Setting up application rule collections in a Firewall Policy
To set up application rule collections in a Firewall Policy using Pulumi and Azure, you will need to use the `azure-native.network.FirewallPolicyRuleCollectionGroup` resource from the Azure Native Pulumi provider. This resource allows you to define a set of rules which can be associated with a firewall policy for controlling inbound and outbound access to and from your network.

In the following program written in TypeScript, we are going to create a Firewall Policy and then define an Application Rule Collection Group to be associated with that policy. The Application Rule Collection Group contains an Application Rule Collection with predefined rules that specify which types of applications are allowed or denied.
Here's a step-by-step breakdown of the program:
- We begin by importing the necessary Pulumi and Azure Native packages.
- We define the Firewall Policy using `azure-native.network.FirewallPolicy`.
- We define the Firewall Policy Rule Collection Group, which includes details for the application rules.
- Finally, we export the Firewall Policy Rule Collection Group's ID for reference.
Now let's look at the Pulumi TypeScript code that accomplishes this task.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";

// Create an Azure resource group
const resourceGroup = new azureNative.resources.ResourceGroup("resourceGroup");

// Define an Azure Firewall Policy
const firewallPolicy = new azureNative.network.FirewallPolicy("firewallPolicy", {
    // You might want to customize properties according to your requirement.
    // The `resourceGroupName` property is required to associate the policy with the created resource group.
    resourceGroupName: resourceGroup.name,
    // `location` will typically match the deployment region
    location: resourceGroup.location,
    // Additional properties like `tags` can be provided. Below is an example.
    tags: {
        Environment: "Development",
    },
});

// Define an Application Rule Collection Group inside the Firewall Policy
const appRuleCollectionGroup = new azureNative.network.FirewallPolicyRuleCollectionGroup("appRuleCollectionGroup", {
    // The `resourceGroupName` and `firewallPolicyName` properties identify the Firewall Policy you're adding the rule collection to.
    resourceGroupName: resourceGroup.name,
    firewallPolicyName: firewallPolicy.name,
    // Specify priority for the rule collection group (lower numbers have higher priority).
    priority: 100,
    // Define the actual collection of application rules.
    ruleCollections: [
        {
            // Each collection is named and can specify an action (`Allow` or `Deny`).
            name: "ExampleAppRuleCollection",
            // Application rules live in a filter rule collection; the `ruleType` on each
            // rule below (`ApplicationRule`) is what makes this an application rule collection.
            ruleCollectionType: "FirewallPolicyFilterRuleCollection",
            // Each collection inside the group also carries its own priority.
            priority: 100,
            action: {
                type: "Allow",
            },
            // Define an array of rules
            rules: [
                {
                    ruleType: "ApplicationRule",
                    name: "AllowExampleApp",
                    // Define protocols like `http` or `https`. Adding both for this example.
                    protocols: [
                        { port: 80, protocolType: "Http" },
                        { port: 443, protocolType: "Https" },
                    ],
                    // Define target FQDNs (fully qualified domain names) for this rule.
                    // Replace `"example.com"` with the actual domain you want to allow.
                    targetFqdns: ["example.com"],
                    // Source addresses are typically specified in CIDR notation.
                    // `"*"`, a wildcard, means the rule applies to all incoming traffic.
                    sourceAddresses: ["*"],
                },
            ],
        },
    ],
});

// Export the ID of the Firewall Policy Rule Collection Group so you can reference it for management and diagnostics.
export const firewallPolicyRuleCollectionGroupId = appRuleCollectionGroup.id;
```
In this program:
- We create an instance of a Firewall Policy that could include additional settings such as threat intelligence and DNS settings, but for simplicity, we've only set the minimum required properties.
- Inside the firewall policy, we establish an Application Rule Collection Group and define the rules for allowing traffic. Each rule collection carries the action to be taken (allow/deny), and the rules inside it are specified in an array where each rule determines the protocols, the target FQDNs, and the source addresses from which the traffic originates.
Ensure that you replace `example.com` in `targetFqdns` with the desired domain you wish to allow or deny. Likewise, adjust the source addresses according to your network design.

After running this code with Pulumi, the Azure infrastructure will include a Firewall Policy with a defined set of application rules that control the traffic based on the rules we've specified.
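The two values the text leaves for you to adjust, the target FQDN and the `"*"` source, are easy to forget once the program is copied around. As an added example (not part of the original page, and not Pulumi's or Azure's code), here is a small TypeScript lint that checks the plain `ruleCollections` arguments before they reach `FirewallPolicyRuleCollectionGroup`: group and collection priorities inside Azure's 100 to 65000 range, unique collection and rule names, no reused collection priority, every rule carrying targets, sources and protocols, valid ports, and any Allow rule that still uses a wildcard source or target. The interfaces mirror only the azure-native properties the program uses, so it runs without the Pulumi packages; `sampleGroup` and `scopedGroup` are constructed inputs, and `10.0.0.0/16` is a hypothetical range.

```typescript
// Added example: a pre-deployment lint over the plain objects passed to
// azureNative.network.FirewallPolicyRuleCollectionGroup. Types cover only the
// azure-native properties the program above uses (no Pulumi import needed).

interface AppProtocol {
    port: number;
    protocolType: "Http" | "Https";
}

interface ApplicationRule {
    ruleType: "ApplicationRule";
    name: string;
    protocols: AppProtocol[];
    targetFqdns?: string[];
    fqdnTags?: string[];
    sourceAddresses?: string[];
    sourceIpGroups?: string[];
}

interface FilterRuleCollection {
    ruleCollectionType: "FirewallPolicyFilterRuleCollection";
    name: string;
    priority: number;
    action: { type: "Allow" | "Deny" };
    rules: ApplicationRule[];
}

interface RuleCollectionGroupArgs {
    priority: number;
    ruleCollections: FilterRuleCollection[];
}

// Azure accepts rule collection group and rule collection priorities from 100 to 65000.
function priorityInRange(p: number): boolean {
    return Number.isInteger(p) && p >= 100 && p <= 65000;
}

// Returns the list of findings; an empty list means every check passed.
function lintRuleCollectionGroup(group: RuleCollectionGroupArgs): string[] {
    const findings: string[] = [];
    if (!priorityInRange(group.priority)) {
        findings.push(`group priority ${group.priority} is outside 100-65000`);
    }
    const collectionNames = new Set<string>();
    const collectionPriorities = new Set<number>();
    for (const rc of group.ruleCollections) {
        if (collectionNames.has(rc.name)) findings.push(`duplicate rule collection name "${rc.name}"`);
        collectionNames.add(rc.name);
        if (!priorityInRange(rc.priority)) {
            findings.push(`collection "${rc.name}" priority ${rc.priority} is outside 100-65000`);
        }
        if (collectionPriorities.has(rc.priority)) findings.push(`collection "${rc.name}" reuses priority ${rc.priority}`);
        collectionPriorities.add(rc.priority);

        const ruleNames = new Set<string>();
        for (const rule of rc.rules) {
            const where = `${rc.name}/${rule.name}`;
            if (ruleNames.has(rule.name)) findings.push(`${where}: duplicate rule name`);
            ruleNames.add(rule.name);
            const targets = (rule.targetFqdns?.length ?? 0) + (rule.fqdnTags?.length ?? 0);
            if (targets === 0) findings.push(`${where}: no targetFqdns or fqdnTags, the rule matches nothing`);
            const sources = (rule.sourceAddresses?.length ?? 0) + (rule.sourceIpGroups?.length ?? 0);
            if (sources === 0) findings.push(`${where}: no sourceAddresses or sourceIpGroups`);
            if (rule.protocols.length === 0) findings.push(`${where}: no protocols`);
            // An Allow collection whose rule admits every source ("*") or every FQDN is the
            // over-broad setting the text above says to narrow to your network design.
            if (rc.action.type === "Allow") {
                if (rule.sourceAddresses?.includes("*")) {
                    findings.push(`${where}: Allow rule with wildcard source "*"; scope it to CIDR ranges or IP groups`);
                }
                if (rule.targetFqdns?.includes("*")) findings.push(`${where}: Allow rule with wildcard target FQDN "*"`);
            }
            for (const p of rule.protocols) {
                if (!Number.isInteger(p.port) || p.port < 1 || p.port > 65535) {
                    findings.push(`${where}: invalid port ${p.port} for ${p.protocolType}`);
                }
            }
        }
    }
    return findings;
}

// Constructed sample: the same arguments the program above passes, wildcard source included.
const sampleGroup: RuleCollectionGroupArgs = {
    priority: 100,
    ruleCollections: [{
        ruleCollectionType: "FirewallPolicyFilterRuleCollection",
        name: "ExampleAppRuleCollection",
        priority: 100,
        action: { type: "Allow" },
        rules: [{
            ruleType: "ApplicationRule",
            name: "AllowExampleApp",
            protocols: [{ port: 80, protocolType: "Http" }, { port: 443, protocolType: "Https" }],
            targetFqdns: ["example.com"],
            sourceAddresses: ["*"],
        }],
    }],
};

// Constructed variant with the source scoped to a hypothetical private range.
const scopedGroup: RuleCollectionGroupArgs = {
    ...sampleGroup,
    ruleCollections: [{
        ...sampleGroup.ruleCollections[0],
        rules: [{ ...sampleGroup.ruleCollections[0].rules[0], sourceAddresses: ["10.0.0.0/16"] }],
    }],
};

console.log(lintRuleCollectionGroup(sampleGroup));
console.log(lintRuleCollectionGroup(scopedGroup));
```

Running the file prints one finding for `sampleGroup` (the wildcard source) and an empty list for `scopedGroup`. Calling `lintRuleCollectionGroup` on the object literal before it is handed to `FirewallPolicyRuleCollectionGroup` catches these mistakes at build time rather than after `pulumi up`.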
For more information on the resources used in this program, you can refer to the Pulumi documentation: