Azure Firewall with Policy Rule collection loop

Time:07-12

I am trying to deploy the Azure Firewall Premium with Policies enabled and need to add a load of network rule collections.

I have the rule collections in the parameters file and need to cycle through each and add to the policy.

"FirewallSettings": {
            "value": {
                "firewallPrefix": "efw",
                "numberOfPublicIPAddresses": 2,
                "threatIntelMode": "Deny",
                "networkRuleCollections": [
                    {
                        "name": "allowPing",
                        "priority": 200,
                        "type": "Allow",
                        "rules": [
                            {
                                "name": "Ping",
                                "protocols": [
                                    "ICMP"
                                ],
                                "sourceAddresses": [
                                    "*"
                                ],
                                "destinationAddresses": [
                                    "*"
                                ],
                                "sourceIpGroups": [],
                                "destinationIpGroups": [],
                                "destinationFqdns": [],
                                "destinationPorts": [
                                    "*"
                                ]
                            }
                        ]
                    },
                    {
                        "name": "allowEventHub",
                        "priority": 301,
                        "type": "Allow",
                        "rules": [
                            {
                                "name": "eventHubOut",
                                "protocols": [
                                    "TCP"
                                ],
                                "sourceAddresses": [
                                    "10.4.1.4"
                                ],
                                "destinationAddresses": [
                                    "*"
                                ],
                                "sourceIpGroups": [],
                                "destinationIpGroups": [],
                                "destinationFqdns": [],
                                "destinationPorts": [
                                    "*"
                                ]
                            }
                        ]
                    },
...

and within my template I am trying:

resource networkRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'firewallNetworkPolicies'
  parent: azureFirewallPolicy
  properties: {
    priority: 100
    ruleCollections: [for i in range(0, length(firewallSettings.networkRuleCollections)): {
      
        name: '${firewallSettings.networkRuleCollections[i].name}'
        priority: '${firewallSettings.networkRuleCollections[i].priority}'
        ruleCollectionType: 'NetworkRule'
        destinationAddresses: [
          '${firewallSettings.networkRuleCollections[i].rules.destinationAddresses}'
        ]
        destinationFqdns: [
          '${firewallSettings.networkRuleCollections[i].rules.destinationFqdns}'
        ]
        destinationIpGroups: [
          '${firewallSettings.networkRuleCollections[i].rules.destinationIpGroups}'
        ]
        destinationPorts: [
          '${firewallSettings.networkRuleCollections[i].rules.destinationPorts}'
        ]
        ipProtocols: [
          '${firewallSettings.networkRuleCollections[i].rules.protocols}'
        ]
        sourceAddresses: [
          '${firewallSettings.networkRuleCollections[i].rules.sourceAddresses}'
        ]
        sourceIpGroups: [
          '${firewallSettings.networkRuleCollections[i].rules.sourceIpGroups}'
        ]
      }]
  }
}

But it throws an error:

The language expression property 'destinationAddresses' has an invalid array index

which I think is because it's expecting an array of destinationAddresses, but I can't work out the syntax to specify the array?

Any ideas?

CodePudding user response:

Few things here:

  • The rules property inside networkRuleCollections is defined as an array. So you would need to query it like that: ${firewallSettings.networkRuleCollections[i].rules[0]} (assuming there is only one rule).

  • The rule properties defined in the parameters file are already arrays (i.e.: protocols, sourceAddresses ...) so you could just assign the property directly: destinationAddresses: firewallSettings.networkRuleCollections[i].rules[0].destinationAddresses.

Full sample based on your parameters file:

resource networkRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'firewallNetworkPolicies'
  parent: azureFirewallPolicy
  properties: {
    priority: 100
    ruleCollections: [for i in range(0, length(firewallSettings.networkRuleCollections)): {
      name: '${firewallSettings.networkRuleCollections[i].name}'
      priority: '${firewallSettings.networkRuleCollections[i].priority}'
      ruleCollectionType: 'NetworkRule'
      destinationAddresses: firewallSettings.networkRuleCollections[i].rules[0].destinationAddresses
      destinationFqdns: firewallSettings.networkRuleCollections[i].rules[0].destinationFqdns
      destinationIpGroups: firewallSettings.networkRuleCollections[i].rules[0].destinationIpGroups
      destinationPorts: firewallSettings.networkRuleCollections[i].rules[0].destinationPorts
      ipProtocols: firewallSettings.networkRuleCollections[i].rules[0].protocols
      sourceAddresses: firewallSettings.networkRuleCollections[i].rules[0].sourceAddresses
      sourceIpGroups: firewallSettings.networkRuleCollections[i].rules[0].sourceIpGroups
    }]
  }
}
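The answer flattens one rule's properties onto the collection; the ruleCollectionGroups resource actually expects each collection to carry a `ruleCollectionType`, an `action`, and a `rules` array whose items have `ruleType: 'NetworkRule'`, so a nested loop covers every rule in the parameters file rather than only `rules[0]`. The following is an added example, not the answer's or the question's code. It assumes a `firewallSettings` parameter shaped exactly like the question's parameters file, the `azureFirewallPolicy` parent from the question (declared here as an existing resource with an assumed name), and the 2021-08-01 API version used on the page.

```bicep
// Added example: ruleCollectionGroups resource whose shape matches the
// Microsoft.Network/firewallPolicies/ruleCollectionGroups schema, filled from
// the question's firewallSettings parameter. Assumptions:
//   - firewallSettings has the shape of the question's parameters file
//   - the parent policy name below is a placeholder; use the real policy name
param firewallSettings object

resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2021-08-01' existing = {
  name: '${firewallSettings.firewallPrefix}-policy'   // assumed naming, not from the page
}

resource networkRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'firewallNetworkPolicies'
  parent: azureFirewallPolicy
  properties: {
    priority: 100
    // Outer loop: one filter rule collection per entry in the parameters file.
    ruleCollections: [for collection in firewallSettings.networkRuleCollections: {
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: collection.name
      priority: collection.priority          // already an int in the parameters; no string interpolation
      action: {
        type: collection.type                // 'Allow' or 'Deny', taken from the "type" field
      }
      // Inner loop: every rule in the collection, not just rules[0].
      rules: [for rule in collection.rules: {
        ruleType: 'NetworkRule'
        name: rule.name
        ipProtocols: rule.protocols          // parameter key "protocols" maps to "ipProtocols"
        sourceAddresses: rule.sourceAddresses
        sourceIpGroups: rule.sourceIpGroups
        destinationAddresses: rule.destinationAddresses
        destinationIpGroups: rule.destinationIpGroups
        destinationFqdns: rule.destinationFqdns
        destinationPorts: rule.destinationPorts
      }]
    }]
  }
}
```

Because the arrays in the parameters file are passed through unchanged, whatever is in them becomes live policy: the `allowPing` and `allowEventHub` collections shown above use `*` for source, destination or ports, so the parameters file, not the template, is where those scopes should be narrowed before deployment.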