Azure Firewalls - Create Or Update
Creates or updates the specified Azure Firewall.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls/{azureFirewallName}?api-version=2023-05-01
URI Parameters

Name (in, required, type): Description

azureFirewallName (path, required, string): The name of the Azure Firewall.
resourceGroupName (path, required, string): The name of the resource group.
subscriptionId (path, required, string): The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version (query, required, string): Client API version.
Request Body

Name (type): Description

id (string): Resource ID.
location (string): Resource location.
properties.additionalProperties (object): Additional properties used to further configure this Azure Firewall.
properties.applicationRuleCollections (AzureFirewallApplicationRuleCollection[]): Collection of application rule collections used by Azure Firewall.
properties.firewallPolicy (SubResource): The firewallPolicy associated with this Azure Firewall.
properties.hubIPAddresses (HubIPAddresses): IP addresses associated with the AzureFirewall.
properties.ipConfigurations (AzureFirewallIPConfiguration[]): IP configuration of the Azure Firewall resource.
properties.managementIpConfiguration (AzureFirewallIPConfiguration): IP configuration of the Azure Firewall used for management traffic.
properties.natRuleCollections (AzureFirewallNatRuleCollection[]): Collection of NAT rule collections used by Azure Firewall.
properties.networkRuleCollections (AzureFirewallNetworkRuleCollection[]): Collection of network rule collections used by Azure Firewall.
properties.sku (AzureFirewallSku): The Azure Firewall resource SKU.
properties.threatIntelMode (AzureFirewallThreatIntelMode): The operation mode for Threat Intelligence.
properties.virtualHub (SubResource): The virtualHub to which the firewall belongs.
tags (object): Resource tags.
zones (string[]): A list of availability zones denoting where the resource needs to come from.
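The request body above is a policy document as much as a resource definition, so it pays to audit it locally before it is sent. The following is an added example, not code from this reference page or from the Azure SDK: a small pre-flight check over a PUT body in exactly the shape documented above (properties.*RuleCollections, properties.ipConfigurations, properties.threatIntelMode). It assumes that the AzureFirewallThreatIntelMode values are Off, Alert and Deny (the page only shows Alert) and that the firewall subnet must be named AzureFirewallSubnet; the sample body is a constructed, trimmed copy of the page's request with one extra Allow collection added so that every check has something to report.

```python
from __future__ import annotations

from typing import Any, Iterator

# Assumption (the page only shows "Alert"): the three AzureFirewallThreatIntelMode values.
THREAT_INTEL_MODES = {"Off", "Alert", "Deny"}

COLLECTION_KEYS = ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections")


def _rules(props: dict[str, Any], key: str) -> Iterator[tuple[str, dict[str, Any], dict[str, Any]]]:
    """Yield (collection name, collection properties, rule) for one *RuleCollections key."""
    for coll in props.get(key, []):
        cprops = coll.get("properties", {})
        for rule in cprops.get("rules", []):
            yield coll.get("name", "?"), cprops, rule


def audit_firewall_body(body: dict[str, Any]) -> list[str]:
    """Return human-readable findings for an AzureFirewall PUT body (empty list = nothing to report)."""
    findings: list[str] = []
    props = body.get("properties", {})

    # threatIntelMode: "Alert" only logs threat-intelligence hits, "Deny" also blocks them.
    mode = props.get("threatIntelMode")
    if mode not in THREAT_INTEL_MODES:
        findings.append(f"threatIntelMode: missing or unknown value {mode!r}")
    elif mode != "Deny":
        findings.append(f"threatIntelMode: {mode} logs but does not block threat-intelligence matches")

    # Priorities are unique within a collection type; a duplicate leaves evaluation order undefined.
    for key in COLLECTION_KEYS:
        seen: dict[Any, str] = {}
        for coll in props.get(key, []):
            prio = coll.get("properties", {}).get("priority")
            name = coll.get("name", "?")
            if prio in seen:
                findings.append(f"{key}: priority {prio} used by both {seen[prio]!r} and {name!r}")
            seen.setdefault(prio, name)

    # A DNAT rule with "*" as source exposes the translated host to every source the firewall sees.
    for cname, _cprops, rule in _rules(props, "natRuleCollections"):
        if "*" in rule.get("sourceAddresses", []):
            target = rule.get("translatedAddress") or rule.get("translatedFqdn")
            findings.append(
                f"natRuleCollections/{cname}/{rule.get('name')}: DNAT to {target} accepts any source address"
            )

    # An Allow collection whose rule matches every destination is effectively a permit-all rule.
    for key, dest_field in (("networkRuleCollections", "destinationAddresses"),
                            ("applicationRuleCollections", "targetFqdns")):
        for cname, cprops, rule in _rules(props, key):
            if cprops.get("action", {}).get("type") == "Allow" and "*" in rule.get(dest_field, []):
                findings.append(f"{key}/{cname}/{rule.get('name')}: Allow rule with wildcard {dest_field}")

    # Assumption: the firewall must be deployed into the dedicated subnet named AzureFirewallSubnet.
    for ipc in props.get("ipConfigurations", []):
        subnet_id = ipc.get("properties", {}).get("subnet", {}).get("id", "")
        if not subnet_id.endswith("/subnets/AzureFirewallSubnet"):
            findings.append(f"ipConfigurations/{ipc.get('name')}: subnet is not AzureFirewallSubnet ({subnet_id!r})")

    return findings


# Constructed sample: a trimmed copy of the page's "Create Azure Firewall" request plus one
# extra Allow collection, so that each check above has something to report.
SAMPLE_BODY: dict[str, Any] = {
    "location": "West US",
    "properties": {
        "threatIntelMode": "Alert",
        "ipConfigurations": [{
            "name": "azureFirewallIpConfiguration",
            "properties": {"subnet": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/"
                                            "Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"}},
        }],
        "natRuleCollections": [{
            "name": "natrulecoll",
            "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [{
                "name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
                "destinationPorts": ["443"], "protocols": ["TCP"],
                "translatedAddress": "1.2.3.5", "translatedPort": "8443"}]},
        }],
        "networkRuleCollections": [
            {"name": "netrulecoll", "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [{
                "name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12"],
                "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]}]}},
            {"name": "allow-any", "properties": {"priority": 112, "action": {"type": "Allow"}, "rules": [{
                "name": "any-out", "sourceAddresses": ["10.0.0.0/8"],
                "destinationAddresses": ["*"], "destinationPorts": ["*"], "protocols": ["Any"]}]}},
        ],
    },
}


if __name__ == "__main__":
    for line in audit_firewall_body(SAMPLE_BODY):
        print("-", line)
```

Run against the sample body this reports four findings: the Alert-only threat-intelligence mode, the duplicated network collection priority, the DNAT rule open to any source, and the wildcard Allow rule.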
Responses

Name (type): Description

200 OK (AzureFirewall): Update successful. The operation returns the resulting AzureFirewall resource.
201 Created (AzureFirewall): Create successful. The operation returns the resulting AzureFirewall resource.
Other Status Codes (CloudError): Error response describing why the operation failed.
Security

azure_auth: Azure Active Directory OAuth2 Flow.
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

user_impersonation: impersonate your user account
Examples
Create Azure Firewall
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-05-01

```json
{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "zones": [],
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "properties": {
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ]
  }
}
```
Java

```java
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/** Samples for AzureFirewalls CreateOrUpdate. */
public final class Main {
    /*
     * x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPut.json
     */
    /**
     * Sample code: Create Azure Firewall.
     *
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void createAzureFirewall(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.networks().manager().serviceClient().getAzureFirewalls().createOrUpdate(
            "rg1",
            "azurefirewall",
            new AzureFirewallInner()
                .withLocation("West US")
                .withTags(mapOf("key1", "value1"))
                .withZones(Arrays.asList())
                .withApplicationRuleCollections(Arrays.asList(
                    new AzureFirewallApplicationRuleCollection()
                        .withName("apprulecoll")
                        .withPriority(110)
                        .withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
                        .withRules(Arrays.asList(
                            new AzureFirewallApplicationRule()
                                .withName("rule1")
                                .withDescription("Deny inbound rule")
                                .withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
                                .withProtocols(Arrays.asList(
                                    new AzureFirewallApplicationRuleProtocol()
                                        .withProtocolType(AzureFirewallApplicationRuleProtocolType.HTTPS)
                                        .withPort(443)))
                                .withTargetFqdns(Arrays.asList("www.test.com"))))))
                .withNatRuleCollections(Arrays.asList(
                    new AzureFirewallNatRuleCollection()
                        .withName("natrulecoll")
                        .withPriority(112)
                        .withAction(new AzureFirewallNatRCAction().withType(AzureFirewallNatRCActionType.DNAT))
                        .withRules(Arrays.asList(
                            new AzureFirewallNatRule()
                                .withName("DNAT-HTTPS-traffic")
                                .withDescription("D-NAT all outbound web traffic for inspection")
                                .withSourceAddresses(Arrays.asList("*"))
                                .withDestinationAddresses(Arrays.asList("1.2.3.4"))
                                .withDestinationPorts(Arrays.asList("443"))
                                .withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
                                .withTranslatedAddress("1.2.3.5")
                                .withTranslatedPort("8443"),
                            new AzureFirewallNatRule()
                                .withName("DNAT-HTTP-traffic-With-FQDN")
                                .withDescription("D-NAT all inbound web traffic for inspection")
                                .withSourceAddresses(Arrays.asList("*"))
                                .withDestinationAddresses(Arrays.asList("1.2.3.4"))
                                .withDestinationPorts(Arrays.asList("80"))
                                .withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
                                .withTranslatedPort("880")
                                .withTranslatedFqdn("internalhttpserver")))))
                .withNetworkRuleCollections(Arrays.asList(
                    new AzureFirewallNetworkRuleCollection()
                        .withName("netrulecoll")
                        .withPriority(112)
                        .withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
                        .withRules(Arrays.asList(
                            new AzureFirewallNetworkRule()
                                .withName("L4-traffic")
                                .withDescription("Block traffic based on source IPs and ports")
                                .withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
                                .withSourceAddresses(Arrays.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
                                .withDestinationAddresses(Arrays.asList("*"))
                                .withDestinationPorts(Arrays.asList("443-444", "8443")),
                            new AzureFirewallNetworkRule()
                                .withName("L4-traffic-with-FQDN")
                                .withDescription("Block traffic based on source IPs and ports to amazon")
                                .withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
                                .withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
                                .withDestinationPorts(Arrays.asList("443-444", "8443"))
                                .withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
                .withIpConfigurations(Arrays.asList(
                    new AzureFirewallIpConfiguration()
                        .withName("azureFirewallIpConfiguration")
                        .withSubnet(new SubResource().withId(
                            "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
                        .withPublicIpAddress(new SubResource().withId(
                            "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
                .withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
                .withSku(new AzureFirewallSku()
                    .withName(AzureFirewallSkuName.AZFW_VNET)
                    .withTier(AzureFirewallSkuTier.STANDARD)),
            com.azure.core.util.Context.NONE);
    }

    // Use "Map.of" if available
    @SuppressWarnings("unchecked")
    private static <T> Map<String, T> mapOf(Object... inputs) {
        Map<String, T> map = new HashMap<>();
        for (int i = 0; i < inputs.length; i += 2) {
            String key = (String) inputs[i];
            T value = (T) inputs[i + 1];
            map.put(key, value);
        }
        return map;
    }
}
```
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
Python

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python azure_firewall_put.py

    Before running the sample, set the client ID, tenant ID and client secret of the
    AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more information about how to obtain these values, see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subid",
    )

    response = client.azure_firewalls.begin_create_or_update(
        resource_group_name="rg1",
        azure_firewall_name="azurefirewall",
        parameters={
            "location": "West US",
            "properties": {
                "applicationRuleCollections": [
                    {
                        "name": "apprulecoll",
                        "properties": {
                            "action": {"type": "Deny"},
                            "priority": 110,
                            "rules": [
                                {
                                    "description": "Deny inbound rule",
                                    "name": "rule1",
                                    "protocols": [{"port": 443, "protocolType": "Https"}],
                                    "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
                                    "targetFqdns": ["www.test.com"],
                                }
                            ],
                        },
                    }
                ],
                "ipConfigurations": [
                    {
                        "name": "azureFirewallIpConfiguration",
                        "properties": {
                            "publicIPAddress": {
                                "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
                            },
                            "subnet": {
                                "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
                            },
                        },
                    }
                ],
                "natRuleCollections": [
                    {
                        "name": "natrulecoll",
                        "properties": {
                            "action": {"type": "Dnat"},
                            "priority": 112,
                            "rules": [
                                {
                                    "description": "D-NAT all outbound web traffic for inspection",
                                    "destinationAddresses": ["1.2.3.4"],
                                    "destinationPorts": ["443"],
                                    "name": "DNAT-HTTPS-traffic",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["*"],
                                    "translatedAddress": "1.2.3.5",
                                    "translatedPort": "8443",
                                },
                                {
                                    "description": "D-NAT all inbound web traffic for inspection",
                                    "destinationAddresses": ["1.2.3.4"],
                                    "destinationPorts": ["80"],
                                    "name": "DNAT-HTTP-traffic-With-FQDN",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["*"],
                                    "translatedFqdn": "internalhttpserver",
                                    "translatedPort": "880",
                                },
                            ],
                        },
                    }
                ],
                "networkRuleCollections": [
                    {
                        "name": "netrulecoll",
                        "properties": {
                            "action": {"type": "Deny"},
                            "priority": 112,
                            "rules": [
                                {
                                    "description": "Block traffic based on source IPs and ports",
                                    "destinationAddresses": ["*"],
                                    "destinationPorts": ["443-444", "8443"],
                                    "name": "L4-traffic",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                                },
                                {
                                    "description": "Block traffic based on source IPs and ports to amazon",
                                    "destinationFqdns": ["www.amazon.com"],
                                    "destinationPorts": ["443-444", "8443"],
                                    "name": "L4-traffic-with-FQDN",
                                    "protocols": ["TCP"],
                                    "sourceAddresses": ["10.2.4.12-10.2.4.255"],
                                },
                            ],
                        },
                    }
                ],
                "sku": {"name": "AZFW_VNet", "tier": "Standard"},
                "threatIntelMode": "Alert",
            },
            "tags": {"key1": "value1"},
            "zones": [],
        },
    ).result()
    print(response)


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPut.json
if __name__ == "__main__":
    main()
```
Go

```go
package armnetwork_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/80c21c17b4a7aa57f637ee594f7cfd653255a7e0/specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPut.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewall() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
		Location: to.Ptr("West US"),
		Tags: map[string]*string{
			"key1": to.Ptr("value1"),
		},
		Properties: &armnetwork.AzureFirewallPropertiesFormat{
			ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
				{
					Name: to.Ptr("apprulecoll"),
					Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
						Action: &armnetwork.AzureFirewallRCAction{
							Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
						},
						Priority: to.Ptr[int32](110),
						Rules: []*armnetwork.AzureFirewallApplicationRule{
							{
								Name:        to.Ptr("rule1"),
								Description: to.Ptr("Deny inbound rule"),
								Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
									{
										Port:         to.Ptr[int32](443),
										ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
									}},
								SourceAddresses: []*string{
									to.Ptr("216.58.216.164"),
									to.Ptr("10.0.0.0/24")},
								TargetFqdns: []*string{
									to.Ptr("www.test.com")},
							}},
					},
				}},
			IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
				{
					Name: to.Ptr("azureFirewallIpConfiguration"),
					Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
						PublicIPAddress: &armnetwork.SubResource{
							ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
						},
						Subnet: &armnetwork.SubResource{
							ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
						},
					},
				}},
			NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
				{
					Name: to.Ptr("natrulecoll"),
					Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
						Action: &armnetwork.AzureFirewallNatRCAction{
							Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
						},
						Priority: to.Ptr[int32](112),
						Rules: []*armnetwork.AzureFirewallNatRule{
							{
								Name:        to.Ptr("DNAT-HTTPS-traffic"),
								Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
								DestinationAddresses: []*string{
									to.Ptr("1.2.3.4")},
								DestinationPorts: []*string{
									to.Ptr("443")},
								Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
									to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
								SourceAddresses: []*string{
									to.Ptr("*")},
								TranslatedAddress: to.Ptr("1.2.3.5"),
								TranslatedPort:    to.Ptr("8443"),
							},
							{
								Name:        to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
								Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
								DestinationAddresses: []*string{
									to.Ptr("1.2.3.4")},
								DestinationPorts: []*string{
									to.Ptr("80")},
								Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
									to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
								SourceAddresses: []*string{
									to.Ptr("*")},
								TranslatedFqdn: to.Ptr("internalhttpserver"),
								TranslatedPort: to.Ptr("880"),
							}},
					},
				}},
			NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
				{
					Name: to.Ptr("netrulecoll"),
					Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
						Action: &armnetwork.AzureFirewallRCAction{
							Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
						},
						Priority: to.Ptr[int32](112),
						Rules: []*armnetwork.AzureFirewallNetworkRule{
							{
								Name:        to.Ptr("L4-traffic"),
								Description: to.Ptr("Block traffic based on source IPs and ports"),
								DestinationAddresses: []*string{
									to.Ptr("*")},
								DestinationPorts: []*string{
									to.Ptr("443-444"),
									to.Ptr("8443")},
								Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
									to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
								SourceAddresses: []*string{
									to.Ptr("192.168.1.1-192.168.1.12"),
									to.Ptr("10.1.4.12-10.1.4.255")},
							},
							{
								Name:        to.Ptr("L4-traffic-with-FQDN"),
								Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
								DestinationFqdns: []*string{
									to.Ptr("www.amazon.com")},
								DestinationPorts: []*string{
									to.Ptr("443-444"),
									to.Ptr("8443")},
								Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
									to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
								SourceAddresses: []*string{
									to.Ptr("10.2.4.12-10.2.4.255")},
							}},
					},
				}},
			SKU: &armnetwork.AzureFirewallSKU{
				Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
				Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
			},
			ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
		},
		Zones: []*string{},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	res, err := poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.AzureFirewall = armnetwork.AzureFirewall{
	// 	Name: to.Ptr("azurefirewall"),
	// 	Type: to.Ptr("Microsoft.Network/azureFirewalls"),
	// 	ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
	// 	Location: to.Ptr("West US"),
	// 	Tags: map[string]*string{
	// 		"key1": to.Ptr("value1"),
	// 	},
	// 	Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
	// 	Properties: &armnetwork.AzureFirewallPropertiesFormat{
	// 		AdditionalProperties: map[string]*string{
	// 		},
	// 		ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
	// 			{
	// 				Name: to.Ptr("apprulecoll"),
	// 				Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
	// 					Action: &armnetwork.AzureFirewallRCAction{
	// 						Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
	// 					},
	// 					Priority: to.Ptr[int32](110),
	// 					Rules: []*armnetwork.AzureFirewallApplicationRule{
	// 						{
	// 							Name: to.Ptr("rule1"),
	// 							Description: to.Ptr("Deny inbound rule"),
	// 							Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
	// 								{
	// 									Port: to.Ptr[int32](443),
	// 									ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
	// 								}},
	// 							SourceAddresses: []*string{
	// 								to.Ptr("216.58.216.164"),
	// 								to.Ptr("10.0.0.0/24")},
	// 							TargetFqdns: []*string{
	// 								to.Ptr("www.test.com")},
	// 						}},
	// 				},
	// 			}},
	// 		IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
	// 			{
	// 				ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
	// 				Name: to.Ptr("azureFirewallIpConfiguration"),
	// 				Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
	// 				Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
	// 					PrivateIPAddress: to.Ptr("10.0.0.0"),
	// 					ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
	// 					PublicIPAddress: &armnetwork.SubResource{
	// 						ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
	// 					},
	// 					Subnet: &armnetwork.SubResource{
	// 						ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
	// 					},
	// 				},
	// 			}},
	// 		IPGroups: []*armnetwork.AzureFirewallIPGroups{
	// 		},
	// 		NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
	// 			{
	// 				Name: to.Ptr("natrulecoll"),
	// 				Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
	// 					Action: &armnetwork.AzureFirewallNatRCAction{
	// 						Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
	// 					},
	// 					Priority: to.Ptr[int32](112),
	// 					Rules: []*armnetwork.AzureFirewallNatRule{
	// 						{
	// 							Name: to.Ptr("DNAT-HTTPS-traffic"),
	// 							Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
	// 							DestinationAddresses: []*string{
	// 								to.Ptr("1.2.3.4")},
	// 							DestinationPorts: []*string{
	// 								to.Ptr("443")},
	// 							Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
	// 								to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
	// 							SourceAddresses: []*string{
	// 								to.Ptr("*")},
	// 							TranslatedAddress: to.Ptr("1.2.3.5"),
	// 							TranslatedPort: to.Ptr("8443"),
	// 						},
	// 						{
	// 							Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
	// 							Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
	// 							DestinationAddresses: []*string{
	// 								to.Ptr("1.2.3.4")},
	// 							DestinationPorts: []*string{
	// 								to.Ptr("80")},
	// 							Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
	// 								to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
	// 							SourceAddresses: []*string{
	// 								to.Ptr("*")},
	// 							TranslatedFqdn: to.Ptr("internalhttpserver"),
	// 							TranslatedPort: to.Ptr("880"),
	// 						}},
	// 				},
	// 			}},
	// 		NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
	// 			{
	// 				Name: to.Ptr("netrulecoll"),
	// 				Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
	// 					Action: &armnetwork.AzureFirewallRCAction{
	// 						Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
	// 					},
	// 					Priority: to.Ptr[int32](112),
	// 					Rules: []*armnetwork.AzureFirewallNetworkRule{
	// 						{
	// 							Name: to.Ptr("L4-traffic"),
	// 							Description: to.Ptr("Block traffic based on source IPs and ports"),
	// 							DestinationAddresses: []*string{
	// 								to.Ptr("*")},
	// 							DestinationPorts: []*string{
	// 								to.Ptr("443-444"),
	// 								to.Ptr("8443")},
	// 							Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
	// 								to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
	// 							SourceAddresses: []*string{
	// 								to.Ptr("192.168.1.1-192.168.1.12"),
	// 								to.Ptr("10.1.4.12-10.1.4.255")},
	// 						},
	// 						{
	// 							Name: to.Ptr("L4-traffic-with-FQDN"),
	// 							Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
	// 							DestinationFqdns: []*string{
	// 								to.Ptr("www.amazon.com")},
	// 							DestinationPorts: []*string{
	// 								to.Ptr("443-444"),
	// 								to.Ptr("8443")},
	// 							Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
	// 								to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
	// 							SourceAddresses: []*string{
	// 								to.Ptr("10.2.4.12-10.2.4.255")},
	// 						}},
	// 				},
	// 			}},
	// 		ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
	// 		SKU: &armnetwork.AzureFirewallSKU{
	// 			Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
	// 			Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
	// 		},
	// 		ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
	// 	},
	// 	Zones: []*string{
	// 	},
	// }
}
```
JavaScript

```javascript
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Creates or updates the specified Azure Firewall.
 *
 * @summary Creates or updates the specified Azure Firewall.
 * x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPut.json
 */
async function createAzureFirewall() {
  const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
  const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
  const azureFirewallName = "azurefirewall";
  const parameters = {
    applicationRuleCollections: [
      {
        name: "apprulecoll",
        action: { type: "Deny" },
        priority: 110,
        rules: [
          {
            name: "rule1",
            description: "Deny inbound rule",
            protocols: [{ port: 443, protocolType: "Https" }],
            sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
            targetFqdns: ["www.test.com"],
          },
        ],
      },
    ],
    ipConfigurations: [
      {
        name: "azureFirewallIpConfiguration",
        publicIPAddress: {
          id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        subnet: {
          id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
      },
    ],
    location: "West US",
    natRuleCollections: [
      {
        name: "natrulecoll",
        action: { type: "Dnat" },
        priority: 112,
        rules: [
          {
            name: "DNAT-HTTPS-traffic",
            description: "D-NAT all outbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["443"],
            protocols: ["TCP"],
            sourceAddresses: ["*"],
            translatedAddress: "1.2.3.5",
            translatedPort: "8443",
          },
          {
            name: "DNAT-HTTP-traffic-With-FQDN",
            description: "D-NAT all inbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["80"],
            protocols: ["TCP"],
            sourceAddresses: ["*"],
            translatedFqdn: "internalhttpserver",
            translatedPort: "880",
          },
        ],
      },
    ],
    networkRuleCollections: [
      {
        name: "netrulecoll",
        action: { type: "Deny" },
        priority: 112,
        rules: [
          {
            name: "L4-traffic",
            description: "Block traffic based on source IPs and ports",
            destinationAddresses: ["*"],
            destinationPorts: ["443-444", "8443"],
            protocols: ["TCP"],
            sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
          },
          {
            name: "L4-traffic-with-FQDN",
            description: "Block traffic based on source IPs and ports to amazon",
            destinationFqdns: ["www.amazon.com"],
            destinationPorts: ["443-444", "8443"],
            protocols: ["TCP"],
            sourceAddresses: ["10.2.4.12-10.2.4.255"],
          },
        ],
      },
    ],
    sku: { name: "AZFW_VNet", tier: "Standard" },
    tags: { key1: "value1" },
    threatIntelMode: "Alert",
    zones: [],
  };
  const credential = new DefaultAzureCredential();
  const client = new NetworkManagementClient(credential, subscriptionId);
  const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
    resourceGroupName,
    azureFirewallName,
    parameters
  );
  console.log(result);
}
```
.NET (C#)

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;

// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPut.json
// This example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources
// (resource group, virtual network, subnet, public IP) have to be created separately.

// Get your Azure access token. For details of how the Azure SDK obtains it, see
// https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// Authenticate your client.
ArmClient client = new ArmClient(cred);

// This example assumes you already have this ResourceGroupResource created on Azure.
// For more information on creating a ResourceGroupResource, refer to the documentation of ResourceGroupResource.
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);

// Get the collection of this AzureFirewallResource.
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();

// Invoke the operation.
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
    Zones =
    {
    },
    ApplicationRuleCollections =
    {
        new AzureFirewallApplicationRuleCollectionData()
        {
            Priority = 110,
            ActionType = AzureFirewallRCActionType.Deny,
            Rules =
            {
                new AzureFirewallApplicationRule()
                {
                    Name = "rule1",
                    Description = "Deny inbound rule",
                    SourceAddresses =
                    {
                        "216.58.216.164", "10.0.0.0/24"
                    },
                    Protocols =
                    {
                        new AzureFirewallApplicationRuleProtocol()
                        {
                            ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
                            Port = 443,
                        }
                    },
                    TargetFqdns =
                    {
                        "www.test.com"
                    },
                }
            },
            Name = "apprulecoll",
        }
    },
    NatRuleCollections =
    {
        new AzureFirewallNatRuleCollectionData()
        {
            Priority = 112,
            ActionType = AzureFirewallNatRCActionType.Dnat,
            Rules =
            {
                new AzureFirewallNatRule()
                {
                    Name = "DNAT-HTTPS-traffic",
                    Description = "D-NAT all outbound web traffic for inspection",
                    SourceAddresses =
                    {
                        "*"
                    },
                    DestinationAddresses =
                    {
                        "1.2.3.4"
                    },
                    DestinationPorts =
                    {
                        "443"
                    },
                    Protocols =
                    {
                        AzureFirewallNetworkRuleProtocol.Tcp
                    },
                    TranslatedAddress = "1.2.3.5",
                    TranslatedPort = "8443",
                },
                new AzureFirewallNatRule()
                {
                    Name = "DNAT-HTTP-traffic-With-FQDN",
                    Description = "D-NAT all inbound web traffic for inspection",
                    SourceAddresses =
                    {
                        "*"
                    },
                    DestinationAddresses =
                    {
                        "1.2.3.4"
                    },
                    DestinationPorts =
                    {
                        "80"
                    },
                    Protocols =
                    {
                        AzureFirewallNetworkRuleProtocol.Tcp
                    },
                    TranslatedPort = "880",
                    TranslatedFqdn = "internalhttpserver",
                }
            },
            Name = "natrulecoll",
        }
    },
    NetworkRuleCollections =
    {
        new AzureFirewallNetworkRuleCollectionData()
        {
            Priority = 112,
            ActionType = AzureFirewallRCActionType.Deny,
            Rules =
            {
                new AzureFirewallNetworkRule()
                {
                    Name = "L4-traffic",
                    Description = "Block traffic based on source IPs and ports",
                    Protocols =
                    {
                        AzureFirewallNetworkRuleProtocol.Tcp
                    },
                    SourceAddresses =
                    {
                        "192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"
                    },
                    DestinationAddresses =
                    {
                        "*"
                    },
                    DestinationPorts =
                    {
                        "443-444", "8443"
                    },
                },
                new AzureFirewallNetworkRule()
                {
                    Name = "L4-traffic-with-FQDN",
                    Description = "Block traffic based on source IPs and ports to amazon",
                    Protocols =
                    {
                        AzureFirewallNetworkRuleProtocol.Tcp
                    },
                    SourceAddresses =
                    {
                        "10.2.4.12-10.2.4.255"
                    },
                    DestinationPorts =
                    {
                        "443-444", "8443"
                    },
                    DestinationFqdns =
                    {
                        "www.amazon.com"
                    },
                }
            },
            Name = "netrulecoll",
        }
    },
    IPConfigurations =
    {
        new AzureFirewallIPConfiguration()
        {
            SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
            PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
            Name = "azureFirewallIpConfiguration",
        }
    },
    ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
    Sku = new AzureFirewallSku()
    {
        Name = AzureFirewallSkuName.AzfwVnet,
        Tier = AzureFirewallSkuTier.Standard,
    },
    Location = new AzureLocation("West US"),
    Tags =
    {
        ["key1"] = "value1",
    },
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;

// The variable result is a resource; you could call other operations on this instance as well,
// but for the demo we just read its data from the resource instance.
AzureFirewallData resourceData = result.Data;
// For the demo we just print out the id.
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
```
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"ipGroups": [],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {}
}
}
Create Azure Firewall in virtual Hub
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-05-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_Hub",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {
"publicIPs": {
"addresses": [],
"count": 1
}
}
}
}
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import com.azure.resourcemanager.network.models.HubIpAddresses;
import com.azure.resourcemanager.network.models.HubPublicIpAddresses;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/** Samples for AzureFirewalls CreateOrUpdate. */
public final class Main {
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutInHub.json
*/
/**
* Sample code: Create Azure Firewall in virtual Hub.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallInVirtualHub(com.azure.resourcemanager.AzureResourceManager azure) {
azure
.networks()
.manager()
.serviceClient()
.getAzureFirewalls()
.createOrUpdate(
"rg1",
"azurefirewall",
new AzureFirewallInner()
.withLocation("West US")
.withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withVirtualHub(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"))
.withFirewallPolicy(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"))
.withHubIpAddresses(
new HubIpAddresses()
.withPublicIPs(new HubPublicIpAddresses().withAddresses(Arrays.asList()).withCount(1)))
.withSku(
new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_HUB)
.withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_in_hub.py
Before running the sample, set the values of the client ID, tenant ID and client secret
of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
AZURE_CLIENT_SECRET. For more information about how to get these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US",
"properties": {
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {"publicIPs": {"addresses": [], "count": 1}},
"sku": {"name": "AZFW_Hub", "tier": "Standard"},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
},
"tags": {"key1": "value1"},
"zones": [],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutInHub.json
if __name__ == "__main__":
main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/80c21c17b4a7aa57f637ee594f7cfd653255a7e0/specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutInHub.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallInVirtualHub() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
FirewallPolicy: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
},
HubIPAddresses: &armnetwork.HubIPAddresses{
PublicIPs: &armnetwork.HubPublicIPAddresses{
Addresses: []*armnetwork.AzureFirewallPublicIPAddress{},
Count: to.Ptr[int32](1),
},
},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWHub),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
VirtualHub: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
},
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll the result: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// FirewallPolicy: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
// },
// HubIPAddresses: &armnetwork.HubIPAddresses{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// PublicIPs: &armnetwork.HubPublicIPAddresses{
// Addresses: []*armnetwork.AzureFirewallPublicIPAddress{
// {
// Address: to.Ptr("13.73.240.12"),
// }},
// Count: to.Ptr[int32](1),
// },
// },
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWHub),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// VirtualHub: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
// },
// },
// Zones: []*string{
// },
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutInHub.json
*/
async function createAzureFirewallInVirtualHub() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
firewallPolicy: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
},
hubIPAddresses: { publicIPs: { addresses: [], count: 1 } },
location: "West US",
sku: { name: "AZFW_Hub", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
virtualHub: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
},
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters
);
console.log(result);
}
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutInHub.json
// this example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources it references by ID have to be created separately.
// get your Azure access token; for details on how the Azure SDK obtains it, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
VirtualHubId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
FirewallPolicyId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
HubIPAddresses = new HubIPAddresses()
{
PublicIPs = new HubPublicIPAddresses()
{
Addresses =
{
},
Count = 1,
},
},
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwHub,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
AzureFirewallData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_Hub",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {
"publicIPs": {
"addresses": [
{
"address": "13.73.240.12"
}
],
"count": 1
},
"privateIPAddress": "10.0.0.0"
},
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_Hub",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"virtualHub": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
},
"firewallPolicy": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
},
"hubIPAddresses": {
"publicIPs": {
"addresses": [
{
"address": "13.73.240.12"
}
],
"count": 1
},
"privateIPAddress": "10.0.0.0"
},
"ipGroups": [],
"additionalProperties": {}
}
}
Create Azure Firewall With Additional Properties
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-05-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"ipGroups": [],
"additionalProperties": {
"key1": "value1",
"key2": "value2"
}
}
}
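As an added example that is not part of this reference page or of the Azure SDK samples, the following Python module runs static checks over a request body in the shape shown above (the `properties.threatIntelMode`, `ipConfigurations`, `natRuleCollections` and `networkRuleCollections` fields) before it is handed to `begin_create_or_update`. The names `lint_firewall` and `harden`, the constructed `SAMPLE_REQUEST` (a trimmed copy of the request body above) and the 100-65000 priority range used as a bound are assumptions of this example. The checks encode what a reviewer would raise against this body: threat intelligence in Alert mode only logs matches, a DNAT rule whose `sourceAddresses` is "*" publishes the translated backend to every source, an Allow network rule to any address on any port is an any/any hole, and the firewall's data-plane subnet must be named AzureFirewallSubnet.

```python
import copy
from typing import Any, Dict, Iterator, List, Tuple

# Assumed bound for classic rule-collection priorities (see lead-in).
PRIORITY_MIN, PRIORITY_MAX = 100, 65000


def _collections(props: Dict[str, Any], kind: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (collection name, collection properties) for one rule-collection kind."""
    for coll in props.get(kind, []):
        yield coll.get("name", "?"), coll.get("properties", {})


def lint_firewall(body: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for an Azure Firewall create-or-update request body."""
    findings: List[str] = []
    props = body.get("properties", {})

    # Threat intelligence blocks known-bad IPs/FQDNs only in Deny mode; Alert logs, Off ignores.
    mode = props.get("threatIntelMode", "Off")
    if mode != "Deny":
        findings.append(f"threatIntelMode={mode}: threat-intelligence matches are not blocked")

    # The data-plane IP configuration must live in the dedicated AzureFirewallSubnet.
    for ipc in props.get("ipConfigurations", []):
        subnet_id = ipc.get("properties", {}).get("subnet", {}).get("id", "")
        if not subnet_id.endswith("/subnets/AzureFirewallSubnet"):
            findings.append(f"ipConfiguration {ipc.get('name', '?')}: subnet is not AzureFirewallSubnet ({subnet_id!r})")

    # Every classic rule collection needs an integer priority inside the assumed range.
    for kind in ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections"):
        for name, cprops in _collections(props, kind):
            prio = cprops.get("priority")
            if not isinstance(prio, int) or not PRIORITY_MIN <= prio <= PRIORITY_MAX:
                findings.append(f"{kind}/{name}: priority {prio!r} outside {PRIORITY_MIN}-{PRIORITY_MAX}")

    # A DNAT rule with sourceAddresses "*" exposes the translated backend to every source.
    for name, cprops in _collections(props, "natRuleCollections"):
        for rule in cprops.get("rules", []):
            if "*" in rule.get("sourceAddresses", []):
                backend = rule.get("translatedFqdn") or rule.get("translatedAddress", "?")
                findings.append(
                    f"natRuleCollections/{name}/{rule.get('name', '?')}: sourceAddresses '*' "
                    f"exposes {backend}:{rule.get('translatedPort', '?')} to any source"
                )

    # An Allow network rule to "*" addresses on "*" ports is any/any; Deny collections are fine as-is.
    for name, cprops in _collections(props, "networkRuleCollections"):
        if cprops.get("action", {}).get("type") != "Allow":
            continue
        for rule in cprops.get("rules", []):
            if "*" in rule.get("destinationAddresses", []) and "*" in rule.get("destinationPorts", []):
                findings.append(f"networkRuleCollections/{name}/{rule.get('name', '?')}: Allow any destination on any port")

    return findings


def harden(body: Dict[str, Any], allowed_sources: List[str]) -> Dict[str, Any]:
    """Return a deep copy with threat intelligence set to Deny and wildcard DNAT sources replaced."""
    fixed = copy.deepcopy(body)
    props = fixed.setdefault("properties", {})
    props["threatIntelMode"] = "Deny"
    for _, cprops in _collections(props, "natRuleCollections"):
        for rule in cprops.get("rules", []):
            if "*" in rule.get("sourceAddresses", []):
                rule["sourceAddresses"] = list(allowed_sources)
    return fixed


# Constructed input: the rule-bearing parts of the request body shown in this page's samples.
SAMPLE_REQUEST: Dict[str, Any] = {
    "location": "West US",
    "properties": {
        "sku": {"name": "AZFW_VNet", "tier": "Standard"},
        "threatIntelMode": "Alert",
        "ipConfigurations": [{
            "name": "azureFirewallIpConfiguration",
            "properties": {"subnet": {"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"}},
        }],
        "natRuleCollections": [{
            "name": "natrulecoll",
            "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [
                {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
                 "destinationPorts": ["443"], "protocols": ["TCP"], "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
                {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
                 "destinationPorts": ["80"], "protocols": ["TCP"], "translatedFqdn": "internalhttpserver", "translatedPort": "880"},
            ]},
        }],
        "networkRuleCollections": [{
            "name": "netrulecoll",
            "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [
                {"name": "L4-traffic", "protocols": ["TCP"], "sourceAddresses": ["192.168.1.1-192.168.1.12"],
                 "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"]},
            ]},
        }],
    },
}

if __name__ == "__main__":
    for finding in lint_firewall(SAMPLE_REQUEST):
        print("FINDING:", finding)
    print("after harden():", lint_firewall(harden(SAMPLE_REQUEST, ["10.0.0.0/24"])))
```

Run against the constructed body, `lint_firewall` reports the Alert-mode threat intelligence and both wildcard-source DNAT rules; the Deny network collection with destination "*" is left alone because a broad deny is not a hole. `harden` is deliberately narrow: it only changes the two settings the linter can fix mechanically and takes the replacement source list from the caller, since the right set of allowed sources is a design decision, not something a script should guess.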
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/** Samples for AzureFirewalls CreateOrUpdate. */
public final class Main {
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithAdditionalProperties.json
*/
/**
* Sample code: Create Azure Firewall With Additional Properties.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithAdditionalProperties(
com.azure.resourcemanager.AzureResourceManager azure) {
azure
.networks()
.manager()
.serviceClient()
.getAzureFirewalls()
.createOrUpdate(
"rg1",
"azurefirewall",
new AzureFirewallInner()
.withLocation("West US")
.withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(
Arrays
.asList(
new AzureFirewallApplicationRuleCollection()
.withName("apprulecoll")
.withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallApplicationRule()
.withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(
Arrays
.asList(
new AzureFirewallApplicationRuleProtocol()
.withProtocolType(
AzureFirewallApplicationRuleProtocolType.HTTPS)
.withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection()
.withName("natrulecoll")
.withPriority(112)
.withAction(
new AzureFirewallNatRCAction().withType(AzureFirewallNatRCActionType.DNAT))
.withRules(
Arrays
.asList(
new AzureFirewallNatRule()
.withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5")
.withTranslatedPort("8443"),
new AzureFirewallNatRule()
.withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880")
.withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays
.asList(
new AzureFirewallNetworkRuleCollection()
.withName("netrulecoll")
.withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallNetworkRule()
.withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays
.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule()
.withName("L4-traffic-with-FQDN")
.withDescription(
"Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(
Arrays
.asList(
new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withSku(
new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET)
.withTier(AzureFirewallSkuTier.STANDARD))
.withAdditionalProperties(mapOf("key1", "fakeTokenPlaceholder", "key2", "fakeTokenPlaceholder")),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_with_additional_properties.py
Before running the sample, set the values of the client ID, tenant ID and client secret
of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
AZURE_CLIENT_SECRET. For more information about how to get these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US",
"properties": {
"additionalProperties": {"key1": "value1", "key2": "value2"},
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 110,
"rules": [
{
"description": "Deny inbound rule",
"name": "rule1",
"protocols": [{"port": 443, "protocolType": "Https"}],
"sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
"targetFqdns": ["www.test.com"],
}
],
},
}
],
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
},
}
],
"ipGroups": [],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"action": {"type": "Dnat"},
"priority": 112,
"rules": [
{
"description": "D-NAT all outbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["443"],
"name": "DNAT-HTTPS-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443",
},
{
"description": "D-NAT all inbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["80"],
"name": "DNAT-HTTP-traffic-With-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880",
},
],
},
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 112,
"rules": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": ["*"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
"description": "Block traffic based on source IPs and ports to amazon",
"destinationFqdns": ["www.amazon.com"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic-with-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["10.2.4.12-10.2.4.255"],
},
],
},
}
],
"sku": {"name": "AZFW_VNet", "tier": "Standard"},
"threatIntelMode": "Alert",
},
"tags": {"key1": "value1"},
"zones": [],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithAdditionalProperties.json
if __name__ == "__main__":
main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/80c21c17b4a7aa57f637ee594f7cfd653255a7e0/specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithAdditionalProperties.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithAdditionalProperties() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
AdditionalProperties: map[string]*string{
"key1": to.Ptr("value1"),
"key2": to.Ptr("value2"),
},
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
IPGroups: []*armnetwork.AzureFirewallIPGroups{},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll the result: %v", err)
}
// The response can be used here; a blank identifier is used for demo purposes only.
_ = res
// If the HTTP response code is 200 as defined in the example definition, the response structure looks as follows. Note that all values in the output are fake values for demo purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// "key1": to.Ptr("value1"),
// "key2": to.Ptr("value2"),
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// },
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithAdditionalProperties.json
*/
async function createAzureFirewallWithAdditionalProperties() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
additionalProperties: { key1: "value1", key2: "value2" },
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
ipGroups: [],
location: "West US",
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters
);
console.log(result);
}
// Run the sample and surface any failure (authentication, validation or deployment error) on stderr.
createAzureFirewallWithAdditionalProperties().catch(console.error);
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithAdditionalProperties.json
// This example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources (subnet, public IP) have to be created separately.
// Get your Azure access token. For details of how the Azure SDK obtains your access token, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// This example assumes the ResourceGroupResource already exists in Azure.
// For information on creating a ResourceGroupResource, see the ResourceGroupResource documentation.
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
AdditionalProperties =
{
["key1"] = "value1",
["key2"] = "value2",
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// The variable result is a resource; other operations can be called on this instance as well.
// For the demo, we only read its data from the resource instance.
AzureFirewallData resourceData = result.Data;
// For the demo, we just print the id.
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"additionalProperties": {
"key1": "value1",
"key2": "value2"
}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {
"key1": "value1",
"key2": "value2"
}
}
}
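The request bodies on this page are templates that a reviewer will copy and adapt, so it is worth checking them before they are sent. The following is an added example, not code from the Azure documentation or SDK: a pre-flight review of a PUT body in the shape shown above. It flags a `threatIntelMode` other than `Deny` (hits are only logged), DNAT rules whose `sourceAddresses` contain `"*"` (the translated host is reachable from any source through the firewall's public IP), rules without any source, Allow rules to any destination on any port, and two rule collections of the same type sharing a priority. `SAMPLE_BODY`, `audit_firewall` and `harden` are names introduced here; the body is constructed from this page's sample values and trimmed to the fields the checks read.

```python
"""Pre-flight review of an Azure Firewall PUT body (added example, not Azure's own code)."""
import copy
from typing import Any

# Constructed sample body in the PUT shape used on this page, trimmed to the
# parts the checks look at; the addresses are this page's placeholders.
SAMPLE_BODY: dict[str, Any] = {
    "location": "West US",
    "properties": {
        "threatIntelMode": "Alert",
        "sku": {"name": "AZFW_VNet", "tier": "Standard"},
        "natRuleCollections": [{
            "name": "natrulecoll",
            "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [{
                "name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"],
                "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["443"],
                "protocols": ["TCP"], "translatedAddress": "1.2.3.5", "translatedPort": "8443",
            }]},
        }],
        "networkRuleCollections": [{
            "name": "netrulecoll",
            "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [{
                "name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12"],
                "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"],
                "protocols": ["TCP"],
            }]},
        }],
        "applicationRuleCollections": [{
            "name": "apprulecoll",
            "properties": {"priority": 110, "action": {"type": "Deny"}, "rules": [{
                "name": "rule1", "sourceAddresses": ["10.0.0.0/24"],
                "protocols": [{"port": 443, "protocolType": "Https"}],
                "targetFqdns": ["www.test.com"],
            }]},
        }],
    },
}

RULE_KINDS = ("natRuleCollections", "networkRuleCollections", "applicationRuleCollections")


def audit_firewall(body: dict[str, Any]) -> list[str]:
    """Return human-readable findings for a PUT body; an empty list means nothing was flagged."""
    findings: list[str] = []
    props = body.get("properties", {})

    # "Alert" only logs hits against the threat-intelligence feed; "Deny" also blocks them.
    mode = props.get("threatIntelMode", "Alert")
    if mode != "Deny":
        findings.append(f"threatIntelMode is {mode!r}: hits are logged but not blocked")

    for kind in RULE_KINDS:
        seen_priorities: dict[Any, str] = {}
        for coll in props.get(kind, []):
            cname = coll.get("name", "?")
            cprops = coll.get("properties", {})
            prio = cprops.get("priority")
            if prio in seen_priorities:
                findings.append(f"{kind}: {cname} and {seen_priorities[prio]} share priority {prio}")
            seen_priorities[prio] = cname
            action = cprops.get("action", {}).get("type")
            for rule in cprops.get("rules", []):
                rname = f"{kind}/{cname}/{rule.get('name', '?')}"
                sources = rule.get("sourceAddresses", []) + rule.get("sourceIpGroups", [])
                if not sources:
                    findings.append(f"{rname}: no sourceAddresses or sourceIpGroups")
                # A DNAT rule publishes an internal host on the firewall's public IP;
                # a wildcard source publishes it to every address that can reach that IP.
                if kind == "natRuleCollections" and "*" in sources:
                    findings.append(f"{rname}: DNAT rule accepts traffic from any source ('*')")
                # An Allow rule with wildcard destination and ports is effectively allow-all.
                if action == "Allow" and "*" in rule.get("destinationAddresses", []) \
                        and "*" in rule.get("destinationPorts", []):
                    findings.append(f"{rname}: Allow rule to any destination on any port")
    return findings


def harden(body: dict[str, Any], trusted_sources: list[str]) -> dict[str, Any]:
    """Return a copy with threat intel set to Deny and DNAT wildcard sources replaced."""
    fixed = copy.deepcopy(body)  # never mutate the caller's body
    fixed["properties"]["threatIntelMode"] = "Deny"
    for coll in fixed["properties"].get("natRuleCollections", []):
        for rule in coll["properties"].get("rules", []):
            if "*" in rule.get("sourceAddresses", []):
                rule["sourceAddresses"] = list(trusted_sources)
    return fixed


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_BODY):
        print("FINDING:", finding)
    # 203.0.113.0/24 is a documentation range (RFC 5737), used here as a constructed trusted source.
    print("after hardening:", audit_firewall(harden(SAMPLE_BODY, ["203.0.113.0/24"])))
```

Run against the sample body, the audit reports the `Alert` threat-intelligence mode and the `"*"` source on the DNAT rule; after `harden` replaces the wildcard with an explicit source range and switches the mode to `Deny`, it reports nothing. The same walk works for any body in this PUT shape, since it only reads the `properties.*RuleCollections` lists documented in the request body table.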
Create Azure Firewall With IpGroups
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-05-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
]
}
}
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/** Samples for AzureFirewalls CreateOrUpdate. */
public final class Main {
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithIpGroups.json
*/
/**
* Sample code: Create Azure Firewall With IpGroups.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithIpGroups(com.azure.resourcemanager.AzureResourceManager azure) {
azure
.networks()
.manager()
.serviceClient()
.getAzureFirewalls()
.createOrUpdate(
"rg1",
"azurefirewall",
new AzureFirewallInner()
.withLocation("West US")
.withTags(mapOf("key1", "fakeTokenPlaceholder"))
.withZones(Arrays.asList())
.withApplicationRuleCollections(
Arrays
.asList(
new AzureFirewallApplicationRuleCollection()
.withName("apprulecoll")
.withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallApplicationRule()
.withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(
Arrays
.asList(
new AzureFirewallApplicationRuleProtocol()
.withProtocolType(
AzureFirewallApplicationRuleProtocolType.HTTPS)
.withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection()
.withName("natrulecoll")
.withPriority(112)
.withAction(
new AzureFirewallNatRCAction().withType(AzureFirewallNatRCActionType.DNAT))
.withRules(
Arrays
.asList(
new AzureFirewallNatRule()
.withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5")
.withTranslatedPort("8443"),
new AzureFirewallNatRule()
.withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880")
.withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays
.asList(
new AzureFirewallNetworkRuleCollection()
.withName("netrulecoll")
.withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallNetworkRule()
.withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays
.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule()
.withName("L4-traffic-with-FQDN")
.withDescription(
"Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(
Arrays
.asList(
new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withSku(
new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET)
.withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_with_ip_groups.py
Before running the sample, set the client ID, tenant ID and client secret of the
AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID and
AZURE_CLIENT_SECRET. For more information about how to obtain these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US",
"properties": {
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 110,
"rules": [
{
"description": "Deny inbound rule",
"name": "rule1",
"protocols": [{"port": 443, "protocolType": "Https"}],
"sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
"targetFqdns": ["www.test.com"],
}
],
},
}
],
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
},
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"action": {"type": "Dnat"},
"priority": 112,
"rules": [
{
"description": "D-NAT all outbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["443"],
"name": "DNAT-HTTPS-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443",
},
{
"description": "D-NAT all inbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["80"],
"name": "DNAT-HTTP-traffic-With-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880",
},
],
},
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 112,
"rules": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": ["*"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
"description": "Block traffic based on source IPs and ports to amazon",
"destinationFqdns": ["www.amazon.com"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic-with-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["10.2.4.12-10.2.4.255"],
},
],
},
}
],
"sku": {"name": "AZFW_VNet", "tier": "Standard"},
"threatIntelMode": "Alert",
},
"tags": {"key1": "value1"},
"zones": [],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithIpGroups.json
if __name__ == "__main__":
main()
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/80c21c17b4a7aa57f637ee594f7cfd653255a7e0/specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithIpGroups.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithIpGroups() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll the result: %v", err)
}
// You could use the response here; the blank identifier is used only for demo purposes.
_ = res
// If the HTTP response code is 200 as defined in the example definition, the response structure looks as follows. Note that all values in the output are fake values for demo purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// },
// }
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithIpGroups.json
*/
async function createAzureFirewallWithIPGroups() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
location: "West US",
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters
);
console.log(result);
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithIpGroups.json
// This example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources (subnet, public IP) must be created separately.
// Get your Azure access token; for details of how the Azure SDK obtains it, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
AzureFirewallData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceIpGroups": [
"/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceIpGroups": [
"/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationIpGroups": [
"/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups2"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"ipGroups": [
{
"id": "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1",
"changeNumber": "5"
},
{
"id": "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups2",
"changeNumber": "4"
}
],
"additionalProperties": {}
}
}
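A pre-flight lint for the request body documented above, as an added example that is not part of the Azure docs or SDK samples. The checks it encodes (priority range and per-type uniqueness, exactly one DNAT translation target, sources and destinations present, a warning on DNAT from any source) are this editor's reading of the API rather than the service's own validation; `fqdnTags` is a real application-rule field not used on this page, and `PAGE_BODY` is a constructed, trimmed copy of the Sample Request.

```python
"""Added example, not code from the Azure docs or SDK: a pre-flight lint for the
AzureFirewalls_CreateOrUpdate request body shown on this page. It checks the structural
rules the service enforces on classic rule collections and flags permissive patterns."""
import copy

PRIORITY_MIN, PRIORITY_MAX = 100, 65000  # classic rule-collection priority range
COLLECTION_KEYS = ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections")


def _sources(rule):
    return rule.get("sourceAddresses", []) + rule.get("sourceIpGroups", [])


def _destinations(rule):
    return (rule.get("destinationAddresses", []) + rule.get("destinationFqdns", [])
            + rule.get("destinationIpGroups", []))


def _lint_rule(kind, coll, action, rule):
    """Per-rule checks; returns (severity, collection, rule, message) tuples."""
    out, rname = [], rule.get("name", "<unnamed>")
    if not _sources(rule):
        out.append(("error", coll, rname, "no sourceAddresses or sourceIpGroups"))
    if kind == "applicationRuleCollections":
        if not rule.get("targetFqdns") and not rule.get("fqdnTags"):
            out.append(("error", coll, rname, "application rule needs targetFqdns or fqdnTags"))
    elif kind == "natRuleCollections":
        # A DNAT rule translates to an address or to an FQDN: never both, never neither.
        if ("translatedAddress" in rule) == ("translatedFqdn" in rule):
            out.append(("error", coll, rname, "needs exactly one of translatedAddress/translatedFqdn"))
        if not rule.get("translatedPort"):
            out.append(("error", coll, rname, "DNAT rule needs translatedPort"))
        if not rule.get("destinationAddresses") or not rule.get("destinationPorts"):
            out.append(("error", coll, rname, "DNAT rule needs destinationAddresses and destinationPorts"))
        if "*" in rule.get("sourceAddresses", []):
            out.append(("warn", coll, rname, "DNAT from any source publishes the backend to the Internet"))
    else:
        if not _destinations(rule):
            out.append(("error", coll, rname, "network rule needs destination addresses, FQDNs or IP groups"))
        if action == "Allow" and all("*" in rule.get(k, []) for k in
                                     ("sourceAddresses", "destinationAddresses", "destinationPorts")):
            out.append(("warn", coll, rname, "Allow any-any-any network rule"))
    return out


def lint_firewall_body(body):
    """Lint one PUT body. Priorities are unique per collection type only, which is why
    natrulecoll and netrulecoll on this page can both use 112 without conflict."""
    findings, props = [], body.get("properties", {})
    for key in COLLECTION_KEYS:
        seen = {}
        for coll in props.get(key, []):
            name, cp = coll.get("name", "<unnamed>"), coll.get("properties", {})
            prio = cp.get("priority")
            if not isinstance(prio, int) or not PRIORITY_MIN <= prio <= PRIORITY_MAX:
                findings.append(("error", name, None, f"priority {prio!r} outside {PRIORITY_MIN}-{PRIORITY_MAX}"))
            elif prio in seen:
                findings.append(("error", name, None, f"priority {prio} already used by {seen[prio]}"))
            else:
                seen[prio] = name
            action = cp.get("action", {}).get("type")
            for rule in cp.get("rules", []):
                findings.extend(_lint_rule(key, name, action, rule))
    if props.get("threatIntelMode") == "Off":
        findings.append(("warn", None, None, "threatIntelMode Off disables threat-intelligence filtering"))
    return findings


def _coll(name, prio, action, rules):
    return {"name": name, "properties": {"priority": prio, "action": {"type": action}, "rules": rules}}


# Constructed input: a trimmed copy of the Sample Request above (same names, addresses and ports).
PAGE_BODY = {"location": "West US", "properties": {
    "threatIntelMode": "Alert",
    "applicationRuleCollections": [_coll("apprulecoll", 110, "Deny", [
        {"name": "rule1", "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
         "protocols": [{"protocolType": "Https", "port": 443}], "targetFqdns": ["www.test.com"]}])],
    "natRuleCollections": [_coll("natrulecoll", 112, "Dnat", [
        {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
         "destinationPorts": ["443"], "protocols": ["TCP"], "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
        {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"], "destinationAddresses": ["1.2.3.4"],
         "destinationPorts": ["80"], "protocols": ["TCP"], "translatedFqdn": "internalhttpserver", "translatedPort": "880"}])],
    "networkRuleCollections": [_coll("netrulecoll", 112, "Deny", [
        {"name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
         "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"], "protocols": ["TCP"]}])]}}


def broken_body():
    """Constructed variant with two mistakes the service would reject: a second network
    collection reusing priority 112 and a DNAT rule carrying both translation targets."""
    body = copy.deepcopy(PAGE_BODY)
    props = body["properties"]
    props["networkRuleCollections"].append(_coll("netrulecoll2", 112, "Allow", [
        {"name": "any", "sourceAddresses": ["*"], "destinationAddresses": ["*"],
         "destinationPorts": ["*"], "protocols": ["Any"]}]))
    props["natRuleCollections"][0]["properties"]["rules"][1]["translatedAddress"] = "1.2.3.5"
    return body
```

On the page's own body the lint reports no errors and two warnings, one per DNAT rule sourced from "*"; `broken_body()` additionally yields the duplicate-priority and double-translation errors plus an any-any-any warning.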
Create Azure Firewall With management subnet
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-05-01
{
"tags": {
"key1": "value1"
},
"location": "West US",
"zones": [],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"managementIpConfiguration": {
"name": "azureFirewallMgmtIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"
}
}
},
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
]
}
}
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/** Samples for AzureFirewalls CreateOrUpdate. */
public final class Main {
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithMgmtSubnet.json
*/
/**
* Sample code: Create Azure Firewall With management subnet.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithManagementSubnet(com.azure.resourcemanager.AzureResourceManager azure) {
azure
.networks()
.manager()
.serviceClient()
.getAzureFirewalls()
.createOrUpdate(
"rg1",
"azurefirewall",
new AzureFirewallInner()
.withLocation("West US")
.withTags(mapOf("key1", "value1")) // same tag value as the Sample Request body above
.withZones(Arrays.asList())
.withApplicationRuleCollections(
Arrays
.asList(
new AzureFirewallApplicationRuleCollection()
.withName("apprulecoll")
.withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallApplicationRule()
.withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(
Arrays
.asList(
new AzureFirewallApplicationRuleProtocol()
.withProtocolType(
AzureFirewallApplicationRuleProtocolType.HTTPS)
.withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection()
.withName("natrulecoll")
.withPriority(112)
.withAction(
new AzureFirewallNatRCAction().withType(AzureFirewallNatRCActionType.DNAT))
.withRules(
Arrays
.asList(
new AzureFirewallNatRule()
.withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5")
.withTranslatedPort("8443"),
new AzureFirewallNatRule()
.withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880")
.withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays
.asList(
new AzureFirewallNetworkRuleCollection()
.withName("netrulecoll")
.withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallNetworkRule()
.withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays
.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule()
.withName("L4-traffic-with-FQDN")
.withDescription(
"Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(
Arrays
.asList(
new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withManagementIpConfiguration(
new AzureFirewallIpConfiguration()
.withName("azureFirewallMgmtIpConfiguration")
.withSubnet(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"))
.withPublicIpAddress(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName")))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withSku(
new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET)
.withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_with_mgmt_subnet.py
Before running the sample, set the client ID, tenant ID and client secret of the
AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
AZURE_CLIENT_SECRET. For more information about how to obtain these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US",
"properties": {
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 110,
"rules": [
{
"description": "Deny inbound rule",
"name": "rule1",
"protocols": [{"port": 443, "protocolType": "Https"}],
"sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
"targetFqdns": ["www.test.com"],
}
],
},
}
],
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
},
}
],
"managementIpConfiguration": {
"name": "azureFirewallMgmtIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"
},
},
},
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"action": {"type": "Dnat"},
"priority": 112,
"rules": [
{
"description": "D-NAT all outbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["443"],
"name": "DNAT-HTTPS-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443",
},
{
"description": "D-NAT all inbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["80"],
"name": "DNAT-HTTP-traffic-With-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880",
},
],
},
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 112,
"rules": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": ["*"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
"description": "Block traffic based on source IPs and ports to amazon",
"destinationFqdns": ["www.amazon.com"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic-with-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["10.2.4.12-10.2.4.255"],
},
],
},
}
],
"sku": {"name": "AZFW_VNet", "tier": "Standard"},
"threatIntelMode": "Alert",
},
"tags": {"key1": "value1"},
"zones": [],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithMgmtSubnet.json
if __name__ == "__main__":
main()
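The request body in the "Create Azure Firewall With management subnet" sample above is a complete classic-rules firewall definition, and the SDK samples send it verbatim. As an added example that is not part of this reference page or of any Azure SDK sample, the Python below lints such a body before it is submitted: it parses the three address forms the page uses ("*", CIDR or single IP, and dashed ranges), checks that rule collection priorities are unique within each collection type, and reports the settings a reviewer would want to see called out, such as DNAT rules whose sourceAddresses is "*" and a threatIntelMode that only alerts. The check names, severities and the trimmed SAMPLE_REQUEST (constructed from the page's sample) are this example's own conventions, not anything defined by the API.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple, Union

# Constructed sample: the "Create Azure Firewall With management subnet"
# request body from this page, trimmed to the fields the checks read.
SAMPLE_REQUEST = {
    "location": "West US",
    "properties": {
        "threatIntelMode": "Alert",
        "managementIpConfiguration": {"name": "azureFirewallMgmtIpConfiguration"},
        "applicationRuleCollections": [
            {"name": "apprulecoll", "properties": {"priority": 110, "action": {"type": "Deny"},
             "rules": [{"name": "rule1", "protocols": [{"protocolType": "Https", "port": 443}],
                        "targetFqdns": ["www.test.com"],
                        "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"]}]}},
        ],
        "natRuleCollections": [
            {"name": "natrulecoll", "properties": {"priority": 112, "action": {"type": "Dnat"},
             "rules": [
                 {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"],
                  "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["443"],
                  "protocols": ["TCP"], "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
                 {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"],
                  "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["80"],
                  "protocols": ["TCP"], "translatedFqdn": "internalhttpserver", "translatedPort": "880"},
             ]}},
        ],
        "networkRuleCollections": [
            {"name": "netrulecoll", "properties": {"priority": 112, "action": {"type": "Deny"},
             "rules": [
                 {"name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                  "destinationPorts": ["443-444", "8443"], "destinationAddresses": ["*"], "protocols": ["TCP"]},
                 {"name": "L4-traffic-with-FQDN", "sourceAddresses": ["10.2.4.12-10.2.4.255"],
                  "destinationPorts": ["443-444", "8443"], "destinationFqdns": ["www.amazon.com"],
                  "protocols": ["TCP"]},
             ]}},
        ],
    },
}

AddressSpec = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network, Tuple]


def parse_address_spec(spec: str) -> AddressSpec:
    """Parse one entry of a sourceAddresses/destinationAddresses list.

    Accepts the three forms used on this page: "*" (any address), a single IP
    or CIDR ("10.0.0.0/24"), and a dashed range ("192.168.1.1-192.168.1.12").
    Raises ValueError for anything else, including a reversed range.
    """
    if spec == "*":
        return "*"
    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid address range: {spec}")
        return (start, end)
    return ipaddress.ip_network(spec, strict=False)  # single IP becomes a /32 or /128


def lint_firewall(body: dict) -> List[Dict[str, str]]:
    """Return findings for a classic-rules Azure Firewall request body.

    Each finding is {"check", "severity", "where", "message"}; the check names
    and severities are this example's own, not API-defined values.
    """
    props = body.get("properties", {})
    findings: List[Dict[str, str]] = []

    def add(check: str, severity: str, where: str, message: str) -> None:
        findings.append({"check": check, "severity": severity, "where": where, "message": message})

    # "Alert" logs threat-intelligence matches without blocking them; only "Deny" blocks.
    if props.get("threatIntelMode") != "Deny":
        add("threat-intel-mode", "medium", "properties.threatIntelMode",
            f"threatIntelMode is {props.get('threatIntelMode')!r}; only 'Deny' blocks matches")

    # The management IP configuration carries the firewall's own management traffic
    # on a separate subnet and public IP, which forced tunneling requires.
    if "managementIpConfiguration" not in props:
        add("management-ipconfig", "info", "properties",
            "no managementIpConfiguration; forced tunneling cannot be enabled")

    for coll_key in ("applicationRuleCollections", "natRuleCollections", "networkRuleCollections"):
        colls = props.get(coll_key, [])
        # Priorities are checked for uniqueness within one collection type.
        counts = Counter(c["properties"]["priority"] for c in colls)
        for prio in sorted(p for p, n in counts.items() if n > 1):
            add("duplicate-priority", "medium", coll_key, f"priority {prio} used by more than one collection")
        for coll in colls:
            for rule in coll["properties"].get("rules", []):
                where = f"{coll_key}/{coll['name']}/{rule['name']}"
                for field in ("sourceAddresses", "destinationAddresses"):
                    for spec in rule.get(field, []):
                        try:
                            parse_address_spec(spec)
                        except ValueError as exc:
                            add("bad-address", "high", where, f"{field}: {exc}")
                if coll_key == "natRuleCollections":
                    if "*" in rule.get("sourceAddresses", []):
                        add("dnat-any-source", "high", where, "DNAT rule accepts connections from any source")
                    if "translatedFqdn" in rule:
                        add("dnat-fqdn-target", "info", where, "backend is an FQDN; exposure depends on DNS resolution")
                elif coll_key == "applicationRuleCollections" and coll["properties"]["action"]["type"] == "Allow":
                    if any(p.get("protocolType") == "Http" for p in rule.get("protocols", [])):
                        add("plaintext-http-allowed", "medium", where, "application rule allows plaintext HTTP")
    return findings


if __name__ == "__main__":
    for f in lint_firewall(SAMPLE_REQUEST):
        print(f"[{f['severity']}] {f['check']} at {f['where']}: {f['message']}")
```

Run against the page's sample, the linter reports four findings: the alert-only threat-intelligence mode, the two DNAT rules open to any source, and the FQDN-targeted DNAT rule; the duplicate priority 112 is not reported because it is shared between the NAT and network collection types, not within one type. Call lint_firewall on the dict you are about to pass to begin_create_or_update and fail the deployment on any "high" finding.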
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/80c21c17b4a7aa57f637ee594f7cfd653255a7e0/specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithMgmtSubnet.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithManagementSubnet() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
ManagementIPConfiguration: &armnetwork.AzureFirewallIPConfiguration{
Name: to.Ptr("azureFirewallMgmtIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"),
},
},
},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to pull the result: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in the example definition, the response structure looks as follows. Note that all values in the output are placeholder values for demo purposes.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// },
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithMgmtSubnet.json
*/
async function createAzureFirewallWithManagementSubnet() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
location: "West US",
managementIpConfiguration: {
name: "azureFirewallMgmtIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
},
},
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: [],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters
);
console.log(result);
}
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithMgmtSubnet.json
// This example only shows the usage of the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources have to be created separately.
// Get your Azure access token. For details on how the Azure SDK obtains the access token, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// This example assumes the ResourceGroupResource already exists in Azure.
// For information on creating a ResourceGroupResource, refer to the ResourceGroupResource documentation.
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ManagementIPConfiguration = new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"),
Name = "azureFirewallMgmtIpConfiguration",
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// the variable result is a resource; you could call other operations on this instance as well,
// but just for demo, we get its data from this resource instance
AzureFirewallData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue.
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedPort": "880",
"translatedFqdn": "internalhttpserver"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"protocols": [
"TCP"
],
"destinationFqdns": [
"www.amazon.com"
]
}
]
}
}
],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US",
"zones": [],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {}
}
}
Create Azure Firewall With Zones
Sample Request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2023-05-01
{
"location": "West US 2",
"tags": {
"key1": "value1"
},
"zones": [
"1",
"2",
"3"
],
"properties": {
"threatIntelMode": "Alert",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
]
}
}
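As an added example that is not part of the Azure reference page or the Azure SDK samples: a small Python pre-deployment review of a request body in the shape shown above, flagging the settings a security reviewer looks at first (threatIntelMode, duplicate collection priorities, DNAT rules open to any source, any-any Allow network rules). The check IDs and the trimmed SAMPLE_BODY are constructed here; "Deny" for threatIntelMode and "Allow" for the action type are other values of the enums the page's reference tables name.

```python
# Added example, not Azure's code: review a PUT body of the shape shown above.

# Constructed input: a trimmed copy of the "Create Azure Firewall With Zones"
# request body; addresses and resource names are the page's placeholder values.
SAMPLE_BODY = {
    "location": "West US 2",
    "zones": ["1", "2", "3"],
    "properties": {
        "threatIntelMode": "Alert",
        "sku": {"name": "AZFW_VNet", "tier": "Standard"},
        "applicationRuleCollections": [{
            "name": "apprulecoll",
            "properties": {"priority": 110, "action": {"type": "Deny"}, "rules": [{
                "name": "rule1", "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
                "protocols": [{"protocolType": "Https", "port": 443}],
                "targetFqdns": ["www.test.com"]}]}}],
        "natRuleCollections": [{
            "name": "natrulecoll",
            "properties": {"priority": 112, "action": {"type": "Dnat"}, "rules": [
                {"name": "DNAT-HTTPS-traffic", "sourceAddresses": ["*"],
                 "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["443"],
                 "protocols": ["TCP"], "translatedAddress": "1.2.3.5",
                 "translatedPort": "8443"},
                {"name": "DNAT-HTTP-traffic-With-FQDN", "sourceAddresses": ["*"],
                 "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["80"],
                 "protocols": ["TCP"], "translatedFqdn": "internalhttpserver",
                 "translatedPort": "880"}]}}],
        "networkRuleCollections": [{
            "name": "netrulecoll",
            "properties": {"priority": 112, "action": {"type": "Deny"}, "rules": [{
                "name": "L4-traffic", "sourceAddresses": ["192.168.1.1-192.168.1.12"],
                "destinationAddresses": ["*"], "destinationPorts": ["443-444", "8443"],
                "protocols": ["TCP"]}]}}],
    },
}

COLLECTION_KINDS = ("applicationRuleCollections", "natRuleCollections",
                    "networkRuleCollections")


def review_azure_firewall_body(body):
    """Return (check_id, message) findings for one azureFirewalls PUT body."""
    findings = []
    props = body.get("properties", {})

    # 1. threatIntelMode "Alert" (the sample's value) only logs threat-intel
    #    matches; "Deny" is the enum value that also blocks them.
    mode = props.get("threatIntelMode")
    if mode != "Deny":
        findings.append(("threat-intel-not-deny",
                         f"threatIntelMode is {mode!r}: matches are logged, not blocked"))

    # 2. The same priority twice inside one collection kind makes evaluation
    #    order ambiguous; 112 in both NAT and network collections is fine.
    for kind in COLLECTION_KINDS:
        seen = {}
        for coll in props.get(kind, []):
            priority = coll["properties"]["priority"]
            if priority in seen:
                findings.append(("duplicate-priority",
                                 f"{kind}: {coll['name']!r} and {seen[priority]!r} "
                                 f"both use priority {priority}"))
            seen.setdefault(priority, coll["name"])

    # 3. A DNAT rule with sourceAddresses "*" forwards traffic from any source
    #    reaching the firewall's public IP to the translated target.
    for coll in props.get("natRuleCollections", []):
        for rule in coll["properties"].get("rules", []):
            if "*" in rule.get("sourceAddresses", []):
                target = rule.get("translatedAddress") or rule.get("translatedFqdn")
                ports = ",".join(rule.get("destinationPorts", []))
                findings.append(("nat-any-source",
                                 f"DNAT rule {rule['name']!r}: any source on port(s) "
                                 f"{ports} is forwarded to {target}:{rule.get('translatedPort')}"))

    # 4. An Allow network rule from "*" to "*" on every port is an any-any
    #    permit; the sample's collection is Deny, so it yields no finding.
    for coll in props.get("networkRuleCollections", []):
        if coll["properties"].get("action", {}).get("type") != "Allow":
            continue
        for rule in coll["properties"].get("rules", []):
            if all("*" in rule.get(k, []) for k in
                   ("sourceAddresses", "destinationAddresses", "destinationPorts")):
                findings.append(("network-any-any-allow",
                                 f"network rule {rule['name']!r} in {coll['name']!r} "
                                 "allows any source to any destination on any port"))
    return findings


if __name__ == "__main__":
    for check_id, message in review_azure_firewall_body(SAMPLE_BODY):
        print(f"[{check_id}] {message}")
```

Run against the sample body it reports the Alert-only threat-intel mode and the two DNAT rules open to any source; the shared priority 112 is not reported because it sits in two different collection kinds.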
import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.AzureFirewallInner;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRule;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallApplicationRuleProtocolType;
import com.azure.resourcemanager.network.models.AzureFirewallIpConfiguration;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallNatRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallNatRule;
import com.azure.resourcemanager.network.models.AzureFirewallNatRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRule;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleCollection;
import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallRCAction;
import com.azure.resourcemanager.network.models.AzureFirewallRCActionType;
import com.azure.resourcemanager.network.models.AzureFirewallSku;
import com.azure.resourcemanager.network.models.AzureFirewallSkuName;
import com.azure.resourcemanager.network.models.AzureFirewallSkuTier;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/** Samples for AzureFirewalls CreateOrUpdate. */
public final class Main {
/*
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithZones.json
*/
/**
* Sample code: Create Azure Firewall With Zones.
*
* @param azure The entry point for accessing resource management APIs in Azure.
*/
public static void createAzureFirewallWithZones(com.azure.resourcemanager.AzureResourceManager azure) {
azure
.networks()
.manager()
.serviceClient()
.getAzureFirewalls()
.createOrUpdate(
"rg1",
"azurefirewall",
new AzureFirewallInner()
.withLocation("West US 2")
.withTags(mapOf("key1", "value1"))
.withZones(Arrays.asList("1", "2", "3"))
.withApplicationRuleCollections(
Arrays
.asList(
new AzureFirewallApplicationRuleCollection()
.withName("apprulecoll")
.withPriority(110)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallApplicationRule()
.withName("rule1")
.withDescription("Deny inbound rule")
.withSourceAddresses(Arrays.asList("216.58.216.164", "10.0.0.0/24"))
.withProtocols(
Arrays
.asList(
new AzureFirewallApplicationRuleProtocol()
.withProtocolType(
AzureFirewallApplicationRuleProtocolType.HTTPS)
.withPort(443)))
.withTargetFqdns(Arrays.asList("www.test.com"))))))
.withNatRuleCollections(
Arrays
.asList(
new AzureFirewallNatRuleCollection()
.withName("natrulecoll")
.withPriority(112)
.withAction(
new AzureFirewallNatRCAction().withType(AzureFirewallNatRCActionType.DNAT))
.withRules(
Arrays
.asList(
new AzureFirewallNatRule()
.withName("DNAT-HTTPS-traffic")
.withDescription("D-NAT all outbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("443"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedAddress("1.2.3.5")
.withTranslatedPort("8443"),
new AzureFirewallNatRule()
.withName("DNAT-HTTP-traffic-With-FQDN")
.withDescription("D-NAT all inbound web traffic for inspection")
.withSourceAddresses(Arrays.asList("*"))
.withDestinationAddresses(Arrays.asList("1.2.3.4"))
.withDestinationPorts(Arrays.asList("80"))
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withTranslatedPort("880")
.withTranslatedFqdn("internalhttpserver")))))
.withNetworkRuleCollections(
Arrays
.asList(
new AzureFirewallNetworkRuleCollection()
.withName("netrulecoll")
.withPriority(112)
.withAction(new AzureFirewallRCAction().withType(AzureFirewallRCActionType.DENY))
.withRules(
Arrays
.asList(
new AzureFirewallNetworkRule()
.withName("L4-traffic")
.withDescription("Block traffic based on source IPs and ports")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(
Arrays
.asList("192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"))
.withDestinationAddresses(Arrays.asList("*"))
.withDestinationPorts(Arrays.asList("443-444", "8443")),
new AzureFirewallNetworkRule()
.withName("L4-traffic-with-FQDN")
.withDescription(
"Block traffic based on source IPs and ports to amazon")
.withProtocols(Arrays.asList(AzureFirewallNetworkRuleProtocol.TCP))
.withSourceAddresses(Arrays.asList("10.2.4.12-10.2.4.255"))
.withDestinationPorts(Arrays.asList("443-444", "8443"))
.withDestinationFqdns(Arrays.asList("www.amazon.com"))))))
.withIpConfigurations(
Arrays
.asList(
new AzureFirewallIpConfiguration()
.withName("azureFirewallIpConfiguration")
.withSubnet(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"))
.withPublicIpAddress(
new SubResource()
.withId(
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"))))
.withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
.withSku(
new AzureFirewallSku()
.withName(AzureFirewallSkuName.AZFW_VNET)
.withTier(AzureFirewallSkuTier.STANDARD)),
com.azure.core.util.Context.NONE);
}
// Use "Map.of" if available
@SuppressWarnings("unchecked")
private static <T> Map<String, T> mapOf(Object... inputs) {
Map<String, T> map = new HashMap<>();
for (int i = 0; i < inputs.length; i += 2) {
String key = (String) inputs[i];
T value = (T) inputs[i + 1];
map.put(key, value);
}
return map;
}
}
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-network
# USAGE
python azure_firewall_put_with_zones.py
Before running the sample, set the values of the client ID, tenant ID and client secret
of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
AZURE_CLIENT_SECRET. For more information about how to get these values, see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = NetworkManagementClient(
credential=DefaultAzureCredential(),
subscription_id="subid",
)
response = client.azure_firewalls.begin_create_or_update(
resource_group_name="rg1",
azure_firewall_name="azurefirewall",
parameters={
"location": "West US 2",
"properties": {
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 110,
"rules": [
{
"description": "Deny inbound rule",
"name": "rule1",
"protocols": [{"port": 443, "protocolType": "Https"}],
"sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
"targetFqdns": ["www.test.com"],
}
],
},
}
],
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"properties": {
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
},
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
},
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"action": {"type": "Dnat"},
"priority": 112,
"rules": [
{
"description": "D-NAT all outbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["443"],
"name": "DNAT-HTTPS-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443",
},
{
"description": "D-NAT all inbound web traffic for inspection",
"destinationAddresses": ["1.2.3.4"],
"destinationPorts": ["80"],
"name": "DNAT-HTTP-traffic-With-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880",
},
],
},
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"action": {"type": "Deny"},
"priority": 112,
"rules": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": ["*"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic",
"protocols": ["TCP"],
"sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
"description": "Block traffic based on source IPs and ports to amazon",
"destinationFqdns": ["www.amazon.com"],
"destinationPorts": ["443-444", "8443"],
"name": "L4-traffic-with-FQDN",
"protocols": ["TCP"],
"sourceAddresses": ["10.2.4.12-10.2.4.255"],
},
],
},
}
],
"sku": {"name": "AZFW_VNet", "tier": "Standard"},
"threatIntelMode": "Alert",
},
"tags": {"key1": "value1"},
"zones": ["1", "2", "3"],
},
).result()
print(response)
# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithZones.json
if __name__ == "__main__":
main()
package armnetwork_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/80c21c17b4a7aa57f637ee594f7cfd653255a7e0/specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithZones.json
func ExampleAzureFirewallsClient_BeginCreateOrUpdate_createAzureFirewallWithZones() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
poller, err := clientFactory.NewAzureFirewallsClient().BeginCreateOrUpdate(ctx, "rg1", "azurefirewall", armnetwork.AzureFirewall{
Location: to.Ptr("West US 2"),
Tags: map[string]*string{
"key1": to.Ptr("value1"),
},
Properties: &armnetwork.AzureFirewallPropertiesFormat{
ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
{
Name: to.Ptr("apprulecoll"),
Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](110),
Rules: []*armnetwork.AzureFirewallApplicationRule{
{
Name: to.Ptr("rule1"),
Description: to.Ptr("Deny inbound rule"),
Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
{
Port: to.Ptr[int32](443),
ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
}},
SourceAddresses: []*string{
to.Ptr("216.58.216.164"),
to.Ptr("10.0.0.0/24")},
TargetFqdns: []*string{
to.Ptr("www.test.com")},
}},
},
}},
IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
{
Name: to.Ptr("azureFirewallIpConfiguration"),
Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
PublicIPAddress: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
},
Subnet: &armnetwork.SubResource{
ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
},
},
}},
NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
{
Name: to.Ptr("natrulecoll"),
Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
Action: &armnetwork.AzureFirewallNatRCAction{
Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNatRule{
{
Name: to.Ptr("DNAT-HTTPS-traffic"),
Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedAddress: to.Ptr("1.2.3.5"),
TranslatedPort: to.Ptr("8443"),
},
{
Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
DestinationAddresses: []*string{
to.Ptr("1.2.3.4")},
DestinationPorts: []*string{
to.Ptr("80")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("*")},
TranslatedFqdn: to.Ptr("internalhttpserver"),
TranslatedPort: to.Ptr("880"),
}},
},
}},
NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
{
Name: to.Ptr("netrulecoll"),
Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
Action: &armnetwork.AzureFirewallRCAction{
Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
},
Priority: to.Ptr[int32](112),
Rules: []*armnetwork.AzureFirewallNetworkRule{
{
Name: to.Ptr("L4-traffic"),
Description: to.Ptr("Block traffic based on source IPs and ports"),
DestinationAddresses: []*string{
to.Ptr("*")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("192.168.1.1-192.168.1.12"),
to.Ptr("10.1.4.12-10.1.4.255")},
},
{
Name: to.Ptr("L4-traffic-with-FQDN"),
Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
DestinationFqdns: []*string{
to.Ptr("www.amazon.com")},
DestinationPorts: []*string{
to.Ptr("443-444"),
to.Ptr("8443")},
Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
SourceAddresses: []*string{
to.Ptr("10.2.4.12-10.2.4.255")},
}},
},
}},
SKU: &armnetwork.AzureFirewallSKU{
Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
},
ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
},
Zones: []*string{
to.Ptr("1"),
to.Ptr("2"),
to.Ptr("3")},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
res, err := poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll the result: %v", err)
}
// You could use the response here. We use the blank identifier just for demo purposes.
_ = res
// If the HTTP response code is 200 as defined in the example definition, your response structure would look as follows. Note that all the values in the output are fake values for demo purposes only.
// res.AzureFirewall = armnetwork.AzureFirewall{
// Name: to.Ptr("azurefirewall"),
// Type: to.Ptr("Microsoft.Network/azureFirewalls"),
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall"),
// Location: to.Ptr("West US 2"),
// Tags: map[string]*string{
// "key1": to.Ptr("value1"),
// },
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallPropertiesFormat{
// AdditionalProperties: map[string]*string{
// },
// ApplicationRuleCollections: []*armnetwork.AzureFirewallApplicationRuleCollection{
// {
// Name: to.Ptr("apprulecoll"),
// Properties: &armnetwork.AzureFirewallApplicationRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](110),
// Rules: []*armnetwork.AzureFirewallApplicationRule{
// {
// Name: to.Ptr("rule1"),
// Description: to.Ptr("Deny inbound rule"),
// Protocols: []*armnetwork.AzureFirewallApplicationRuleProtocol{
// {
// Port: to.Ptr[int32](443),
// ProtocolType: to.Ptr(armnetwork.AzureFirewallApplicationRuleProtocolTypeHTTPS),
// }},
// SourceAddresses: []*string{
// to.Ptr("216.58.216.164"),
// to.Ptr("10.0.0.0/24")},
// TargetFqdns: []*string{
// to.Ptr("www.test.com")},
// }},
// },
// }},
// IPConfigurations: []*armnetwork.AzureFirewallIPConfiguration{
// {
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration"),
// Name: to.Ptr("azureFirewallIpConfiguration"),
// Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
// Properties: &armnetwork.AzureFirewallIPConfigurationPropertiesFormat{
// PrivateIPAddress: to.Ptr("10.0.0.0"),
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// PublicIPAddress: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
// },
// Subnet: &armnetwork.SubResource{
// ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
// },
// },
// }},
// IPGroups: []*armnetwork.AzureFirewallIPGroups{
// },
// NatRuleCollections: []*armnetwork.AzureFirewallNatRuleCollection{
// {
// Name: to.Ptr("natrulecoll"),
// Properties: &armnetwork.AzureFirewallNatRuleCollectionProperties{
// Action: &armnetwork.AzureFirewallNatRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallNatRCActionTypeDnat),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNatRule{
// {
// Name: to.Ptr("DNAT-HTTPS-traffic"),
// Description: to.Ptr("D-NAT all outbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedAddress: to.Ptr("1.2.3.5"),
// TranslatedPort: to.Ptr("8443"),
// },
// {
// Name: to.Ptr("DNAT-HTTP-traffic-With-FQDN"),
// Description: to.Ptr("D-NAT all inbound web traffic for inspection"),
// DestinationAddresses: []*string{
// to.Ptr("1.2.3.4")},
// DestinationPorts: []*string{
// to.Ptr("80")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("*")},
// TranslatedFqdn: to.Ptr("internalhttpserver"),
// TranslatedPort: to.Ptr("880"),
// }},
// },
// }},
// NetworkRuleCollections: []*armnetwork.AzureFirewallNetworkRuleCollection{
// {
// Name: to.Ptr("netrulecoll"),
// Properties: &armnetwork.AzureFirewallNetworkRuleCollectionPropertiesFormat{
// Action: &armnetwork.AzureFirewallRCAction{
// Type: to.Ptr(armnetwork.AzureFirewallRCActionTypeDeny),
// },
// Priority: to.Ptr[int32](112),
// Rules: []*armnetwork.AzureFirewallNetworkRule{
// {
// Name: to.Ptr("L4-traffic"),
// Description: to.Ptr("Block traffic based on source IPs and ports"),
// DestinationAddresses: []*string{
// to.Ptr("*")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("192.168.1.1-192.168.1.12"),
// to.Ptr("10.1.4.12-10.1.4.255")},
// },
// {
// Name: to.Ptr("L4-traffic-with-FQDN"),
// Description: to.Ptr("Block traffic based on source IPs and ports to amazon"),
// DestinationFqdns: []*string{
// to.Ptr("www.amazon.com")},
// DestinationPorts: []*string{
// to.Ptr("443-444"),
// to.Ptr("8443")},
// Protocols: []*armnetwork.AzureFirewallNetworkRuleProtocol{
// to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolTCP)},
// SourceAddresses: []*string{
// to.Ptr("10.2.4.12-10.2.4.255")},
// }},
// },
// }},
// ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
// SKU: &armnetwork.AzureFirewallSKU{
// Name: to.Ptr(armnetwork.AzureFirewallSKUNameAZFWVnet),
// Tier: to.Ptr(armnetwork.AzureFirewallSKUTierStandard),
// },
// ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
// },
// Zones: []*string{
// to.Ptr("1"),
// to.Ptr("2"),
// to.Ptr("3")},
// }
}
const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to create or update the specified Azure Firewall.
*
* @summary Creates or updates the specified Azure Firewall.
* x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithZones.json
*/
async function createAzureFirewallWithZones() {
const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
const azureFirewallName = "azurefirewall";
const parameters = {
applicationRuleCollections: [
{
name: "apprulecoll",
action: { type: "Deny" },
priority: 110,
rules: [
{
name: "rule1",
description: "Deny inbound rule",
protocols: [{ port: 443, protocolType: "Https" }],
sourceAddresses: ["216.58.216.164", "10.0.0.0/24"],
targetFqdns: ["www.test.com"],
},
],
},
],
ipConfigurations: [
{
name: "azureFirewallIpConfiguration",
publicIPAddress: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
},
subnet: {
id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
},
},
],
location: "West US 2",
natRuleCollections: [
{
name: "natrulecoll",
action: { type: "Dnat" },
priority: 112,
rules: [
{
name: "DNAT-HTTPS-traffic",
description: "D-NAT all outbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["443"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedAddress: "1.2.3.5",
translatedPort: "8443",
},
{
name: "DNAT-HTTP-traffic-With-FQDN",
description: "D-NAT all inbound web traffic for inspection",
destinationAddresses: ["1.2.3.4"],
destinationPorts: ["80"],
protocols: ["TCP"],
sourceAddresses: ["*"],
translatedFqdn: "internalhttpserver",
translatedPort: "880",
},
],
},
],
networkRuleCollections: [
{
name: "netrulecoll",
action: { type: "Deny" },
priority: 112,
rules: [
{
name: "L4-traffic",
description: "Block traffic based on source IPs and ports",
destinationAddresses: ["*"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
},
{
name: "L4-traffic-with-FQDN",
description: "Block traffic based on source IPs and ports to amazon",
destinationFqdns: ["www.amazon.com"],
destinationPorts: ["443-444", "8443"],
protocols: ["TCP"],
sourceAddresses: ["10.2.4.12-10.2.4.255"],
},
],
},
],
sku: { name: "AZFW_VNet", tier: "Standard" },
tags: { key1: "value1" },
threatIntelMode: "Alert",
zones: ["1", "2", "3"],
};
const credential = new DefaultAzureCredential();
const client = new NetworkManagementClient(credential, subscriptionId);
const result = await client.azureFirewalls.beginCreateOrUpdateAndWait(
resourceGroupName,
azureFirewallName,
parameters
);
console.log(result);
}
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-05-01/examples/AzureFirewallPutWithZones.json
// This example only shows the "AzureFirewalls_CreateOrUpdate" operation; the dependent resources it references (the resource group, the virtual network with its AzureFirewallSubnet, and the public IP address) must be created separately.
// Get an Azure access token. For details of how the Azure SDK obtains the token, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// This example assumes the ResourceGroupResource already exists in Azure.
// For how to create a ResourceGroupResource, refer to the ResourceGroupResource documentation.
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this AzureFirewallResource
AzureFirewallCollection collection = resourceGroupResource.GetAzureFirewalls();
// invoke the operation
string azureFirewallName = "azurefirewall";
AzureFirewallData data = new AzureFirewallData()
{
Zones =
{
"1","2","3"
},
ApplicationRuleCollections =
{
new AzureFirewallApplicationRuleCollectionData()
{
Priority = 110,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallApplicationRule()
{
Name = "rule1",
Description = "Deny inbound rule",
SourceAddresses =
{
"216.58.216.164","10.0.0.0/24"
},
Protocols =
{
new AzureFirewallApplicationRuleProtocol()
{
ProtocolType = AzureFirewallApplicationRuleProtocolType.Https,
Port = 443,
}
},
TargetFqdns =
{
"www.test.com"
},
}
},
Name = "apprulecoll",
}
},
NatRuleCollections =
{
new AzureFirewallNatRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallNatRCActionType.Dnat,
Rules =
{
new AzureFirewallNatRule()
{
Name = "DNAT-HTTPS-traffic",
Description = "D-NAT all outbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"443"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedAddress = "1.2.3.5",
TranslatedPort = "8443",
},new AzureFirewallNatRule()
{
Name = "DNAT-HTTP-traffic-With-FQDN",
Description = "D-NAT all inbound web traffic for inspection",
SourceAddresses =
{
"*"
},
DestinationAddresses =
{
"1.2.3.4"
},
DestinationPorts =
{
"80"
},
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
TranslatedPort = "880",
TranslatedFqdn = "internalhttpserver",
}
},
Name = "natrulecoll",
}
},
NetworkRuleCollections =
{
new AzureFirewallNetworkRuleCollectionData()
{
Priority = 112,
ActionType = AzureFirewallRCActionType.Deny,
Rules =
{
new AzureFirewallNetworkRule()
{
Name = "L4-traffic",
Description = "Block traffic based on source IPs and ports",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"192.168.1.1-192.168.1.12","10.1.4.12-10.1.4.255"
},
DestinationAddresses =
{
"*"
},
DestinationPorts =
{
"443-444","8443"
},
},new AzureFirewallNetworkRule()
{
Name = "L4-traffic-with-FQDN",
Description = "Block traffic based on source IPs and ports to amazon",
Protocols =
{
AzureFirewallNetworkRuleProtocol.Tcp
},
SourceAddresses =
{
"10.2.4.12-10.2.4.255"
},
DestinationPorts =
{
"443-444","8443"
},
DestinationFqdns =
{
"www.amazon.com"
},
}
},
Name = "netrulecoll",
}
},
IPConfigurations =
{
new AzureFirewallIPConfiguration()
{
SubnetId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
PublicIPAddressId = new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
Name = "azureFirewallIpConfiguration",
}
},
ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
Sku = new AzureFirewallSku()
{
Name = AzureFirewallSkuName.AzfwVnet,
Tier = AzureFirewallSkuTier.Standard,
},
Location = new AzureLocation("West US 2"),
Tags =
{
["key1"] = "value1",
},
};
ArmOperation<AzureFirewallResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, azureFirewallName, data);
AzureFirewallResource result = lro.Value;
// result is the created or updated firewall resource; other operations can be called on this instance.
// For this demo we only read its data and print the resource id.
AzureFirewallData resourceData = result.Data;
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
Sample Response
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US 2",
"zones": [
"1",
"2",
"3"
],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"ipGroups": [],
"additionalProperties": {}
}
}
{
"name": "azurefirewall",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
"type": "Microsoft.Network/azureFirewalls",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"location": "West US 2",
"zones": [
"1",
"2",
"3"
],
"tags": {
"key1": "value1"
},
"properties": {
"provisioningState": "Succeeded",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"ipConfigurations": [
{
"name": "azureFirewallIpConfiguration",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
"etag": "w/\\00000000-0000-0000-0000-000000000000\\",
"properties": {
"provisioningState": "Succeeded",
"privateIPAddress": "10.0.0.0",
"subnet": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
},
"publicIPAddress": {
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
}
}
}
],
"applicationRuleCollections": [
{
"name": "apprulecoll",
"properties": {
"priority": 110,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "rule1",
"description": "Deny inbound rule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.test.com"
],
"sourceAddresses": [
"216.58.216.164",
"10.0.0.0/24"
]
}
]
}
}
],
"natRuleCollections": [
{
"name": "natrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Dnat"
},
"rules": [
{
"name": "DNAT-HTTPS-traffic",
"description": "D-NAT all outbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"443"
],
"protocols": [
"TCP"
],
"translatedAddress": "1.2.3.5",
"translatedPort": "8443"
},
{
"name": "DNAT-HTTP-traffic-With-FQDN",
"description": "D-NAT all inbound web traffic for inspection",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.2.3.4"
],
"destinationPorts": [
"80"
],
"protocols": [
"TCP"
],
"translatedFqdn": "internalhttpserver",
"translatedPort": "880"
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netrulecoll",
"properties": {
"priority": 112,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "L4-traffic",
"description": "Block traffic based on source IPs and ports",
"sourceAddresses": [
"192.168.1.1-192.168.1.12",
"10.1.4.12-10.1.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationAddresses": [
"*"
],
"protocols": [
"TCP"
]
},
{
"name": "L4-traffic-with-FQDN",
"description": "Block traffic based on source IPs and ports to amazon",
"sourceAddresses": [
"10.2.4.12-10.2.4.255"
],
"destinationPorts": [
"443-444",
"8443"
],
"destinationFqdns": [
"www.amazon.com"
],
"protocols": [
"TCP"
]
}
]
}
}
],
"additionalProperties": {}
}
}
Definitions
AzureFirewall
Azure Firewall resource.
Name
Type
Description
etag
string
A unique read-only string that changes whenever the resource is updated.
id
string
Resource ID.
location
string
Resource location.
name
string
Resource name.
properties.additionalProperties
object
The additional properties used to further config this azure firewall.
properties.applicationRuleCollections
AzureFirewallApplicationRuleCollection []
Collection of application rule collections used by Azure Firewall.
properties.firewallPolicy
SubResource
The firewallPolicy associated with this azure firewall.
properties.hubIPAddresses
HubIPAddresses
IP addresses associated with AzureFirewall.
properties.ipConfigurations
AzureFirewallIPConfiguration []
IP configuration of the Azure Firewall resource.
properties.ipGroups
AzureFirewallIpGroups []
IpGroups associated with AzureFirewall.
properties.managementIpConfiguration
AzureFirewallIPConfiguration
IP configuration of the Azure Firewall used for management traffic.
properties.natRuleCollections
AzureFirewallNatRuleCollection []
Collection of NAT rule collections used by Azure Firewall.
properties.networkRuleCollections
AzureFirewallNetworkRuleCollection []
Collection of network rule collections used by Azure Firewall.
properties.provisioningState
ProvisioningState
The provisioning state of the Azure firewall resource.
properties.sku
AzureFirewallSku
The Azure Firewall Resource SKU.
properties.threatIntelMode
AzureFirewallThreatIntelMode
The operation mode for Threat Intelligence.
properties.virtualHub
SubResource
The virtualHub to which the firewall belongs.
tags
object
Resource tags.
type
string
Resource type.
zones
string[]
A list of availability zones denoting where the resource needs to come from.
AzureFirewallApplicationRule
Properties of an application rule.
Name
Type
Description
description
string
Description of the rule.
fqdnTags
string[]
List of FQDN Tags for this rule.
name
string
Name of the application rule.
protocols
AzureFirewallApplicationRuleProtocol []
Array of ApplicationRuleProtocols.
sourceAddresses
string[]
List of source IP addresses for this rule.
sourceIpGroups
string[]
List of source IpGroups for this rule.
targetFqdns
string[]
List of FQDNs for this rule.
AzureFirewallApplicationRuleCollection
Application rule collection resource.
Name
Type
Description
etag
string
A unique read-only string that changes whenever the resource is updated.
id
string
Resource ID.
name
string
The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
properties.action
AzureFirewallRCAction
The action type of a rule collection.
properties.priority
integer
Priority of the application rule collection resource.
properties.provisioningState
ProvisioningState
The provisioning state of the application rule collection resource.
properties.rules
AzureFirewallApplicationRule []
Collection of rules used by an application rule collection.
AzureFirewallApplicationRuleProtocol
Properties of the application rule protocol.
Name
Type
Description
port
integer
Port number for the protocol.
protocolType
AzureFirewallApplicationRuleProtocolType
Protocol type.
AzureFirewallApplicationRuleProtocolType
The protocol type of an Application Rule resource.
Name
Type
Description
Http
string
Https
string
Mssql
string
AzureFirewallIPConfiguration
IP configuration of an Azure Firewall.
Name
Type
Description
etag
string
A unique read-only string that changes whenever the resource is updated.
id
string
Resource ID.
name
string
Name of the resource that is unique within a resource group. This name can be used to access the resource.
properties.privateIPAddress
string
The Firewall Internal Load Balancer IP to be used as the next hop in User Defined Routes.
properties.provisioningState
ProvisioningState
The provisioning state of the Azure firewall IP configuration resource.
properties.publicIPAddress
SubResource
Reference to the PublicIP resource. This field is a mandatory input if subnet is not null.
properties.subnet
SubResource
Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'.
type
string
Type of the resource.
AzureFirewallIpGroups
IpGroups associated with azure firewall.
Name
Type
Description
changeNumber
string
The iteration number.
id
string
Resource ID.
AzureFirewallNatRCAction
AzureFirewall NAT Rule Collection Action.
Name
Type
Description
type
AzureFirewallNatRCActionType
The type of action.
AzureFirewallNatRCActionType
The action type of a NAT rule collection.
Name
Type
Description
Dnat
string
Snat
string
AzureFirewallNatRule
Properties of a NAT rule.
Name
Type
Description
description
string
Description of the rule.
destinationAddresses
string[]
List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags.
destinationPorts
string[]
List of destination ports.
name
string
Name of the NAT rule.
protocols
AzureFirewallNetworkRuleProtocol []
Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule.
sourceAddresses
string[]
List of source IP addresses for this rule.
sourceIpGroups
string[]
List of source IpGroups for this rule.
translatedAddress
string
The translated address for this NAT rule.
translatedFqdn
string
The translated FQDN for this NAT rule.
translatedPort
string
The translated port for this NAT rule.
AzureFirewallNatRuleCollection
NAT rule collection resource.
Name
Type
Description
etag
string
A unique read-only string that changes whenever the resource is updated.
id
string
Resource ID.
name
string
The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
properties.action
AzureFirewallNatRCAction
The action type of a NAT rule collection.
properties.priority
integer
Priority of the NAT rule collection resource.
properties.provisioningState
ProvisioningState
The provisioning state of the NAT rule collection resource.
properties.rules
AzureFirewallNatRule []
Collection of rules used by a NAT rule collection.
AzureFirewallNetworkRule
Properties of the network rule.
Name
Type
Description
description
string
Description of the rule.
destinationAddresses
string[]
List of destination IP addresses.
destinationFqdns
string[]
List of destination FQDNs.
destinationIpGroups
string[]
List of destination IpGroups for this rule.
destinationPorts
string[]
List of destination ports.
name
string
Name of the network rule.
protocols
AzureFirewallNetworkRuleProtocol []
Array of AzureFirewallNetworkRuleProtocols.
sourceAddresses
string[]
List of source IP addresses for this rule.
sourceIpGroups
string[]
List of source IpGroups for this rule.
AzureFirewallNetworkRuleCollection
Network rule collection resource.
Name
Type
Description
etag
string
A unique read-only string that changes whenever the resource is updated.
id
string
Resource ID.
name
string
The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
properties.action
AzureFirewallRCAction
The action type of a rule collection.
properties.priority
integer
Priority of the network rule collection resource.
properties.provisioningState
ProvisioningState
The provisioning state of the network rule collection resource.
properties.rules
AzureFirewallNetworkRule []
Collection of rules used by a network rule collection.
AzureFirewallNetworkRuleProtocol
The protocol of a Network Rule resource.
Name
Type
Description
Any
string
ICMP
string
TCP
string
UDP
string
AzureFirewallPublicIPAddress
Public IP Address associated with azure firewall.
Name
Type
Description
address
string
Public IP Address value.
AzureFirewallRCAction
Properties of the AzureFirewallRCAction.
Name
Type
Description
type
AzureFirewallRCActionType
The type of action.
AzureFirewallRCActionType
The action type of a rule collection.
Name
Type
Description
Allow
string
Deny
string
AzureFirewallSku
SKU of an Azure Firewall.
Name
Type
Description
name
AzureFirewallSkuName
Name of an Azure Firewall SKU.
tier
AzureFirewallSkuTier
Tier of an Azure Firewall.
AzureFirewallSkuName
Name of an Azure Firewall SKU.
Name
Type
Description
AZFW_Hub
string
AZFW_VNet
string
AzureFirewallSkuTier
Tier of an Azure Firewall.
Name
Type
Description
Basic
string
Premium
string
Standard
string
AzureFirewallThreatIntelMode
The operation mode for Threat Intel.
Name
Type
Description
Alert
string
Deny
string
Off
string
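The request body in the samples above and the definition tables (AzureFirewallIPConfiguration, the rule collection and rule types, AzureFirewallThreatIntelMode) state several constraints the service enforces: the subnet must be named AzureFirewallSubnet or AzureFirewallManagementSubnet, publicIPAddress is mandatory when a subnet is set, and action, protocol and threatIntelMode values are closed enums. The pre-flight review below is an added example written for this page, not code from the Azure SDK or from the page's own samples. It checks a PUT body against those constraints before the request is sent and flags the exposure decisions a reviewer wants to see: DNAT rules that accept any source, any-to-any Allow network rules, and threat intelligence not in Deny mode. The 100-65000 priority range and the expectation that a priority is used once per collection type are assumptions about Azure Firewall behaviour, not statements on this page; the sample body is a constructed copy of the AzureFirewallPutWithZones request.

```javascript
// Pre-flight review of an Azure Firewall PUT body (classic rule collections).
// Example code added for this page; not part of the Azure SDK or the page's samples.
// Hard checks come from the Definitions tables (firewall subnet naming, mandatory
// publicIPAddress, action / protocol / threatIntelMode enums). The 100-65000
// priority range and one-priority-per-collection-type rule are assumptions
// about Azure Firewall behaviour, not statements on this page.

const RC_ACTIONS = new Set(["Allow", "Deny"]);                // AzureFirewallRCActionType
const NAT_ACTIONS = new Set(["Dnat", "Snat"]);                // AzureFirewallNatRCActionType
const NET_PROTOCOLS = new Set(["Any", "ICMP", "TCP", "UDP"]); // AzureFirewallNetworkRuleProtocol
const APP_PROTOCOLS = new Set(["Http", "Https", "Mssql"]);    // AzureFirewallApplicationRuleProtocolType
const THREAT_INTEL = new Set(["Alert", "Deny", "Off"]);       // AzureFirewallThreatIntelMode
const FIREWALL_SUBNETS = new Set(["AzureFirewallSubnet", "AzureFirewallManagementSubnet"]);

// Walks one rule-collection list: action enum, priority range and uniqueness,
// then the per-rule check for that collection type.
function reviewCollections(list, kind, actions, ruleCheck, out) {
  const seen = new Map();
  for (const c of list) {
    const where = `${kind}/${c.name}`;
    if (!actions.has(c.action?.type)) out.push({ level: "error", where, msg: `unknown action ${c.action?.type}` });
    if (!Number.isInteger(c.priority) || c.priority < 100 || c.priority > 65000)
      out.push({ level: "error", where, msg: `priority ${c.priority} outside 100-65000 (assumed range)` });
    if (seen.has(c.priority))
      out.push({ level: "warn", where, msg: `priority ${c.priority} also used by ${seen.get(c.priority)} (assumed unique per type)` });
    seen.set(c.priority, c.name);
    for (const r of c.rules || []) ruleCheck(r, c, `${where}/${r.name}`, out);
  }
}

function appRule(r, c, where, out) {
  for (const p of r.protocols || [])
    if (!APP_PROTOCOLS.has(p.protocolType)) out.push({ level: "error", where, msg: `unknown protocolType ${p.protocolType}` });
  if (!(r.targetFqdns?.length || r.fqdnTags?.length))
    out.push({ level: "error", where, msg: "application rule needs targetFqdns or fqdnTags" });
}

function natRule(r, c, where, out) {
  for (const p of r.protocols || [])
    if (!NET_PROTOCOLS.has(p)) out.push({ level: "error", where, msg: `unknown protocol ${p}` });
  const targets = [r.translatedAddress, r.translatedFqdn].filter(Boolean).length;
  if (targets !== 1) out.push({ level: "error", where, msg: "NAT rule needs exactly one of translatedAddress or translatedFqdn" });
  // A DNAT rule with sourceAddresses ["*"] publishes the translated backend to every internet source.
  if (c.action?.type === "Dnat" && (r.sourceAddresses || []).includes("*"))
    out.push({ level: "warn", where, msg: `DNAT from any source: ${r.destinationAddresses}:${r.destinationPorts} -> ${r.translatedAddress || r.translatedFqdn}:${r.translatedPort}` });
}

function netRule(r, c, where, out) {
  for (const p of r.protocols || [])
    if (!NET_PROTOCOLS.has(p)) out.push({ level: "error", where, msg: `unknown protocol ${p}` });
  if (!(r.destinationAddresses?.length || r.destinationFqdns?.length || r.destinationIpGroups?.length))
    out.push({ level: "error", where, msg: "network rule needs destinationAddresses, destinationFqdns or destinationIpGroups" });
  if (c.action?.type === "Allow" && (r.sourceAddresses || []).includes("*") && (r.destinationAddresses || []).includes("*"))
    out.push({ level: "warn", where, msg: "any-to-any Allow rule" });
}

// Returns a list of { level: "error" | "warn", where, msg } findings for a request body.
function reviewFirewall(body) {
  const out = [];
  for (const ipc of body.ipConfigurations || []) {
    const where = `ipConfigurations/${ipc.name}`;
    if (!ipc.subnet) continue;
    const name = ipc.subnet.id.split("/").pop();
    if (!FIREWALL_SUBNETS.has(name))
      out.push({ level: "error", where, msg: `subnet must be named AzureFirewallSubnet or AzureFirewallManagementSubnet, got ${name}` });
    if (!ipc.publicIPAddress) out.push({ level: "error", where, msg: "publicIPAddress is mandatory when subnet is set" });
  }
  const ti = body.threatIntelMode;
  if (!THREAT_INTEL.has(ti)) out.push({ level: "error", where: "threatIntelMode", msg: `unknown value ${ti}` });
  else if (ti === "Alert") out.push({ level: "warn", where: "threatIntelMode", msg: "Alert: threat-intel hits are logged, not blocked" });
  else if (ti === "Off") out.push({ level: "warn", where: "threatIntelMode", msg: "Off: threat intelligence disabled" });
  reviewCollections(body.applicationRuleCollections || [], "applicationRuleCollections", RC_ACTIONS, appRule, out);
  reviewCollections(body.natRuleCollections || [], "natRuleCollections", NAT_ACTIONS, natRule, out);
  reviewCollections(body.networkRuleCollections || [], "networkRuleCollections", RC_ACTIONS, netRule, out);
  return out;
}

// Constructed request body mirroring this page's AzureFirewallPutWithZones sample.
const SAMPLE_BODY = {
  location: "West US 2", threatIntelMode: "Alert", sku: { name: "AZFW_VNet", tier: "Standard" },
  ipConfigurations: [{ name: "azureFirewallIpConfiguration",
    subnet: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet" },
    publicIPAddress: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName" } }],
  applicationRuleCollections: [{ name: "apprulecoll", priority: 110, action: { type: "Deny" }, rules: [
    { name: "rule1", protocols: [{ protocolType: "Https", port: 443 }], sourceAddresses: ["216.58.216.164", "10.0.0.0/24"], targetFqdns: ["www.test.com"] } ] }],
  natRuleCollections: [{ name: "natrulecoll", priority: 112, action: { type: "Dnat" }, rules: [
    { name: "DNAT-HTTPS-traffic", protocols: ["TCP"], sourceAddresses: ["*"], destinationAddresses: ["1.2.3.4"], destinationPorts: ["443"], translatedAddress: "1.2.3.5", translatedPort: "8443" },
    { name: "DNAT-HTTP-traffic-With-FQDN", protocols: ["TCP"], sourceAddresses: ["*"], destinationAddresses: ["1.2.3.4"], destinationPorts: ["80"], translatedFqdn: "internalhttpserver", translatedPort: "880" } ] }],
  networkRuleCollections: [{ name: "netrulecoll", priority: 112, action: { type: "Deny" }, rules: [
    { name: "L4-traffic", protocols: ["TCP"], sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"], destinationAddresses: ["*"], destinationPorts: ["443-444", "8443"] },
    { name: "L4-traffic-with-FQDN", protocols: ["TCP"], sourceAddresses: ["10.2.4.12-10.2.4.255"], destinationFqdns: ["www.amazon.com"], destinationPorts: ["443-444", "8443"] } ] }],
};

for (const f of reviewFirewall(SAMPLE_BODY)) console.log(`${f.level.toUpperCase()} ${f.where}: ${f.msg}`);
```

Run against the page's sample body it reports no errors and three warnings: threatIntelMode is Alert, and both DNAT rules accept sourceAddresses ["*"], so 1.2.3.4 on ports 443 and 80 is reachable from any internet source and forwarded to the translated backends. The NAT and network collections both use priority 112 without a warning because the assumed uniqueness rule is applied per collection type; renaming the subnet to anything other than the two permitted names, or dropping publicIPAddress, turns into errors that the service would reject anyway, so it is cheaper to catch them before the long-running PUT.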
CloudError
An error response from the service.
CloudErrorBody
An error response from the service.
Name
Type
Description
code
string
An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
details
CloudErrorBody []
A list of additional details about the error.
message
string
A message describing the error, intended to be suitable for display in a user interface.
target
string
The target of the particular error. For example, the name of the property in error.
HubIPAddresses
IP addresses associated with azure firewall.
Name
Type
Description
privateIPAddress
string
Private IP Address associated with azure firewall.
publicIPs
HubPublicIPAddresses
Public IP addresses associated with azure firewall.
HubPublicIPAddresses
Public IP addresses associated with azure firewall.
Name
Type
Description
addresses
AzureFirewallPublicIPAddress []
The list of Public IP addresses associated with azure firewall or IP addresses to be retained.
count
integer
The number of Public IP addresses associated with azure firewall.
ProvisioningState
The current provisioning state.
Name
Type
Description
Deleting
string
Failed
string
Succeeded
string
Updating
string
SubResource
Reference to another subresource.
Name
Type
Description
id
string
Resource ID.