# Deploy Azure Firewall and a Firewall Policy

This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated with the Firewall.

## Resources

| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group for all the deployed resources. |
| `azurerm_virtual_network` | The virtual network for the firewall. |
| `azurerm_subnet` | The firewall subnet. |
| `azurerm_public_ip` | The firewall public IP address. |
| `azurerm_firewall` | The premium Azure Firewall. |
| `azurerm_firewall_policy` | The policy associated with the Firewall. |
| `azurerm_firewall_policy_rule_collection_group` | The rule collection group for the firewall policy. |
| `azurerm_ip_group` | The IP group for source addresses. |

## Variables

| Name | Description |
|-|-|
| `location` | Location for your resources. |
| `tags` | Tags to organize your resources. |
| `fw_sku` | SKU tier for your Firewall and Firewall Policy. |

## Example

```powershell
terraform plan -out main.tfplan
# azurerm_firewall.fw will be created + resource "azurerm_firewall" "fw" { + firewall_policy_id = (known after apply) + id = (known after apply) + location = "eastus" + name = "azfw" + resource_group_name = "azfw-rg" + sku_name = "AZFW_VNet" + sku_tier = "Premium" + threat_intel_mode = (known after apply) + ip_configuration { + name = "azfw-ipconfig" + private_ip_address = (known after apply) + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # azurerm_firewall_policy.azfw_policy will be created + resource "azurerm_firewall_policy" "azfw_policy" { + child_policies = (known after apply) + firewalls = (known after apply) + id = (known after apply) + location = "eastus" + name = "azfw-policy" + resource_group_name = "azfw-rg" + rule_collection_groups = (known after apply) + sku = "Premium" + threat_intelligence_mode = "Alert" } # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + resource 
"azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + firewall_policy_id = (known after apply) + id = (known after apply) + name = "DefaulApplicationtRuleCollectionGroup" + priority = 300 + application_rule_collection { + action = "Allow" + name = "DefaultApplicationRuleCollection" + priority = 500 + rule { + description = "Allow Windows Update" + destination_fqdn_tags = [ + "WindowsUpdate", ] + name = "AllowWindowsUpdate" + source_ip_groups = (known after apply) + protocols { + port = 80 + type = "Http" } + protocols { + port = 443 + type = "Https" } } + rule { + description = "Allow access to Microsoft.com" + destination_fqdns = [ + "*.microsoft.com", ] + name = "Global Rule" + source_ip_groups = (known after apply) + terminate_tls = false + protocols { + port = 443 + type = "Https" } } } } # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { + firewall_policy_id = (known after apply) + id = (known after apply) + name = "DefaultNetworkRuleCollectionGroup" + priority = 200 + network_rule_collection { + action = "Allow" + name = "DefaultNetworkRuleCollection" + priority = 200 + rule { + destination_addresses = [ + "132.86.101.172", ] + destination_ports = [ + "123", ] + name = "time-windows" + protocols = [ + "UDP", ] + source_ip_groups = (known after apply) } } } # azurerm_ip_group.infra_ip_group will be created + resource "azurerm_ip_group" "infra_ip_group" { + cidrs = [ + "10.40.0.0/24", + "10.50.0.0/24", ] + firewall_ids = (known after apply) + firewall_policy_ids = (known after apply) + id = (known after apply) + location = "eastus" + name = "infra-ip-group" + resource_group_name = "azfw-rg" } # azurerm_ip_group.workload_ip_group will be created + resource "azurerm_ip_group" "workload_ip_group" { + cidrs = [ + "10.20.0.0/24", + "10.30.0.0/24", ] + firewall_ids = (known after apply) + 
firewall_policy_ids = (known after apply) + id = (known after apply) + location = "eastus" + name = "workload-ip-group" + resource_group_name = "azfw-rg" } # azurerm_public_ip.pip_azfw will be created + resource "azurerm_public_ip" "pip_azfw" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "eastus" + name = "pip-azfw" + resource_group_name = "azfw-rg" + sku = "Standard" + sku_tier = "Regional" + tags = { + "costcenter" = "1234556677" + "environment" = "dev" + "owner" = "cloud team" + "workload" = "azure firewall" } } # azurerm_resource_group.azfw_rg will be created + resource "azurerm_resource_group" "azfw_rg" { + id = (known after apply) + location = "eastus" + name = "azfw-rg" + tags = { + "costcenter" = "1234556677" + "environment" = "dev" + "owner" = "cloud team" + "workload" = "azure firewall" } } # azurerm_subnet.azfw_subnet will be created + resource "azurerm_subnet" "azfw_subnet" { + address_prefixes = [ + "10.10.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureFirewallSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "azfw-rg" + virtual_network_name = "azfw-vnet" } # azurerm_virtual_network.azfw_vnet will be created + resource "azurerm_virtual_network" "azfw_vnet" { + address_space = [ + "10.10.0.0/24", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "eastus" + name = "azfw-vnet" + resource_group_name = "azfw-rg" + subnet = (known after apply) } Plan: 10 to add, 0 to change, 0 to destroy.
```