Tips-Of-Mine/terraform-azure
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
terraform-azure/quickstart/101-azfw-with-fwpolicy/README.md
Charles Shea ed29f3c468 adding azfw quickstarts
2023-08-22 19:02:39 -04:00

230 lines
8.2 KiB
Markdown
Raw Blame History

# Deploy Azure Firewall and a Firewall Policy
This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall.
## Resources
| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group all the deployed resources.|
| `azurerm_virtual_network` | The virtual network for the firewall. |
| `azurerm_subnet` |The firewall subnet.|
| `azurerm_public_ip` | The firewall public IP address. |
| `azurerm_firewall` | The premium Azure Firewall. |
| `azurerm_firewall_policy` | The policy associated to the Firewall |
| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy |
| `azurerm_ip_group` | The IP group for source addresses. |
## Variables
| Name | Description |
|-|-|
| `location` | location for your resources |
| `tags` | tags to organize your resources |
| `fw_sku` | Sku size for your Firewall and Firewall Policy |
## Example
```powershell
terraform plan -out main.tfplan
# azurerm_firewall.fw will be created
+ resource "azurerm_firewall" "fw" {
+ firewall_policy_id = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw"
+ resource_group_name = "azfw-rg"
+ sku_name = "AZFW_VNet"
+ sku_tier = "Premium"
+ threat_intel_mode = (known after apply)
+ ip_configuration {
+ name = "azfw-ipconfig"
+ private_ip_address = (known after apply)
+ public_ip_address_id = (known after apply)
+ subnet_id = (known after apply)
}
}
# azurerm_firewall_policy.azfw_policy will be created
+ resource "azurerm_firewall_policy" "azfw_policy" {
+ child_policies = (known after apply)
+ firewalls = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw-policy"
+ resource_group_name = "azfw-rg"
+ rule_collection_groups = (known after apply)
+ sku = "Premium"
+ threat_intelligence_mode = "Alert"
}
# azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created
+ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ firewall_policy_id = (known after apply)
+ id = (known after apply)
+ name = "DefaulApplicationtRuleCollectionGroup"
+ priority = 300
+ application_rule_collection {
+ action = "Allow"
+ name = "DefaultApplicationRuleCollection"
+ priority = 500
+ rule {
+ description = "Allow Windows Update"
+ destination_fqdn_tags = [
+ "WindowsUpdate",
]
+ name = "AllowWindowsUpdate"
+ source_ip_groups = (known after apply)
+ protocols {
+ port = 80
+ type = "Http"
}
+ protocols {
+ port = 443
+ type = "Https"
}
}
+ rule {
+ description = "Allow access to Microsoft.com"
+ destination_fqdns = [
+ "*.microsoft.com",
]
+ name = "Global Rule"
+ source_ip_groups = (known after apply)
+ terminate_tls = false
+ protocols {
+ port = 443
+ type = "Https"
}
}
}
}
# azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created
+ resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
+ firewall_policy_id = (known after apply)
+ id = (known after apply)
+ name = "DefaultNetworkRuleCollectionGroup"
+ priority = 200
+ network_rule_collection {
+ action = "Allow"
+ name = "DefaultNetworkRuleCollection"
+ priority = 200
+ rule {
+ destination_addresses = [
+ "132.86.101.172",
]
+ destination_ports = [
+ "123",
]
+ name = "time-windows"
+ protocols = [
+ "UDP",
]
+ source_ip_groups = (known after apply)
}
}
}
# azurerm_ip_group.infra_ip_group will be created
+ resource "azurerm_ip_group" "infra_ip_group" {
+ cidrs = [
+ "10.40.0.0/24",
+ "10.50.0.0/24",
]
+ firewall_ids = (known after apply)
+ firewall_policy_ids = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "infra-ip-group"
+ resource_group_name = "azfw-rg"
}
# azurerm_ip_group.workload_ip_group will be created
+ resource "azurerm_ip_group" "workload_ip_group" {
+ cidrs = [
+ "10.20.0.0/24",
+ "10.30.0.0/24",
]
+ firewall_ids = (known after apply)
+ firewall_policy_ids = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "workload-ip-group"
+ resource_group_name = "azfw-rg"
}
# azurerm_public_ip.pip_azfw will be created
+ resource "azurerm_public_ip" "pip_azfw" {
+ allocation_method = "Static"
+ ddos_protection_mode = "VirtualNetworkInherited"
+ fqdn = (known after apply)
+ id = (known after apply)
+ idle_timeout_in_minutes = 4
+ ip_address = (known after apply)
+ ip_version = "IPv4"
+ location = "eastus"
+ name = "pip-azfw"
+ resource_group_name = "azfw-rg"
+ sku = "Standard"
+ sku_tier = "Regional"
+ tags = {
+ "costcenter" = "1234556677"
+ "environment" = "dev"
+ "owner" = "cloud team"
+ "workload" = "azure firewall"
}
}
# azurerm_resource_group.azfw_rg will be created
+ resource "azurerm_resource_group" "azfw_rg" {
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw-rg"
+ tags = {
+ "costcenter" = "1234556677"
+ "environment" = "dev"
+ "owner" = "cloud team"
+ "workload" = "azure firewall"
}
}
# azurerm_subnet.azfw_subnet will be created
+ resource "azurerm_subnet" "azfw_subnet" {
+ address_prefixes = [
+ "10.10.0.0/26",
]
+ enforce_private_link_endpoint_network_policies = (known after apply)
+ enforce_private_link_service_network_policies = (known after apply)
+ id = (known after apply)
+ name = "AzureFirewallSubnet"
+ private_endpoint_network_policies_enabled = (known after apply)
+ private_link_service_network_policies_enabled = (known after apply)
+ resource_group_name = "azfw-rg"
+ virtual_network_name = "azfw-vnet"
}
# azurerm_virtual_network.azfw_vnet will be created
+ resource "azurerm_virtual_network" "azfw_vnet" {
+ address_space = [
+ "10.10.0.0/24",
]
+ dns_servers = (known after apply)
+ guid = (known after apply)
+ id = (known after apply)
+ location = "eastus"
+ name = "azfw-vnet"
+ resource_group_name = "azfw-rg"
+ subnet = (known after apply)
}
Plan: 10 to add, 0 to change, 0 to destroy.
``````
Reference in New Issue View Git Blame Copy Permalink