azure-native.network.AzureFirewall
Azure Firewall resource. Azure REST API version: 2023-02-01. Prior API version in Azure Native 1.x: 2020-11-01.
Other available API versions: 2020-04-01, 2023-04-01, 2023-05-01, 2023-06-01, 2023-09-01, 2023-11-01, 2024-01-01.
Example Usage
Create Azure Firewall
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
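// Declares one Azure Firewall (AZFW_VNet SKU, Standard tier) with an application,
// a NAT and a network rule collection. The subscription id ("subid"), resource
// group ("rg1") and all addresses are the sample placeholders used on this page.
// Azure Firewall denies traffic that no Allow rule matches, so the two Deny
// collections below only spell out explicit blocks; the DNAT rules are the only
// entries here that let traffic through.
return await Deployment.RunAsync(() =>
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        // Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
        // NOTE(review): the rule matches source addresses against a target FQDN, so
        // the "inbound" wording in the description looks inaccurate; confirm intent.
        ApplicationRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
                Name = "apprulecoll",
                Priority = 110,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                    {
                        Description = "Deny inbound rule",
                        Name = "rule1",
                        Protocols = new[]
                        {
                            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                            {
                                Port = 443,
                                ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                            },
                        },
                        SourceAddresses = new[] { "216.58.216.164", "10.0.0.0/24" },
                        TargetFqdns = new[] { "www.test.com" },
                    },
                },
            },
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US",
        // DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target.
        // Both rules use SourceAddresses "*", i.e. any client is accepted; narrow
        // this to known ranges when publishing a real service. DNAT rules are
        // evaluated before network rules, so the Deny collection further down is
        // not what limits who reaches the translated targets.
        // NOTE(review): the first description says "outbound" although the rule
        // translates traffic addressed to the firewall; confirm the wording.
        NatRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
                Name = "natrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all outbound web traffic for inspection",
                        DestinationAddresses = new[] { "1.2.3.4" },
                        DestinationPorts = new[] { "443" },
                        Name = "DNAT-HTTPS-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "*" },
                        TranslatedAddress = "1.2.3.5",
                        TranslatedPort = "8443",
                    },
                    // Port 80 is forwarded to an internal host resolved by FQDN.
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all inbound web traffic for inspection",
                        DestinationAddresses = new[] { "1.2.3.4" },
                        DestinationPorts = new[] { "80" },
                        Name = "DNAT-HTTP-traffic-With-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "*" },
                        TranslatedFqdn = "internalhttpserver",
                        TranslatedPort = "880",
                    },
                },
            },
        },
        // L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges, to any
        // destination (first rule) or to the FQDN www.amazon.com (second rule).
        NetworkRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
                Name = "netrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports",
                        DestinationAddresses = new[] { "*" },
                        DestinationPorts = new[] { "443-444", "8443" },
                        Name = "L4-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255" },
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports to amazon",
                        DestinationFqdns = new[] { "www.amazon.com" },
                        DestinationPorts = new[] { "443-444", "8443" },
                        Name = "L4-traffic-with-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "10.2.4.12-10.2.4.255" },
                    },
                },
            },
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags =
        {
            { "key1", "value1" },
        },
        // Alert mode only logs threat-intelligence matches; the Deny mode of the same
        // enum also blocks them.
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        // Explicit element type: `new[] {}` gives the compiler nothing to infer the
        // array type from and does not compile. The list stays empty (no zones).
        Zones = new string[] { },
    });
});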
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares one Azure Firewall (AZFW_VNet SKU, Standard tier) with an
// application, a NAT and a network rule collection. The subscription id
// ("subid"), resource group ("rg1") and all addresses are the sample
// placeholders used on this page.
//
// Azure Firewall denies traffic that no Allow rule matches, so the two Deny
// collections only spell out explicit blocks; the DNAT rules are the only
// entries here that let traffic through.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
		// NOTE(review): the rule matches source addresses against a target
		// FQDN, so "inbound" in the description looks inaccurate; confirm.
		appRuleCollections := network.AzureFirewallApplicationRuleCollectionArray{
			&network.AzureFirewallApplicationRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
				Name:     pulumi.String("apprulecoll"),
				Priority: pulumi.Int(110),
				Rules: network.AzureFirewallApplicationRuleArray{
					&network.AzureFirewallApplicationRuleArgs{
						Description: pulumi.String("Deny inbound rule"),
						Name:        pulumi.String("rule1"),
						Protocols: network.AzureFirewallApplicationRuleProtocolArray{
							&network.AzureFirewallApplicationRuleProtocolArgs{
								Port:         pulumi.Int(443),
								ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
							},
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("216.58.216.164"),
							pulumi.String("10.0.0.0/24"),
						},
						TargetFqdns: pulumi.StringArray{pulumi.String("www.test.com")},
					},
				},
			},
		}

		// DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target.
		// Both rules use source "*", i.e. any client is accepted; narrow this
		// to known ranges when publishing a real service. DNAT rules are
		// evaluated before network rules, so the Deny collection below is not
		// what limits who reaches the translated targets.
		// NOTE(review): the first description says "outbound" although the
		// rule translates traffic addressed to the firewall; confirm wording.
		natRuleCollections := network.AzureFirewallNatRuleCollectionArray{
			&network.AzureFirewallNatRuleCollectionArgs{
				Action: &network.AzureFirewallNatRCActionArgs{
					Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
				Name:     pulumi.String("natrulecoll"),
				Priority: pulumi.Int(112),
				Rules: network.AzureFirewallNatRuleArray{
					&network.AzureFirewallNatRuleArgs{
						Description:          pulumi.String("D-NAT all outbound web traffic for inspection"),
						DestinationAddresses: pulumi.StringArray{pulumi.String("1.2.3.4")},
						DestinationPorts:     pulumi.StringArray{pulumi.String("443")},
						Name:                 pulumi.String("DNAT-HTTPS-traffic"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses:   pulumi.StringArray{pulumi.String("*")},
						TranslatedAddress: pulumi.String("1.2.3.5"),
						TranslatedPort:    pulumi.String("8443"),
					},
					// Port 80 is forwarded to an internal host resolved by FQDN.
					&network.AzureFirewallNatRuleArgs{
						Description:          pulumi.String("D-NAT all inbound web traffic for inspection"),
						DestinationAddresses: pulumi.StringArray{pulumi.String("1.2.3.4")},
						DestinationPorts:     pulumi.StringArray{pulumi.String("80")},
						Name:                 pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{pulumi.String("*")},
						TranslatedFqdn:  pulumi.String("internalhttpserver"),
						TranslatedPort:  pulumi.String("880"),
					},
				},
			},
		}

		// L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges,
		// to any destination (first rule) or to www.amazon.com (second rule).
		netRuleCollections := network.AzureFirewallNetworkRuleCollectionArray{
			&network.AzureFirewallNetworkRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
				Name:     pulumi.String("netrulecoll"),
				Priority: pulumi.Int(112),
				Rules: network.AzureFirewallNetworkRuleArray{
					&network.AzureFirewallNetworkRuleArgs{
						Description:          pulumi.String("Block traffic based on source IPs and ports"),
						DestinationAddresses: pulumi.StringArray{pulumi.String("*")},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("443-444"),
							pulumi.String("8443"),
						},
						Name: pulumi.String("L4-traffic"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("192.168.1.1-192.168.1.12"),
							pulumi.String("10.1.4.12-10.1.4.255"),
						},
					},
					&network.AzureFirewallNetworkRuleArgs{
						Description:      pulumi.String("Block traffic based on source IPs and ports to amazon"),
						DestinationFqdns: pulumi.StringArray{pulumi.String("www.amazon.com")},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("443-444"),
							pulumi.String("8443"),
						},
						Name: pulumi.String("L4-traffic-with-FQDN"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{pulumi.String("10.2.4.12-10.2.4.255")},
					},
				},
			},
		}

		ipConfigurations := network.AzureFirewallIPConfigurationArray{
			&network.AzureFirewallIPConfigurationArgs{
				Name: pulumi.String("azureFirewallIpConfiguration"),
				PublicIPAddress: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
				},
				Subnet: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
				},
			},
		}

		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			ApplicationRuleCollections: appRuleCollections,
			AzureFirewallName:          pulumi.String("azurefirewall"),
			IpConfigurations:           ipConfigurations,
			Location:                   pulumi.String("West US"),
			NatRuleCollections:         natRuleCollections,
			NetworkRuleCollections:     netRuleCollections,
			ResourceGroupName:          pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			// Alert mode only logs threat-intelligence matches; the Deny mode
			// of the same setting also blocks them.
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			// Empty list: no availability zones are requested.
			Zones: pulumi.StringArray{},
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleProtocolArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one Azure Firewall (AZFW_VNet SKU, Standard tier)
 * with an application, a NAT and a network rule collection. The subscription id
 * ("subid"), resource group ("rg1") and all addresses are the sample placeholders
 * used on this page.
 *
 * Azure Firewall denies traffic that no Allow rule matches, so the two Deny
 * collections only spell out explicit blocks; the DNAT rules are the only entries
 * here that let traffic through.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Builds the three rule collections, then the firewall resource that uses them. */
    public static void stack(Context ctx) {
        // Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
        // NOTE(review): the rule matches source addresses against a target FQDN, so
        // "inbound" in the description looks inaccurate; confirm the intent.
        var appRuleCollection = AzureFirewallApplicationRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
            .name("apprulecoll")
            .priority(110)
            .rules(AzureFirewallApplicationRuleArgs.builder()
                .description("Deny inbound rule")
                .name("rule1")
                .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                    .port(443)
                    .protocolType("Https")
                    .build())
                .sourceAddresses(
                    "216.58.216.164",
                    "10.0.0.0/24")
                .targetFqdns("www.test.com")
                .build())
            .build();

        // DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target.
        // Both rules use source "*", i.e. any client is accepted; narrow this to
        // known ranges when publishing a real service. DNAT rules are evaluated
        // before network rules, so the Deny collection below is not what limits who
        // reaches the translated targets.
        // NOTE(review): the first description says "outbound" although the rule
        // translates traffic addressed to the firewall; confirm the wording.
        var natRuleCollection = AzureFirewallNatRuleCollectionArgs.builder()
            .action(AzureFirewallNatRCActionArgs.builder()
                .type("Dnat")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
            .name("natrulecoll")
            .priority(112)
            .rules(
                AzureFirewallNatRuleArgs.builder()
                    .description("D-NAT all outbound web traffic for inspection")
                    .destinationAddresses("1.2.3.4")
                    .destinationPorts("443")
                    .name("DNAT-HTTPS-traffic")
                    .protocols("TCP")
                    .sourceAddresses("*")
                    .translatedAddress("1.2.3.5")
                    .translatedPort("8443")
                    .build(),
                // Port 80 is forwarded to an internal host resolved by FQDN.
                AzureFirewallNatRuleArgs.builder()
                    .description("D-NAT all inbound web traffic for inspection")
                    .destinationAddresses("1.2.3.4")
                    .destinationPorts("80")
                    .name("DNAT-HTTP-traffic-With-FQDN")
                    .protocols("TCP")
                    .sourceAddresses("*")
                    .translatedFqdn("internalhttpserver")
                    .translatedPort("880")
                    .build())
            .build();

        // L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges, to any
        // destination (first rule) or to www.amazon.com (second rule).
        var netRuleCollection = AzureFirewallNetworkRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
            .name("netrulecoll")
            .priority(112)
            .rules(
                AzureFirewallNetworkRuleArgs.builder()
                    .description("Block traffic based on source IPs and ports")
                    .destinationAddresses("*")
                    .destinationPorts(
                        "443-444",
                        "8443")
                    .name("L4-traffic")
                    .protocols("TCP")
                    .sourceAddresses(
                        "192.168.1.1-192.168.1.12",
                        "10.1.4.12-10.1.4.255")
                    .build(),
                AzureFirewallNetworkRuleArgs.builder()
                    .description("Block traffic based on source IPs and ports to amazon")
                    .destinationFqdns("www.amazon.com")
                    .destinationPorts(
                        "443-444",
                        "8443")
                    .name("L4-traffic-with-FQDN")
                    .protocols("TCP")
                    .sourceAddresses("10.2.4.12-10.2.4.255")
                    .build())
            .build();

        var ipConfiguration = AzureFirewallIPConfigurationArgs.builder()
            .name("azureFirewallIpConfiguration")
            .publicIPAddress(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                .build())
            .subnet(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                .build())
            .build();

        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .applicationRuleCollections(appRuleCollection)
            .azureFirewallName("azurefirewall")
            .ipConfigurations(ipConfiguration)
            .location("West US")
            .natRuleCollections(natRuleCollection)
            .networkRuleCollections(netRuleCollection)
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            // Alert mode only logs threat-intelligence matches; "Deny" also blocks them.
            .threatIntelMode("Alert")
            // No arguments: no availability zones are requested.
            .zones()
            .build());
    }
}
import pulumi
import pulumi_azure_native as azure_native
# Declares one Azure Firewall (AZFW_VNet SKU, Standard tier) with an application,
# a NAT and a network rule collection. The subscription id ("subid"), resource
# group ("rg1") and all addresses are the sample placeholders used on this page.
# Azure Firewall denies traffic that no Allow rule matches, so the two Deny
# collections only spell out explicit blocks; the DNAT rules are the only entries
# here that let traffic through.

# Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
# NOTE(review): the rule matches source addresses against a target FQDN, so
# "inbound" in the description looks inaccurate; confirm the intent.
_app_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    "name": "apprulecoll",
    "priority": 110,
    "rules": [{
        "description": "Deny inbound rule",
        "name": "rule1",
        "protocols": [{
            "port": 443,
            "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
        }],
        "source_addresses": [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        "target_fqdns": ["www.test.com"],
    }],
}

# DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target. Both rules
# use source "*", i.e. any client is accepted; narrow this to known ranges when
# publishing a real service. DNAT rules are evaluated before network rules, so the
# Deny collection below is not what limits who reaches the translated targets.
# NOTE(review): the first description says "outbound" although the rule
# translates traffic addressed to the firewall; confirm the wording.
_nat_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    "name": "natrulecoll",
    "priority": 112,
    "rules": [
        {
            "description": "D-NAT all outbound web traffic for inspection",
            "destination_addresses": ["1.2.3.4"],
            "destination_ports": ["443"],
            "name": "DNAT-HTTPS-traffic",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": ["*"],
            "translated_address": "1.2.3.5",
            "translated_port": "8443",
        },
        # Port 80 is forwarded to an internal host resolved by FQDN.
        {
            "description": "D-NAT all inbound web traffic for inspection",
            "destination_addresses": ["1.2.3.4"],
            "destination_ports": ["80"],
            "name": "DNAT-HTTP-traffic-With-FQDN",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": ["*"],
            "translated_fqdn": "internalhttpserver",
            "translated_port": "880",
        },
    ],
}

# L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges, to any
# destination (first rule) or to www.amazon.com (second rule).
_network_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    "name": "netrulecoll",
    "priority": 112,
    "rules": [
        {
            "description": "Block traffic based on source IPs and ports",
            "destination_addresses": ["*"],
            "destination_ports": [
                "443-444",
                "8443",
            ],
            "name": "L4-traffic",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255",
            ],
        },
        {
            "description": "Block traffic based on source IPs and ports to amazon",
            "destination_fqdns": ["www.amazon.com"],
            "destination_ports": [
                "443-444",
                "8443",
            ],
            "name": "L4-traffic-with-FQDN",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": ["10.2.4.12-10.2.4.255"],
        },
    ],
}

_ip_configuration = {
    "name": "azureFirewallIpConfiguration",
    "public_ip_address": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
    },
    "subnet": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
    },
}

azure_firewall = azure_native.network.AzureFirewall(
    "azureFirewall",
    application_rule_collections=[_app_rule_collection],
    azure_firewall_name="azurefirewall",
    ip_configurations=[_ip_configuration],
    location="West US",
    nat_rule_collections=[_nat_rule_collection],
    network_rule_collections=[_network_rule_collection],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    # Alert mode only logs threat-intelligence matches; the Deny mode of the same
    # enum also blocks them.
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    # Empty list: no availability zones are requested.
    zones=[],
)
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Declares one Azure Firewall (AZFW_VNet SKU, Standard tier) with an application,
// a NAT and a network rule collection. The subscription id ("subid"), resource
// group ("rg1") and all addresses are the sample placeholders used on this page.
// Azure Firewall denies traffic that no Allow rule matches, so the two Deny
// collections only spell out explicit blocks; the DNAT rules are the only entries
// here that let traffic through.

// Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
// NOTE(review): the rule matches source addresses against a target FQDN, so
// "inbound" in the description looks inaccurate; confirm the intent.
const appRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    name: "apprulecoll",
    priority: 110,
    rules: [{
        description: "Deny inbound rule",
        name: "rule1",
        protocols: [{
            port: 443,
            protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
        }],
        sourceAddresses: [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        targetFqdns: ["www.test.com"],
    }],
};

// DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target. Both rules
// use source "*", i.e. any client is accepted; narrow this to known ranges when
// publishing a real service. DNAT rules are evaluated before network rules, so the
// Deny collection below is not what limits who reaches the translated targets.
// NOTE(review): the first description says "outbound" although the rule
// translates traffic addressed to the firewall; confirm the wording.
const natRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    name: "natrulecoll",
    priority: 112,
    rules: [
        {
            description: "D-NAT all outbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["443"],
            name: "DNAT-HTTPS-traffic",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["*"],
            translatedAddress: "1.2.3.5",
            translatedPort: "8443",
        },
        // Port 80 is forwarded to an internal host resolved by FQDN.
        {
            description: "D-NAT all inbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["80"],
            name: "DNAT-HTTP-traffic-With-FQDN",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["*"],
            translatedFqdn: "internalhttpserver",
            translatedPort: "880",
        },
    ],
};

// L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges, to any
// destination (first rule) or to www.amazon.com (second rule).
const networkRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    name: "netrulecoll",
    priority: 112,
    rules: [
        {
            description: "Block traffic based on source IPs and ports",
            destinationAddresses: ["*"],
            destinationPorts: [
                "443-444",
                "8443",
            ],
            name: "L4-traffic",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255",
            ],
        },
        {
            description: "Block traffic based on source IPs and ports to amazon",
            destinationFqdns: ["www.amazon.com"],
            destinationPorts: [
                "443-444",
                "8443",
            ],
            name: "L4-traffic-with-FQDN",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["10.2.4.12-10.2.4.255"],
        },
    ],
};

const ipConfiguration = {
    name: "azureFirewallIpConfiguration",
    publicIPAddress: {
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
    },
    subnet: {
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
    },
};

const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    applicationRuleCollections: [appRuleCollection],
    azureFirewallName: "azurefirewall",
    ipConfigurations: [ipConfiguration],
    location: "West US",
    natRuleCollections: [natRuleCollection],
    networkRuleCollections: [networkRuleCollection],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    // Alert mode only logs threat-intelligence matches; the Deny mode of the same
    // enum also blocks them.
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    // Empty list: no availability zones are requested.
    zones: [],
});
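# Declares one Azure Firewall (AZFW_VNet SKU, Standard tier) with an application,
# a NAT and a network rule collection. The subscription id ("subid"), resource
# group ("rg1") and all addresses are the sample placeholders used on this page.
# Nesting is restored here: with every line at column 0 the document does not
# parse into the structure the other language examples on this page declare.
# Azure Firewall denies traffic that no Allow rule matches, so the two Deny
# collections only spell out explicit blocks; the DNAT rules are the only entries
# here that let traffic through.
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      # Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
      # NOTE(review): the rule matches source addresses against a target FQDN, so
      # "inbound" in the description looks inaccurate; confirm the intent.
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US
      # DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target. Both
      # rules use source '*', i.e. any client is accepted; narrow this to known
      # ranges when publishing a real service. DNAT rules are evaluated before
      # network rules, so the Deny collection below is not what limits who reaches
      # the translated targets.
      # NOTE(review): the first description says "outbound" although the rule
      # translates traffic addressed to the firewall; confirm the wording.
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            # Port 80 is forwarded to an internal host resolved by FQDN.
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      # L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges, to any
      # destination (first rule) or to www.amazon.com (second rule).
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      # Alert mode only logs threat-intelligence matches; Deny also blocks them.
      threatIntelMode: Alert
      # Empty list: no availability zones are requested.
      zones: []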
Create Azure Firewall With Additional Properties
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
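// Declares one Azure Firewall (AZFW_VNet SKU, Standard tier) with additional
// properties plus an application, a NAT and a network rule collection. The
// subscription id ("subid"), resource group ("rg1"), addresses and the key/value
// pairs are the sample placeholders used on this page.
// Azure Firewall denies traffic that no Allow rule matches, so the two Deny
// collections below only spell out explicit blocks; the DNAT rules are the only
// entries here that let traffic through.
return await Deployment.RunAsync(() =>
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        // Free-form string map passed through to the firewall resource.
        AdditionalProperties =
        {
            { "key1", "value1" },
            { "key2", "value2" },
        },
        // Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
        // NOTE(review): the rule matches source addresses against a target FQDN, so
        // the "inbound" wording in the description looks inaccurate; confirm intent.
        ApplicationRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
                Name = "apprulecoll",
                Priority = 110,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                    {
                        Description = "Deny inbound rule",
                        Name = "rule1",
                        Protocols = new[]
                        {
                            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                            {
                                Port = 443,
                                ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                            },
                        },
                        SourceAddresses = new[] { "216.58.216.164", "10.0.0.0/24" },
                        TargetFqdns = new[] { "www.test.com" },
                    },
                },
            },
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US",
        // DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target.
        // Both rules use SourceAddresses "*", i.e. any client is accepted; narrow
        // this to known ranges when publishing a real service. DNAT rules are
        // evaluated before network rules, so the Deny collection further down is
        // not what limits who reaches the translated targets.
        // NOTE(review): the first description says "outbound" although the rule
        // translates traffic addressed to the firewall; confirm the wording.
        NatRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
                Name = "natrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all outbound web traffic for inspection",
                        DestinationAddresses = new[] { "1.2.3.4" },
                        DestinationPorts = new[] { "443" },
                        Name = "DNAT-HTTPS-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "*" },
                        TranslatedAddress = "1.2.3.5",
                        TranslatedPort = "8443",
                    },
                    // Port 80 is forwarded to an internal host resolved by FQDN.
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all inbound web traffic for inspection",
                        DestinationAddresses = new[] { "1.2.3.4" },
                        DestinationPorts = new[] { "80" },
                        Name = "DNAT-HTTP-traffic-With-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "*" },
                        TranslatedFqdn = "internalhttpserver",
                        TranslatedPort = "880",
                    },
                },
            },
        },
        // L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges, to any
        // destination (first rule) or to the FQDN www.amazon.com (second rule).
        NetworkRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
                Name = "netrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports",
                        DestinationAddresses = new[] { "*" },
                        DestinationPorts = new[] { "443-444", "8443" },
                        Name = "L4-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255" },
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports to amazon",
                        DestinationFqdns = new[] { "www.amazon.com" },
                        DestinationPorts = new[] { "443-444", "8443" },
                        Name = "L4-traffic-with-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[] { "10.2.4.12-10.2.4.255" },
                    },
                },
            },
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags =
        {
            { "key1", "value1" },
        },
        // Alert mode only logs threat-intelligence matches; the Deny mode of the same
        // enum also blocks them.
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        // Explicit element type: `new[] {}` gives the compiler nothing to infer the
        // array type from and does not compile. The list stays empty (no zones).
        Zones = new string[] { },
    });
});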
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares one Azure Firewall (AZFW_VNet SKU, Standard tier) with
// additional properties plus an application, a NAT and a network rule
// collection. The subscription id ("subid"), resource group ("rg1"), addresses
// and the key/value pairs are the sample placeholders used on this page.
//
// Azure Firewall denies traffic that no Allow rule matches, so the two Deny
// collections only spell out explicit blocks; the DNAT rules are the only
// entries here that let traffic through.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Denies HTTPS/443 from the listed sources to the FQDN www.test.com.
		// NOTE(review): the rule matches source addresses against a target
		// FQDN, so "inbound" in the description looks inaccurate; confirm.
		appRuleCollections := network.AzureFirewallApplicationRuleCollectionArray{
			&network.AzureFirewallApplicationRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
				Name:     pulumi.String("apprulecoll"),
				Priority: pulumi.Int(110),
				Rules: network.AzureFirewallApplicationRuleArray{
					&network.AzureFirewallApplicationRuleArgs{
						Description: pulumi.String("Deny inbound rule"),
						Name:        pulumi.String("rule1"),
						Protocols: network.AzureFirewallApplicationRuleProtocolArray{
							&network.AzureFirewallApplicationRuleProtocolArgs{
								Port:         pulumi.Int(443),
								ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
							},
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("216.58.216.164"),
							pulumi.String("10.0.0.0/24"),
						},
						TargetFqdns: pulumi.StringArray{pulumi.String("www.test.com")},
					},
				},
			},
		}

		// DNAT: traffic arriving at 1.2.3.4 is rewritten to an internal target.
		// Both rules use source "*", i.e. any client is accepted; narrow this
		// to known ranges when publishing a real service. DNAT rules are
		// evaluated before network rules, so the Deny collection below is not
		// what limits who reaches the translated targets.
		// NOTE(review): the first description says "outbound" although the
		// rule translates traffic addressed to the firewall; confirm wording.
		natRuleCollections := network.AzureFirewallNatRuleCollectionArray{
			&network.AzureFirewallNatRuleCollectionArgs{
				Action: &network.AzureFirewallNatRCActionArgs{
					Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
				Name:     pulumi.String("natrulecoll"),
				Priority: pulumi.Int(112),
				Rules: network.AzureFirewallNatRuleArray{
					&network.AzureFirewallNatRuleArgs{
						Description:          pulumi.String("D-NAT all outbound web traffic for inspection"),
						DestinationAddresses: pulumi.StringArray{pulumi.String("1.2.3.4")},
						DestinationPorts:     pulumi.StringArray{pulumi.String("443")},
						Name:                 pulumi.String("DNAT-HTTPS-traffic"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses:   pulumi.StringArray{pulumi.String("*")},
						TranslatedAddress: pulumi.String("1.2.3.5"),
						TranslatedPort:    pulumi.String("8443"),
					},
					// Port 80 is forwarded to an internal host resolved by FQDN.
					&network.AzureFirewallNatRuleArgs{
						Description:          pulumi.String("D-NAT all inbound web traffic for inspection"),
						DestinationAddresses: pulumi.StringArray{pulumi.String("1.2.3.4")},
						DestinationPorts:     pulumi.StringArray{pulumi.String("80")},
						Name:                 pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{pulumi.String("*")},
						TranslatedFqdn:  pulumi.String("internalhttpserver"),
						TranslatedPort:  pulumi.String("880"),
					},
				},
			},
		}

		// L4 Deny rules: TCP 443-444 and 8443 from the listed source ranges,
		// to any destination (first rule) or to www.amazon.com (second rule).
		netRuleCollections := network.AzureFirewallNetworkRuleCollectionArray{
			&network.AzureFirewallNetworkRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
				Name:     pulumi.String("netrulecoll"),
				Priority: pulumi.Int(112),
				Rules: network.AzureFirewallNetworkRuleArray{
					&network.AzureFirewallNetworkRuleArgs{
						Description:          pulumi.String("Block traffic based on source IPs and ports"),
						DestinationAddresses: pulumi.StringArray{pulumi.String("*")},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("443-444"),
							pulumi.String("8443"),
						},
						Name: pulumi.String("L4-traffic"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("192.168.1.1-192.168.1.12"),
							pulumi.String("10.1.4.12-10.1.4.255"),
						},
					},
					&network.AzureFirewallNetworkRuleArgs{
						Description:      pulumi.String("Block traffic based on source IPs and ports to amazon"),
						DestinationFqdns: pulumi.StringArray{pulumi.String("www.amazon.com")},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("443-444"),
							pulumi.String("8443"),
						},
						Name: pulumi.String("L4-traffic-with-FQDN"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{pulumi.String("10.2.4.12-10.2.4.255")},
					},
				},
			},
		}

		ipConfigurations := network.AzureFirewallIPConfigurationArray{
			&network.AzureFirewallIPConfigurationArgs{
				Name: pulumi.String("azureFirewallIpConfiguration"),
				PublicIPAddress: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
				},
				Subnet: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
				},
			},
		}

		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			// Free-form string map passed through to the firewall resource.
			AdditionalProperties: pulumi.StringMap{
				"key1": pulumi.String("value1"),
				"key2": pulumi.String("value2"),
			},
			ApplicationRuleCollections: appRuleCollections,
			AzureFirewallName:          pulumi.String("azurefirewall"),
			IpConfigurations:           ipConfigurations,
			Location:                   pulumi.String("West US"),
			NatRuleCollections:         natRuleCollections,
			NetworkRuleCollections:     netRuleCollections,
			ResourceGroupName:          pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			// Alert mode only logs threat-intelligence matches; the Deny mode
			// of the same setting also blocks them.
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			// Empty list: no availability zones are requested.
			Zones: pulumi.StringArray{},
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one Azure Firewall ("azureFirewall") with an
 * application, a NAT and a network rule collection.
 *
 * NOTE(review): AzureFirewallApplicationRuleArgs, AzureFirewallApplicationRuleProtocolArgs,
 * AzureFirewallNatRuleArgs and AzureFirewallNetworkRuleArgs are used below but are missing
 * from this listing's import list; presumably they sit beside the other *Args classes in
 * com.pulumi.azurenative.network.inputs - confirm and import them.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the three rule collections and the IP configuration, then declares the firewall.
     * Subscription id, resource group and addresses are sample placeholders from the page.
     */
    public static void stack(Context ctx) {
        // Denies HTTPS (443) to www.test.com for the two listed source addresses.
        var appRuleCollection = AzureFirewallApplicationRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
            .name("apprulecoll")
            .priority(110)
            .rules(AzureFirewallApplicationRuleArgs.builder()
                .description("Deny inbound rule")
                .name("rule1")
                .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                    .port(443)
                    .protocolType("Https")
                    .build())
                .sourceAddresses(
                    "216.58.216.164",
                    "10.0.0.0/24")
                .targetFqdns("www.test.com")
                .build())
            .build();

        var ipConfiguration = AzureFirewallIPConfigurationArgs.builder()
            .name("azureFirewallIpConfiguration")
            .publicIPAddress(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                .build())
            .subnet(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                .build())
            .build();

        // Both DNAT rules accept sourceAddresses "*", so any source can reach the
        // translated backend; narrow this to known client ranges where possible.
        // NOTE(review): the first description says "outbound" although the rule
        // translates traffic addressed to 1.2.3.4:443 - wording looks inverted, confirm.
        var httpsDnat = AzureFirewallNatRuleArgs.builder()
            .description("D-NAT all outbound web traffic for inspection")
            .destinationAddresses("1.2.3.4")
            .destinationPorts("443")
            .name("DNAT-HTTPS-traffic")
            .protocols("TCP")
            .sourceAddresses("*")
            .translatedAddress("1.2.3.5")
            .translatedPort("8443")
            .build();
        // Port 80 is forwarded to internalhttpserver:880, i.e. plain HTTP end to end.
        var httpDnat = AzureFirewallNatRuleArgs.builder()
            .description("D-NAT all inbound web traffic for inspection")
            .destinationAddresses("1.2.3.4")
            .destinationPorts("80")
            .name("DNAT-HTTP-traffic-With-FQDN")
            .protocols("TCP")
            .sourceAddresses("*")
            .translatedFqdn("internalhttpserver")
            .translatedPort("880")
            .build();
        var natRuleCollection = AzureFirewallNatRuleCollectionArgs.builder()
            .action(AzureFirewallNatRCActionArgs.builder()
                .type("Dnat")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
            .name("natrulecoll")
            .priority(112)
            .rules(httpsDnat, httpDnat)
            .build();

        // Deny collection: TCP 443-444 and 8443 from the listed source ranges,
        // once to any destination and once to www.amazon.com.
        var l4Rule = AzureFirewallNetworkRuleArgs.builder()
            .description("Block traffic based on source IPs and ports")
            .destinationAddresses("*")
            .destinationPorts(
                "443-444",
                "8443")
            .name("L4-traffic")
            .protocols("TCP")
            .sourceAddresses(
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255")
            .build();
        var l4FqdnRule = AzureFirewallNetworkRuleArgs.builder()
            .description("Block traffic based on source IPs and ports to amazon")
            .destinationFqdns("www.amazon.com")
            .destinationPorts(
                "443-444",
                "8443")
            .name("L4-traffic-with-FQDN")
            .protocols("TCP")
            .sourceAddresses("10.2.4.12-10.2.4.255")
            .build();
        var networkRuleCollection = AzureFirewallNetworkRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
            .name("netrulecoll")
            .priority(112)
            .rules(l4Rule, l4FqdnRule)
            .build();

        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .additionalProperties(Map.ofEntries(
                Map.entry("key1", "value1"),
                Map.entry("key2", "value2")
            ))
            .applicationRuleCollections(appRuleCollection)
            .azureFirewallName("azurefirewall")
            .ipConfigurations(ipConfiguration)
            .location("West US")
            .natRuleCollections(natRuleCollection)
            .networkRuleCollections(networkRuleCollection)
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            // "Alert" raises alerts on threat-intelligence matches without blocking
            // them; "Deny" is the mode that also blocks.
            .threatIntelMode("Alert")
            // No availability zones are requested.
            .zones()
            .build());
    }
}
import pulumi
import pulumi_azure_native as azure_native
# Declares one Azure Firewall with an application, a NAT and a network rule
# collection. Subscription id, resource group and addresses are sample
# placeholders from the page.

# Denies HTTPS (443) to www.test.com for the two listed source addresses.
app_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    "name": "apprulecoll",
    "priority": 110,
    "rules": [{
        "description": "Deny inbound rule",
        "name": "rule1",
        "protocols": [{
            "port": 443,
            "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
        }],
        "source_addresses": [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        "target_fqdns": ["www.test.com"],
    }],
}

ip_configuration = {
    "name": "azureFirewallIpConfiguration",
    "public_ip_address": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
    },
    "subnet": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
    },
}

# Both DNAT rules accept source "*", so any source can reach the translated
# backend; narrow this to known client ranges where possible.
# NOTE(review): the first description says "outbound" although the rule
# translates traffic addressed to 1.2.3.4:443 - wording looks inverted, confirm.
https_dnat_rule = {
    "description": "D-NAT all outbound web traffic for inspection",
    "destination_addresses": ["1.2.3.4"],
    "destination_ports": ["443"],
    "name": "DNAT-HTTPS-traffic",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": ["*"],
    "translated_address": "1.2.3.5",
    "translated_port": "8443",
}
# Port 80 is forwarded to internalhttpserver:880, i.e. plain HTTP end to end.
http_dnat_rule = {
    "description": "D-NAT all inbound web traffic for inspection",
    "destination_addresses": ["1.2.3.4"],
    "destination_ports": ["80"],
    "name": "DNAT-HTTP-traffic-With-FQDN",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": ["*"],
    "translated_fqdn": "internalhttpserver",
    "translated_port": "880",
}
nat_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    "name": "natrulecoll",
    "priority": 112,
    "rules": [https_dnat_rule, http_dnat_rule],
}

# Deny collection: TCP 443-444 and 8443 from the listed source ranges, once to
# any destination and once to www.amazon.com.
l4_rule = {
    "description": "Block traffic based on source IPs and ports",
    "destination_addresses": ["*"],
    "destination_ports": [
        "443-444",
        "8443",
    ],
    "name": "L4-traffic",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": [
        "192.168.1.1-192.168.1.12",
        "10.1.4.12-10.1.4.255",
    ],
}
l4_fqdn_rule = {
    "description": "Block traffic based on source IPs and ports to amazon",
    "destination_fqdns": ["www.amazon.com"],
    "destination_ports": [
        "443-444",
        "8443",
    ],
    "name": "L4-traffic-with-FQDN",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": ["10.2.4.12-10.2.4.255"],
}
network_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    "name": "netrulecoll",
    "priority": 112,
    "rules": [l4_rule, l4_fqdn_rule],
}

azure_firewall = azure_native.network.AzureFirewall(
    "azureFirewall",
    additional_properties={
        "key1": "value1",
        "key2": "value2",
    },
    application_rule_collections=[app_rule_collection],
    azure_firewall_name="azurefirewall",
    ip_configurations=[ip_configuration],
    location="West US",
    nat_rule_collections=[nat_rule_collection],
    network_rule_collections=[network_rule_collection],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    # ALERT raises alerts on threat-intelligence matches without blocking them;
    # DENY is the mode that also blocks.
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    # No availability zones are requested.
    zones=[],
)
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Declares one Azure Firewall with an application, a NAT and a network rule
// collection. Subscription id, resource group and addresses are sample
// placeholders from the page.

// Denies HTTPS (443) to www.test.com for the two listed source addresses.
const appRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    name: "apprulecoll",
    priority: 110,
    rules: [{
        description: "Deny inbound rule",
        name: "rule1",
        protocols: [{
            port: 443,
            protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
        }],
        sourceAddresses: [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        targetFqdns: ["www.test.com"],
    }],
};

const ipConfiguration = {
    name: "azureFirewallIpConfiguration",
    publicIPAddress: {
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
    },
    subnet: {
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
    },
};

// Both DNAT rules accept source "*", so any source can reach the translated
// backend; narrow this to known client ranges where possible.
// NOTE(review): the first description says "outbound" although the rule
// translates traffic addressed to 1.2.3.4:443 - wording looks inverted, confirm.
const httpsDnatRule = {
    description: "D-NAT all outbound web traffic for inspection",
    destinationAddresses: ["1.2.3.4"],
    destinationPorts: ["443"],
    name: "DNAT-HTTPS-traffic",
    protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    sourceAddresses: ["*"],
    translatedAddress: "1.2.3.5",
    translatedPort: "8443",
};
// Port 80 is forwarded to internalhttpserver:880, i.e. plain HTTP end to end.
const httpDnatRule = {
    description: "D-NAT all inbound web traffic for inspection",
    destinationAddresses: ["1.2.3.4"],
    destinationPorts: ["80"],
    name: "DNAT-HTTP-traffic-With-FQDN",
    protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    sourceAddresses: ["*"],
    translatedFqdn: "internalhttpserver",
    translatedPort: "880",
};
const natRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    name: "natrulecoll",
    priority: 112,
    rules: [httpsDnatRule, httpDnatRule],
};

// Deny collection: TCP 443-444 and 8443 from the listed source ranges, once to
// any destination and once to www.amazon.com.
const l4Rule = {
    description: "Block traffic based on source IPs and ports",
    destinationAddresses: ["*"],
    destinationPorts: [
        "443-444",
        "8443",
    ],
    name: "L4-traffic",
    protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    sourceAddresses: [
        "192.168.1.1-192.168.1.12",
        "10.1.4.12-10.1.4.255",
    ],
};
const l4FqdnRule = {
    description: "Block traffic based on source IPs and ports to amazon",
    destinationFqdns: ["www.amazon.com"],
    destinationPorts: [
        "443-444",
        "8443",
    ],
    name: "L4-traffic-with-FQDN",
    protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    sourceAddresses: ["10.2.4.12-10.2.4.255"],
};
const networkRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    name: "netrulecoll",
    priority: 112,
    rules: [l4Rule, l4FqdnRule],
};

const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    additionalProperties: {
        key1: "value1",
        key2: "value2",
    },
    applicationRuleCollections: [appRuleCollection],
    azureFirewallName: "azurefirewall",
    ipConfigurations: [ipConfiguration],
    location: "West US",
    natRuleCollections: [natRuleCollection],
    networkRuleCollections: [networkRuleCollection],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    // Alert raises alerts on threat-intelligence matches without blocking them;
    // Deny is the mode that also blocks.
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    // No availability zones are requested.
    zones: [],
});
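# Declares one Azure Firewall with an application, a NAT and a network rule
# collection. Subscription id, resource group and addresses are sample
# placeholders from the page.
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      additionalProperties:
        key1: value1
        key2: value2
      # Denies HTTPS (443) to www.test.com for the two listed source addresses.
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US
      # Both DNAT rules accept source '*', so any source can reach the
      # translated backend; narrow this to known client ranges where possible.
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            # NOTE(review): the description says "outbound" although the rule
            # translates traffic addressed to 1.2.3.4:443 - wording looks
            # inverted, confirm.
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            # Port 80 is forwarded to internalhttpserver:880, i.e. plain HTTP
            # end to end.
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      # Deny collection: TCP 443-444 and 8443 from the listed source ranges,
      # once to any destination and once to www.amazon.com.
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      # Alert raises alerts on threat-intelligence matches without blocking
      # them; Deny is the mode that also blocks.
      threatIntelMode: Alert
      # No availability zones are requested.
      zones: []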
Create Azure Firewall With IpGroups
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
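// Declares one Azure Firewall with an application, a NAT and a network rule
// collection. Subscription id, resource group and addresses are sample
// placeholders from the page.
// NOTE(review): the page heading for this example is "Create Azure Firewall
// With IpGroups", but no rule below references an IP group; sources and
// destinations are literal addresses or FQDNs.
return await Deployment.RunAsync(() =>
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        // Denies HTTPS (443) to www.test.com for the two listed source addresses.
        ApplicationRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
                Name = "apprulecoll",
                Priority = 110,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                    {
                        Description = "Deny inbound rule",
                        Name = "rule1",
                        Protocols = new[]
                        {
                            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                            {
                                Port = 443,
                                ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                            },
                        },
                        SourceAddresses = new[]
                        {
                            "216.58.216.164",
                            "10.0.0.0/24",
                        },
                        TargetFqdns = new[]
                        {
                            "www.test.com",
                        },
                    },
                },
            },
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US",
        // Both DNAT rules accept source "*", so any source can reach the
        // translated backend; narrow this to known client ranges where possible.
        NatRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
                Name = "natrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    // NOTE(review): the description says "outbound" although the
                    // rule translates traffic addressed to 1.2.3.4:443 - wording
                    // looks inverted, confirm.
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all outbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "443",
                        },
                        Name = "DNAT-HTTPS-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedAddress = "1.2.3.5",
                        TranslatedPort = "8443",
                    },
                    // Port 80 is forwarded to internalhttpserver:880, i.e. plain
                    // HTTP end to end.
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all inbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "80",
                        },
                        Name = "DNAT-HTTP-traffic-With-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedFqdn = "internalhttpserver",
                        TranslatedPort = "880",
                    },
                },
            },
        },
        // Deny collection: TCP 443-444 and 8443 from the listed source ranges,
        // once to any destination and once to www.amazon.com.
        NetworkRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
                Name = "netrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports",
                        DestinationAddresses = new[]
                        {
                            "*",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255",
                        },
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports to amazon",
                        DestinationFqdns = new[]
                        {
                            "www.amazon.com",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic-with-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "10.2.4.12-10.2.4.255",
                        },
                    },
                },
            },
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags =
        {
            { "key1", "value1" },
        },
        // Alert raises alerts on threat-intelligence matches without blocking
        // them; Deny is the mode that also blocks.
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        // An implicitly typed empty array (new[] {}) has no element type to
        // infer, so the empty zone list is spelled with an explicit type.
        Zones = new string[] {},
    });
});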
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that declares one Azure Firewall with an
// application, a NAT and a network rule collection. Subscription id, resource
// group and addresses are sample placeholders from the page.
//
// NOTE(review): the page heading for this example is "Create Azure Firewall
// With IpGroups", but no rule below references an IP group; sources and
// destinations are literal addresses or FQDNs.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Denies HTTPS (443) to www.test.com for the two listed source addresses.
		appRuleCollections := network.AzureFirewallApplicationRuleCollectionArray{
			&network.AzureFirewallApplicationRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
				Name:     pulumi.String("apprulecoll"),
				Priority: pulumi.Int(110),
				Rules: network.AzureFirewallApplicationRuleArray{
					&network.AzureFirewallApplicationRuleArgs{
						Description: pulumi.String("Deny inbound rule"),
						Name:        pulumi.String("rule1"),
						Protocols: network.AzureFirewallApplicationRuleProtocolArray{
							&network.AzureFirewallApplicationRuleProtocolArgs{
								Port:         pulumi.Int(443),
								ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
							},
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("216.58.216.164"),
							pulumi.String("10.0.0.0/24"),
						},
						TargetFqdns: pulumi.StringArray{
							pulumi.String("www.test.com"),
						},
					},
				},
			},
		}

		ipConfigs := network.AzureFirewallIPConfigurationArray{
			&network.AzureFirewallIPConfigurationArgs{
				Name: pulumi.String("azureFirewallIpConfiguration"),
				PublicIPAddress: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
				},
				Subnet: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
				},
			},
		}

		// Both DNAT rules accept source "*", so any source can reach the
		// translated backend; narrow this to known client ranges where possible.
		natRules := network.AzureFirewallNatRuleArray{
			// NOTE(review): the description says "outbound" although the rule
			// translates traffic addressed to 1.2.3.4:443 - wording looks
			// inverted, confirm.
			&network.AzureFirewallNatRuleArgs{
				Description: pulumi.String("D-NAT all outbound web traffic for inspection"),
				DestinationAddresses: pulumi.StringArray{
					pulumi.String("1.2.3.4"),
				},
				DestinationPorts: pulumi.StringArray{
					pulumi.String("443"),
				},
				Name: pulumi.String("DNAT-HTTPS-traffic"),
				Protocols: pulumi.StringArray{
					pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
				},
				SourceAddresses: pulumi.StringArray{
					pulumi.String("*"),
				},
				TranslatedAddress: pulumi.String("1.2.3.5"),
				TranslatedPort:    pulumi.String("8443"),
			},
			// Port 80 is forwarded to internalhttpserver:880, i.e. plain HTTP
			// end to end.
			&network.AzureFirewallNatRuleArgs{
				Description: pulumi.String("D-NAT all inbound web traffic for inspection"),
				DestinationAddresses: pulumi.StringArray{
					pulumi.String("1.2.3.4"),
				},
				DestinationPorts: pulumi.StringArray{
					pulumi.String("80"),
				},
				Name: pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
				Protocols: pulumi.StringArray{
					pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
				},
				SourceAddresses: pulumi.StringArray{
					pulumi.String("*"),
				},
				TranslatedFqdn: pulumi.String("internalhttpserver"),
				TranslatedPort: pulumi.String("880"),
			},
		}
		natRuleCollections := network.AzureFirewallNatRuleCollectionArray{
			&network.AzureFirewallNatRuleCollectionArgs{
				Action: &network.AzureFirewallNatRCActionArgs{
					Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
				Name:     pulumi.String("natrulecoll"),
				Priority: pulumi.Int(112),
				Rules:    natRules,
			},
		}

		// Deny collection: TCP 443-444 and 8443 from the listed source ranges,
		// once to any destination and once to www.amazon.com.
		netRules := network.AzureFirewallNetworkRuleArray{
			&network.AzureFirewallNetworkRuleArgs{
				Description: pulumi.String("Block traffic based on source IPs and ports"),
				DestinationAddresses: pulumi.StringArray{
					pulumi.String("*"),
				},
				DestinationPorts: pulumi.StringArray{
					pulumi.String("443-444"),
					pulumi.String("8443"),
				},
				Name: pulumi.String("L4-traffic"),
				Protocols: pulumi.StringArray{
					pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
				},
				SourceAddresses: pulumi.StringArray{
					pulumi.String("192.168.1.1-192.168.1.12"),
					pulumi.String("10.1.4.12-10.1.4.255"),
				},
			},
			&network.AzureFirewallNetworkRuleArgs{
				Description: pulumi.String("Block traffic based on source IPs and ports to amazon"),
				DestinationFqdns: pulumi.StringArray{
					pulumi.String("www.amazon.com"),
				},
				DestinationPorts: pulumi.StringArray{
					pulumi.String("443-444"),
					pulumi.String("8443"),
				},
				Name: pulumi.String("L4-traffic-with-FQDN"),
				Protocols: pulumi.StringArray{
					pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
				},
				SourceAddresses: pulumi.StringArray{
					pulumi.String("10.2.4.12-10.2.4.255"),
				},
			},
		}
		netRuleCollections := network.AzureFirewallNetworkRuleCollectionArray{
			&network.AzureFirewallNetworkRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
				Name:     pulumi.String("netrulecoll"),
				Priority: pulumi.Int(112),
				Rules:    netRules,
			},
		}

		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			ApplicationRuleCollections: appRuleCollections,
			AzureFirewallName:          pulumi.String("azurefirewall"),
			IpConfigurations:           ipConfigs,
			Location:                   pulumi.String("West US"),
			NatRuleCollections:         natRuleCollections,
			NetworkRuleCollections:     netRuleCollections,
			ResourceGroupName:          pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			// Alert raises alerts on threat-intelligence matches without
			// blocking them; Deny is the mode that also blocks.
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			// No availability zones are requested.
			Zones: pulumi.StringArray{},
		})
		// A nil err reports success to pulumi.Run; anything else aborts the update.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one Azure Firewall ("azureFirewall") with an
 * application, a NAT and a network rule collection.
 *
 * NOTE(review): AzureFirewallApplicationRuleArgs, AzureFirewallApplicationRuleProtocolArgs,
 * AzureFirewallNatRuleArgs and AzureFirewallNetworkRuleArgs are used below but are missing
 * from this listing's import list; presumably they sit beside the other *Args classes in
 * com.pulumi.azurenative.network.inputs - confirm and import them.
 *
 * NOTE(review): the page heading for this example is "Create Azure Firewall With IpGroups",
 * but no rule below references an IP group; sources and destinations are literal
 * addresses or FQDNs.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the three rule collections and the IP configuration, then declares the firewall.
     * Subscription id, resource group and addresses are sample placeholders from the page.
     */
    public static void stack(Context ctx) {
        // Denies HTTPS (443) to www.test.com for the two listed source addresses.
        var appRuleCollection = AzureFirewallApplicationRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
            .name("apprulecoll")
            .priority(110)
            .rules(AzureFirewallApplicationRuleArgs.builder()
                .description("Deny inbound rule")
                .name("rule1")
                .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                    .port(443)
                    .protocolType("Https")
                    .build())
                .sourceAddresses(
                    "216.58.216.164",
                    "10.0.0.0/24")
                .targetFqdns("www.test.com")
                .build())
            .build();

        var ipConfiguration = AzureFirewallIPConfigurationArgs.builder()
            .name("azureFirewallIpConfiguration")
            .publicIPAddress(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                .build())
            .subnet(SubResourceArgs.builder()
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                .build())
            .build();

        // Both DNAT rules accept sourceAddresses "*", so any source can reach the
        // translated backend; narrow this to known client ranges where possible.
        // NOTE(review): the first description says "outbound" although the rule
        // translates traffic addressed to 1.2.3.4:443 - wording looks inverted, confirm.
        var httpsDnat = AzureFirewallNatRuleArgs.builder()
            .description("D-NAT all outbound web traffic for inspection")
            .destinationAddresses("1.2.3.4")
            .destinationPorts("443")
            .name("DNAT-HTTPS-traffic")
            .protocols("TCP")
            .sourceAddresses("*")
            .translatedAddress("1.2.3.5")
            .translatedPort("8443")
            .build();
        // Port 80 is forwarded to internalhttpserver:880, i.e. plain HTTP end to end.
        var httpDnat = AzureFirewallNatRuleArgs.builder()
            .description("D-NAT all inbound web traffic for inspection")
            .destinationAddresses("1.2.3.4")
            .destinationPorts("80")
            .name("DNAT-HTTP-traffic-With-FQDN")
            .protocols("TCP")
            .sourceAddresses("*")
            .translatedFqdn("internalhttpserver")
            .translatedPort("880")
            .build();
        var natRuleCollection = AzureFirewallNatRuleCollectionArgs.builder()
            .action(AzureFirewallNatRCActionArgs.builder()
                .type("Dnat")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
            .name("natrulecoll")
            .priority(112)
            .rules(httpsDnat, httpDnat)
            .build();

        // Deny collection: TCP 443-444 and 8443 from the listed source ranges,
        // once to any destination and once to www.amazon.com.
        var l4Rule = AzureFirewallNetworkRuleArgs.builder()
            .description("Block traffic based on source IPs and ports")
            .destinationAddresses("*")
            .destinationPorts(
                "443-444",
                "8443")
            .name("L4-traffic")
            .protocols("TCP")
            .sourceAddresses(
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255")
            .build();
        var l4FqdnRule = AzureFirewallNetworkRuleArgs.builder()
            .description("Block traffic based on source IPs and ports to amazon")
            .destinationFqdns("www.amazon.com")
            .destinationPorts(
                "443-444",
                "8443")
            .name("L4-traffic-with-FQDN")
            .protocols("TCP")
            .sourceAddresses("10.2.4.12-10.2.4.255")
            .build();
        var networkRuleCollection = AzureFirewallNetworkRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
            .name("netrulecoll")
            .priority(112)
            .rules(l4Rule, l4FqdnRule)
            .build();

        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .applicationRuleCollections(appRuleCollection)
            .azureFirewallName("azurefirewall")
            .ipConfigurations(ipConfiguration)
            .location("West US")
            .natRuleCollections(natRuleCollection)
            .networkRuleCollections(networkRuleCollection)
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            // "Alert" raises alerts on threat-intelligence matches without blocking
            // them; "Deny" is the mode that also blocks.
            .threatIntelMode("Alert")
            // No availability zones are requested.
            .zones()
            .build());
    }
}
import pulumi
import pulumi_azure_native as azure_native
# Declares one Azure Firewall with an application, a NAT and a network rule
# collection. Subscription id, resource group and addresses are sample
# placeholders from the page.
# NOTE(review): the page heading for this example is "Create Azure Firewall
# With IpGroups", but no rule below references an IP group; sources and
# destinations are literal addresses or FQDNs.

# Denies HTTPS (443) to www.test.com for the two listed source addresses.
app_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    "name": "apprulecoll",
    "priority": 110,
    "rules": [{
        "description": "Deny inbound rule",
        "name": "rule1",
        "protocols": [{
            "port": 443,
            "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
        }],
        "source_addresses": [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        "target_fqdns": ["www.test.com"],
    }],
}

ip_configuration = {
    "name": "azureFirewallIpConfiguration",
    "public_ip_address": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
    },
    "subnet": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
    },
}

# Both DNAT rules accept source "*", so any source can reach the translated
# backend; narrow this to known client ranges where possible.
# NOTE(review): the first description says "outbound" although the rule
# translates traffic addressed to 1.2.3.4:443 - wording looks inverted, confirm.
https_dnat_rule = {
    "description": "D-NAT all outbound web traffic for inspection",
    "destination_addresses": ["1.2.3.4"],
    "destination_ports": ["443"],
    "name": "DNAT-HTTPS-traffic",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": ["*"],
    "translated_address": "1.2.3.5",
    "translated_port": "8443",
}
# Port 80 is forwarded to internalhttpserver:880, i.e. plain HTTP end to end.
http_dnat_rule = {
    "description": "D-NAT all inbound web traffic for inspection",
    "destination_addresses": ["1.2.3.4"],
    "destination_ports": ["80"],
    "name": "DNAT-HTTP-traffic-With-FQDN",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": ["*"],
    "translated_fqdn": "internalhttpserver",
    "translated_port": "880",
}
nat_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    "name": "natrulecoll",
    "priority": 112,
    "rules": [https_dnat_rule, http_dnat_rule],
}

# Deny collection: TCP 443-444 and 8443 from the listed source ranges, once to
# any destination and once to www.amazon.com.
l4_rule = {
    "description": "Block traffic based on source IPs and ports",
    "destination_addresses": ["*"],
    "destination_ports": [
        "443-444",
        "8443",
    ],
    "name": "L4-traffic",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": [
        "192.168.1.1-192.168.1.12",
        "10.1.4.12-10.1.4.255",
    ],
}
l4_fqdn_rule = {
    "description": "Block traffic based on source IPs and ports to amazon",
    "destination_fqdns": ["www.amazon.com"],
    "destination_ports": [
        "443-444",
        "8443",
    ],
    "name": "L4-traffic-with-FQDN",
    "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
    "source_addresses": ["10.2.4.12-10.2.4.255"],
}
network_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    "name": "netrulecoll",
    "priority": 112,
    "rules": [l4_rule, l4_fqdn_rule],
}

azure_firewall = azure_native.network.AzureFirewall(
    "azureFirewall",
    application_rule_collections=[app_rule_collection],
    azure_firewall_name="azurefirewall",
    ip_configurations=[ip_configuration],
    location="West US",
    nat_rule_collections=[nat_rule_collection],
    network_rule_collections=[network_rule_collection],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    # ALERT raises alerts on threat-intelligence matches without blocking them;
    # DENY is the mode that also blocks.
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    # No availability zones are requested.
    zones=[],
)
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Application rule collection: action Deny at priority 110, matching HTTPS on
// port 443 from two source addresses to www.test.com.
// NOTE(review): the description says "inbound" although the rule is keyed on a
// target FQDN; confirm the intended traffic direction.
const appRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    name: "apprulecoll",
    priority: 110,
    rules: [{
        description: "Deny inbound rule",
        name: "rule1",
        protocols: [{
            port: 443,
            protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
        }],
        sourceAddresses: [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        targetFqdns: ["www.test.com"],
    }],
};

// DNAT rule collection: both rules accept any source ("*") and translate
// traffic addressed to 1.2.3.4 to an internal target. The wildcard is sample
// data; a real deployment should list only the source ranges that must reach
// the published service. The second rule publishes port 80 and is named as
// HTTP traffic, so the translated service may be receiving cleartext.
const natRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    name: "natrulecoll",
    priority: 112,
    rules: [
        {
            description: "D-NAT all outbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["443"],
            name: "DNAT-HTTPS-traffic",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["*"],
            translatedAddress: "1.2.3.5",
            translatedPort: "8443",
        },
        {
            description: "D-NAT all inbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["80"],
            name: "DNAT-HTTP-traffic-With-FQDN",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["*"],
            translatedFqdn: "internalhttpserver",
            translatedPort: "880",
        },
    ],
};

// Network rule collection: action Deny at priority 112 for TCP 443-444 and
// 8443 from the listed source ranges, by destination address or FQDN.
const networkRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    name: "netrulecoll",
    priority: 112,
    rules: [
        {
            description: "Block traffic based on source IPs and ports",
            destinationAddresses: ["*"],
            destinationPorts: [
                "443-444",
                "8443",
            ],
            name: "L4-traffic",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255",
            ],
        },
        {
            description: "Block traffic based on source IPs and ports to amazon",
            destinationFqdns: ["www.amazon.com"],
            destinationPorts: [
                "443-444",
                "8443",
            ],
            name: "L4-traffic-with-FQDN",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["10.2.4.12-10.2.4.255"],
        },
    ],
};

// The firewall itself. "subid", "rg1" and the resource names inside the IDs
// are sample values from the documentation example.
const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    applicationRuleCollections: [appRuleCollection],
    azureFirewallName: "azurefirewall",
    ipConfigurations: [{
        name: "azureFirewallIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location: "West US",
    natRuleCollections: [natRuleCollection],
    networkRuleCollections: [networkRuleCollection],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    // Alert mode logs threat-intelligence matches without blocking them.
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    zones: [],
});
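# Pulumi YAML program declaring one Azure Firewall with an application, a DNAT
# and a network rule collection. "subid", "rg1" and the resource names inside
# the IDs are sample values from the documentation example.
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      # Deny collection at priority 110: HTTPS/443 from two sources to www.test.com.
      # NOTE(review): the description says "inbound" although the rule is keyed
      # on a target FQDN; confirm the intended traffic direction.
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US
      # Both DNAT rules accept any source ('*'). The wildcard is sample data; a
      # real deployment should list only the source ranges that must reach the
      # published service. The second rule publishes port 80 and is named as
      # HTTP traffic, so the translated service may be receiving cleartext.
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      # Deny collection at priority 112 for TCP 443-444 and 8443 from the listed
      # source ranges, by destination address or FQDN.
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      # Alert mode logs threat-intelligence matches without blocking them.
      threatIntelMode: Alert
      zones: []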
Create Azure Firewall With Zones
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Application rule collection: action Deny at priority 110, matching HTTPS
    // on port 443 from two source addresses to www.test.com.
    // NOTE(review): the description says "inbound" although the rule is keyed
    // on a target FQDN; confirm the intended traffic direction.
    var appRuleCollection = new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
    {
        Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
        {
            Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
        },
        Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        Name = "apprulecoll",
        Priority = 110,
        Rules = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
            {
                Description = "Deny inbound rule",
                Name = "rule1",
                Protocols = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                    {
                        Port = 443,
                        ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                    },
                },
                SourceAddresses = new[]
                {
                    "216.58.216.164",
                    "10.0.0.0/24",
                },
                TargetFqdns = new[]
                {
                    "www.test.com",
                },
            },
        },
    };

    // DNAT rule collection: both rules accept any source ("*") and translate
    // traffic addressed to 1.2.3.4 to an internal target. The wildcard is
    // sample data; a real deployment should list only the source ranges that
    // must reach the published service. The second rule publishes port 80 and
    // is named as HTTP traffic, so the translated service may be receiving
    // cleartext.
    var natRuleCollection = new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
    {
        Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
        {
            Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
        },
        Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        Name = "natrulecoll",
        Priority = 112,
        Rules = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
            {
                Description = "D-NAT all outbound web traffic for inspection",
                DestinationAddresses = new[]
                {
                    "1.2.3.4",
                },
                DestinationPorts = new[]
                {
                    "443",
                },
                Name = "DNAT-HTTPS-traffic",
                Protocols = new[]
                {
                    AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                },
                SourceAddresses = new[]
                {
                    "*",
                },
                TranslatedAddress = "1.2.3.5",
                TranslatedPort = "8443",
            },
            new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
            {
                Description = "D-NAT all inbound web traffic for inspection",
                DestinationAddresses = new[]
                {
                    "1.2.3.4",
                },
                DestinationPorts = new[]
                {
                    "80",
                },
                Name = "DNAT-HTTP-traffic-With-FQDN",
                Protocols = new[]
                {
                    AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                },
                SourceAddresses = new[]
                {
                    "*",
                },
                TranslatedFqdn = "internalhttpserver",
                TranslatedPort = "880",
            },
        },
    };

    // Network rule collection: action Deny at priority 112 for TCP 443-444 and
    // 8443 from the listed source ranges, by destination address or FQDN.
    var networkRuleCollection = new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
    {
        Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
        {
            Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
        },
        Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        Name = "netrulecoll",
        Priority = 112,
        Rules = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
            {
                Description = "Block traffic based on source IPs and ports",
                DestinationAddresses = new[]
                {
                    "*",
                },
                DestinationPorts = new[]
                {
                    "443-444",
                    "8443",
                },
                Name = "L4-traffic",
                Protocols = new[]
                {
                    AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                },
                SourceAddresses = new[]
                {
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                },
            },
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
            {
                Description = "Block traffic based on source IPs and ports to amazon",
                DestinationFqdns = new[]
                {
                    "www.amazon.com",
                },
                DestinationPorts = new[]
                {
                    "443-444",
                    "8443",
                },
                Name = "L4-traffic-with-FQDN",
                Protocols = new[]
                {
                    AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                },
                SourceAddresses = new[]
                {
                    "10.2.4.12-10.2.4.255",
                },
            },
        },
    };

    // The firewall itself. "subid", "rg1" and the resource names inside the
    // IDs are sample values from the documentation example.
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        ApplicationRuleCollections = new[]
        {
            appRuleCollection,
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US 2",
        NatRuleCollections = new[]
        {
            natRuleCollection,
        },
        NetworkRuleCollections = new[]
        {
            networkRuleCollection,
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags =
        {
            { "key1", "value1" },
        },
        // Alert mode logs threat-intelligence matches without blocking them.
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        // Availability zones the firewall is placed in.
        Zones = new[]
        {
            "1",
            "2",
            "3",
        },
    });
});
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares one Azure Firewall with an application, a DNAT and a network
// rule collection, placed in availability zones 1-3. "subid", "rg1" and the
// resource names inside the IDs are sample values from the documentation
// example.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Deny collection at priority 110: HTTPS/443 from two sources to
		// www.test.com.
		// NOTE(review): the description says "inbound" although the rule is
		// keyed on a target FQDN; confirm the intended traffic direction.
		appRuleColls := network.AzureFirewallApplicationRuleCollectionArray{
			&network.AzureFirewallApplicationRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
				Name:     pulumi.String("apprulecoll"),
				Priority: pulumi.Int(110),
				Rules: network.AzureFirewallApplicationRuleArray{
					&network.AzureFirewallApplicationRuleArgs{
						Description: pulumi.String("Deny inbound rule"),
						Name:        pulumi.String("rule1"),
						Protocols: network.AzureFirewallApplicationRuleProtocolArray{
							&network.AzureFirewallApplicationRuleProtocolArgs{
								Port:         pulumi.Int(443),
								ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
							},
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("216.58.216.164"),
							pulumi.String("10.0.0.0/24"),
						},
						TargetFqdns: pulumi.StringArray{
							pulumi.String("www.test.com"),
						},
					},
				},
			},
		}

		// Both DNAT rules accept any source ("*") and translate traffic
		// addressed to 1.2.3.4 to an internal target. The wildcard is sample
		// data; a real deployment should list only the source ranges that
		// must reach the published service. The second rule publishes port 80
		// and is named as HTTP traffic, so the translated service may be
		// receiving cleartext.
		natRuleColls := network.AzureFirewallNatRuleCollectionArray{
			&network.AzureFirewallNatRuleCollectionArgs{
				Action: &network.AzureFirewallNatRCActionArgs{
					Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
				Name:     pulumi.String("natrulecoll"),
				Priority: pulumi.Int(112),
				Rules: network.AzureFirewallNatRuleArray{
					&network.AzureFirewallNatRuleArgs{
						Description: pulumi.String("D-NAT all outbound web traffic for inspection"),
						DestinationAddresses: pulumi.StringArray{
							pulumi.String("1.2.3.4"),
						},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("443"),
						},
						Name: pulumi.String("DNAT-HTTPS-traffic"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("*"),
						},
						TranslatedAddress: pulumi.String("1.2.3.5"),
						TranslatedPort:    pulumi.String("8443"),
					},
					&network.AzureFirewallNatRuleArgs{
						Description: pulumi.String("D-NAT all inbound web traffic for inspection"),
						DestinationAddresses: pulumi.StringArray{
							pulumi.String("1.2.3.4"),
						},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("80"),
						},
						Name: pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("*"),
						},
						TranslatedFqdn: pulumi.String("internalhttpserver"),
						TranslatedPort: pulumi.String("880"),
					},
				},
			},
		}

		// Deny collection at priority 112 for TCP 443-444 and 8443 from the
		// listed source ranges, by destination address or FQDN.
		netRuleColls := network.AzureFirewallNetworkRuleCollectionArray{
			&network.AzureFirewallNetworkRuleCollectionArgs{
				Action: &network.AzureFirewallRCActionArgs{
					Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
				},
				Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
				Name:     pulumi.String("netrulecoll"),
				Priority: pulumi.Int(112),
				Rules: network.AzureFirewallNetworkRuleArray{
					&network.AzureFirewallNetworkRuleArgs{
						Description: pulumi.String("Block traffic based on source IPs and ports"),
						DestinationAddresses: pulumi.StringArray{
							pulumi.String("*"),
						},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("443-444"),
							pulumi.String("8443"),
						},
						Name: pulumi.String("L4-traffic"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("192.168.1.1-192.168.1.12"),
							pulumi.String("10.1.4.12-10.1.4.255"),
						},
					},
					&network.AzureFirewallNetworkRuleArgs{
						Description: pulumi.String("Block traffic based on source IPs and ports to amazon"),
						DestinationFqdns: pulumi.StringArray{
							pulumi.String("www.amazon.com"),
						},
						DestinationPorts: pulumi.StringArray{
							pulumi.String("443-444"),
							pulumi.String("8443"),
						},
						Name: pulumi.String("L4-traffic-with-FQDN"),
						Protocols: pulumi.StringArray{
							pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
						},
						SourceAddresses: pulumi.StringArray{
							pulumi.String("10.2.4.12-10.2.4.255"),
						},
					},
				},
			},
		}

		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			ApplicationRuleCollections: appRuleColls,
			AzureFirewallName:          pulumi.String("azurefirewall"),
			IpConfigurations: network.AzureFirewallIPConfigurationArray{
				&network.AzureFirewallIPConfigurationArgs{
					Name: pulumi.String("azureFirewallIpConfiguration"),
					PublicIPAddress: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
					},
					Subnet: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
					},
				},
			},
			Location:               pulumi.String("West US 2"),
			NatRuleCollections:     natRuleColls,
			NetworkRuleCollections: netRuleColls,
			ResourceGroupName:      pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			// Alert mode logs threat-intelligence matches without blocking them.
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			Zones: pulumi.StringArray{
				pulumi.String("1"),
				pulumi.String("2"),
				pulumi.String("3"),
			},
		})
		// The resource handle is not used; only the registration error matters.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleProtocolArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program declaring one Azure Firewall with an application, a DNAT and
 * a network rule collection, placed in availability zones 1-3. "subid", "rg1"
 * and the resource names inside the IDs are sample values from the
 * documentation example.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the three rule collections and registers the firewall resource.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        // Deny collection at priority 110: HTTPS/443 from two sources to www.test.com.
        // NOTE(review): the description says "inbound" although the rule is keyed
        // on a target FQDN; confirm the intended traffic direction.
        var appRuleCollection = AzureFirewallApplicationRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
            .name("apprulecoll")
            .priority(110)
            .rules(AzureFirewallApplicationRuleArgs.builder()
                .description("Deny inbound rule")
                .name("rule1")
                .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                    .port(443)
                    .protocolType("Https")
                    .build())
                .sourceAddresses(
                    "216.58.216.164",
                    "10.0.0.0/24")
                .targetFqdns("www.test.com")
                .build())
            .build();

        // Both DNAT rules accept any source ("*") and translate traffic addressed
        // to 1.2.3.4 to an internal target. The wildcard is sample data; a real
        // deployment should list only the source ranges that must reach the
        // published service. The second rule publishes port 80 and is named as
        // HTTP traffic, so the translated service may be receiving cleartext.
        var natRuleCollection = AzureFirewallNatRuleCollectionArgs.builder()
            .action(AzureFirewallNatRCActionArgs.builder()
                .type("Dnat")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
            .name("natrulecoll")
            .priority(112)
            .rules(
                AzureFirewallNatRuleArgs.builder()
                    .description("D-NAT all outbound web traffic for inspection")
                    .destinationAddresses("1.2.3.4")
                    .destinationPorts("443")
                    .name("DNAT-HTTPS-traffic")
                    .protocols("TCP")
                    .sourceAddresses("*")
                    .translatedAddress("1.2.3.5")
                    .translatedPort("8443")
                    .build(),
                AzureFirewallNatRuleArgs.builder()
                    .description("D-NAT all inbound web traffic for inspection")
                    .destinationAddresses("1.2.3.4")
                    .destinationPorts("80")
                    .name("DNAT-HTTP-traffic-With-FQDN")
                    .protocols("TCP")
                    .sourceAddresses("*")
                    .translatedFqdn("internalhttpserver")
                    .translatedPort("880")
                    .build())
            .build();

        // Deny collection at priority 112 for TCP 443-444 and 8443 from the
        // listed source ranges, by destination address or FQDN.
        var networkRuleCollection = AzureFirewallNetworkRuleCollectionArgs.builder()
            .action(AzureFirewallRCActionArgs.builder()
                .type("Deny")
                .build())
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
            .name("netrulecoll")
            .priority(112)
            .rules(
                AzureFirewallNetworkRuleArgs.builder()
                    .description("Block traffic based on source IPs and ports")
                    .destinationAddresses("*")
                    .destinationPorts(
                        "443-444",
                        "8443")
                    .name("L4-traffic")
                    .protocols("TCP")
                    .sourceAddresses(
                        "192.168.1.1-192.168.1.12",
                        "10.1.4.12-10.1.4.255")
                    .build(),
                AzureFirewallNetworkRuleArgs.builder()
                    .description("Block traffic based on source IPs and ports to amazon")
                    .destinationFqdns("www.amazon.com")
                    .destinationPorts(
                        "443-444",
                        "8443")
                    .name("L4-traffic-with-FQDN")
                    .protocols("TCP")
                    .sourceAddresses("10.2.4.12-10.2.4.255")
                    .build())
            .build();

        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            .applicationRuleCollections(appRuleCollection)
            .azureFirewallName("azurefirewall")
            .ipConfigurations(AzureFirewallIPConfigurationArgs.builder()
                .name("azureFirewallIpConfiguration")
                .publicIPAddress(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                    .build())
                .subnet(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                    .build())
                .build())
            .location("West US 2")
            .natRuleCollections(natRuleCollection)
            .networkRuleCollections(networkRuleCollection)
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            // Alert mode logs threat-intelligence matches without blocking them.
            .threatIntelMode("Alert")
            .zones(
                "1",
                "2",
                "3")
            .build());
    }
}
import pulumi
import pulumi_azure_native as azure_native
# Application rule collection: action DENY at priority 110, matching HTTPS on
# port 443 from two source addresses to www.test.com.
# NOTE(review): the description says "inbound" although the rule is keyed on a
# target FQDN; confirm the intended traffic direction.
app_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    "name": "apprulecoll",
    "priority": 110,
    "rules": [{
        "description": "Deny inbound rule",
        "name": "rule1",
        "protocols": [{
            "port": 443,
            "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
        }],
        "source_addresses": [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        "target_fqdns": ["www.test.com"],
    }],
}

# DNAT rule collection: both rules accept any source ("*") and translate
# traffic addressed to 1.2.3.4 to an internal target. The wildcard is sample
# data; a real deployment should list only the source ranges that must reach
# the published service. The second rule publishes port 80 and is named as
# HTTP traffic, so the translated service may be receiving cleartext.
nat_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    "name": "natrulecoll",
    "priority": 112,
    "rules": [
        {
            "description": "D-NAT all outbound web traffic for inspection",
            "destination_addresses": ["1.2.3.4"],
            "destination_ports": ["443"],
            "name": "DNAT-HTTPS-traffic",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": ["*"],
            "translated_address": "1.2.3.5",
            "translated_port": "8443",
        },
        {
            "description": "D-NAT all inbound web traffic for inspection",
            "destination_addresses": ["1.2.3.4"],
            "destination_ports": ["80"],
            "name": "DNAT-HTTP-traffic-With-FQDN",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": ["*"],
            "translated_fqdn": "internalhttpserver",
            "translated_port": "880",
        },
    ],
}

# Network rule collection: action DENY at priority 112 for TCP 443-444 and 8443
# from the listed source ranges, by destination address or FQDN.
network_rule_collection = {
    "action": {
        "type": azure_native.network.AzureFirewallRCActionType.DENY,
    },
    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    "name": "netrulecoll",
    "priority": 112,
    "rules": [
        {
            "description": "Block traffic based on source IPs and ports",
            "destination_addresses": ["*"],
            "destination_ports": [
                "443-444",
                "8443",
            ],
            "name": "L4-traffic",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255",
            ],
        },
        {
            "description": "Block traffic based on source IPs and ports to amazon",
            "destination_fqdns": ["www.amazon.com"],
            "destination_ports": [
                "443-444",
                "8443",
            ],
            "name": "L4-traffic-with-FQDN",
            "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            "source_addresses": ["10.2.4.12-10.2.4.255"],
        },
    ],
}

# The firewall itself, placed in availability zones 1-3. "subid", "rg1" and the
# resource names inside the IDs are sample values from the documentation example.
azure_firewall = azure_native.network.AzureFirewall(
    "azureFirewall",
    application_rule_collections=[app_rule_collection],
    azure_firewall_name="azurefirewall",
    ip_configurations=[{
        "name": "azureFirewallIpConfiguration",
        "public_ip_address": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location="West US 2",
    nat_rule_collections=[nat_rule_collection],
    network_rule_collections=[network_rule_collection],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    # ALERT mode logs threat-intelligence matches without blocking them.
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    zones=[
        "1",
        "2",
        "3",
    ],
)
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Application rule collection: action Deny at priority 110, matching HTTPS on
// port 443 from two source addresses to www.test.com.
// NOTE(review): the description says "inbound" although the rule is keyed on a
// target FQDN; confirm the intended traffic direction.
const appRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
    name: "apprulecoll",
    priority: 110,
    rules: [{
        description: "Deny inbound rule",
        name: "rule1",
        protocols: [{
            port: 443,
            protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
        }],
        sourceAddresses: [
            "216.58.216.164",
            "10.0.0.0/24",
        ],
        targetFqdns: ["www.test.com"],
    }],
};

// DNAT rule collection: both rules accept any source ("*") and translate
// traffic addressed to 1.2.3.4 to an internal target. The wildcard is sample
// data; a real deployment should list only the source ranges that must reach
// the published service. The second rule publishes port 80 and is named as
// HTTP traffic, so the translated service may be receiving cleartext.
const natRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
    name: "natrulecoll",
    priority: 112,
    rules: [
        {
            description: "D-NAT all outbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["443"],
            name: "DNAT-HTTPS-traffic",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["*"],
            translatedAddress: "1.2.3.5",
            translatedPort: "8443",
        },
        {
            description: "D-NAT all inbound web traffic for inspection",
            destinationAddresses: ["1.2.3.4"],
            destinationPorts: ["80"],
            name: "DNAT-HTTP-traffic-With-FQDN",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["*"],
            translatedFqdn: "internalhttpserver",
            translatedPort: "880",
        },
    ],
};

// Network rule collection: action Deny at priority 112 for TCP 443-444 and
// 8443 from the listed source ranges, by destination address or FQDN.
const networkRuleCollection = {
    action: {
        type: azure_native.network.AzureFirewallRCActionType.Deny,
    },
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
    name: "netrulecoll",
    priority: 112,
    rules: [
        {
            description: "Block traffic based on source IPs and ports",
            destinationAddresses: ["*"],
            destinationPorts: [
                "443-444",
                "8443",
            ],
            name: "L4-traffic",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255",
            ],
        },
        {
            description: "Block traffic based on source IPs and ports to amazon",
            destinationFqdns: ["www.amazon.com"],
            destinationPorts: [
                "443-444",
                "8443",
            ],
            name: "L4-traffic-with-FQDN",
            protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
            sourceAddresses: ["10.2.4.12-10.2.4.255"],
        },
    ],
};

// The firewall itself, placed in availability zones 1-3. "subid", "rg1" and
// the resource names inside the IDs are sample values from the documentation
// example.
const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    applicationRuleCollections: [appRuleCollection],
    azureFirewallName: "azurefirewall",
    ipConfigurations: [{
        name: "azureFirewallIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location: "West US 2",
    natRuleCollections: [natRuleCollection],
    networkRuleCollections: [networkRuleCollection],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    // Alert mode logs threat-intelligence matches without blocking them.
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    zones: [
        "1",
        "2",
        "3",
    ],
});
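# Pulumi YAML program declaring one Azure Firewall with an application, a DNAT
# and a network rule collection, placed in availability zones 1-3. "subid",
# "rg1" and the resource names inside the IDs are sample values from the
# documentation example.
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      # Deny collection at priority 110: HTTPS/443 from two sources to www.test.com.
      # NOTE(review): the description says "inbound" although the rule is keyed
      # on a target FQDN; confirm the intended traffic direction.
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US 2
      # Both DNAT rules accept any source ('*'). The wildcard is sample data; a
      # real deployment should list only the source ranges that must reach the
      # published service. The second rule publishes port 80 and is named as
      # HTTP traffic, so the translated service may be receiving cleartext.
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      # Deny collection at priority 112 for TCP 443-444 and 8443 from the listed
      # source ranges, by destination address or FQDN.
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      # Alert mode logs threat-intelligence matches without blocking them.
      threatIntelMode: Alert
      zones:
        - '1'
        - '2'
        - '3'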
Create Azure Firewall With management subnet
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
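// Declares one Azure Firewall with an application, a DNAT and a network rule
// collection, plus a separate management IP configuration. "subid", "rg1" and
// the resource names inside the IDs are sample values from the documentation
// example.
return await Deployment.RunAsync(() =>
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        // Deny collection at priority 110: HTTPS/443 from two sources to
        // www.test.com.
        // NOTE(review): the description says "inbound" although the rule is
        // keyed on a target FQDN; confirm the intended traffic direction.
        ApplicationRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
                Name = "apprulecoll",
                Priority = 110,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                    {
                        Description = "Deny inbound rule",
                        Name = "rule1",
                        Protocols = new[]
                        {
                            new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                            {
                                Port = 443,
                                ProtocolType = AzureNative.Network.AzureFirewallApplicationRuleProtocolType.Https,
                            },
                        },
                        SourceAddresses = new[]
                        {
                            "216.58.216.164",
                            "10.0.0.0/24",
                        },
                        TargetFqdns = new[]
                        {
                            "www.test.com",
                        },
                    },
                },
            },
        },
        AzureFirewallName = "azurefirewall",
        IpConfigurations = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
            {
                Name = "azureFirewallIpConfiguration",
                PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
                },
                Subnet = new AzureNative.Network.Inputs.SubResourceArgs
                {
                    Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
                },
            },
        },
        Location = "West US",
        // Management IP configuration: its own public IP (managementPipName)
        // on the AzureFirewallManagementSubnet subnet, separate from the data
        // path configuration above.
        ManagementIpConfiguration = new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
        {
            Name = "azureFirewallMgmtIpConfiguration",
            PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
            {
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
            },
            Subnet = new AzureNative.Network.Inputs.SubResourceArgs
            {
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
            },
        },
        // Both DNAT rules accept any source ("*"). The wildcard is sample
        // data; a real deployment should list only the source ranges that
        // must reach the published service. The second rule publishes port 80
        // and is named as HTTP traffic, so the translated service may be
        // receiving cleartext.
        NatRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallNatRCActionType.Dnat,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
                Name = "natrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all outbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "443",
                        },
                        Name = "DNAT-HTTPS-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedAddress = "1.2.3.5",
                        TranslatedPort = "8443",
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                    {
                        Description = "D-NAT all inbound web traffic for inspection",
                        DestinationAddresses = new[]
                        {
                            "1.2.3.4",
                        },
                        DestinationPorts = new[]
                        {
                            "80",
                        },
                        Name = "DNAT-HTTP-traffic-With-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "*",
                        },
                        TranslatedFqdn = "internalhttpserver",
                        TranslatedPort = "880",
                    },
                },
            },
        },
        // Deny collection at priority 112 for TCP 443-444 and 8443 from the
        // listed source ranges, by destination address or FQDN.
        NetworkRuleCollections = new[]
        {
            new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
            {
                Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
                {
                    Type = AzureNative.Network.AzureFirewallRCActionType.Deny,
                },
                Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
                Name = "netrulecoll",
                Priority = 112,
                Rules = new[]
                {
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports",
                        DestinationAddresses = new[]
                        {
                            "*",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255",
                        },
                    },
                    new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                    {
                        Description = "Block traffic based on source IPs and ports to amazon",
                        DestinationFqdns = new[]
                        {
                            "www.amazon.com",
                        },
                        DestinationPorts = new[]
                        {
                            "443-444",
                            "8443",
                        },
                        Name = "L4-traffic-with-FQDN",
                        Protocols = new[]
                        {
                            AzureNative.Network.AzureFirewallNetworkRuleProtocol.TCP,
                        },
                        SourceAddresses = new[]
                        {
                            "10.2.4.12-10.2.4.255",
                        },
                    },
                },
            },
        },
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_VNet,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags =
        {
            { "key1", "value1" },
        },
        // Alert mode logs threat-intelligence matches without blocking them.
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        // An empty implicitly-typed array (new[] {}) has no element type to
        // infer and does not compile, so the element type is spelled out.
        Zones = new string[] {},
    });
});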
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one Azure Firewall ("azureFirewall") with an application,
// a NAT and a network rule collection. Every resource ID uses the
// placeholder subscription "subid" and resource group "rg1"; substitute
// real IDs before deploying.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := network.NewAzureFirewall(ctx, "azureFirewall", &network.AzureFirewallArgs{
			// Application rules match on FQDN: this collection denies HTTPS/443
			// to www.test.com from the two listed sources.
			// NOTE(review): the description reads "Deny inbound rule", but the rule
			// is keyed on source addresses and a target FQDN; confirm the wording.
			ApplicationRuleCollections: network.AzureFirewallApplicationRuleCollectionArray{
				&network.AzureFirewallApplicationRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll"),
					Name:     pulumi.String("apprulecoll"),
					Priority: pulumi.Int(110),
					Rules: network.AzureFirewallApplicationRuleArray{
						&network.AzureFirewallApplicationRuleArgs{
							Description: pulumi.String("Deny inbound rule"),
							Name:        pulumi.String("rule1"),
							Protocols: network.AzureFirewallApplicationRuleProtocolArray{
								&network.AzureFirewallApplicationRuleProtocolArgs{
									Port:         pulumi.Int(443),
									ProtocolType: pulumi.String(network.AzureFirewallApplicationRuleProtocolTypeHttps),
								},
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("216.58.216.164"),
								pulumi.String("10.0.0.0/24"),
							},
							TargetFqdns: pulumi.StringArray{
								pulumi.String("www.test.com"),
							},
						},
					},
				},
			},
			AzureFirewallName: pulumi.String("azurefirewall"),
			// Data-plane IP configuration: public IP "pipName" on AzureFirewallSubnet.
			IpConfigurations: network.AzureFirewallIPConfigurationArray{
				&network.AzureFirewallIPConfigurationArgs{
					Name: pulumi.String("azureFirewallIpConfiguration"),
					PublicIPAddress: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"),
					},
					Subnet: &network.SubResourceArgs{
						Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"),
					},
				},
			},
			Location: pulumi.String("West US"),
			// Management traffic gets its own public IP and its own subnet
			// (AzureFirewallManagementSubnet), separate from the data-plane pair above.
			ManagementIpConfiguration: &network.AzureFirewallIPConfigurationArgs{
				Name: pulumi.String("azureFirewallMgmtIpConfiguration"),
				PublicIPAddress: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"),
				},
				Subnet: &network.SubResourceArgs{
					Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"),
				},
			},
			// DNAT collection: both rules accept TCP to 1.2.3.4 from source "*",
			// i.e. from any address. Outside a sample, narrow SourceAddresses to the
			// ranges that actually need to reach the translated backends.
			NatRuleCollections: network.AzureFirewallNatRuleCollectionArray{
				&network.AzureFirewallNatRuleCollectionArgs{
					Action: &network.AzureFirewallNatRCActionArgs{
						Type: pulumi.String(network.AzureFirewallNatRCActionTypeDnat),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll"),
					Name:     pulumi.String("natrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNatRuleArray{
						// 1.2.3.4:443 -> 1.2.3.5:8443.
						// NOTE(review): the description says "outbound" although the
						// collection action is Dnat; the sibling rule says "inbound".
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all outbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443"),
							},
							Name: pulumi.String("DNAT-HTTPS-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedAddress: pulumi.String("1.2.3.5"),
							TranslatedPort:    pulumi.String("8443"),
						},
						// 1.2.3.4:80 -> internalhttpserver:880, translated by FQDN rather
						// than by address. Port 80 is presumably cleartext HTTP; confirm
						// that exposing it to any source is intended.
						&network.AzureFirewallNatRuleArgs{
							Description: pulumi.String("D-NAT all inbound web traffic for inspection"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("1.2.3.4"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("80"),
							},
							Name: pulumi.String("DNAT-HTTP-traffic-With-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							TranslatedFqdn: pulumi.String("internalhttpserver"),
							TranslatedPort: pulumi.String("880"),
						},
					},
				},
			},
			// Network (L4) collection: denies TCP 443-444 and 8443 from the listed
			// source ranges, once to any destination address and once to an FQDN.
			NetworkRuleCollections: network.AzureFirewallNetworkRuleCollectionArray{
				&network.AzureFirewallNetworkRuleCollectionArgs{
					Action: &network.AzureFirewallRCActionArgs{
						Type: pulumi.String(network.AzureFirewallRCActionTypeDeny),
					},
					Id:       pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll"),
					Name:     pulumi.String("netrulecoll"),
					Priority: pulumi.Int(112),
					Rules: network.AzureFirewallNetworkRuleArray{
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports"),
							DestinationAddresses: pulumi.StringArray{
								pulumi.String("*"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("192.168.1.1-192.168.1.12"),
								pulumi.String("10.1.4.12-10.1.4.255"),
							},
						},
						&network.AzureFirewallNetworkRuleArgs{
							Description: pulumi.String("Block traffic based on source IPs and ports to amazon"),
							DestinationFqdns: pulumi.StringArray{
								pulumi.String("www.amazon.com"),
							},
							DestinationPorts: pulumi.StringArray{
								pulumi.String("443-444"),
								pulumi.String("8443"),
							},
							Name: pulumi.String("L4-traffic-with-FQDN"),
							Protocols: pulumi.StringArray{
								pulumi.String(network.AzureFirewallNetworkRuleProtocolTCP),
							},
							SourceAddresses: pulumi.StringArray{
								pulumi.String("10.2.4.12-10.2.4.255"),
							},
						},
					},
				},
			},
			ResourceGroupName: pulumi.String("rg1"),
			Sku: &network.AzureFirewallSkuArgs{
				Name: pulumi.String(network.AzureFirewallSkuName_AZFW_VNet),
				Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
			},
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			// Alert mode reports threat-intelligence matches without blocking them;
			// the Deny mode of the same setting also drops the traffic.
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			// Empty list: the firewall is not pinned to any availability zone.
			Zones: pulumi.StringArray{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallApplicationRuleProtocolArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRCActionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNatRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleCollectionArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallNetworkRuleArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one Azure Firewall with an application, a NAT
 * and a network rule collection. Every resource ID uses the placeholder
 * subscription "subid" and resource group "rg1".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /** Declares the "azureFirewall" resource in the current stack. */
    public static void stack(Context ctx) {
        var azureFirewall = new AzureFirewall("azureFirewall", AzureFirewallArgs.builder()
            // Application rules match on FQDN: deny HTTPS/443 to www.test.com
            // from the two listed sources.
            // NOTE(review): the description reads "Deny inbound rule", but the rule
            // is keyed on source addresses and a target FQDN; confirm the wording.
            .applicationRuleCollections(AzureFirewallApplicationRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll")
                .name("apprulecoll")
                .priority(110)
                .rules(AzureFirewallApplicationRuleArgs.builder()
                    .description("Deny inbound rule")
                    .name("rule1")
                    .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                        .port(443)
                        .protocolType("Https")
                        .build())
                    .sourceAddresses(
                        "216.58.216.164",
                        "10.0.0.0/24")
                    .targetFqdns("www.test.com")
                    .build())
                .build())
            .azureFirewallName("azurefirewall")
            // Data-plane IP configuration: public IP "pipName" on AzureFirewallSubnet.
            .ipConfigurations(AzureFirewallIPConfigurationArgs.builder()
                .name("azureFirewallIpConfiguration")
                .publicIPAddress(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName")
                    .build())
                .subnet(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet")
                    .build())
                .build())
            .location("West US")
            // Management traffic gets its own public IP and its own subnet
            // (AzureFirewallManagementSubnet), separate from the data-plane pair above.
            .managementIpConfiguration(AzureFirewallIPConfigurationArgs.builder()
                .name("azureFirewallMgmtIpConfiguration")
                .publicIPAddress(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName")
                    .build())
                .subnet(SubResourceArgs.builder()
                    .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet")
                    .build())
                .build())
            // DNAT collection: both rules accept TCP to 1.2.3.4 from source "*",
            // i.e. from any address. Outside a sample, narrow sourceAddresses to the
            // ranges that actually need to reach the translated backends.
            .natRuleCollections(AzureFirewallNatRuleCollectionArgs.builder()
                .action(AzureFirewallNatRCActionArgs.builder()
                    .type("Dnat")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll")
                .name("natrulecoll")
                .priority(112)
                .rules(
                    // 1.2.3.4:443 -> 1.2.3.5:8443.
                    // NOTE(review): the description says "outbound" although the
                    // collection action is Dnat; the sibling rule says "inbound".
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all outbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("443")
                        .name("DNAT-HTTPS-traffic")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedAddress("1.2.3.5")
                        .translatedPort("8443")
                        .build(),
                    // 1.2.3.4:80 -> internalhttpserver:880, translated by FQDN.
                    // Port 80 is presumably cleartext HTTP; confirm that exposing it
                    // to any source is intended.
                    AzureFirewallNatRuleArgs.builder()
                        .description("D-NAT all inbound web traffic for inspection")
                        .destinationAddresses("1.2.3.4")
                        .destinationPorts("80")
                        .name("DNAT-HTTP-traffic-With-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("*")
                        .translatedFqdn("internalhttpserver")
                        .translatedPort("880")
                        .build())
                .build())
            // Network (L4) collection: denies TCP 443-444 and 8443 from the listed
            // source ranges, once to any destination address and once to an FQDN.
            .networkRuleCollections(AzureFirewallNetworkRuleCollectionArgs.builder()
                .action(AzureFirewallRCActionArgs.builder()
                    .type("Deny")
                    .build())
                .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll")
                .name("netrulecoll")
                .priority(112)
                .rules(
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports")
                        .destinationAddresses("*")
                        .destinationPorts(
                            "443-444",
                            "8443")
                        .name("L4-traffic")
                        .protocols("TCP")
                        .sourceAddresses(
                            "192.168.1.1-192.168.1.12",
                            "10.1.4.12-10.1.4.255")
                        .build(),
                    AzureFirewallNetworkRuleArgs.builder()
                        .description("Block traffic based on source IPs and ports to amazon")
                        .destinationFqdns("www.amazon.com")
                        .destinationPorts(
                            "443-444",
                            "8443")
                        .name("L4-traffic-with-FQDN")
                        .protocols("TCP")
                        .sourceAddresses("10.2.4.12-10.2.4.255")
                        .build())
                .build())
            .resourceGroupName("rg1")
            .sku(AzureFirewallSkuArgs.builder()
                .name("AZFW_VNet")
                .tier("Standard")
                .build())
            .tags(Map.of("key1", "value1"))
            // Alert mode reports threat-intelligence matches without blocking them;
            // the Deny mode of the same setting also drops the traffic.
            .threatIntelMode("Alert")
            // No arguments: the firewall is not pinned to any availability zone.
            .zones()
            .build());
    }
}
import pulumi
import pulumi_azure_native as azure_native
# Declares one Azure Firewall with an application, a NAT and a network rule
# collection. Every resource ID uses the placeholder subscription "subid" and
# resource group "rg1".
azure_firewall = azure_native.network.AzureFirewall("azureFirewall",
    # Application rules match on FQDN: deny HTTPS/443 to www.test.com from the
    # two listed sources.
    # NOTE(review): the description reads "Deny inbound rule", but the rule is
    # keyed on source addresses and a target FQDN; confirm the wording.
    application_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        "name": "apprulecoll",
        "priority": 110,
        "rules": [{
            "description": "Deny inbound rule",
            "name": "rule1",
            "protocols": [{
                "port": 443,
                "protocol_type": azure_native.network.AzureFirewallApplicationRuleProtocolType.HTTPS,
            }],
            "source_addresses": [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            "target_fqdns": ["www.test.com"],
        }],
    }],
    azure_firewall_name="azurefirewall",
    # Data-plane IP configuration: public IP "pipName" on AzureFirewallSubnet.
    ip_configurations=[{
        "name": "azureFirewallIpConfiguration",
        "public_ip_address": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location="West US",
    # Management traffic gets its own public IP and its own subnet
    # (AzureFirewallManagementSubnet), separate from the data-plane pair above.
    management_ip_configuration={
        "name": "azureFirewallMgmtIpConfiguration",
        "public_ip_address": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
        },
        "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
        },
    },
    # DNAT collection: both rules accept TCP to 1.2.3.4 from source "*", i.e.
    # from any address. Outside a sample, narrow source_addresses to the ranges
    # that actually need to reach the translated backends.
    nat_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallNatRCActionType.DNAT,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        "name": "natrulecoll",
        "priority": 112,
        "rules": [
            # 1.2.3.4:443 -> 1.2.3.5:8443.
            # NOTE(review): the description says "outbound" although the
            # collection action is DNAT; the sibling rule says "inbound".
            {
                "description": "D-NAT all outbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["443"],
                "name": "DNAT-HTTPS-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_address": "1.2.3.5",
                "translated_port": "8443",
            },
            # 1.2.3.4:80 -> internalhttpserver:880, translated by FQDN. Port 80
            # is presumably cleartext HTTP; confirm that exposing it to any
            # source is intended.
            {
                "description": "D-NAT all inbound web traffic for inspection",
                "destination_addresses": ["1.2.3.4"],
                "destination_ports": ["80"],
                "name": "DNAT-HTTP-traffic-With-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["*"],
                "translated_fqdn": "internalhttpserver",
                "translated_port": "880",
            },
        ],
    }],
    # Network (L4) collection: denies TCP 443-444 and 8443 from the listed
    # source ranges, once to any destination address and once to an FQDN.
    network_rule_collections=[{
        "action": {
            "type": azure_native.network.AzureFirewallRCActionType.DENY,
        },
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        "name": "netrulecoll",
        "priority": 112,
        "rules": [
            {
                "description": "Block traffic based on source IPs and ports",
                "destination_addresses": ["*"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                "description": "Block traffic based on source IPs and ports to amazon",
                "destination_fqdns": ["www.amazon.com"],
                "destination_ports": [
                    "443-444",
                    "8443",
                ],
                "name": "L4-traffic-with-FQDN",
                "protocols": [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                "source_addresses": ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resource_group_name="rg1",
    sku={
        "name": azure_native.network.AzureFirewallSkuName.AZF_W_V_NET,
        "tier": azure_native.network.AzureFirewallSkuTier.STANDARD,
    },
    tags={
        "key1": "value1",
    },
    # Alert mode reports threat-intelligence matches without blocking them; the
    # Deny mode of the same setting also drops the traffic.
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    # Empty list: the firewall is not pinned to any availability zone.
    zones=[])
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Declares one Azure Firewall with an application, a NAT and a network rule
// collection. Every resource ID uses the placeholder subscription "subid" and
// resource group "rg1".
const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    // Application rules match on FQDN: deny HTTPS/443 to www.test.com from the
    // two listed sources.
    // NOTE(review): the description reads "Deny inbound rule", but the rule is
    // keyed on source addresses and a target FQDN; confirm the wording.
    applicationRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll",
        name: "apprulecoll",
        priority: 110,
        rules: [{
            description: "Deny inbound rule",
            name: "rule1",
            protocols: [{
                port: 443,
                protocolType: azure_native.network.AzureFirewallApplicationRuleProtocolType.Https,
            }],
            sourceAddresses: [
                "216.58.216.164",
                "10.0.0.0/24",
            ],
            targetFqdns: ["www.test.com"],
        }],
    }],
    azureFirewallName: "azurefirewall",
    // Data-plane IP configuration: public IP "pipName" on AzureFirewallSubnet.
    ipConfigurations: [{
        name: "azureFirewallIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet",
        },
    }],
    location: "West US",
    // Management traffic gets its own public IP and its own subnet
    // (AzureFirewallManagementSubnet), separate from the data-plane pair above.
    managementIpConfiguration: {
        name: "azureFirewallMgmtIpConfiguration",
        publicIPAddress: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName",
        },
        subnet: {
            id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet",
        },
    },
    // DNAT collection: both rules accept TCP to 1.2.3.4 from source "*", i.e.
    // from any address. Outside a sample, narrow sourceAddresses to the ranges
    // that actually need to reach the translated backends.
    natRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallNatRCActionType.Dnat,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll",
        name: "natrulecoll",
        priority: 112,
        rules: [
            // 1.2.3.4:443 -> 1.2.3.5:8443.
            // NOTE(review): the description says "outbound" although the
            // collection action is Dnat; the sibling rule says "inbound".
            {
                description: "D-NAT all outbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["443"],
                name: "DNAT-HTTPS-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedAddress: "1.2.3.5",
                translatedPort: "8443",
            },
            // 1.2.3.4:80 -> internalhttpserver:880, translated by FQDN. Port 80
            // is presumably cleartext HTTP; confirm that exposing it to any
            // source is intended.
            {
                description: "D-NAT all inbound web traffic for inspection",
                destinationAddresses: ["1.2.3.4"],
                destinationPorts: ["80"],
                name: "DNAT-HTTP-traffic-With-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["*"],
                translatedFqdn: "internalhttpserver",
                translatedPort: "880",
            },
        ],
    }],
    // Network (L4) collection: denies TCP 443-444 and 8443 from the listed
    // source ranges, once to any destination address and once to an FQDN.
    networkRuleCollections: [{
        action: {
            type: azure_native.network.AzureFirewallRCActionType.Deny,
        },
        id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll",
        name: "netrulecoll",
        priority: 112,
        rules: [
            {
                description: "Block traffic based on source IPs and ports",
                destinationAddresses: ["*"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: [
                    "192.168.1.1-192.168.1.12",
                    "10.1.4.12-10.1.4.255",
                ],
            },
            {
                description: "Block traffic based on source IPs and ports to amazon",
                destinationFqdns: ["www.amazon.com"],
                destinationPorts: [
                    "443-444",
                    "8443",
                ],
                name: "L4-traffic-with-FQDN",
                protocols: [azure_native.network.AzureFirewallNetworkRuleProtocol.TCP],
                sourceAddresses: ["10.2.4.12-10.2.4.255"],
            },
        ],
    }],
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_VNet,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags: {
        key1: "value1",
    },
    // Alert mode reports threat-intelligence matches without blocking them; the
    // Deny mode of the same setting also drops the traffic.
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    // Empty list: the firewall is not pinned to any availability zone.
    zones: [],
});
# Declares one Azure Firewall with an application, a NAT and a network rule
# collection. Every resource ID uses the placeholder subscription "subid" and
# resource group "rg1".
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      # Application rules match on FQDN: deny HTTPS/443 to www.test.com from
      # the two listed sources.
      # NOTE(review): the description reads "Deny inbound rule", but the rule
      # is keyed on source addresses and a target FQDN; confirm the wording.
      applicationRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/applicationRuleCollections/apprulecoll
          name: apprulecoll
          priority: 110
          rules:
            - description: Deny inbound rule
              name: rule1
              protocols:
                - port: 443
                  protocolType: Https
              sourceAddresses:
                - 216.58.216.164
                - 10.0.0.0/24
              targetFqdns:
                - www.test.com
      azureFirewallName: azurefirewall
      # Data-plane IP configuration: public IP "pipName" on AzureFirewallSubnet.
      ipConfigurations:
        - name: azureFirewallIpConfiguration
          publicIPAddress:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName
          subnet:
            id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet
      location: West US
      # Management traffic gets its own public IP and its own subnet
      # (AzureFirewallManagementSubnet), separate from the data-plane pair above.
      managementIpConfiguration:
        name: azureFirewallMgmtIpConfiguration
        publicIPAddress:
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName
        subnet:
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet
      # DNAT collection: both rules accept TCP to 1.2.3.4 from source '*', i.e.
      # from any address. Outside a sample, narrow sourceAddresses to the ranges
      # that actually need to reach the translated backends.
      natRuleCollections:
        - action:
            type: Dnat
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/natRuleCollections/natrulecoll
          name: natrulecoll
          priority: 112
          rules:
            # 1.2.3.4:443 -> 1.2.3.5:8443.
            # NOTE(review): the description says "outbound" although the
            # collection action is Dnat; the sibling rule says "inbound".
            - description: D-NAT all outbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '443'
              name: DNAT-HTTPS-traffic
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedAddress: 1.2.3.5
              translatedPort: '8443'
            # 1.2.3.4:80 -> internalhttpserver:880, translated by FQDN. Port 80
            # is presumably cleartext HTTP; confirm that exposing it to any
            # source is intended.
            - description: D-NAT all inbound web traffic for inspection
              destinationAddresses:
                - 1.2.3.4
              destinationPorts:
                - '80'
              name: DNAT-HTTP-traffic-With-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - '*'
              translatedFqdn: internalhttpserver
              translatedPort: '880'
      # Network (L4) collection: denies TCP 443-444 and 8443 from the listed
      # source ranges, once to any destination address and once to an FQDN.
      networkRuleCollections:
        - action:
            type: Deny
          id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall/networkRuleCollections/netrulecoll
          name: netrulecoll
          priority: 112
          rules:
            - description: Block traffic based on source IPs and ports
              destinationAddresses:
                - '*'
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic
              protocols:
                - TCP
              sourceAddresses:
                - 192.168.1.1-192.168.1.12
                - 10.1.4.12-10.1.4.255
            - description: Block traffic based on source IPs and ports to amazon
              destinationFqdns:
                - www.amazon.com
              destinationPorts:
                - 443-444
                - '8443'
              name: L4-traffic-with-FQDN
              protocols:
                - TCP
              sourceAddresses:
                - 10.2.4.12-10.2.4.255
      resourceGroupName: rg1
      sku:
        name: AZFW_VNet
        tier: Standard
      tags:
        key1: value1
      # Alert mode reports threat-intelligence matches without blocking them;
      # the Deny mode of the same setting also drops the traffic.
      threatIntelMode: Alert
      # Empty list: the firewall is not pinned to any availability zone.
      zones: []
Create Azure Firewall in virtual Hub
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Declares an Azure Firewall with the AZFW_Hub SKU, attached to virtual hub
// "hub1". No rule collections are set inline; the firewall references
// firewall policy "policy1" instead. IDs use the placeholder subscription "subid".
return await Deployment.RunAsync(() =>
{
    var azureFirewall = new AzureNative.Network.AzureFirewall("azureFirewall", new()
    {
        AzureFirewallName = "azurefirewall",
        // The referenced policy is not part of this listing, so what the
        // firewall allows or denies has to be reviewed there.
        FirewallPolicy = new AzureNative.Network.Inputs.SubResourceArgs
        {
            Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
        },
        // Count = 1 with an empty address list; presumably the address itself
        // is assigned by the service (confirm).
        HubIPAddresses = new AzureNative.Network.Inputs.HubIPAddressesArgs
        {
            PublicIPs = new AzureNative.Network.Inputs.HubPublicIPAddressesArgs
            {
                Addresses = new() { },
                Count = 1,
            },
        },
        Location = "West US",
        ResourceGroupName = "rg1",
        Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
        {
            Name = AzureNative.Network.AzureFirewallSkuName.AZFW_Hub,
            Tier = AzureNative.Network.AzureFirewallSkuTier.Standard,
        },
        Tags =
        {
            { "key1", "value1" },
        },
        // Alert mode reports threat-intelligence matches without blocking them;
        // the Deny mode of the same setting also drops the traffic.
        ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
        VirtualHub = new AzureNative.Network.Inputs.SubResourceArgs
        {
            Id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
        },
        // Empty list: the firewall is not pinned to any availability zone.
        Zones = new[] {},
    });
});
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an Azure Firewall with the AZFW_Hub SKU, attached to virtual
// hub "hub1". No rule collections are set inline: filtering behaviour comes
// from the referenced firewall policy "policy1", which is not part of this
// program. IDs use the placeholder subscription "subid".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// References to resources that must already exist.
		policyRef := &network.SubResourceArgs{
			Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"),
		}
		hubRef := &network.SubResourceArgs{
			Id: pulumi.String("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"),
		}

		// One public IP is requested by count; the address list stays empty.
		hubAddrs := &network.HubIPAddressesArgs{
			PublicIPs: &network.HubPublicIPAddressesArgs{
				Addresses: network.AzureFirewallPublicIPAddressArray{},
				Count:     pulumi.Int(1),
			},
		}

		sku := &network.AzureFirewallSkuArgs{
			Name: pulumi.String(network.AzureFirewallSkuName_AZFW_Hub),
			Tier: pulumi.String(network.AzureFirewallSkuTierStandard),
		}

		fwArgs := &network.AzureFirewallArgs{
			AzureFirewallName: pulumi.String("azurefirewall"),
			FirewallPolicy:    policyRef,
			HubIPAddresses:    hubAddrs,
			Location:          pulumi.String("West US"),
			ResourceGroupName: pulumi.String("rg1"),
			Sku:               sku,
			Tags: pulumi.StringMap{
				"key1": pulumi.String("value1"),
			},
			// Alert mode reports threat-intelligence matches without blocking
			// them; the Deny mode of the same setting also drops the traffic.
			ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
			VirtualHub:      hubRef,
			// Empty list: the firewall is not pinned to any availability zone.
			Zones: pulumi.StringArray{},
		}

		_, err := network.NewAzureFirewall(ctx, "azureFirewall", fwArgs)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.AzureFirewall;
import com.pulumi.azurenative.network.AzureFirewallArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.HubIPAddressesArgs;
import com.pulumi.azurenative.network.inputs.HubPublicIPAddressesArgs;
import com.pulumi.azurenative.network.inputs.AzureFirewallSkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares an Azure Firewall with the AZFW_Hub SKU,
 * attached to virtual hub "hub1". No rule collections are set inline; the
 * firewall references firewall policy "policy1", which is not part of this
 * program. IDs use the placeholder subscription "subid".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the "azureFirewall" resource in the current stack. */
    public static void stack(Context ctx) {
        // References to resources that must already exist.
        final SubResourceArgs policyRef = SubResourceArgs.builder()
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1")
            .build();
        final SubResourceArgs hubRef = SubResourceArgs.builder()
            .id("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1")
            .build();

        // One public IP is requested by count; the address list stays empty.
        final HubPublicIPAddressesArgs publicIps = HubPublicIPAddressesArgs.builder()
            .addresses()
            .count(1)
            .build();
        final HubIPAddressesArgs hubAddresses = HubIPAddressesArgs.builder()
            .publicIPs(publicIps)
            .build();

        final AzureFirewallSkuArgs hubSku = AzureFirewallSkuArgs.builder()
            .name("AZFW_Hub")
            .tier("Standard")
            .build();

        final AzureFirewallArgs firewallArgs = AzureFirewallArgs.builder()
            .azureFirewallName("azurefirewall")
            .firewallPolicy(policyRef)
            .hubIPAddresses(hubAddresses)
            .location("West US")
            .resourceGroupName("rg1")
            .sku(hubSku)
            .tags(Map.of("key1", "value1"))
            // Alert mode reports threat-intelligence matches without blocking
            // them; the Deny mode of the same setting also drops the traffic.
            .threatIntelMode("Alert")
            .virtualHub(hubRef)
            // No arguments: the firewall is not pinned to any availability zone.
            .zones()
            .build();

        var azureFirewall = new AzureFirewall("azureFirewall", firewallArgs);
    }
}
import pulumi
import pulumi_azure_native as azure_native
# Declares an Azure Firewall with the hub SKU, attached to virtual hub "hub1".
# No rule collections are set inline; the firewall references firewall policy
# "policy1", which is not part of this program. IDs use the placeholder
# subscription "subid".
azure_firewall = azure_native.network.AzureFirewall(
    "azureFirewall",
    azure_firewall_name="azurefirewall",
    firewall_policy=dict(
        id="/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
    ),
    # One public IP is requested by count; the address list stays empty.
    hub_ip_addresses=dict(
        public_ips=dict(addresses=[], count=1),
    ),
    location="West US",
    resource_group_name="rg1",
    sku=dict(
        name=azure_native.network.AzureFirewallSkuName.AZF_W_HUB,
        tier=azure_native.network.AzureFirewallSkuTier.STANDARD,
    ),
    tags=dict(key1="value1"),
    # Alert mode reports threat-intelligence matches without blocking them; the
    # Deny mode of the same setting also drops the traffic.
    threat_intel_mode=azure_native.network.AzureFirewallThreatIntelMode.ALERT,
    virtual_hub=dict(
        id="/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
    ),
    # Empty list: the firewall is not pinned to any availability zone.
    zones=[],
)
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Declares an Azure Firewall with the AZFW_Hub SKU, attached to virtual hub
// "hub1". No rule collections are set inline; the firewall references firewall
// policy "policy1", which is not part of this program. IDs use the placeholder
// subscription "subid".

// References to resources that must already exist.
const firewallPolicy = {
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1",
};
const virtualHub = {
    id: "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1",
};
const tags = { key1: "value1" };

const azureFirewall = new azure_native.network.AzureFirewall("azureFirewall", {
    azureFirewallName: "azurefirewall",
    firewallPolicy,
    // One public IP is requested by count; the address list stays empty.
    hubIPAddresses: {
        publicIPs: { addresses: [], count: 1 },
    },
    location: "West US",
    resourceGroupName: "rg1",
    sku: {
        name: azure_native.network.AzureFirewallSkuName.AZFW_Hub,
        tier: azure_native.network.AzureFirewallSkuTier.Standard,
    },
    tags,
    // Alert mode reports threat-intelligence matches without blocking them; the
    // Deny mode of the same setting also drops the traffic.
    threatIntelMode: azure_native.network.AzureFirewallThreatIntelMode.Alert,
    virtualHub,
    // Empty list: the firewall is not pinned to any availability zone.
    zones: [],
});
# Declares an Azure Firewall with the AZFW_Hub SKU, attached to virtual hub
# "hub1". No rule collections are set inline; the firewall references firewall
# policy "policy1", which is not part of this listing. IDs use the placeholder
# subscription "subid".
resources:
  azureFirewall:
    type: azure-native:network:AzureFirewall
    properties:
      azureFirewallName: azurefirewall
      firewallPolicy:
        id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1
      # One public IP is requested by count; the address list stays empty.
      hubIPAddresses:
        publicIPs:
          addresses: []
          count: 1
      location: West US
      resourceGroupName: rg1
      sku:
        name: AZFW_Hub
        tier: Standard
      tags:
        key1: value1
      # Alert mode reports threat-intelligence matches without blocking them;
      # the Deny mode of the same setting also drops the traffic.
      threatIntelMode: Alert
      virtualHub:
        id: /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1
      # Empty list: the firewall is not pinned to any availability zone.
      zones: []
Create AzureFirewall Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AzureFirewall(name: string, args: AzureFirewallArgs, opts?: CustomResourceOptions);
@overload
def AzureFirewall(resource_name: str,
args: AzureFirewallArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AzureFirewall(resource_name: str,
opts: Optional[ResourceOptions] = None,
resource_group_name: Optional[str] = None,
management_ip_configuration: Optional[AzureFirewallIPConfigurationArgs] = None,
location: Optional[str] = None,
firewall_policy: Optional[SubResourceArgs] = None,
hub_ip_addresses: Optional[HubIPAddressesArgs] = None,
nat_rule_collections: Optional[Sequence[AzureFirewallNatRuleCollectionArgs]] = None,
ip_configurations: Optional[Sequence[AzureFirewallIPConfigurationArgs]] = None,
azure_firewall_name: Optional[str] = None,
additional_properties: Optional[Mapping[str, str]] = None,
id: Optional[str] = None,
network_rule_collections: Optional[Sequence[AzureFirewallNetworkRuleCollectionArgs]] = None,
application_rule_collections: Optional[Sequence[AzureFirewallApplicationRuleCollectionArgs]] = None,
sku: Optional[AzureFirewallSkuArgs] = None,
tags: Optional[Mapping[str, str]] = None,
threat_intel_mode: Optional[Union[str, AzureFirewallThreatIntelMode]] = None,
virtual_hub: Optional[SubResourceArgs] = None,
zones: Optional[Sequence[str]] = None)
func NewAzureFirewall(ctx *Context, name string, args AzureFirewallArgs, opts ...ResourceOption) (*AzureFirewall, error)
public AzureFirewall(string name, AzureFirewallArgs args, CustomResourceOptions? opts = null)
public AzureFirewall(String name, AzureFirewallArgs args)
public AzureFirewall(String name, AzureFirewallArgs args, CustomResourceOptions options)
type: azure-native:network:AzureFirewall
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AzureFirewallArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AzureFirewallArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AzureFirewallArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AzureFirewallArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AzureFirewallArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference constructor call for AzureFirewall. Every "string" and 0 below is a
// placeholder, not a usable value: replace each one before deploying.
var azureFirewallResource = new AzureNative.Network.AzureFirewall("azureFirewallResource", new()
{
    ResourceGroupName = "string",
    // IP configuration of the firewall used for management traffic.
    ManagementIpConfiguration = new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
    {
        Id = "string",
        Name = "string",
        PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
        {
            Id = "string",
        },
        Subnet = new AzureNative.Network.Inputs.SubResourceArgs
        {
            Id = "string",
        },
    },
    Location = "string",
    FirewallPolicy = new AzureNative.Network.Inputs.SubResourceArgs
    {
        Id = "string",
    },
    HubIPAddresses = new AzureNative.Network.Inputs.HubIPAddressesArgs
    {
        PrivateIPAddress = "string",
        PublicIPs = new AzureNative.Network.Inputs.HubPublicIPAddressesArgs
        {
            Addresses = new[]
            {
                new AzureNative.Network.Inputs.AzureFirewallPublicIPAddressArgs
                {
                    Address = "string",
                },
            },
            Count = 0,
        },
    },
    // NAT rules rewrite the destination of matching traffic to TranslatedAddress /
    // TranslatedFqdn and TranslatedPort. Keep SourceAddresses / SourceIpGroups narrow
    // so that only the intended sources reach the translated endpoint.
    NatRuleCollections = new[]
    {
        new AzureNative.Network.Inputs.AzureFirewallNatRuleCollectionArgs
        {
            Action = new AzureNative.Network.Inputs.AzureFirewallNatRCActionArgs
            {
                Type = "string",
            },
            Id = "string",
            Name = "string",
            // Placeholder. The usage example on this page uses 110.
            // NOTE(review): 0 is presumably outside the accepted range; confirm
            // against the Azure API reference.
            Priority = 0,
            Rules = new[]
            {
                new AzureNative.Network.Inputs.AzureFirewallNatRuleArgs
                {
                    Description = "string",
                    DestinationAddresses = new[]
                    {
                        "string",
                    },
                    DestinationPorts = new[]
                    {
                        "string",
                    },
                    Name = "string",
                    Protocols = new[]
                    {
                        "string",
                    },
                    SourceAddresses = new[]
                    {
                        "string",
                    },
                    SourceIpGroups = new[]
                    {
                        "string",
                    },
                    TranslatedAddress = "string",
                    TranslatedFqdn = "string",
                    TranslatedPort = "string",
                },
            },
        },
    },
    IpConfigurations = new[]
    {
        new AzureNative.Network.Inputs.AzureFirewallIPConfigurationArgs
        {
            Id = "string",
            Name = "string",
            PublicIPAddress = new AzureNative.Network.Inputs.SubResourceArgs
            {
                Id = "string",
            },
            Subnet = new AzureNative.Network.Inputs.SubResourceArgs
            {
                Id = "string",
            },
        },
    },
    AzureFirewallName = "string",
    AdditionalProperties =
    {
        { "string", "string" },
    },
    Id = "string",
    NetworkRuleCollections = new[]
    {
        new AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollectionArgs
        {
            // The action type of the rule collection; the usage example on this page
            // sets Deny on its application rule collection. Choose it explicitly for
            // every collection.
            Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
            {
                Type = "string",
            },
            Id = "string",
            Name = "string",
            Priority = 0,
            Rules = new[]
            {
                new AzureNative.Network.Inputs.AzureFirewallNetworkRuleArgs
                {
                    Description = "string",
                    DestinationAddresses = new[]
                    {
                        "string",
                    },
                    DestinationFqdns = new[]
                    {
                        "string",
                    },
                    DestinationIpGroups = new[]
                    {
                        "string",
                    },
                    DestinationPorts = new[]
                    {
                        "string",
                    },
                    Name = "string",
                    Protocols = new[]
                    {
                        "string",
                    },
                    SourceAddresses = new[]
                    {
                        "string",
                    },
                    SourceIpGroups = new[]
                    {
                        "string",
                    },
                },
            },
        },
    },
    ApplicationRuleCollections = new[]
    {
        new AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollectionArgs
        {
            Action = new AzureNative.Network.Inputs.AzureFirewallRCActionArgs
            {
                Type = "string",
            },
            Id = "string",
            Name = "string",
            Priority = 0,
            Rules = new[]
            {
                new AzureNative.Network.Inputs.AzureFirewallApplicationRuleArgs
                {
                    Description = "string",
                    FqdnTags = new[]
                    {
                        "string",
                    },
                    Name = "string",
                    Protocols = new[]
                    {
                        new AzureNative.Network.Inputs.AzureFirewallApplicationRuleProtocolArgs
                        {
                            Port = 0,
                            ProtocolType = "string",
                        },
                    },
                    SourceAddresses = new[]
                    {
                        "string",
                    },
                    SourceIpGroups = new[]
                    {
                        "string",
                    },
                    TargetFqdns = new[]
                    {
                        "string",
                    },
                },
            },
        },
    },
    Sku = new AzureNative.Network.Inputs.AzureFirewallSkuArgs
    {
        Name = "string",
        Tier = "string",
    },
    Tags =
    {
        { "string", "string" },
    },
    // Operation mode for Threat Intelligence. This page lists "Alert", "Deny" and
    // "Off" as the accepted values.
    // NOTE(review): "Off" presumably disables threat-intelligence filtering; set the
    // mode explicitly and confirm the semantics in the Azure documentation.
    ThreatIntelMode = "string",
    VirtualHub = new AzureNative.Network.Inputs.SubResourceArgs
    {
        Id = "string",
    },
    Zones = new[]
    {
        "string",
    },
});
// Reference constructor call for AzureFirewall. Every "string" and 0 below is a
// placeholder, not a usable value: replace each one before deploying. The call
// returns an error; check err before using example.
example, err := network.NewAzureFirewall(ctx, "azureFirewallResource", &network.AzureFirewallArgs{
	ResourceGroupName: pulumi.String("string"),
	// IP configuration of the firewall used for management traffic.
	ManagementIpConfiguration: &network.AzureFirewallIPConfigurationArgs{
		Id: pulumi.String("string"),
		Name: pulumi.String("string"),
		PublicIPAddress: &network.SubResourceArgs{
			Id: pulumi.String("string"),
		},
		Subnet: &network.SubResourceArgs{
			Id: pulumi.String("string"),
		},
	},
	Location: pulumi.String("string"),
	FirewallPolicy: &network.SubResourceArgs{
		Id: pulumi.String("string"),
	},
	HubIPAddresses: &network.HubIPAddressesArgs{
		PrivateIPAddress: pulumi.String("string"),
		PublicIPs: &network.HubPublicIPAddressesArgs{
			Addresses: network.AzureFirewallPublicIPAddressArray{
				&network.AzureFirewallPublicIPAddressArgs{
					Address: pulumi.String("string"),
				},
			},
			Count: pulumi.Int(0),
		},
	},
	// NAT rules rewrite the destination of matching traffic to TranslatedAddress /
	// TranslatedFqdn and TranslatedPort. Keep SourceAddresses / SourceIpGroups narrow
	// so that only the intended sources reach the translated endpoint.
	NatRuleCollections: network.AzureFirewallNatRuleCollectionArray{
		&network.AzureFirewallNatRuleCollectionArgs{
			Action: &network.AzureFirewallNatRCActionArgs{
				Type: pulumi.String("string"),
			},
			Id: pulumi.String("string"),
			Name: pulumi.String("string"),
			// Placeholder. The usage example on this page uses 110.
			// NOTE(review): 0 is presumably outside the accepted range; confirm
			// against the Azure API reference.
			Priority: pulumi.Int(0),
			Rules: network.AzureFirewallNatRuleArray{
				&network.AzureFirewallNatRuleArgs{
					Description: pulumi.String("string"),
					DestinationAddresses: pulumi.StringArray{
						pulumi.String("string"),
					},
					DestinationPorts: pulumi.StringArray{
						pulumi.String("string"),
					},
					Name: pulumi.String("string"),
					Protocols: pulumi.StringArray{
						pulumi.String("string"),
					},
					SourceAddresses: pulumi.StringArray{
						pulumi.String("string"),
					},
					SourceIpGroups: pulumi.StringArray{
						pulumi.String("string"),
					},
					TranslatedAddress: pulumi.String("string"),
					TranslatedFqdn: pulumi.String("string"),
					TranslatedPort: pulumi.String("string"),
				},
			},
		},
	},
	IpConfigurations: network.AzureFirewallIPConfigurationArray{
		&network.AzureFirewallIPConfigurationArgs{
			Id: pulumi.String("string"),
			Name: pulumi.String("string"),
			PublicIPAddress: &network.SubResourceArgs{
				Id: pulumi.String("string"),
			},
			Subnet: &network.SubResourceArgs{
				Id: pulumi.String("string"),
			},
		},
	},
	AzureFirewallName: pulumi.String("string"),
	AdditionalProperties: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Id: pulumi.String("string"),
	NetworkRuleCollections: network.AzureFirewallNetworkRuleCollectionArray{
		&network.AzureFirewallNetworkRuleCollectionArgs{
			// The action type of the rule collection; the usage example on this page
			// sets Deny on its application rule collection. Choose it explicitly for
			// every collection.
			Action: &network.AzureFirewallRCActionArgs{
				Type: pulumi.String("string"),
			},
			Id: pulumi.String("string"),
			Name: pulumi.String("string"),
			Priority: pulumi.Int(0),
			Rules: network.AzureFirewallNetworkRuleArray{
				&network.AzureFirewallNetworkRuleArgs{
					Description: pulumi.String("string"),
					DestinationAddresses: pulumi.StringArray{
						pulumi.String("string"),
					},
					DestinationFqdns: pulumi.StringArray{
						pulumi.String("string"),
					},
					DestinationIpGroups: pulumi.StringArray{
						pulumi.String("string"),
					},
					DestinationPorts: pulumi.StringArray{
						pulumi.String("string"),
					},
					Name: pulumi.String("string"),
					Protocols: pulumi.StringArray{
						pulumi.String("string"),
					},
					SourceAddresses: pulumi.StringArray{
						pulumi.String("string"),
					},
					SourceIpGroups: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
		},
	},
	ApplicationRuleCollections: network.AzureFirewallApplicationRuleCollectionArray{
		&network.AzureFirewallApplicationRuleCollectionArgs{
			Action: &network.AzureFirewallRCActionArgs{
				Type: pulumi.String("string"),
			},
			Id: pulumi.String("string"),
			Name: pulumi.String("string"),
			Priority: pulumi.Int(0),
			Rules: network.AzureFirewallApplicationRuleArray{
				&network.AzureFirewallApplicationRuleArgs{
					Description: pulumi.String("string"),
					FqdnTags: pulumi.StringArray{
						pulumi.String("string"),
					},
					Name: pulumi.String("string"),
					Protocols: network.AzureFirewallApplicationRuleProtocolArray{
						&network.AzureFirewallApplicationRuleProtocolArgs{
							Port: pulumi.Int(0),
							ProtocolType: pulumi.String("string"),
						},
					},
					SourceAddresses: pulumi.StringArray{
						pulumi.String("string"),
					},
					SourceIpGroups: pulumi.StringArray{
						pulumi.String("string"),
					},
					TargetFqdns: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
		},
	},
	Sku: &network.AzureFirewallSkuArgs{
		Name: pulumi.String("string"),
		Tier: pulumi.String("string"),
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	// Operation mode for Threat Intelligence. This page lists "Alert", "Deny" and
	// "Off" as the accepted values.
	// NOTE(review): "Off" presumably disables threat-intelligence filtering; set the
	// mode explicitly and confirm the semantics in the Azure documentation.
	ThreatIntelMode: pulumi.String("string"),
	VirtualHub: &network.SubResourceArgs{
		Id: pulumi.String("string"),
	},
	Zones: pulumi.StringArray{
		pulumi.String("string"),
	},
})
// Reference constructor call for AzureFirewall. Every "string" and 0 below is a
// placeholder, not a usable value: replace each one before deploying.
var azureFirewallResource = new AzureFirewall("azureFirewallResource", AzureFirewallArgs.builder()
    .resourceGroupName("string")
    // IP configuration of the firewall used for management traffic.
    .managementIpConfiguration(AzureFirewallIPConfigurationArgs.builder()
        .id("string")
        .name("string")
        .publicIPAddress(SubResourceArgs.builder()
            .id("string")
            .build())
        .subnet(SubResourceArgs.builder()
            .id("string")
            .build())
        .build())
    .location("string")
    .firewallPolicy(SubResourceArgs.builder()
        .id("string")
        .build())
    .hubIPAddresses(HubIPAddressesArgs.builder()
        .privateIPAddress("string")
        .publicIPs(HubPublicIPAddressesArgs.builder()
            .addresses(AzureFirewallPublicIPAddressArgs.builder()
                .address("string")
                .build())
            .count(0)
            .build())
        .build())
    // NAT rules rewrite the destination of matching traffic to translatedAddress /
    // translatedFqdn and translatedPort. Keep sourceAddresses / sourceIpGroups narrow
    // so that only the intended sources reach the translated endpoint.
    .natRuleCollections(AzureFirewallNatRuleCollectionArgs.builder()
        .action(AzureFirewallNatRCActionArgs.builder()
            .type("string")
            .build())
        .id("string")
        .name("string")
        // Placeholder. The usage example on this page uses 110.
        // NOTE(review): 0 is presumably outside the accepted range; confirm
        // against the Azure API reference.
        .priority(0)
        .rules(AzureFirewallNatRuleArgs.builder()
            .description("string")
            .destinationAddresses("string")
            .destinationPorts("string")
            .name("string")
            .protocols("string")
            .sourceAddresses("string")
            .sourceIpGroups("string")
            .translatedAddress("string")
            .translatedFqdn("string")
            .translatedPort("string")
            .build())
        .build())
    .ipConfigurations(AzureFirewallIPConfigurationArgs.builder()
        .id("string")
        .name("string")
        .publicIPAddress(SubResourceArgs.builder()
            .id("string")
            .build())
        .subnet(SubResourceArgs.builder()
            .id("string")
            .build())
        .build())
    .azureFirewallName("string")
    .additionalProperties(Map.of("string", "string"))
    .id("string")
    .networkRuleCollections(AzureFirewallNetworkRuleCollectionArgs.builder()
        // The action type of the rule collection; the usage example on this page
        // sets Deny on its application rule collection. Choose it explicitly for
        // every collection.
        .action(AzureFirewallRCActionArgs.builder()
            .type("string")
            .build())
        .id("string")
        .name("string")
        .priority(0)
        .rules(AzureFirewallNetworkRuleArgs.builder()
            .description("string")
            .destinationAddresses("string")
            .destinationFqdns("string")
            .destinationIpGroups("string")
            .destinationPorts("string")
            .name("string")
            .protocols("string")
            .sourceAddresses("string")
            .sourceIpGroups("string")
            .build())
        .build())
    .applicationRuleCollections(AzureFirewallApplicationRuleCollectionArgs.builder()
        .action(AzureFirewallRCActionArgs.builder()
            .type("string")
            .build())
        .id("string")
        .name("string")
        .priority(0)
        .rules(AzureFirewallApplicationRuleArgs.builder()
            .description("string")
            .fqdnTags("string")
            .name("string")
            .protocols(AzureFirewallApplicationRuleProtocolArgs.builder()
                .port(0)
                .protocolType("string")
                .build())
            .sourceAddresses("string")
            .sourceIpGroups("string")
            .targetFqdns("string")
            .build())
        .build())
    .sku(AzureFirewallSkuArgs.builder()
        .name("string")
        .tier("string")
        .build())
    .tags(Map.of("string", "string"))
    // Operation mode for Threat Intelligence. This page lists "Alert", "Deny" and
    // "Off" as the accepted values.
    // NOTE(review): "Off" presumably disables threat-intelligence filtering; set the
    // mode explicitly and confirm the semantics in the Azure documentation.
    .threatIntelMode("string")
    .virtualHub(SubResourceArgs.builder()
        .id("string")
        .build())
    .zones("string")
    .build());
# Reference constructor call for AzureFirewall. Every "string" and 0 below is a
# placeholder, not a usable value: replace each one before deploying.
azure_firewall_resource = azure_native.network.AzureFirewall("azureFirewallResource",
    resource_group_name="string",
    # IP configuration of the firewall used for management traffic.
    management_ip_configuration={
        "id": "string",
        "name": "string",
        "publicIPAddress": {
            "id": "string",
        },
        "subnet": {
            "id": "string",
        },
    },
    location="string",
    firewall_policy={
        "id": "string",
    },
    hub_ip_addresses={
        "privateIPAddress": "string",
        "publicIPs": {
            "addresses": [{
                "address": "string",
            }],
            "count": 0,
        },
    },
    # NAT rules rewrite the destination of matching traffic to translatedAddress /
    # translatedFqdn and translatedPort. Keep sourceAddresses / sourceIpGroups narrow
    # so that only the intended sources reach the translated endpoint.
    nat_rule_collections=[{
        "action": {
            "type": "string",
        },
        "id": "string",
        "name": "string",
        # Placeholder. The usage example on this page uses 110.
        # NOTE(review): 0 is presumably outside the accepted range; confirm
        # against the Azure API reference.
        "priority": 0,
        "rules": [{
            "description": "string",
            "destinationAddresses": ["string"],
            "destinationPorts": ["string"],
            "name": "string",
            "protocols": ["string"],
            "sourceAddresses": ["string"],
            "sourceIpGroups": ["string"],
            "translatedAddress": "string",
            "translatedFqdn": "string",
            "translatedPort": "string",
        }],
    }],
    ip_configurations=[{
        "id": "string",
        "name": "string",
        "publicIPAddress": {
            "id": "string",
        },
        "subnet": {
            "id": "string",
        },
    }],
    azure_firewall_name="string",
    additional_properties={
        "string": "string",
    },
    id="string",
    network_rule_collections=[{
        # The action type of the rule collection; the usage example on this page
        # sets Deny on its application rule collection. Choose it explicitly for
        # every collection.
        "action": {
            "type": "string",
        },
        "id": "string",
        "name": "string",
        "priority": 0,
        "rules": [{
            "description": "string",
            "destinationAddresses": ["string"],
            "destinationFqdns": ["string"],
            "destinationIpGroups": ["string"],
            "destinationPorts": ["string"],
            "name": "string",
            "protocols": ["string"],
            "sourceAddresses": ["string"],
            "sourceIpGroups": ["string"],
        }],
    }],
    application_rule_collections=[{
        "action": {
            "type": "string",
        },
        "id": "string",
        "name": "string",
        "priority": 0,
        "rules": [{
            "description": "string",
            "fqdnTags": ["string"],
            "name": "string",
            "protocols": [{
                "port": 0,
                "protocolType": "string",
            }],
            "sourceAddresses": ["string"],
            "sourceIpGroups": ["string"],
            "targetFqdns": ["string"],
        }],
    }],
    sku={
        "name": "string",
        "tier": "string",
    },
    tags={
        "string": "string",
    },
    # Operation mode for Threat Intelligence. This page lists "Alert", "Deny" and
    # "Off" as the accepted values.
    # NOTE(review): "Off" presumably disables threat-intelligence filtering; set the
    # mode explicitly and confirm the semantics in the Azure documentation.
    threat_intel_mode="string",
    virtual_hub={
        "id": "string",
    },
    zones=["string"])
// Reference constructor call for AzureFirewall. Every "string" and 0 below is a
// placeholder, not a usable value: replace each one before deploying.
const azureFirewallResource = new azure_native.network.AzureFirewall("azureFirewallResource", {
    resourceGroupName: "string",
    // IP configuration of the firewall used for management traffic.
    managementIpConfiguration: {
        id: "string",
        name: "string",
        publicIPAddress: {
            id: "string",
        },
        subnet: {
            id: "string",
        },
    },
    location: "string",
    firewallPolicy: {
        id: "string",
    },
    hubIPAddresses: {
        privateIPAddress: "string",
        publicIPs: {
            addresses: [{
                address: "string",
            }],
            count: 0,
        },
    },
    // NAT rules rewrite the destination of matching traffic to translatedAddress /
    // translatedFqdn and translatedPort. Keep sourceAddresses / sourceIpGroups narrow
    // so that only the intended sources reach the translated endpoint.
    natRuleCollections: [{
        action: {
            type: "string",
        },
        id: "string",
        name: "string",
        // Placeholder. The usage example on this page uses 110.
        // NOTE(review): 0 is presumably outside the accepted range; confirm
        // against the Azure API reference.
        priority: 0,
        rules: [{
            description: "string",
            destinationAddresses: ["string"],
            destinationPorts: ["string"],
            name: "string",
            protocols: ["string"],
            sourceAddresses: ["string"],
            sourceIpGroups: ["string"],
            translatedAddress: "string",
            translatedFqdn: "string",
            translatedPort: "string",
        }],
    }],
    ipConfigurations: [{
        id: "string",
        name: "string",
        publicIPAddress: {
            id: "string",
        },
        subnet: {
            id: "string",
        },
    }],
    azureFirewallName: "string",
    additionalProperties: {
        string: "string",
    },
    id: "string",
    networkRuleCollections: [{
        // The action type of the rule collection; the usage example on this page
        // sets Deny on its application rule collection. Choose it explicitly for
        // every collection.
        action: {
            type: "string",
        },
        id: "string",
        name: "string",
        priority: 0,
        rules: [{
            description: "string",
            destinationAddresses: ["string"],
            destinationFqdns: ["string"],
            destinationIpGroups: ["string"],
            destinationPorts: ["string"],
            name: "string",
            protocols: ["string"],
            sourceAddresses: ["string"],
            sourceIpGroups: ["string"],
        }],
    }],
    applicationRuleCollections: [{
        action: {
            type: "string",
        },
        id: "string",
        name: "string",
        priority: 0,
        rules: [{
            description: "string",
            fqdnTags: ["string"],
            name: "string",
            protocols: [{
                port: 0,
                protocolType: "string",
            }],
            sourceAddresses: ["string"],
            sourceIpGroups: ["string"],
            targetFqdns: ["string"],
        }],
    }],
    sku: {
        name: "string",
        tier: "string",
    },
    tags: {
        string: "string",
    },
    // Operation mode for Threat Intelligence. This page lists "Alert", "Deny" and
    // "Off" as the accepted values.
    // NOTE(review): "Off" presumably disables threat-intelligence filtering; set the
    // mode explicitly and confirm the semantics in the Azure documentation.
    threatIntelMode: "string",
    virtualHub: {
        id: "string",
    },
    zones: ["string"],
});
# Reference resource definition for AzureFirewall. Every "string" and 0 below is a
# placeholder, not a usable value: replace each one before deploying.
type: azure-native:network:AzureFirewall
properties:
    additionalProperties:
        string: string
    applicationRuleCollections:
        # The action type of the rule collection; the usage example on this page
        # sets Deny on its application rule collection. Choose it explicitly for
        # every collection.
        - action:
            type: string
          id: string
          name: string
          # Placeholder. The usage example on this page uses 110.
          # NOTE(review): 0 is presumably outside the accepted range; confirm
          # against the Azure API reference.
          priority: 0
          rules:
            - description: string
              fqdnTags:
                - string
              name: string
              protocols:
                - port: 0
                  protocolType: string
              sourceAddresses:
                - string
              sourceIpGroups:
                - string
              targetFqdns:
                - string
    azureFirewallName: string
    firewallPolicy:
        id: string
    hubIPAddresses:
        privateIPAddress: string
        publicIPs:
            addresses:
                - address: string
            count: 0
    id: string
    ipConfigurations:
        - id: string
          name: string
          publicIPAddress:
            id: string
          subnet:
            id: string
    location: string
    # IP configuration of the firewall used for management traffic.
    managementIpConfiguration:
        id: string
        name: string
        publicIPAddress:
            id: string
        subnet:
            id: string
    # NAT rules rewrite the destination of matching traffic to translatedAddress /
    # translatedFqdn and translatedPort. Keep sourceAddresses / sourceIpGroups narrow
    # so that only the intended sources reach the translated endpoint.
    natRuleCollections:
        - action:
            type: string
          id: string
          name: string
          priority: 0
          rules:
            - description: string
              destinationAddresses:
                - string
              destinationPorts:
                - string
              name: string
              protocols:
                - string
              sourceAddresses:
                - string
              sourceIpGroups:
                - string
              translatedAddress: string
              translatedFqdn: string
              translatedPort: string
    networkRuleCollections:
        - action:
            type: string
          id: string
          name: string
          priority: 0
          rules:
            - description: string
              destinationAddresses:
                - string
              destinationFqdns:
                - string
              destinationIpGroups:
                - string
              destinationPorts:
                - string
              name: string
              protocols:
                - string
              sourceAddresses:
                - string
              sourceIpGroups:
                - string
    resourceGroupName: string
    sku:
        name: string
        tier: string
    tags:
        string: string
    # Operation mode for Threat Intelligence. This page lists "Alert", "Deny" and
    # "Off" as the accepted values.
    # NOTE(review): "Off" presumably disables threat-intelligence filtering; set the
    # mode explicitly and confirm the semantics in the Azure documentation.
    threatIntelMode: string
    virtualHub:
        id: string
    zones:
        - string
AzureFirewall Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AzureFirewall resource accepts the following input properties:
- ResourceGroupName string
- The name of the resource group.
- AdditionalProperties Dictionary<string, string>
- The additional properties used to further configure this Azure Firewall.
- ApplicationRuleCollections List<Pulumi.AzureNative.Network.Inputs.AzureFirewallApplicationRuleCollection>
- Collection of application rule collections used by Azure Firewall.
- AzureFirewallName string
- The name of the Azure Firewall.
- FirewallPolicy Pulumi.AzureNative.Network.Inputs.SubResource
- The firewallPolicy associated with this Azure Firewall.
- HubIPAddresses Pulumi.AzureNative.Network.Inputs.HubIPAddresses
- IP addresses associated with AzureFirewall.
- Id string
- Resource ID.
- IpConfigurations List<Pulumi.AzureNative.Network.Inputs.AzureFirewallIPConfiguration>
- IP configuration of the Azure Firewall resource.
- Location string
- Resource location.
- ManagementIpConfiguration Pulumi.AzureNative.Network.Inputs.AzureFirewallIPConfiguration
- IP configuration of the Azure Firewall used for management traffic.
- NatRuleCollections List<Pulumi.AzureNative.Network.Inputs.AzureFirewallNatRuleCollection>
- Collection of NAT rule collections used by Azure Firewall.
- NetworkRuleCollections List<Pulumi.AzureNative.Network.Inputs.AzureFirewallNetworkRuleCollection>
- Collection of network rule collections used by Azure Firewall.
- Sku Pulumi.AzureNative.Network.Inputs.AzureFirewallSku
- The Azure Firewall Resource SKU.
- Tags Dictionary<string, string>
- Resource tags.
- ThreatIntelMode string | Pulumi.AzureNative.Network.AzureFirewallThreatIntelMode
- The operation mode for Threat Intelligence.
- VirtualHub Pulumi.AzureNative.Network.Inputs.SubResource
- The virtualHub to which the firewall belongs.
- Zones List<string>
- A list of availability zones denoting where the resource needs to come from.
- ResourceGroupName string
- The name of the resource group.
- AdditionalProperties map[string]string
- The additional properties used to further configure this Azure Firewall.
- ApplicationRuleCollections []AzureFirewallApplicationRuleCollectionArgs
- Collection of application rule collections used by Azure Firewall.
- AzureFirewallName string
- The name of the Azure Firewall.
- FirewallPolicy SubResourceArgs
- The firewallPolicy associated with this Azure Firewall.
- HubIPAddresses HubIPAddressesArgs
- IP addresses associated with AzureFirewall.
- Id string
- Resource ID.
- IpConfigurations []AzureFirewallIPConfigurationArgs
- IP configuration of the Azure Firewall resource.
- Location string
- Resource location.
- ManagementIpConfiguration AzureFirewallIPConfigurationArgs
- IP configuration of the Azure Firewall used for management traffic.
- NatRuleCollections []AzureFirewallNatRuleCollectionArgs
- Collection of NAT rule collections used by Azure Firewall.
- NetworkRuleCollections []AzureFirewallNetworkRuleCollectionArgs
- Collection of network rule collections used by Azure Firewall.
- Sku AzureFirewallSkuArgs
- The Azure Firewall Resource SKU.
- Tags map[string]string
- Resource tags.
- ThreatIntelMode string | AzureFirewallThreatIntelMode
- The operation mode for Threat Intelligence.
- VirtualHub SubResourceArgs
- The virtualHub to which the firewall belongs.
- Zones []string
- A list of availability zones denoting where the resource needs to come from.
- resourceGroupName String
- The name of the resource group.
- additionalProperties Map<String,String>
- The additional properties used to further configure this Azure Firewall.
- applicationRuleCollections List<AzureFirewallApplicationRuleCollection>
- Collection of application rule collections used by Azure Firewall.
- azureFirewallName String
- The name of the Azure Firewall.
- firewallPolicy SubResource
- The firewallPolicy associated with this Azure Firewall.
- hubIPAddresses HubIPAddresses
- IP addresses associated with AzureFirewall.
- id String
- Resource ID.
- ipConfigurations List<AzureFirewallIPConfiguration>
- IP configuration of the Azure Firewall resource.
- location String
- Resource location.
- managementIpConfiguration AzureFirewallIPConfiguration
- IP configuration of the Azure Firewall used for management traffic.
- natRuleCollections List<AzureFirewallNatRuleCollection>
- Collection of NAT rule collections used by Azure Firewall.
- networkRuleCollections List<AzureFirewallNetworkRuleCollection>
- Collection of network rule collections used by Azure Firewall.
- sku AzureFirewallSku
- The Azure Firewall Resource SKU.
- tags Map<String,String>
- Resource tags.
- threatIntelMode String | AzureFirewallThreatIntelMode
- The operation mode for Threat Intelligence.
- virtualHub SubResource
- The virtualHub to which the firewall belongs.
- zones List<String>
- A list of availability zones denoting where the resource needs to come from.
- resourceGroupName string
- The name of the resource group.
- additionalProperties {[key: string]: string}
- The additional properties used to further configure this Azure Firewall.
- applicationRuleCollections AzureFirewallApplicationRuleCollection[]
- Collection of application rule collections used by Azure Firewall.
- azureFirewallName string
- The name of the Azure Firewall.
- firewallPolicy SubResource
- The firewallPolicy associated with this Azure Firewall.
- hubIPAddresses HubIPAddresses
- IP addresses associated with AzureFirewall.
- id string
- Resource ID.
- ipConfigurations AzureFirewallIPConfiguration[]
- IP configuration of the Azure Firewall resource.
- location string
- Resource location.
- managementIpConfiguration AzureFirewallIPConfiguration
- IP configuration of the Azure Firewall used for management traffic.
- natRuleCollections AzureFirewallNatRuleCollection[]
- Collection of NAT rule collections used by Azure Firewall.
- networkRuleCollections AzureFirewallNetworkRuleCollection[]
- Collection of network rule collections used by Azure Firewall.
- sku AzureFirewallSku
- The Azure Firewall Resource SKU.
- tags {[key: string]: string}
- Resource tags.
- threatIntelMode string | AzureFirewallThreatIntelMode
- The operation mode for Threat Intelligence.
- virtualHub SubResource
- The virtualHub to which the firewall belongs.
- zones string[]
- A list of availability zones denoting where the resource needs to come from.
- resource_group_name str
- The name of the resource group.
- additional_properties Mapping[str, str]
- The additional properties used to further configure this Azure Firewall.
- application_rule_collections Sequence[AzureFirewallApplicationRuleCollectionArgs]
- Collection of application rule collections used by Azure Firewall.
- azure_firewall_name str
- The name of the Azure Firewall.
- firewall_policy SubResourceArgs
- The firewallPolicy associated with this Azure Firewall.
- hub_ip_addresses HubIPAddressesArgs
- IP addresses associated with AzureFirewall.
- id str
- Resource ID.
- ip_configurations Sequence[AzureFirewallIPConfigurationArgs]
- IP configuration of the Azure Firewall resource.
- location str
- Resource location.
- management_ip_configuration AzureFirewallIPConfigurationArgs
- IP configuration of the Azure Firewall used for management traffic.
- nat_rule_collections Sequence[AzureFirewallNatRuleCollectionArgs]
- Collection of NAT rule collections used by Azure Firewall.
- network_rule_collections Sequence[AzureFirewallNetworkRuleCollectionArgs]
- Collection of network rule collections used by Azure Firewall.
- sku AzureFirewallSkuArgs
- The Azure Firewall Resource SKU.
- tags Mapping[str, str]
- Resource tags.
- threat_intel_mode str | AzureFirewallThreatIntelMode
- The operation mode for Threat Intelligence.
- virtual_hub SubResourceArgs
- The virtualHub to which the firewall belongs.
- zones Sequence[str]
- A list of availability zones denoting where the resource needs to come from.
- resourceGroupName String
- The name of the resource group.
- additionalProperties Map<String>
- The additional properties used to further configure this Azure Firewall.
- applicationRuleCollections List<Property Map>
- Collection of application rule collections used by Azure Firewall.
- azureFirewallName String
- The name of the Azure Firewall.
- firewallPolicy Property Map
- The firewallPolicy associated with this Azure Firewall.
- hubIPAddresses Property Map
- IP addresses associated with AzureFirewall.
- id String
- Resource ID.
- ipConfigurations List<Property Map>
- IP configuration of the Azure Firewall resource.
- location String
- Resource location.
- managementIpConfiguration Property Map
- IP configuration of the Azure Firewall used for management traffic.
- natRuleCollections List<Property Map>
- Collection of NAT rule collections used by Azure Firewall.
- networkRuleCollections List<Property Map>
- Collection of network rule collections used by Azure Firewall.
- sku Property Map
- The Azure Firewall Resource SKU.
- tags Map<String>
- Resource tags.
- threatIntelMode String | "Alert" | "Deny" | "Off"
- The operation mode for Threat Intelligence.
- virtualHub Property Map
- The virtualHub to which the firewall belongs.
- zones List<String>
- A list of availability zones denoting where the resource needs to come from.
Outputs
All input properties are implicitly available as output properties. Additionally, the AzureFirewall resource produces the following output properties:
- Etag string
- A unique read-only string that changes whenever the resource is updated.
- Id string
- The provider-assigned unique ID for this managed resource.
- Ip
Groups List<Pulumi.Azure Native. Network. Outputs. Azure Firewall Ip Groups Response> - IpGroups associated with AzureFirewall.
- Name string
- Resource name.
- Provisioning
State string - The provisioning state of the Azure firewall resource.
- Type string
- Resource type.
- Etag string
- A unique read-only string that changes whenever the resource is updated.
- Id string
- The provider-assigned unique ID for this managed resource.
- Ip
Groups []AzureFirewall Ip Groups Response - IpGroups associated with AzureFirewall.
- Name string
- Resource name.
- Provisioning
State string - The provisioning state of the Azure firewall resource.
- Type string
- Resource type.
- etag String
- A unique read-only string that changes whenever the resource is updated.
- id String
- The provider-assigned unique ID for this managed resource.
- ip
Groups List<AzureFirewall Ip Groups Response> - IpGroups associated with AzureFirewall.
- name String
- Resource name.
- provisioning
State String - The provisioning state of the Azure firewall resource.
- type String
- Resource type.
- etag string
- A unique read-only string that changes whenever the resource is updated.
- id string
- The provider-assigned unique ID for this managed resource.
- ip
Groups AzureFirewall Ip Groups Response[] - IpGroups associated with AzureFirewall.
- name string
- Resource name.
- provisioning
State string - The provisioning state of the Azure firewall resource.
- type string
- Resource type.
- etag str
- A unique read-only string that changes whenever the resource is updated.
- id str
- The provider-assigned unique ID for this managed resource.
- ip_
groups Sequence[AzureFirewall Ip Groups Response] - IpGroups associated with AzureFirewall.
- name str
- Resource name.
- provisioning_
state str - The provisioning state of the Azure firewall resource.
- type str
- Resource type.
- etag String
- A unique read-only string that changes whenever the resource is updated.
- id String
- The provider-assigned unique ID for this managed resource.
- ip
Groups List<Property Map> - IpGroups associated with AzureFirewall.
- name String
- Resource name.
- provisioning
State String - The provisioning state of the Azure firewall resource.
- type String
- Resource type.
Supporting Types
AzureFirewallApplicationRule, AzureFirewallApplicationRuleArgs
- Description string
- Description of the rule.
- List<string>
- List of FQDN Tags for this rule.
- Name string
- Name of the application rule.
- Protocols
List<Pulumi.
Azure Native. Network. Inputs. Azure Firewall Application Rule Protocol> - Array of ApplicationRuleProtocols.
- Source
Addresses List<string> - List of source IP addresses for this rule.
- Source
Ip List<string>Groups - List of source IpGroups for this rule.
- Target
Fqdns List<string> - List of FQDNs for this rule.
- Description string
- Description of the rule.
- []string
- List of FQDN Tags for this rule.
- Name string
- Name of the application rule.
- Protocols
[]Azure
Firewall Application Rule Protocol - Array of ApplicationRuleProtocols.
- Source
Addresses []string - List of source IP addresses for this rule.
- Source
Ip []stringGroups - List of source IpGroups for this rule.
- Target
Fqdns []string - List of FQDNs for this rule.
- description String
- Description of the rule.
- List<String>
- List of FQDN Tags for this rule.
- name String
- Name of the application rule.
- protocols
List<Azure
Firewall Application Rule Protocol> - Array of ApplicationRuleProtocols.
- source
Addresses List<String> - List of source IP addresses for this rule.
- source
Ip List<String>Groups - List of source IpGroups for this rule.
- target
Fqdns List<String> - List of FQDNs for this rule.
- description string
- Description of the rule.
- string[]
- List of FQDN Tags for this rule.
- name string
- Name of the application rule.
- protocols
Azure
Firewall Application Rule Protocol[] - Array of ApplicationRuleProtocols.
- source
Addresses string[] - List of source IP addresses for this rule.
- source
Ip string[]Groups - List of source IpGroups for this rule.
- target
Fqdns string[] - List of FQDNs for this rule.
- description str
- Description of the rule.
- Sequence[str]
- List of FQDN Tags for this rule.
- name str
- Name of the application rule.
- protocols
Sequence[Azure
Firewall Application Rule Protocol] - Array of ApplicationRuleProtocols.
- source_
addresses Sequence[str] - List of source IP addresses for this rule.
- source_
ip_ Sequence[str]groups - List of source IpGroups for this rule.
- target_
fqdns Sequence[str] - List of FQDNs for this rule.
- description String
- Description of the rule.
- List<String>
- List of FQDN Tags for this rule.
- name String
- Name of the application rule.
- protocols List<Property Map>
- Array of ApplicationRuleProtocols.
- source
Addresses List<String> - List of source IP addresses for this rule.
- source
Ip List<String>Groups - List of source IpGroups for this rule.
- target
Fqdns List<String> - List of FQDNs for this rule.
AzureFirewallApplicationRuleCollection, AzureFirewallApplicationRuleCollectionArgs
- Action
Pulumi.
Azure Native. Network. Inputs. Azure Firewall RCAction - The action type of a rule collection.
- Id string
- Resource ID.
- Name string
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- Priority int
- Priority of the application rule collection resource.
- Rules
List<Pulumi.
Azure Native. Network. Inputs. Azure Firewall Application Rule> - Collection of rules used by a application rule collection.
- Action
Azure
Firewall RCAction - The action type of a rule collection.
- Id string
- Resource ID.
- Name string
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- Priority int
- Priority of the application rule collection resource.
- Rules
[]Azure
Firewall Application Rule - Collection of rules used by a application rule collection.
- action
Azure
Firewall RCAction - The action type of a rule collection.
- id String
- Resource ID.
- name String
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority Integer
- Priority of the application rule collection resource.
- rules
List<Azure
Firewall Application Rule> - Collection of rules used by a application rule collection.
- action AzureFirewallRCAction - The action type of a rule collection.
- id string
- Resource ID.
- name string
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority number
- Priority of the application rule collection resource.
- rules AzureFirewallApplicationRule[] - Collection of rules used by an application rule collection.
- action AzureFirewallRCAction - The action type of a rule collection.
- id str
- Resource ID.
- name str
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority int
- Priority of the application rule collection resource.
- rules Sequence[AzureFirewallApplicationRule] - Collection of rules used by an application rule collection.
- action Property Map
- The action type of a rule collection.
- id String
- Resource ID.
- name String
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority Number
- Priority of the application rule collection resource.
- rules List<Property Map>
- Collection of rules used by an application rule collection.
AzureFirewallApplicationRuleCollectionResponse, AzureFirewallApplicationRuleCollectionResponseArgs
- Etag string
- A unique read-only string that changes whenever the resource is updated.
- ProvisioningState string - The provisioning state of the application rule collection resource.
- Action Pulumi.AzureNative.Network.Inputs.AzureFirewallRCActionResponse - The action type of a rule collection.
- Id string
- Resource ID.
- Name string
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- Priority int
- Priority of the application rule collection resource.
- Rules List<Pulumi.AzureNative.Network.Inputs.AzureFirewallApplicationRuleResponse> - Collection of rules used by an application rule collection.
- Etag string
- A unique read-only string that changes whenever the resource is updated.
- ProvisioningState string - The provisioning state of the application rule collection resource.
- Action AzureFirewallRCActionResponse - The action type of a rule collection.
- Id string
- Resource ID.
- Name string
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- Priority int
- Priority of the application rule collection resource.
- Rules []AzureFirewallApplicationRuleResponse - Collection of rules used by an application rule collection.
- etag String
- A unique read-only string that changes whenever the resource is updated.
- provisioningState String - The provisioning state of the application rule collection resource.
- action AzureFirewallRCActionResponse - The action type of a rule collection.
- id String
- Resource ID.
- name String
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority Integer
- Priority of the application rule collection resource.
- rules List<AzureFirewallApplicationRuleResponse> - Collection of rules used by an application rule collection.
- etag string
- A unique read-only string that changes whenever the resource is updated.
- provisioningState string - The provisioning state of the application rule collection resource.
- action AzureFirewallRCActionResponse - The action type of a rule collection.
- id string
- Resource ID.
- name string
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority number
- Priority of the application rule collection resource.
- rules AzureFirewallApplicationRuleResponse[] - Collection of rules used by an application rule collection.
- etag str
- A unique read-only string that changes whenever the resource is updated.
- provisioning_state str - The provisioning state of the application rule collection resource.
- action AzureFirewallRCActionResponse - The action type of a rule collection.
- id str
- Resource ID.
- name str
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority int
- Priority of the application rule collection resource.
- rules Sequence[AzureFirewallApplicationRuleResponse] - Collection of rules used by an application rule collection.
- etag String
- A unique read-only string that changes whenever the resource is updated.
- provisioningState String - The provisioning state of the application rule collection resource.
- action Property Map
- The action type of a rule collection.
- id String
- Resource ID.
- name String
- The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.
- priority Number
- Priority of the application rule collection resource.
- rules List<Property Map>
- Collection of rules used by an application rule collection.