Support for Source & Destination IpGroups in AzureFirewall Rules #10726

@ssripadham

Description

Resource Provider

Microsoft.Network

Description of Feature or Work Requested

We are building a facility in Azure Networking that will allow Azure customers to group IP address prefixes to define rules in Azure Networking. This will help customers manage and minimize the overall complexity of security rule creation.

Customers will create an IpGroups resource (a new top-level resource) and specify a set of IP addresses to include within the tag. These tags will then be used by existing resources such as Azure Firewall.

IpGroups Changes

We will need to add CLI support for a new top-level resource in Microsoft.Network based on the swagger described in the Swagger section below.

AzureFirewall Changes

Azure Firewall will support IpGroups, which can be used in network/application/DNAT rules as described below.

  • As a source or destination address in AZFW network rules
  • As a source address in AZFW application rules
  • As a source address in DNAT rules.

Need support for the following three things:

1. Azure Firewall Application Rules

    "AzureFirewallApplicationRule": {
      "properties": {
        "name": {
          "type": "string",
          "description": "Name of the application rule."
        },
        "description": {
          "type": "string",
          "description": "Description of the rule."
        },
        ...
        "sourceIpGroups": {
          "type": "array",
          "description": "List of source IP Groups for this rule.",
          "items": {
            "type": "string"
          }
        },
        ...
      }
    }

2. Azure Firewall NAT Rules

    "AzureFirewallNatRule": {
      "properties": {
        "name": {
          "type": "string",
          "description": "Name of the NAT rule."
        },
        "description": {
          "type": "string",
          "description": "Description of the rule."
        },
        ...
        "sourceIpGroups": {
          "type": "array",
          "description": "List of source IP Groups for this rule.",
          "items": {
            "type": "string"
          }
        }
        ...
      }
    }

3. Azure Firewall Network Rules

    "AzureFirewallNetworkRule": {
      "properties": {
        "name": {
          "type": "string",
          "description": "Name of the network rule."
        },
        "description": {
          "type": "string",
          "description": "Description of the rule."
        },
        ...
        "sourceIpGroups": {
          "type": "array",
          "description": "List of source IP Groups for this rule.",
          "items": {
            "type": "string"
          }
        },
        "destinationIpGroups": {
          "type": "array",
          "description": "List of destination IP Groups for this rule.",
          "items": {
            "type": "string"
          }
        },
        ...
      }
    }
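The three schema fragments above only say where an IpGroups reference may appear (source on every rule type, destination on network rules only) and that each entry is a string. The following is an added example, not code from this issue or from azure-cli, that builds one rule of each type and checks those constraints before the payload is sent: the subscription, resource group, group names and addresses are constructed, the ARM resource-ID layout for Microsoft.Network/ipGroups is assumed from the standard /subscriptions/.../providers/... pattern, and the rule fields the issue elides with "..." (protocols, destinationPorts, targetFqdns, translatedAddress and so on) are assumed from the published Azure Firewall schema.

```python
"""Build and sanity-check Azure Firewall rules that reference IpGroups.

Added example; not code from the issue or from azure-cli. It follows the
swagger fragments quoted above: sourceIpGroups on application, NAT and
network rules, destinationIpGroups on network rules only. The subscription,
resource group, group names and addresses are constructed, and the ARM
resource-ID layout for Microsoft.Network/ipGroups is assumed from the
standard /subscriptions/.../providers/... pattern.
"""
import json
import re

# Constructed identifiers for the examples below.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-hub-fw"

# Which IpGroups fields each rule type carries, per the swagger in the issue.
ALLOWED_IPGROUP_FIELDS = {
    "AzureFirewallApplicationRule": {"sourceIpGroups"},
    "AzureFirewallNatRule": {"sourceIpGroups"},
    "AzureFirewallNetworkRule": {"sourceIpGroups", "destinationIpGroups"},
}

# IpGroups are referenced by full ARM resource ID, never by bare name (assumed layout).
IPGROUP_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/ipGroups/[A-Za-z0-9_.-]+$"
)


def ipgroup_id(name: str) -> str:
    """ARM resource ID of an IpGroups resource in the constructed subscription/RG."""
    return (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.Network/ipGroups/{name}")


def validate_rule(rule_type: str, rule: dict) -> list:
    """Return the problems found in a rule; an empty list means it is well-formed."""
    allowed = ALLOWED_IPGROUP_FIELDS.get(rule_type)
    if allowed is None:
        return [f"unknown rule type {rule_type!r}"]
    problems = []
    if not rule.get("name"):
        problems.append("rule has no name")
    # destinationIpGroups exists only on network rules; reject it elsewhere.
    for field in ("sourceIpGroups", "destinationIpGroups"):
        if field in rule and field not in allowed:
            problems.append(f"{field} is not defined for {rule_type}")
    # Every IpGroups entry must be a Microsoft.Network/ipGroups resource ID.
    for field in sorted(allowed):
        for ref in rule.get(field, []):
            if not IPGROUP_ID_RE.match(ref):
                problems.append(f"{field}: {ref!r} is not an ipGroups resource ID")
    # A rule still needs some source match: literal addresses or a group.
    if not rule.get("sourceAddresses") and not rule.get("sourceIpGroups"):
        problems.append("rule has neither sourceAddresses nor sourceIpGroups")
    return problems


def make_rule(rule_type: str, name: str, **fields) -> dict:
    """Assemble a rule of the given type, dropping empty fields, and validate it."""
    rule = {"name": name}
    rule.update({k: v for k, v in fields.items() if v})
    problems = validate_rule(rule_type, rule)
    if problems:
        raise ValueError(f"{rule_type} {name!r}: " + "; ".join(problems))
    return rule


def build_examples() -> dict:
    """One rule of each type, using IpGroups where the swagger permits them."""
    app_subnets = ipgroup_id("ipg-app-subnets")
    dns_servers = ipgroup_id("ipg-dns-servers")
    return {
        # Network rule: IpGroups on both sides.
        "network": make_rule(
            "AzureFirewallNetworkRule", "allow-dns",
            protocols=["UDP"], destinationPorts=["53"],
            sourceIpGroups=[app_subnets], destinationIpGroups=[dns_servers]),
        # Application rule: IpGroups as source only; the destination stays an FQDN.
        "application": make_rule(
            "AzureFirewallApplicationRule", "allow-updates",
            protocols=[{"protocolType": "Https", "port": 443}],
            targetFqdns=["*.update.microsoft.com"],
            sourceIpGroups=[app_subnets]),
        # DNAT rule: IpGroups as source only; the destination is the firewall's public IP.
        "nat": make_rule(
            "AzureFirewallNatRule", "dnat-ssh-jump",
            protocols=["TCP"], sourceIpGroups=[ipgroup_id("ipg-ops-ranges")],
            destinationAddresses=["203.0.113.10"], destinationPorts=["22"],
            translatedAddress="10.0.1.4", translatedPort="22"),
    }


if __name__ == "__main__":
    print(json.dumps(build_examples(), indent=2))
```

Because a rule carries only a reference to the group, editing the IpGroups resource silently changes the match set of every rule that points at it; write access to the group is therefore as sensitive as write access to the firewall rule collections themselves, and a pre-flight check like the one above should be paired with restricting who can modify the groups.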

Minimum API Version Required

2019-09-01

Swagger Link

The Swagger Changes will be in image

Swagger from reviewed branch:

IpTags Swagger

Azure Firewall Swagger

Target Date

We are targeting this feature for Ignite, so it would help us if you could make the CLI available by the 3rd week of October.

Labels

Network (az network vnet/lb/nic/dns/etc...)
