Configure Azure Firewalls

The azure-native:network:AzureFirewall resource, part of the Pulumi Azure Native provider, defines an Azure Firewall instance: its SKU, network placement, rule collections, and operational mode. This guide focuses on three capabilities: rule collection configuration, management subnet separation, and Virtual WAN hub deployment.

Azure Firewall deploys into a virtual network that contains a subnet named exactly AzureFirewallSubnet (a /26 or larger). Forced-tunnelling deployments additionally need a second subnet named exactly AzureFirewallManagementSubnet with its own public IP address, referenced through managementIpConfiguration. Each ipConfiguration references a public IP address, and a firewall can optionally attach to a Virtual WAN hub (virtualHub) or to a firewall policy (firewallPolicy) instead of carrying classic rule collections. The examples are intentionally small. Combine them with your own network infrastructure and security policies.
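The placement requirements above, together with the rule-collection hardening points the rest of this page touches on, can be checked before `pulumi up`. The lint below is an added example written for this edit, not code from the page or from the Pulumi provider: it assumes a hand-written subset of the provider's AzureFirewallArgs shape, treats the additionalProperties key `Network.DNS.EnableProxy` as the switch for the firewall's DNS proxy, and runs on two constructed inputs, one mirroring the page's example and one hypothetical hardened variant.

```typescript
// Added example (editor-written, not Pulumi provider code): a pre-deployment
// lint over azure-native:network:AzureFirewall arguments. The types below are a
// hand-written subset of the provider's AzureFirewallArgs and are an assumption
// of this example; the inputs at the bottom are constructed.
type FwSubResource = { id: string };
type FwIpConfiguration = { name: string; subnet?: FwSubResource; publicIPAddress?: FwSubResource };
type FwRule = { name: string; sourceAddresses?: string[]; destinationFqdns?: string[] };
type FwRuleCollection = { name: string; priority?: number; action?: { type: string }; rules?: FwRule[] };
type FwArgs = {
  ipConfigurations?: FwIpConfiguration[]; managementIpConfiguration?: FwIpConfiguration;
  applicationRuleCollections?: FwRuleCollection[]; natRuleCollections?: FwRuleCollection[];
  networkRuleCollections?: FwRuleCollection[]; threatIntelMode?: string; zones?: string[];
  additionalProperties?: { [key: string]: string };
};
type FwFinding = { severity: "error" | "warning"; message: string };

function lintAzureFirewall(args: FwArgs): FwFinding[] {
  const findings: FwFinding[] = [];
  const error = (message: string) => { findings.push({ severity: "error", message }); };
  const warn = (message: string) => { findings.push({ severity: "warning", message }); };

  // Data-plane subnet must be named AzureFirewallSubnet; a management subnet must be named
  // AzureFirewallManagementSubnet and carry its own public IP (forced tunnelling).
  for (const cfg of args.ipConfigurations ?? []) {
    if (cfg.subnet && !/\/subnets\/AzureFirewallSubnet$/.test(cfg.subnet.id)) {
      error(`ipConfigurations/${cfg.name}: subnet must be AzureFirewallSubnet`);
    }
  }
  const mgmt = args.managementIpConfiguration;
  if (mgmt) {
    if (!mgmt.subnet || !/\/subnets\/AzureFirewallManagementSubnet$/.test(mgmt.subnet.id)) {
      error(`managementIpConfiguration/${mgmt.name}: subnet must be AzureFirewallManagementSubnet`);
    }
    if (!mgmt.publicIPAddress) error(`managementIpConfiguration/${mgmt.name}: a dedicated public IP is required`);
  }

  // Collections of one type run in ascending priority (100-65000); two collections of the
  // same type with the same priority have no defined order, so that is flagged.
  const groups: [string, FwRuleCollection[]][] = [
    ["applicationRuleCollections", args.applicationRuleCollections ?? []],
    ["natRuleCollections", args.natRuleCollections ?? []],
    ["networkRuleCollections", args.networkRuleCollections ?? []],
  ];
  const dnsProxy = (args.additionalProperties ?? {})["Network.DNS.EnableProxy"] === "true";
  for (const [kind, collections] of groups) {
    const seen: { [priority: number]: string } = {};
    for (const c of collections) {
      const prio = c.priority;
      if (prio === undefined || prio < 100 || prio > 65000) {
        error(`${kind}/${c.name}: priority must be between 100 and 65000`);
      } else if (seen[prio] !== undefined) {
        warn(`${kind}/${c.name}: priority ${prio} is also used by ${seen[prio]}`);
      } else {
        seen[prio] = c.name;
      }
      if (!c.action) error(`${kind}/${c.name}: rule collection has no action`);
      for (const r of c.rules ?? []) {
        // A DNAT rule with source "*" publishes its translated target to every internet source.
        if (kind === "natRuleCollections" && (r.sourceAddresses ?? []).indexOf("*") !== -1) {
          warn(`${kind}/${c.name}/${r.name}: DNAT rule accepts any source ("*")`);
        }
        // FQDNs in network rules are resolved by the firewall's DNS proxy; without it the rule never matches.
        if (kind === "networkRuleCollections" && (r.destinationFqdns ?? []).length > 0 && !dnsProxy) {
          warn(`${kind}/${c.name}/${r.name}: destinationFqdns needs Network.DNS.EnableProxy=true`);
        }
      }
    }
  }

  // Threat intelligence in Alert mode only logs hits against Microsoft's feed; Deny blocks them.
  if (args.threatIntelMode !== "Deny") warn(`threatIntelMode is ${args.threatIntelMode ?? "unset"}, not Deny`);
  if ((args.zones ?? []).length === 0) warn("zones is empty: the firewall is not zone-redundant");
  return findings;
}

// Constructed input mirroring the page's example (rule fields the lint does not read are omitted).
const pageFirewallArgs: FwArgs = {
  ipConfigurations: [{ name: "azureFirewallIpConfiguration",
    publicIPAddress: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName" },
    subnet: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet" } }],
  applicationRuleCollections: [{ name: "apprulecoll", priority: 110, action: { type: "Deny" },
    rules: [{ name: "rule1", sourceAddresses: ["216.58.216.164", "10.0.0.0/24"] }] }],
  natRuleCollections: [{ name: "natrulecoll", priority: 112, action: { type: "Dnat" }, rules: [
    { name: "DNAT-HTTPS-traffic", sourceAddresses: ["*"] }, { name: "DNAT-HTTP-traffic-With-FQDN", sourceAddresses: ["*"] }] }],
  networkRuleCollections: [{ name: "netrulecoll", priority: 112, action: { type: "Deny" }, rules: [
    { name: "L4-traffic", sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"] },
    { name: "L4-traffic-with-FQDN", sourceAddresses: ["10.2.4.12-10.2.4.255"], destinationFqdns: ["www.amazon.com"] }] }],
  threatIntelMode: "Alert", zones: [],
};

// The same firewall with the findings addressed; the management subnet and the 203.0.113.0/24 source are hypothetical.
const hardenedFirewallArgs: FwArgs = { ...pageFirewallArgs,
  managementIpConfiguration: { name: "mgmt",
    subnet: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet" },
    publicIPAddress: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/mgmtPip" } },
  natRuleCollections: [{ name: "natrulecoll", priority: 112, action: { type: "Dnat" },
    rules: [{ name: "DNAT-HTTPS-traffic", sourceAddresses: ["203.0.113.0/24"] }] }],
  additionalProperties: { "Network.DNS.EnableProxy": "true" }, threatIntelMode: "Deny", zones: ["1", "2", "3"],
};

for (const f of lintAzureFirewall(pageFirewallArgs)) console.log(`${f.severity}: ${f.message}`);
```

Run against the page's example the lint reports no errors but five warnings (both DNAT rules open to any source, an FQDN network rule without the DNS proxy, threat intelligence in Alert mode, no zones); the hardened variant reports nothing. Wire it into the program before constructing the AzureFirewall resource, or into a CI step that evaluates the stack's inputs.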

Deploy a firewall with application, NAT, and network rules

Most deployments define classic rule collections that control traffic flow: application rules filter outbound HTTP, HTTPS and MSSQL traffic by FQDN, NAT rules translate inbound traffic arriving on the firewall's public IP to internal addresses (DNAT), and network rules filter by source, destination, protocol and port. The firewall evaluates NAT rule collections first, then network rule collections, then application rule collections; within each type, collections run in ascending priority (100 to 65000), the collection's action applies to every rule in it, the first matching rule decides, and traffic that matches nothing is dropped. Two caveats about the sample below: the rule descriptions do not all match the rule's effect (an application rule has no inbound direction, and a DNAT rule handles inbound traffic, not outbound), and both DNAT rules accept any source ("*"), which publishes the translated targets to the whole internet. Narrow sourceAddresses unless that exposure is intended.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    // Application rules: FQDN filtering of outbound HTTP/HTTPS. Despite the description, an application rule has no inbound direction.
    applicationRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        name: "apprulecoll",
        priority: 110,
        rules: [{
            description: "Deny inbound rule",
            name: "rule1",
            protocols: [{
                port: 443,
                protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
            }],
            sourceAddresses: [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            targetFqdns: ["www.test.com"],
        }],
    }],
    azureFirewallName: "azurefirewall",
    ipConfigurations: [{
        name: "azureFirewallIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location: "West US",
    // NAT rules: DNAT for traffic arriving on the firewall's public IP. sourceAddresses "*" admits any internet source.
    natRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        name: "natrulecoll",
        priority: 112,
        rules: [
            {
                description: "D-NAT all outbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["443"],
                name: "DNAT-HTTPS-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedAddress: "1.2.3.5",
                translatedPort: "8443",
            },
            {
                description: "D-NAT all inbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["80"],
                name: "DNAT-HTTP-traffic-With-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedFqdn: "internalhttpserver",
                translatedPort: "880",
            },
        ],
    }],
    // Network rules: L3/L4 filtering by address, protocol and port. Rules with destinationFqdns need the firewall's DNS proxy enabled.
    networkRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        name: "netrulecoll",
        priority: 112,
        rules: [
            {
                description: "Block traffic based on source IPs and ports",
                destinationAddresses: ["*"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                description: "Block traffic based on source IPs and ports to amazon",
                destinationFqdns: ["www.amazon.com"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic-with-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    // Alert only logs matches against the Microsoft threat-intelligence feed; Deny also blocks them.
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    // No availability zones: the firewall is not zone-redundant.
    zones: [],
});

Python

import pulumi
import pulumi_azure_native as azure_native

azure_firewall = azure_native.network.AzureFirewall("azureFirewall",
    application_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        "name": "apprulecoll",
        "priority": 110,
        "rules": [{
            "description": "Deny inbound rule",
            "name": "rule1",
            "protocols": [{
                "port": 443,
                "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
            }],
            "source_addresses": [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            "target_fqdns": ["www.test.com"],
        }],
    }],
    azure_firewall_name="azurefirewall",
    ip_configurations=[{
        "name": "azureFirewallIpConfiguration",
        "public_ip_address": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location="West US",
    nat_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        "name": "natrulecoll",
        "priority": 112,
        "rules": [
            {
                "description": "D-NAT all outbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["443"],
                "name": "DNAT-HTTPS-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_address": "1.2.3.5",
                "translated_port": "8443",
            },
            {
                "description": "D-NAT all inbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["80"],
                "name": "DNAT-HTTP-traffic-With-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_fqdn": "internalhttpserver",
                "translated_port": "880",
            },
        ],
    }],
    network_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        "name": "netrulecoll",
        "priority": 112,
        "rules": [
            {
                "description": "Block traffic based on source IPs and ports",
                "destination_addresses": ["*"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                "description": "Block traffic based on source IPs and ports to amazon",
                "destination_fqdns": ["www.amazon.com"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic-with-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    zones=[])

Go

package main

import (
	network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			ApplicationRuleCollections: network.AzureFirewallApplicationRuleCollectionArray{
				&network.AzureFirewallApplicationRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
					Name:     pulumi.String("apprulecoll"),
					Priority: pulumi.Int(110),
					Rules: network.AzureFirewallApplicationRuleArray{
						&network.AzureFirewallApplicationRuleArgs{
							Description: pulumi.String("Deny inbound rule"),
							Name:        pulumi.String("rule1"),
							Protocols: network.AzureFirewallApplicationRuleProtocolArray{
								&network.AzureFirewallApplicationRuleProtocolArgs{
									Port:         pulumi.Int(443),
									ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
								},
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("216.58.216.164"),
								pulumi.String("10.0.0.0/24"),
							},
							TargetFqdns: pulumi.StringArray{
								pulumi.String("www.test.com"),
							},
						},
					},
				},
			},
			AzureFirewallName: pulumi.String("azurefirewall"),
			IpConfigurations: network.AzureFirewallIPConfigurationArray{
				&network.AzureFirewallIPConfigurationArgs{
					Name: pulumi.String("azureFirewallIpConfiguration"),
					PublicIPAddress: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
					},
					Subnet: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
					},
				},
			},
			Location: pulumi.String("West US"),
			NatRuleCollections: network.AzureFirewallNatRuleCollectionArray{
				&network.AzureFirewallNatRuleCollectionArgs{
					Action: &network.AzureFirewallNatRCActionArgs{
						Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
					Name:     pulumi.String("natrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNatRuleArray{
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all outbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443"),
							},
							Name: pulumi.String("DNAT-HTTPS-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedAddress: pulumi.String("1.2.3.5"),
							TranslatedPort:    pulumi.String("8443"),
						},
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all inbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("80"),
							},
							Name: pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedFqdn: pulumi.String("internalhttpserver"),
							TranslatedPort: pulumi.String("880"),
						},
					},
				},
			},
			NetworkRuleCollections: network.AzureFirewallNetworkRuleCollectionArray{
				&network.AzureFirewallNetworkRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
					Name:     pulumi.String("netrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNetworkRuleArray{
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("192.168.1.1-192.168.1.12"),
								pulumi.String("10.1.4.12-10.1.4.255"),
							},
						},
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports to amazon"),
							DestinationFqdns: pulumi.StringArray{
								pulumi.String("www.amazon.com"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic-with-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("10.2.4.12-10.2.4.255"),
							},
						},
					},
				},
			},
			ResourceGroupName: pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			Zones:           pulumi.StringArray{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        ApplicationRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
                Name = "apprulecoll",
                Priority = 110,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                    {
                        Description = "Deny inbound rule",
                        Name = "rule1",
                        Protocols = new[]
                        {
                            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                            {
                                Port = 443,
                                ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                            },
                        },
                        SourceAddresses = new[]
                        {
                            "216.58.216.164",
                            "10.0.0.0/24",
                        },
                        TargetFqdns = new[]
                        {
                            "www.test.com",
                        },
                    },
                },
            },
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US",
        NatRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
                Name = "natrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all outbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "443",
                        },
                        Name = "DNAT-HTTPS-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedAddress = "1.2.3.5",
                        TranslatedPort = "8443",
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all inbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "80",
                        },
                        Name = "DNAT-HTTP-traffic-With-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedFqdn = "internalhttpserver",
                        TranslatedPort = "880",
                    },
                },
            },
        },
        NetworkRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
                Name = "netrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports",
                        DestinationAddresses = new[]
                        {
                            "*",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255",
                        },
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports to amazon",
                        DestinationFqdns = new[]
                        {
                            "www.amazon.com",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic-with-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "10.2.4.12-10.2.4.255",
                        },
                    },
                },
            },
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags = 
        {
            { "key1", "value1" },
        },
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        Zones = new[] {},
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleProtocolArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .applicationRuleCollections(AzureFirewallApplicationRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
                .name("apprulecoll")
                .priority(110)
                .rules(AzureFirewallApplicationRuleArgs.builder()
                    .description("Deny inbound rule")
                    .name("rule1")
                    .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                        .port(443)
                        .protocolType("Https")
                        .build())
                    .sourceAddresses(                    
                        "216.58.216.164",
                        "10.0.0.0/24")
                    .targetFqdns("www.test.com")
                    .build())
                .build())
            .azureFirewallName("azurefirewall")
            .ipConfigurations(AzureFirewallIPConfigurationArgs.builder()
                .name("azureFirewallIpConfiguration")
                .publicIPAddress(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                    .build())
                .subnet(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                    .build())
                .build())
            .location("West US")
            .natRuleCollections(AzureFirewallNatRuleCollectionArgs.builder()
                .action(AzureFirewallNatRCActionArgs.builder()
                    .type("Dnat")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
                .name("natrulecoll")
                .priority(112)
                .rules(                
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all outbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("443")
                        .name("DNAT-HTTPS-traffic")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedAddress("1.2.3.5")
                        .translatedPort("8443")
                        .build(),
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all inbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("80")
                        .name("DNAT-HTTP-traffic-With-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedFqdn("internalhttpserver")
                        .translatedPort("880")
                        .build())
                .build())
            .networkRuleCollections(AzureFirewallNetworkRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
                .name("netrulecoll")
                .priority(112)
                .rules(                
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports")
                        .destinationAddresses("*")
                        .destinationPorts(                        
                            "443-444",
                            "8443")
                        .name("L4-traffic")
                        .protocols("TCP")
                        .sourceAddresses(                        
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255")
                        .build(),
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports to amazon")
                        .destinationFqdns("www.amazon.com")
                        .destinationPorts(                        
                            "443-444",
                            "8443")
                        .name("L4-traffic-with-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("10.2.4.12-10.2.4.255")
                        .build())
                .build())
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            .threatIntelMode("Alert")
            .zones()
            .build());

    }
}

YAML

resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      threatIntelMode: Alert
      zones: []

The firewall processes rules by collection type, not by one global priority: DNAT rule collections are evaluated first, then network rule collections, then application rule collections. Within each type, collections run in ascending priority order (100 is evaluated before 65000), and the first matching rule is terminating, so a flow that hits a network rule is never re-evaluated against the application rules. This is also why the NAT and network collections above can both use priority 112: priorities only have to be unique within a collection type. Application rules inspect HTTP, HTTPS, and MSSQL traffic and match on target FQDNs. NAT rules perform destination NAT (DNAT) on traffic arriving at the firewall's public IP and forward it to an internal address or FQDN; a DNAT match also implicitly allows the translated flow. Network rules filter Layer 4 traffic by protocol, source address, destination address or FQDN, and port range (FQDN filtering in network rules requires the firewall's DNS proxy to be enabled). Traffic that matches no rule is denied. The ipConfigurations property attaches the firewall to the AzureFirewallSubnet and a public IP, while the sku property sets the tier (Basic, Standard, or Premium) and the deployment model (AZFW_VNet for placement in a virtual network, AZFW_Hub for a Virtual WAN hub). Two settings in this example deserve attention before reuse: both DNAT rules accept sourceAddresses of "*", which publishes the translated targets to every Internet host, so restrict the source list to the networks that need access; and threatIntelMode is Alert, which only logs traffic to and from known-malicious addresses, whereas Deny blocks it.
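
To make the processing order concrete, the following is an added example, not code from this page, from Pulumi or from Microsoft: a simplified Python model of classic-rule evaluation (DNAT, then network, then application rules; collections sorted by priority within each type; first match terminates; default deny), run over the rule collections defined above, which are copied into dictionaries as sample data. The Flow class, the evaluate function and the wildcard_source_dnat_rules lint are this example's own constructs. The model deliberately ignores threat intelligence, IP groups, service tags and the infrastructure rule collection, and it treats a known destination host name as the FQDN for both network and application rules.

```python
# Added example: a simplified model of Azure Firewall classic rule processing
# (DNAT, then network, then application rules; collections ordered by priority
# within each type; first match terminates; default deny). Not Azure's engine.
import ipaddress
from dataclasses import dataclass
from operator import itemgetter
from typing import List, Optional, Tuple

# Sample data constructed from the rule collections defined in the example above.
NAT_COLLECTIONS = [{"name": "natrulecoll", "priority": 112, "action": "Dnat", "rules": [
    {"name": "DNAT-HTTPS-traffic", "protocols": ["TCP"], "sourceAddresses": ["*"],
     "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["443"],
     "translatedAddress": "1.2.3.5", "translatedPort": "8443"},
    {"name": "DNAT-HTTP-traffic-With-FQDN", "protocols": ["TCP"], "sourceAddresses": ["*"],
     "destinationAddresses": ["1.2.3.4"], "destinationPorts": ["80"],
     "translatedFqdn": "internalhttpserver", "translatedPort": "880"}]}]
NETWORK_COLLECTIONS = [{"name": "netrulecoll", "priority": 112, "action": "Deny", "rules": [
    {"name": "L4-traffic", "protocols": ["TCP"], "destinationAddresses": ["*"],
     "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
     "destinationPorts": ["443-444", "8443"]},
    {"name": "L4-traffic-with-FQDN", "protocols": ["TCP"], "destinationFqdns": ["www.amazon.com"],
     "sourceAddresses": ["10.2.4.12-10.2.4.255"], "destinationPorts": ["443-444", "8443"]}]}]
APP_COLLECTIONS = [{"name": "apprulecoll", "priority": 110, "action": "Deny", "rules": [
    {"name": "rule1", "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
     "targetFqdns": ["www.test.com"], "protocols": [{"protocolType": "Https", "port": 443}]}]}]

@dataclass
class Flow:
    src: str                    # source IP
    dst: str                    # destination IP
    port: int                   # destination port
    proto: str = "TCP"
    fqdn: Optional[str] = None  # destination host name, when the firewall knows it

def addr_matches(addr: str, spec: str) -> bool:
    """spec is '*', one IP, a CIDR, or an 'a.b.c.d-e.f.g.h' range, as used in the rules."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def port_matches(port: int, spec: str) -> bool:
    """spec is '*', one port, or a 'lo-hi' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(s) for s in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)

def l4_rule_matches(rule: dict, flow: Flow) -> bool:
    """NAT and network rules: protocol, source, destination (IP or FQDN) and port must all match."""
    if flow.proto not in rule["protocols"] and "Any" not in rule["protocols"]:
        return False
    if not any(addr_matches(flow.src, s) for s in rule["sourceAddresses"]):
        return False
    if not any(port_matches(flow.port, p) for p in rule["destinationPorts"]):
        return False
    if "destinationFqdns" in rule:  # FQDN network rules need DNS proxy enabled on the real firewall
        return flow.fqdn in rule["destinationFqdns"]
    return any(addr_matches(flow.dst, d) for d in rule["destinationAddresses"])

def app_rule_matches(rule: dict, flow: Flow) -> bool:
    """Application rules match on target FQDN, source address and the protocol's port."""
    return (flow.fqdn in rule["targetFqdns"]
            and any(addr_matches(flow.src, s) for s in rule["sourceAddresses"])
            and any(p["port"] == flow.port for p in rule["protocols"]))

def evaluate(flow: Flow, nat=NAT_COLLECTIONS, net=NETWORK_COLLECTIONS,
             app=APP_COLLECTIONS) -> Tuple[str, str]:
    """Return (verdict, matched rule). The first matching rule ends evaluation."""
    prio = itemgetter("priority")  # lower number is evaluated first (100 before 65000)
    # 1. DNAT: a hit rewrites the destination and implicitly allows the translated flow.
    for coll in sorted(nat, key=prio):
        for rule in coll["rules"]:
            if l4_rule_matches(rule, flow):
                target = rule.get("translatedAddress") or rule.get("translatedFqdn")
                return "Allow", f"{coll['name']}/{rule['name']} -> {target}:{rule['translatedPort']}"
    # 2. Network rules; a hit here is final, application rules are never consulted.
    for coll in sorted(net, key=prio):
        for rule in coll["rules"]:
            if l4_rule_matches(rule, flow):
                return coll["action"], f"{coll['name']}/{rule['name']}"
    # 3. Application rules, only when nothing above matched and a host name is known.
    for coll in sorted(app, key=prio):
        for rule in coll["rules"]:
            if app_rule_matches(rule, flow):
                return coll["action"], f"{coll['name']}/{rule['name']}"
    return "Deny", "implicit default deny"

def wildcard_source_dnat_rules(nat=NAT_COLLECTIONS) -> List[str]:
    """Lint: DNAT rules with a '*' source publish their translated target to every Internet host."""
    return [f"{c['name']}/{r['name']}" for c in nat for r in c["rules"] if "*" in r["sourceAddresses"]]
```

evaluate(Flow("10.1.4.20", "8.8.8.8", 443)) returns Deny from netrulecoll/L4-traffic before the application collection is ever consulted, evaluate(Flow("203.0.113.7", "1.2.3.4", 443)) returns Allow with the 1.2.3.5:8443 translation, and a flow from 10.0.0.5 with fqdn="www.example.com" falls through to the implicit default deny because the example defines no Allow collection at all. wildcard_source_dnat_rules() returns both DNAT rules, since each lists "*" as its source.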

Add custom properties for extended configuration

Some deployments require custom key-value properties beyond standard firewall configuration, such as integration settings or feature flags.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    additionalProperties: {
        key1: "value1",
        key2: "value2",
    },
    applicationRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        name: "apprulecoll",
        priority: 110,
        rules: [{
            description: "Deny inbound rule",
            name: "rule1",
            protocols: [{
                port: 443,
                protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
            }],
            sourceAddresses: [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            targetFqdns: ["www.test.com"],
        }],
    }],
    azureFirewallName: "azurefirewall",
    ipConfigurations: [{
        name: "azureFirewallIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location: "West US",
    natRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        name: "natrulecoll",
        priority: 112,
        rules: [
            {
                description: "D-NAT all outbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["443"],
                name: "DNAT-HTTPS-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedAddress: "1.2.3.5",
                translatedPort: "8443",
            },
            {
                description: "D-NAT all inbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["80"],
                name: "DNAT-HTTP-traffic-With-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedFqdn: "internalhttpserver",
                translatedPort: "880",
            },
        ],
    }],
    networkRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        name: "netrulecoll",
        priority: 112,
        rules: [
            {
                description: "Block traffic based on source IPs and ports",
                destinationAddresses: ["*"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                description: "Block traffic based on source IPs and ports to amazon",
                destinationFqdns: ["www.amazon.com"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic-with-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    zones: [],
});
import pulumi
import pulumi_azure_native as azure_native

azure_firewall = azure_native.network.AzureFirewall("azureFirewall",
    additional_properties={
        "key1": "value1",
        "key2": "value2",
    },
    application_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        "name": "apprulecoll",
        "priority": 110,
        "rules": [{
            "description": "Deny inbound rule",
            "name": "rule1",
            "protocols": [{
                "port": 443,
                "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
            }],
            "source_addresses": [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            "target_fqdns": ["www.test.com"],
        }],
    }],
    azure_firewall_name="azurefirewall",
    ip_configurations=[{
        "name": "azureFirewallIpConfiguration",
        "public_ip_address": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location="West US",
    nat_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        "name": "natrulecoll",
        "priority": 112,
        "rules": [
            {
                "description": "D-NAT all outbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["443"],
                "name": "DNAT-HTTPS-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_address": "1.2.3.5",
                "translated_port": "8443",
            },
            {
                "description": "D-NAT all inbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["80"],
                "name": "DNAT-HTTP-traffic-With-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_fqdn": "internalhttpserver",
                "translated_port": "880",
            },
        ],
    }],
    network_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        "name": "netrulecoll",
        "priority": 112,
        "rules": [
            {
                "description": "Block traffic based on source IPs and ports",
                "destination_addresses": ["*"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                "description": "Block traffic based on source IPs and ports to amazon",
                "destination_fqdns": ["www.amazon.com"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic-with-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    zones=[])
package main

import (
	network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			AdditionalProperties: pulumi.StringMap{
				"key1": pulumi.String("value1"),
				"key2": pulumi.String("value2"),
			},
			ApplicationRuleCollections: network.AzureFirewallApplicationRuleCollectionArray{
				&network.AzureFirewallApplicationRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
					Name:     pulumi.String("apprulecoll"),
					Priority: pulumi.Int(110),
					Rules: network.AzureFirewallApplicationRuleArray{
						&network.AzureFirewallApplicationRuleArgs{
							Description: pulumi.String("Deny inbound rule"),
							Name:        pulumi.String("rule1"),
							Protocols: network.AzureFirewallApplicationRuleProtocolArray{
								&network.AzureFirewallApplicationRuleProtocolArgs{
									Port:         pulumi.Int(443),
									ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
								},
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("216.58.216.164"),
								pulumi.String("10.0.0.0/24"),
							},
							TargetFqdns: pulumi.StringArray{
								pulumi.String("www.test.com"),
							},
						},
					},
				},
			},
			AzureFirewallName: pulumi.String("azurefirewall"),
			IpConfigurations: network.AzureFirewallIPConfigurationArray{
				&network.AzureFirewallIPConfigurationArgs{
					Name: pulumi.String("azureFirewallIpConfiguration"),
					PublicIPAddress: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
					},
					Subnet: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
					},
				},
			},
			Location: pulumi.String("West US"),
			NatRuleCollections: network.AzureFirewallNatRuleCollectionArray{
				&network.AzureFirewallNatRuleCollectionArgs{
					Action: &network.AzureFirewallNatRCActionArgs{
						Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
					Name:     pulumi.String("natrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNatRuleArray{
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all outbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443"),
							},
							Name: pulumi.String("DNAT-HTTPS-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedAddress: pulumi.String("1.2.3.5"),
							TranslatedPort:    pulumi.String("8443"),
						},
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all inbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("80"),
							},
							Name: pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedFqdn: pulumi.String("internalhttpserver"),
							TranslatedPort: pulumi.String("880"),
						},
					},
				},
			},
			NetworkRuleCollections: network.AzureFirewallNetworkRuleCollectionArray{
				&network.AzureFirewallNetworkRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
					Name:     pulumi.String("netrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNetworkRuleArray{
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("192.168.1.1-192.168.1.12"),
								pulumi.String("10.1.4.12-10.1.4.255"),
							},
						},
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports to amazon"),
							DestinationFqdns: pulumi.StringArray{
								pulumi.String("www.amazon.com"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic-with-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("10.2.4.12-10.2.4.255"),
							},
						},
					},
				},
			},
			ResourceGroupName: pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			Zones:           pulumi.StringArray{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        AdditionalProperties = 
        {
            { "key1", "value1" },
            { "key2", "value2" },
        },
        ApplicationRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
                Name = "apprulecoll",
                Priority = 110,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                    {
                        Description = "Deny inbound rule",
                        Name = "rule1",
                        Protocols = new[]
                        {
                            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                            {
                                Port = 443,
                                ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                            },
                        },
                        SourceAddresses = new[]
                        {
                            "216.58.216.164",
                            "10.0.0.0/24",
                        },
                        TargetFqdns = new[]
                        {
                            "www.test.com",
                        },
                    },
                },
            },
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US",
        NatRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
                Name = "natrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all outbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "443",
                        },
                        Name = "DNAT-HTTPS-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedAddress = "1.2.3.5",
                        TranslatedPort = "8443",
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all inbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "80",
                        },
                        Name = "DNAT-HTTP-traffic-With-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedFqdn = "internalhttpserver",
                        TranslatedPort = "880",
                    },
                },
            },
        },
        NetworkRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
                Name = "netrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports",
                        DestinationAddresses = new[]
                        {
                            "*",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255",
                        },
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports to amazon",
                        DestinationFqdns = new[]
                        {
                            "www.amazon.com",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic-with-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "10.2.4.12-10.2.4.255",
                        },
                    },
                },
            },
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags = 
        {
            { "key1", "value1" },
        },
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        Zones = new[] {},
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleProtocolArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .additionalProperties(Map.ofEntries(
                Map.entry("key1", "value1"),
                Map.entry("key2", "value2")
            ))
            .applicationRuleCollections(AzureFirewallApplicationRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
                .name("apprulecoll")
                .priority(110)
                .rules(AzureFirewallApplicationRuleArgs.builder()
                    .description("Deny inbound rule")
                    .name("rule1")
                    .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                        .port(443)
                        .protocolType("Https")
                        .build())
                    .sourceAddresses(                    
                        "216.58.216.164",
                        "10.0.0.0/24")
                    .targetFqdns("www.test.com")
                    .build())
                .build())
            .azureFirewallName("azurefirewall")
            .ipConfigurations(AzureFirewallIPConfigurationArgs.builder()
                .name("azureFirewallIpConfiguration")
                .publicIPAddress(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                    .build())
                .subnet(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                    .build())
                .build())
            .location("West US")
            .natRuleCollections(AzureFirewallNatRuleCollectionArgs.builder()
                .action(AzureFirewallNatRCActionArgs.builder()
                    .type("Dnat")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
                .name("natrulecoll")
                .priority(112)
                .rules(                
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all outbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("443")
                        .name("DNAT-HTTPS-traffic")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedAddress("1.2.3.5")
                        .translatedPort("8443")
                        .build(),
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all inbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("80")
                        .name("DNAT-HTTP-traffic-With-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedFqdn("internalhttpserver")
                        .translatedPort("880")
                        .build())
                .build())
            .networkRuleCollections(AzureFirewallNetworkRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
                .name("netrulecoll")
                .priority(112)
                .rules(                
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports")
                        .destinationAddresses("*")
                        .destinationPorts(                        
                            "443-444",
                            "8443")
                        .name("L4-traffic")
                        .protocols("TCP")
                        .sourceAddresses(                        
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255")
                        .build(),
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports to amazon")
                        .destinationFqdns("www.amazon.com")
                        .destinationPorts(                        
                            "443-444",
                            "8443")
                        .name("L4-traffic-with-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("10.2.4.12-10.2.4.255")
                        .build())
                .build())
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            .threatIntelMode("Alert")
            .zones()
            .build());

    }
}
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      additionalProperties:
        key1: value1
        key2: value2
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      threatIntelMode: Alert
      zones: []

The additionalProperties field is a string-to-string map of arbitrary key-value pairs stored on the firewall resource. It extends the basic configuration with custom metadata that other systems or automation tools can reference.

Separate management traffic with a dedicated subnet

Production firewalls often isolate management traffic from data-plane traffic by giving the firewall a dedicated AzureFirewallManagementSubnet and its own public IP, set through managementIpConfiguration alongside the data-plane ipConfigurations.
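Before running pulumi up, a static review of the arguments is cheap. The following Python is added here as an example and is not part of the Pulumi Azure Native provider or this page's own samples: it walks the same snake_case dict shape the Python example uses and reports when the management plane is missing, sits in the wrong subnet, or shares a public IP with the data plane, when threat intelligence only alerts, and when a DNAT rule accepts any source. review_firewall, SAMPLE_ARGS and the RG prefix are names constructed for this example.

```python
"""Static pre-deployment review of AzureFirewall arguments.

Added example, not part of the Pulumi Azure Native provider or this page's
own samples. It assumes the snake_case dict shape the Python example uses and
runs offline: no Pulumi SDK import, plain strings in place of the str-based
Pulumi enums.
"""
from __future__ import annotations

from typing import Any

DATA_SUBNET = "AzureFirewallSubnet"
MGMT_SUBNET = "AzureFirewallManagementSubnet"
# Resource id prefix taken from the page's examples (subscription and group are placeholders).
RG = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network"


def _subnet_name(sub_resource: dict[str, Any] | None) -> str:
    """Last path segment of a subnet resource id, or '' when no id is set."""
    rid = (sub_resource or {}).get("id") or ""
    return rid.rstrip("/").rsplit("/", 1)[-1]


def _pip_id(cfg: dict[str, Any]) -> str:
    """Public IP resource id of an ip configuration, or '' when absent."""
    return (cfg.get("public_ip_address") or {}).get("id") or ""


def review_firewall(args: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    data_cfgs: list[dict[str, Any]] = args.get("ip_configurations") or []
    mgmt = args.get("management_ip_configuration")

    # Data-plane IP configurations must live in AzureFirewallSubnet.
    for cfg in data_cfgs:
        if _subnet_name(cfg.get("subnet")) != DATA_SUBNET:
            findings.append(f"ip configuration {cfg.get('name')!r} is not in {DATA_SUBNET}")

    # Management plane: its own subnet and a public IP the data plane does not reuse.
    if mgmt is None:
        findings.append("no management_ip_configuration: management traffic shares the data-plane path")
    else:
        if _subnet_name(mgmt.get("subnet")) != MGMT_SUBNET:
            findings.append(f"management subnet is not {MGMT_SUBNET}")
        mgmt_pip = _pip_id(mgmt)
        if not mgmt_pip:
            findings.append("management_ip_configuration has no public IP")
        elif mgmt_pip in {_pip_id(c) for c in data_cfgs}:
            findings.append("management public IP is shared with a data-plane ip configuration")

    # threat_intel_mode 'Alert' only logs matches against the threat-intel feed; 'Deny' blocks them.
    mode = args.get("threat_intel_mode")
    if mode != "Deny":
        findings.append(f"threat_intel_mode is {mode!r}, not 'Deny'")

    # A DNAT rule with source '*' publishes its translated target to every source address.
    for coll in args.get("nat_rule_collections") or []:
        for rule in coll.get("rules") or []:
            if "*" in (rule.get("source_addresses") or []):
                target = rule.get("translated_address") or rule.get("translated_fqdn")
                findings.append(
                    f"DNAT rule {rule.get('name')!r} accepts any source for "
                    f"{target}:{rule.get('translated_port')}"
                )
    return findings


# Constructed sample mirroring the management-subnet example on this page.
SAMPLE_ARGS: dict[str, Any] = {
    "ip_configurations": [{
        "name": "azureFirewallIpConfiguration",
        "public_ip_address": {"id": f"{RG}/publicIPAddresses/pipName"},
        "subnet": {"id": f"{RG}/virtualNetworks/vnet2/subnets/{DATA_SUBNET}"},
    }],
    "management_ip_configuration": {
        "name": "azureFirewallMgmtIpConfiguration",
        "public_ip_address": {"id": f"{RG}/publicIPAddresses/managementPipName"},
        "subnet": {"id": f"{RG}/virtualNetworks/vnet2/subnets/{MGMT_SUBNET}"},
    },
    "nat_rule_collections": [{
        "name": "natrulecoll",
        "priority": 112,
        "action": {"type": "Dnat"},
        "rules": [
            {"name": "DNAT-HTTPS-traffic", "protocols": ["TCP"], "source_addresses": ["*"],
             "destination_addresses": ["1.2.3.4"], "destination_ports": ["443"],
             "translated_address": "1.2.3.5", "translated_port": "8443"},
            {"name": "DNAT-HTTP-traffic-With-FQDN", "protocols": ["TCP"], "source_addresses": ["*"],
             "destination_addresses": ["1.2.3.4"], "destination_ports": ["80"],
             "translated_fqdn": "internalhttpserver", "translated_port": "880"},
        ],
    }],
    "threat_intel_mode": "Alert",
}

if __name__ == "__main__":
    for finding in review_firewall(SAMPLE_ARGS):
        print(finding)
```

On the page's own configuration the review passes the management-plane checks and flags only the Alert-only threat-intel mode and the two wildcard-source DNAT rules.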

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    applicationRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        name: "apprulecoll",
        priority: 110,
        rules: [{
            description: "Deny inbound rule",
            name: "rule1",
            protocols: [{
                port: 443,
                protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
            }],
            sourceAddresses: [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            targetFqdns: ["www.test.com"],
        }],
    }],
    azureFirewallName: "azurefirewall",
    ipConfigurations: [{
        name: "azureFirewallIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location: "West US",
    managementIpConfiguration: {
        name: "azureFirewallMgmtIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
        },
    },
    natRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        name: "natrulecoll",
        priority: 112,
        rules: [
            {
                description: "D-NAT all outbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["443"],
                name: "DNAT-HTTPS-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedAddress: "1.2.3.5",
                translatedPort: "8443",
            },
            {
                description: "D-NAT all inbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["80"],
                name: "DNAT-HTTP-traffic-With-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedFqdn: "internalhttpserver",
                translatedPort: "880",
            },
        ],
    }],
    networkRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        name: "netrulecoll",
        priority: 112,
        rules: [
            {
                description: "Block traffic based on source IPs and ports",
                destinationAddresses: ["*"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                description: "Block traffic based on source IPs and ports to amazon",
                destinationFqdns: ["www.amazon.com"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic-with-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    zones: [],
});
import pulumi
import pulumi_azure_native as azure_native

azure_firewall = azure_native.network.AzureFirewall("azureFirewall",
    application_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        "name": "apprulecoll",
        "priority": 110,
        "rules": [{
            "description": "Deny inbound rule",
            "name": "rule1",
            "protocols": [{
                "port": 443,
                "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
            }],
            "source_addresses": [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            "target_fqdns": ["www.test.com"],
        }],
    }],
    azure_firewall_name="azurefirewall",
    ip_configurations=[{
        "name": "azureFirewallIpConfiguration",
        "public_ip_address": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location="West US",
    management_ip_configuration={
        "name": "azureFirewallMgmtIpConfiguration",
        "public_ip_address": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
        },
        "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
        },
    },
    nat_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        "name": "natrulecoll",
        "priority": 112,
        "rules": [
            {
                "description": "D-NAT all outbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["443"],
                "name": "DNAT-HTTPS-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_address": "1.2.3.5",
                "translated_port": "8443",
            },
            {
                "description": "D-NAT all inbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["80"],
                "name": "DNAT-HTTP-traffic-With-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_fqdn": "internalhttpserver",
                "translated_port": "880",
            },
        ],
    }],
    network_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        "name": "netrulecoll",
        "priority": 112,
        "rules": [
            {
                "description": "Block traffic based on source IPs and ports",
                "destination_addresses": ["*"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                "description": "Block traffic based on source IPs and ports to amazon",
                "destination_fqdns": ["www.amazon.com"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic-with-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    zones=[])
package main

import (
	network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			ApplicationRuleCollections: network.AzureFirewallApplicationRuleCollectionArray{
				&network.AzureFirewallApplicationRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
					Name:     pulumi.String("apprulecoll"),
					Priority: pulumi.Int(110),
					Rules: network.AzureFirewallApplicationRuleArray{
						&network.AzureFirewallApplicationRuleArgs{
							Description: pulumi.String("Deny inbound rule"),
							Name:        pulumi.String("rule1"),
							Protocols: network.AzureFirewallApplicationRuleProtocolArray{
								&network.AzureFirewallApplicationRuleProtocolArgs{
									Port:         pulumi.Int(443),
									ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
								},
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("216.58.216.164"),
								pulumi.String("10.0.0.0/24"),
							},
							TargetFqdns: pulumi.StringArray{
								pulumi.String("www.test.com"),
							},
						},
					},
				},
			},
			AzureFirewallName: pulumi.String("azurefirewall"),
			IpConfigurations: network.AzureFirewallIPConfigurationArray{
				&network.AzureFirewallIPConfigurationArgs{
					Name: pulumi.String("azureFirewallIpConfiguration"),
					PublicIPAddress: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
					},
					Subnet: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
					},
				},
			},
			Location: pulumi.String("West US"),
			ManagementIpConfiguration: &network.AzureFirewallIPConfigurationArgs{
				Name: pulumi.String("azureFirewallMgmtIpConfiguration"),
				PublicIPAddress: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"),
				},
				Subnet: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"),
				},
			},
			NatRuleCollections: network.AzureFirewallNatRuleCollectionArray{
				&network.AzureFirewallNatRuleCollectionArgs{
					Action: &network.AzureFirewallNatRCActionArgs{
						Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
					Name:     pulumi.String("natrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNatRuleArray{
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all outbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443"),
							},
							Name: pulumi.String("DNAT-HTTPS-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedAddress: pulumi.String("1.2.3.5"),
							TranslatedPort:    pulumi.String("8443"),
						},
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all inbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("80"),
							},
							Name: pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedFqdn: pulumi.String("internalhttpserver"),
							TranslatedPort: pulumi.String("880"),
						},
					},
				},
			},
			NetworkRuleCollections: network.AzureFirewallNetworkRuleCollectionArray{
				&network.AzureFirewallNetworkRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
					Name:     pulumi.String("netrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNetworkRuleArray{
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("192.168.1.1-192.168.1.12"),
								pulumi.String("10.1.4.12-10.1.4.255"),
							},
						},
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports to amazon"),
							DestinationFqdns: pulumi.StringArray{
								pulumi.String("www.amazon.com"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic-with-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("10.2.4.12-10.2.4.255"),
							},
						},
					},
				},
			},
			ResourceGroupName: pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			Zones:           pulumi.StringArray{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        ApplicationRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
                Name = "apprulecoll",
                Priority = 110,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                    {
                        Description = "Deny inbound rule",
                        Name = "rule1",
                        Protocols = new[]
                        {
                            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                            {
                                Port = 443,
                                ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                            },
                        },
                        SourceAddresses = new[]
                        {
                            "216.58.216.164",
                            "10.0.0.0/24",
                        },
                        TargetFqdns = new[]
                        {
                            "www.test.com",
                        },
                    },
                },
            },
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US",
        ManagementIpConfiguration = new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
        {
            Name = "azureFirewallMgmtIpConfiguration",
            PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
            {
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
            },
            Subnet = new AzureNative.Network.Inputs.SubResourceArgs
            {
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
            },
        },
        NatRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
                Name = "natrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all outbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "443",
                        },
                        Name = "DNAT-HTTPS-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedAddress = "1.2.3.5",
                        TranslatedPort = "8443",
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all inbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "80",
                        },
                        Name = "DNAT-HTTP-traffic-With-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedFqdn = "internalhttpserver",
                        TranslatedPort = "880",
                    },
                },
            },
        },
        NetworkRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
                Name = "netrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports",
                        DestinationAddresses = new[]
                        {
                            "*",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255",
                        },
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports to amazon",
                        DestinationFqdns = new[]
                        {
                            "www.amazon.com",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic-with-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "10.2.4.12-10.2.4.255",
                        },
                    },
                },
            },
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags = 
        {
            { "key1", "value1" },
        },
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        Zones = new string[] {},
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleProtocolArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .applicationRuleCollections(AzureFirewallApplicationRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
                .name("apprulecoll")
                .priority(110)
                .rules(AzureFirewallApplicationRuleArgs.builder()
                    .description("Deny inbound rule")
                    .name("rule1")
                    .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                        .port(443)
                        .protocolType("Https")
                        .build())
                    .sourceAddresses(                    
                        "216.58.216.164",
                        "10.0.0.0/24")
                    .targetFqdns("www.test.com")
                    .build())
                .build())
            .azureFirewallName("azurefirewall")
            .ipConfigurations(AzureFirewallIPConfigurationArgs.builder()
                .name("azureFirewallIpConfiguration")
                .publicIPAddress(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                    .build())
                .subnet(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                    .build())
                .build())
            .location("West US")
            .managementIpConfiguration(AzureFirewallIPConfigurationArgs.builder()
                .name("azureFirewallMgmtIpConfiguration")
                .publicIPAddress(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName")
                    .build())
                .subnet(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet")
                    .build())
                .build())
            .natRuleCollections(AzureFirewallNatRuleCollectionArgs.builder()
                .action(AzureFirewallNatRCActionArgs.builder()
                    .type("Dnat")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
                .name("natrulecoll")
                .priority(112)
                .rules(                
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all outbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("443")
                        .name("DNAT-HTTPS-traffic")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedAddress("1.2.3.5")
                        .translatedPort("8443")
                        .build(),
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all inbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("80")
                        .name("DNAT-HTTP-traffic-With-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedFqdn("internalhttpserver")
                        .translatedPort("880")
                        .build())
                .build())
            .networkRuleCollections(AzureFirewallNetworkRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
                .name("netrulecoll")
                .priority(112)
                .rules(                
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports")
                        .destinationAddresses("*")
                        .destinationPorts(                        
                            "443-444",
                            "8443")
                        .name("L4-traffic")
                        .protocols("TCP")
                        .sourceAddresses(                        
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255")
                        .build(),
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports to amazon")
                        .destinationFqdns("www.amazon.com")
                        .destinationPorts(                        
                            "443-444",
                            "8443")
                        .name("L4-traffic-with-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("10.2.4.12-10.2.4.255")
                        .build())
                .build())
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            .threatIntelMode("Alert")
            .zones()
            .build());

    }
}
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US
      managementIpConfiguration:
        name: azureFirewallMgmtIpConfiguration
        publicIPAddress:
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName
        subnet:
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      threatIntelMode: Alert
      zones: []

The managementIpConfiguration property creates a second IP configuration attached to AzureFirewallManagementSubnet. Azure routes management operations (health probes, logging, updates) through this dedicated path, keeping control plane traffic separate from application data flows.
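A pre-deployment check for the rule-collection model above, added here as an example; it is not code from the page, from Pulumi or from Azure. It is plain TypeScript with no Pulumi dependency, so it can run in a unit test against the same argument shapes the TypeScript example passes to new AzureFirewall. The fixed subnet names and the port syntax ("8443", "443-444") come from this page; the 100-65000 priority range and uniqueness of priorities within one collection type are assumed from Azure's documented limits and are not stated on this page.

```typescript
// Added example (not code from the page, Pulumi or Azure): a dependency-free
// lint for the classic rule-collection arguments shown above, so mistakes are
// caught in a unit test instead of at `pulumi up`. Subnet names and port
// syntax follow this page; the 100-65000 priority range and per-type
// uniqueness are assumed from Azure's documented limits, not stated here.

interface FirewallRule { name: string; sourceAddresses?: string[]; destinationAddresses?: string[]; destinationPorts?: string[] }
interface RuleCollection { name: string; priority: number; rules: FirewallRule[] }
interface IpConfiguration { name: string; subnet?: { id: string } }
interface ClassicFirewallArgs {
  ipConfigurations?: IpConfiguration[];
  managementIpConfiguration?: IpConfiguration;
  applicationRuleCollections?: RuleCollection[];
  natRuleCollections?: RuleCollection[];
  networkRuleCollections?: RuleCollection[];
}

// One destinationPorts entry is a single port ("8443") or a range ("443-444").
// Returns [low, high], or null when the entry is malformed or out of range.
function parsePortSpec(spec: string): [number, number] | null {
  const m = /^(\d{1,5})(?:-(\d{1,5}))?$/.exec(spec.trim());
  if (m === null) return null;
  const low = Number(m[1]);
  const high = m[2] === undefined ? low : Number(m[2]);
  if (low < 1 || high > 65535 || low > high) return null;
  return [low, high];
}

// Returns human-readable findings; an empty array means every check passed.
function lintClassicFirewall(args: ClassicFirewallArgs): string[] {
  const findings: string[] = [];

  // The data-plane subnet must be AzureFirewallSubnet and the management
  // subnet AzureFirewallManagementSubnet; compare the tail of the resource id.
  for (const ipc of args.ipConfigurations ?? []) {
    if (!ipc.subnet?.id.endsWith("/subnets/AzureFirewallSubnet")) {
      findings.push(`ipConfiguration ${ipc.name}: subnet must be AzureFirewallSubnet`);
    }
  }
  const mgmt = args.managementIpConfiguration;
  if (mgmt && !mgmt.subnet?.id.endsWith("/subnets/AzureFirewallManagementSubnet")) {
    findings.push(`managementIpConfiguration ${mgmt.name}: subnet must be AzureFirewallManagementSubnet`);
  }

  const groups: Array<[string, RuleCollection[] | undefined]> = [
    ["application", args.applicationRuleCollections],
    ["nat", args.natRuleCollections],
    ["network", args.networkRuleCollections],
  ];
  for (const [kind, collections] of groups) {
    const seen = new Map<number, string>(); // priority -> collection name
    for (const c of collections ?? []) {
      if (c.priority < 100 || c.priority > 65000) {
        findings.push(`${kind} collection ${c.name}: priority ${c.priority} outside 100-65000`);
      }
      const clash = seen.get(c.priority);
      if (clash !== undefined) {
        findings.push(`${kind} collection ${c.name}: priority ${c.priority} already used by ${clash}`);
      }
      seen.set(c.priority, c.name);
      for (const r of c.rules) {
        for (const p of r.destinationPorts ?? []) {
          if (parsePortSpec(p) === null) findings.push(`${kind} rule ${r.name}: bad port spec "${p}"`);
        }
        // Any source to any destination is a review finding, whatever the action.
        if ((r.sourceAddresses ?? []).includes("*") && (r.destinationAddresses ?? []).includes("*")) {
          findings.push(`${kind} rule ${r.name}: matches any source to any destination`);
        }
      }
    }
  }
  return findings;
}

// Constructed samples: pageLikeArgs copies a subset of the page's values and
// should pass; mistakenArgs is a deliberately wrong input for the lint.
const vnet = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2";
const pageLikeArgs: ClassicFirewallArgs = {
  ipConfigurations: [{ name: "azureFirewallIpConfiguration", subnet: { id: `${vnet}/subnets/AzureFirewallSubnet` } }],
  managementIpConfiguration: { name: "azureFirewallMgmtIpConfiguration", subnet: { id: `${vnet}/subnets/AzureFirewallManagementSubnet` } },
  natRuleCollections: [{ name: "natrulecoll", priority: 112, rules: [
    { name: "DNAT-HTTPS-traffic", sourceAddresses: ["*"], destinationAddresses: ["1.2.3.4"], destinationPorts: ["443"] },
  ] }],
  networkRuleCollections: [{ name: "netrulecoll", priority: 112, rules: [
    { name: "L4-traffic", sourceAddresses: ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"], destinationAddresses: ["*"], destinationPorts: ["443-444", "8443"] },
  ] }],
};
const mistakenArgs: ClassicFirewallArgs = {
  ipConfigurations: [{ name: "ipc", subnet: { id: `${vnet}/subnets/default` } }],
  networkRuleCollections: [
    { name: "open", priority: 50, rules: [{ name: "any-any", sourceAddresses: ["*"], destinationAddresses: ["*"], destinationPorts: ["443-444"] }] },
    { name: "dup", priority: 50, rules: [{ name: "reversed", sourceAddresses: ["10.0.0.0/24"], destinationAddresses: ["*"], destinationPorts: ["444-443"] }] },
  ],
};

console.log("page-like findings:", lintClassicFirewall(pageLikeArgs));
console.log("mistaken findings:", lintClassicFirewall(mistakenArgs));
```

The NAT and network collections on this page both use priority 112; the lint only treats that as a clash within one collection type, which is why the page-like sample passes. The any-to-any check fires on the address lists alone, independent of the action, because a Deny rule that broad usually shadows everything below it just as an Allow would.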

Deploy a firewall in Azure Virtual WAN hub

Virtual WAN deployments use hub-based firewalls that integrate with the hub’s routing and connectivity model, rather than traditional VNet-based placement.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    azureFirewallName: "azurefirewall",
    firewallPolicy: {
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
    },
    hubIPAddresses: {
        publicIPs: {
            addresses: [],
            count: 1,
        },
    },
    location: "West US",
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_Hub,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    virtualHub: {
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
    },
    zones: [],
});
import pulumi
import pulumi_azure_native as azure_native

azure_firewall = azure_native.network.AzureFirewall("azureFirewall",
    azure_firewall_name="azurefirewall",
    firewall_policy={
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
    },
    hub_ip_addresses={
        "public_ips": {
            "addresses": [],
            "count": 1,
        },
    },
    location="West US",
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_HUB,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    virtual_hub={
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
    },
    zones=[])
package main

import (
	network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			AzureFirewallName: pulumi.String("azurefirewall"),
			FirewallPolicy: &network.SubResourceArgs{
				Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
			},
			HubIPAddresses: &network.HubIPAddressesArgs{
				PublicIPs: &network.HubPublicIPAddressesArgs{
					Addresses: network.AzureFirewallPublicIPAddressArray{},
					Count:     pulumi.Int(1),
				},
			},
			Location:          pulumi.String("West US"),
			ResourceGroupName: pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_Hub),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			VirtualHub: &network.SubResourceArgs{
				Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
			},
			Zones: pulumi.StringArray{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        AzureFirewallName = "azurefirewall",
        FirewallPolicy = new AzureNative.Network.Inputs.SubResourceArgs
        {
            Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
        },
        HubIPAddresses = new AzureNative.Network.Inputs.HubIPAddressesArgs
        {
            PublicIPs = new AzureNative.Network.Inputs.HubPublicIPAddressesArgs
            {
                Addresses = new() { },
                Count = 1,
            },
        },
        Location = "West US",
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_Hub,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags = 
        {
            { "key1", "value1" },
        },
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        VirtualHub = new AzureNative.Network.Inputs.SubResourceArgs
        {
            Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
        },
        Zones = new[] {},
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.HubIPAddressesArgs;
import com.pulumi.azurenative.network.inputs.HubPublicIPAddressesArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .azureFirewallName("azurefirewall")
            .firewallPolicy(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1")
                .build())
            .hubIPAddresses(HubIPAddressesArgs.builder()
                .publicIPs(HubPublicIPAddressesArgs.builder()
                    .addresses()
                    .count(1)
                    .build())
                .build())
            .location("West US")
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_Hub")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            .threatIntelMode("Alert")
            .virtualHub(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1")
                .build())
            .zones()
            .build());

    }
}
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      azureFirewallName: azurefirewall
      firewallPolicy:
        id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1
      hubIPAddresses:
        publicIPs:
          addresses: []
          count: 1
      location: West US
      resourceGroupName: rg1
      sku:
        name: AZFW_Hub
        tier: Standard
      tags:
        key1: value1
      threatIntelMode: Alert
      virtualHub:
        id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1
      zones: []

In this configuration, the firewall attaches to a Virtual WAN hub instead of a VNet subnet. The virtualHub property links to the hub resource, while hubIPAddresses allocates public IPs from the hub’s address pool. The sku must use AZFW_Hub (not AZFW_VNet), and the firewallPolicy property references a centralized policy resource that defines rules across multiple hub firewalls.
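A consistency check for the two deployment models this page contrasts, added as an example; it is not the page's code and not part of Pulumi. The property rules for AZFW_VNet versus AZFW_Hub and the zone values '1', '2', '3' are taken from this page and its FAQ. Two checks go beyond the page and are assumptions about Azure's model: that firewallPolicy and classic rule collections are not used together, and that a hub firewall without a firewallPolicy is worth flagging.

```typescript
// Added example (not the page's or Pulumi's code): a consistency check for the
// VNet and Virtual WAN hub deployment models. The property rules and the zone
// values '1'..'3' come from this page and its FAQ. Treating firewallPolicy and
// classic rule collections as mutually exclusive, and a hub firewall without a
// policy as a finding, are assumptions about Azure's model, not page content.

interface DeploymentArgs {
  sku: { name: "AZFW_VNet" | "AZFW_Hub"; tier: string };
  ipConfigurations?: unknown[];
  managementIpConfiguration?: unknown;
  virtualHub?: { id: string };
  hubIPAddresses?: { publicIPs?: { count?: number; addresses?: unknown[] } };
  firewallPolicy?: { id: string };
  applicationRuleCollections?: unknown[];
  natRuleCollections?: unknown[];
  networkRuleCollections?: unknown[];
  zones?: string[];
}

// Returns findings for properties that contradict the chosen SKU; empty = consistent.
function checkDeploymentModel(args: DeploymentArgs): string[] {
  const findings: string[] = [];
  const classicCollections =
    (args.applicationRuleCollections?.length ?? 0) +
    (args.natRuleCollections?.length ?? 0) +
    (args.networkRuleCollections?.length ?? 0);

  if (args.sku.name === "AZFW_VNet") {
    // VNet model: placement comes from ipConfigurations, never from a hub.
    if ((args.ipConfigurations?.length ?? 0) === 0) findings.push("AZFW_VNet requires at least one ipConfiguration");
    if (args.virtualHub !== undefined || args.hubIPAddresses !== undefined) findings.push("AZFW_VNet must not set virtualHub or hubIPAddresses");
  } else {
    // Hub model: placement comes from virtualHub plus hub-allocated public IPs.
    if (args.virtualHub === undefined) findings.push("AZFW_Hub requires virtualHub");
    const pips = args.hubIPAddresses?.publicIPs;
    if ((pips?.count ?? 0) < 1 && (pips?.addresses?.length ?? 0) < 1) findings.push("AZFW_Hub requires hubIPAddresses.publicIPs with count >= 1 or explicit addresses");
    if ((args.ipConfigurations?.length ?? 0) > 0 || args.managementIpConfiguration !== undefined) findings.push("AZFW_Hub must not set ipConfigurations or managementIpConfiguration");
    if (args.firewallPolicy === undefined) findings.push("AZFW_Hub has no firewallPolicy; hub firewalls take their rules from a policy");
  }
  if (args.firewallPolicy !== undefined && classicCollections > 0) findings.push("firewallPolicy and classic rule collections are both set; rules must come from one source");
  for (const z of args.zones ?? []) {
    if (!["1", "2", "3"].includes(z)) findings.push(`zones: "${z}" is not a valid availability zone`);
  }
  return findings;
}

// Constructed samples: hubArgs and vnetArgs copy the relevant page values and
// should pass; crossedArgs mixes the two models and should be rejected.
const hubArgs: DeploymentArgs = {
  sku: { name: "AZFW_Hub", tier: "Standard" },
  firewallPolicy: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1" },
  hubIPAddresses: { publicIPs: { addresses: [], count: 1 } },
  virtualHub: { id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1" },
  zones: [],
};
const vnetArgs: DeploymentArgs = {
  sku: { name: "AZFW_VNet", tier: "Standard" },
  ipConfigurations: [{ name: "azureFirewallIpConfiguration" }],
  managementIpConfiguration: { name: "azureFirewallMgmtIpConfiguration" },
  networkRuleCollections: [{ name: "netrulecoll" }],
  zones: [],
};
const crossedArgs: DeploymentArgs = {
  sku: { name: "AZFW_Hub", tier: "Standard" },
  ipConfigurations: [{ name: "azureFirewallIpConfiguration" }],
  zones: ["1", "4"],
};

console.log("hub:", checkDeploymentModel(hubArgs));
console.log("vnet:", checkDeploymentModel(vnetArgs));
console.log("crossed:", checkDeploymentModel(crossedArgs));
```

Because the two placements are mutually exclusive, a wrong mix is rejected by Azure only at deployment time; running this kind of check in CI on the rendered arguments gives the same answer before any resource is touched.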

Beyond these examples

These snippets focus on specific firewall-level features: rule collections, management subnet separation, and Virtual WAN hub integration. They’re intentionally minimal rather than full network security architectures.

The examples may reference pre-existing infrastructure such as virtual networks and subnets, public IP addresses, and Virtual WAN hubs and firewall policies for hub deployments. They focus on configuring the firewall rather than provisioning the surrounding network.

To keep things focused, common firewall patterns are omitted, including:

  • Availability zones configuration (zones property)
  • IP Groups for rule source/destination management
  • Autoscale configuration (autoscaleConfiguration)
  • Threat intelligence mode tuning beyond Alert

These omissions are intentional: the goal is to illustrate how each firewall feature is wired, not provide drop-in security modules. See the Azure Firewall resource reference for all available configuration options.

Frequently Asked Questions

Deployment & Configuration

What subnet names are required for Azure Firewall?
The primary subnet must be named AzureFirewallSubnet. If you’re using a management subnet for separated management traffic, it must be named AzureFirewallManagementSubnet.

What's the difference between AZFW_VNet and AZFW_Hub SKUs?
AZFW_VNet deploys the firewall in a traditional VNet using ipConfigurations, while AZFW_Hub deploys in a Virtual Hub using virtualHub and hubIPAddresses. These are mutually exclusive deployment models.

When should I use a management subnet?
Use managementIpConfiguration with a separate management subnet when you need to isolate management traffic from data plane traffic. This is optional but recommended for production deployments.

Rule Configuration

How do I specify port ranges in firewall rules?
Use hyphenated ranges like 443-444 or individual ports like 8443 in the destinationPorts array. You can mix both formats in the same rule.

Can I use FQDNs in NAT rules?
Yes, NAT rules support both translatedAddress (for IP addresses) and translatedFqdn (for FQDNs) as the translation target. Use whichever fits your backend configuration.

How do rule collection priorities work?
Each rule collection (application, NAT, network) has a priority value. Lower numbers are processed first. Examples show priorities like 110 and 112.

High Availability & Scaling

How do I deploy Azure Firewall across availability zones?
Set the zones property to an array of zone numbers like ['1', '2', '3'] for zone-redundant deployment. This requires a region that supports availability zones.

API Versions & Compatibility

What changed in the API version between provider v2.x and current?
The default API version changed from 2023-02-01 (in provider v2.x) to 2024-05-01. Review your configurations when upgrading, as some properties or behaviors may differ.

How do I use a different API version?
Generate a local SDK package using pulumi package add azure-native network [ApiVersion]. Available versions range from 2018-06-01 to 2024-10-01.
