnsServer <String[]>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-Zone <String[]>]
[-SkuName <String>]
[-SkuTier <String>]
[-VirtualHubId <String>]
[-HubIPAddress <PSAzureFirewallHubIpAddresses>]
[-FirewallPolicyId <String>]
[-AllowActiveFTP]
[-EnableFatFlowLogging]
[-EnableUDPLogOptimization]
[-RouteServerId <String>]
[-MinCapacity <Int32>]
[-MaxCapacity <Int32>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-AzFirewall
-Name <String>
-ResourceGroupName <String>
-Location <String>
-VirtualNetworkName <String>
[-PublicIpName <String>]
[-PublicIpAddress <PSPublicIpAddress[]>]
[-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
[-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
[-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>]
[-PrivateRange <String[]>]
[-EnableDnsProxy]
[-DnsServer <String[]>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-Zone <String[]>]
[-SkuName <String>]
[-SkuTier <String>]
[-VirtualHubId <String>]
[-HubIPAddress <PSAzureFirewallHubIpAddresses>]
[-FirewallPolicyId <String>]
[-AllowActiveFTP]
[-EnableFatFlowLogging]
[-EnableUDPLogOptimization]
[-RouteServerId <String>]
[-MinCapacity <Int32>]
[-MaxCapacity <Int32>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-AzFirewall
-Name <String>
-ResourceGroupName <String>
-Location <String>
-VirtualNetwork <PSVirtualNetwork>
[-PublicIpAddress <PSPublicIpAddress[]>]
[-ManagementPublicIpAddress <PSPublicIpAddress>]
[-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
[-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
[-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>]
[-PrivateRange <String[]>]
[-EnableDnsProxy]
[-DnsServer <String[]>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-Zone <String[]>]
[-SkuName <String>]
[-SkuTier <String>]
[-VirtualHubId <String>]
[-HubIPAddress <PSAzureFirewallHubIpAddresses>]
[-FirewallPolicyId <String>]
[-AllowActiveFTP]
[-EnableFatFlowLogging]
[-EnableUDPLogOptimization]
[-RouteServerId <String>]
[-MinCapacity <Int32>]
[-MaxCapacity <Int32>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
The New-AzFirewall cmdlet creates an Azure Firewall.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. Since no rules were specified, the firewall will block all traffic (default behavior). Threat Intel will also run in default mode - Alert - which means malicious traffic will be logged, but not denied.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "https:443" -TargetFqdn "*"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection
This example creates a Firewall which allows all HTTPS traffic on port 443. Threat Intel will run in default mode - Alert - which means malicious traffic will be logged, but not denied.
$rule = New-AzFirewallNatRule -Name "natRule" -Protocol "TCP" -SourceAddress "*" -DestinationAddress "10.1.2.3" -DestinationPort "80" -TranslatedAddress "10.2.3.4" -TranslatedPort "8080"
$ruleCollection = New-AzFirewallNatRuleCollection -Name "NatRuleCollection" -Priority 1000 -Rule $rule
New-AzFirewall -Name "azFw" -ResourceGroupName "rg" -Location centralus -NatRuleCollection $ruleCollection -ThreatIntelMode Off
This example created a Firewall which translated the destination IP and port of all packets destined to 10.1.2.3:80 to 10.2.3.4:8080 Threat Intel is turned off in this example.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ThreatIntelMode Alert
This example creates a Firewall which blocks all traffic (default behavior) and has Threat Intel running in Alert mode. This means alerting logs are emitted for malicious traffic before applying the other rules (in this case just the default rule - Deny All)
Example 5: Create a Firewall which allows all HTTP traffic on port 8080, but blocks malicious domains identified by Threat Intel
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "http:8080" -TargetFqdn "*"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection -ThreatIntelMode Deny
This example creates a Firewall which allows all HTTP traffic on port 8080 unless it is considered malicious by Threat Intel. When running in Deny mode, unlike Alert, traffic considered malicious by Threat Intel is not just logged, but also blocked.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetworkName $vnet.Name -PublicIpName $pip.Name -Zone 1,2,3
This example creates a Firewall with all available availability zones.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -Name "vnet" -ResourceGroupName $rgName
$pip1 = New-AzPublicIpAddress -Name "AzFwPublicIp1" -ResourceGroupName "rg" -Sku "Basic" -Tier "Regional" -Location "centralus" -AllocationMethod Static
$pip2 = New-AzPublicIpAddress -Name "AzFwPublicIp2" -ResourceGroupName "rg" -Sku "Basic" -Tier "Regional" -Location "centralus" -AllocationMethod Static
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress @($pip1, $pip2)
This example creates a Firewall attached to virtual network "vnet" with two public IP addresses.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "mssql:1433" -TargetFqdn "sql1.database.windows.net"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection -ThreatIntelMode Deny
This example creates a Firewall which allows MSSQL traffic on standard port 1433 to SQL database sql1.database.windows.net.
$rgName = "resourceGroupName"
$fp = Get-AzFirewallPolicy -ResourceGroupName $rgName -Name "fp"
$fpId = $fp.Id
$vHub = Get-AzVirtualHub -Name "hub"
$vHubId = $vHub.Id
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -SkuName AZFW_Hub -VirtualHubId $vHubId -FirewallPolicyId -$fpId
This example creates a Firewall attached to virtual hub "vHub". A firewall policy $fp will be attached to the firewall. This firewall allows/denies the traffic based on the rules mentioned in the firewall policy $fp. The virtual hub and the firewall should be in the same regions.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$tiWhitelist = New-AzFirewallThreatIntelWhitelist -FQDN @("www.microsoft.com") -IpAddress @("8.8.8.8")
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ThreatIntelWhitelist $tiWhitelist
This example creates a Firewall that allowlists "www.microsoft.com" and "8.8.8.8" from threat intelligence
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -PrivateRange @("99.99.99.0/24", "66.66.0.0/16")
This example creates a Firewall that treats "99.99.99.0/24" and "66.66.0.0/16" as private ip ranges and won't snat traffic to those addresses
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$mgmtPip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "managementPublicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ManagementPublicIpAddress $mgmtPip
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. Since no rules were specified, the firewall will block all traffic (default behavior). Threat Intel will also run in default mode - Alert - which means malicious traffic will be logged, but not denied.
To support "forced tunneling" scenarios, this firewall will use the subnet "AzureFirewallManagementSubnet" and the management public IP address for its management traffic
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$fp = Get-AzFirewallPolicy -ResourceGroupName $rgName -Name "fp"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $fp
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. The rules and threat intelligence that will be applied to the firewall will be taken from the firewall policy
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -DnsServer @("10.10.10.1", "20.20.20.2")
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. DNS Proxy is enabled for this firewall and 2 DNS Servers are provided. Also Require DNS Proxy for Network rules is set so if there are any Network rules with FQDNs then DNS proxy will be used for them too.
Example 15: Create a Firewall with multiple IPs. The Firewall can be associated with the Virtual Hub
$rgName = "resourceGroupName"
$vHub = Get-AzVirtualHub -Name "hub"
$vHubId = $vHub.Id
$fwpips = New-AzFirewallHubPublicIpAddress -Count 2
$hubIpAddresses = New-AzFirewallHubIpAddress -PublicIP $fwpips
$fw=New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location westus -SkuName AZFW_Hub -HubIPAddress $hubIpAddresses -VirtualHubId $vHubId
This example creates a Firewall attached to virtual hub "hub" in the same resource group as the firewall. The Firewall will be assigned 2 public IPs that are created implicitly.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -AllowActiveFTP
This example creates a Firewall with allow active FTP flag.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$mgmtPip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "managementPublicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -ManagementPublicIpAddress $mgmtPip
This example creates a "forced tunneling" Firewall that uses the subnet "AzureFirewallManagementSubnet" and the management public IP address for its management traffic. In this scenario, users do not have to specify a data Public IP if they are only using firewall for private traffic only.
Allows Active FTP on the Firewall. By default it is disabled.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the collections of application rules for the new Firewall.
Type: | PSAzureFirewallApplicationRuleCollection[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Run cmdlet in the background
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The credentials, account, tenant, and subscription used for communication with azure.
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The list of DNS Servers to be used for DNS resolution,
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Enable DNS Proxy. By default it is disabled.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Enable Fat Flow Logging. By default it is false.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Enable UDP Log Optimization. By default it is false.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The firewall policy attached to the firewall
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The ip addresses for the firewall attached to a virtual hub
Type: | PSAzureFirewallHubIpAddresses |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the region for the Firewall.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
One or more Public IP Addresses to use for management traffic. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall.
Type: | PSPublicIpAddress |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The maximum number of capacity units for this azure firewall
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The minimum number of capacity units for this azure firewall
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the name of the Azure Firewall that this cmdlet creates.
Type: | String |
Aliases: | ResourceName |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The list of AzureFirewallNatRuleCollections
Type: | PSAzureFirewallNatRuleCollection[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The list of AzureFirewallNetworkRuleCollections
Type: | PSAzureFirewallNetworkRuleCollection[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The private IP ranges to which traffic won't be SNAT'ed
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
One or more Public IP Addresses. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall. No input needed for Forced Tunneling Firewalls.
Type: | PSPublicIpAddress[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Public Ip Name. The Public IP must use Standard SKU and must belong to the same resource group as the Firewall.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Specifies the name of a resource group to contain the Firewall.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The Route Server Id for the firewall
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The sku name for firewall
Type: | String |
Aliases: | Sku |
Accepted values: | AZFW_Hub, AZFW_VNet |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The sku tier for firewall
Type: | String |
Accepted values: | Standard, Premium, Basic |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Key-value pairs in the form of a hash table. For example:
@{key0="value0";key1=$null;key2="value2"}
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Specifies the operation mode for Threat Intelligence. Default mode is Alert, not Off.
Type: | String |
Accepted values: | Alert, Deny, Off |
Position: | Named |
Default value: | Alert |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The allowlist for Threat Intelligence
Type: | PSAzureFirewallThreatIntelWhitelist |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The virtual hub that a firewall is attached to
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Virtual Network
Type: | PSVirtualNetwork |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Specifies the name of the virtual network for which the Firewall will be deployed. Virtual network and Firewall must belong to the same resource group.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
A list of availability zones denoting where the firewall needs to come from.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
PSAzureFirewallApplicationRuleCollection[]
PSAzureFirewallNatRuleCollection[]
Azure PowerShell feedback
Azure PowerShell is an open source project. Select a link to provide feedback: