
(for anyone who might be using the Hashicorp/Microsoft Azure CAF Module for enterprise infrastructure as code)

Azure provides a Terraform module for implementing enterprise landing zones using the infrastructure-as-code/data-as-code paradigm:

https://github.com/Azure/terraform-azurerm-caf-enterprise-scale

However, there is no indication or documentation on how to manage Azure Firewall Policies and Rules using the module (deploying AFW itself is possible, though).

Has anyone done this using the module (or should I consider doing it using a separate module)?

2 Answers


  1. This part of the documentation has information related to Azure Firewall configuration:
    Azure Firewall

  2. So first of all, Azure CAF (aztfmod) and Terraform Enterprise Scale are two different solutions. This Azure Landing Zone Comparison blog post explains the difference.

    When you say you want to deploy firewall rules, I assume you want to deploy an azurerm_firewall_policy_rule_collection_group, i.e. rules based on IP, port, protocol etc.

    Terraform Enterprise scale

    Does not include support for deploying these fine-grained firewall_policy_rule_collection_group resources. You can however configure azurerm_firewall_policy via the exposed variables described here.

    If you want to deploy a firewall_policy_rule_collection_group, your best bet is to deploy it in your own module and connect it to the policy deployed by the Enterprise Scale module via firewall_policy_id.

    Aztfmod

    In aztfmod, there are two places where firewall rules come into play, depending on which level of Azure CAF modules you're targeting:

    • Level 2: Core platform connectivity -> this is where you’d want to configure rules for your central hub
    • Level 3: Application landing zones vending machine -> if you offer e.g. on-premises connectivity to your subscription, you may need to configure additional firewall rules for each spoke network.

    Here's an example of how to configure the hub firewall rules in level 2:
    examples/networking/firewall/103-firewall-policies/configuration.tfvars

    azurerm_firewall_policy_rule_collection_groups = {
      group1 = {
        # Either attach to an existing policy by resource ID ...
        #firewall_policy_id = "Azure Resource ID"
        # ... or reference a policy declared elsewhere in the same configuration by its key.
        firewall_policy_key = "policy1"
        name                = "example-fwpolicy-rcg"
        priority            = 500

        application_rule_collections = {
          rule1 = {
            name     = "app_rule_collection1"
            priority = 500
            action   = "Deny"
            rules = {
              rule1 = {
                name = "app_rule_collection1_rule1"
                protocols = {
                  1 = {
                    type = "Http"
                    port = 80
                  }
                  2 = {
                    type = "Https"
                    port = 443
                  }
                }
                source_addresses  = ["10.0.0.1"]
                destination_fqdns = ["*.microsoft.com"]
              }
            }
          }
        }

        network_rule_collections = {
          group1 = {
            name     = "network_rule_collection1"
            priority = 400
            action   = "Deny"
            rules = {
              rule1 = {
                name                  = "network_rule_collection1_rule1"
                protocols             = ["TCP", "UDP"]
                source_addresses      = ["10.0.0.1"]
                destination_addresses = ["192.168.1.1", "192.168.1.2"]
                destination_ports     = ["80", "1000-2000"]
              }
            }
          }
        }
      }
    }


    In general this seems to be closer to what you want.

    Some caveats about both Microsoft Landing Zone approaches:

    Doing the integration between level 2 and 3 (in aztfmod language) is quite a bit complex and, from my experience, can quickly become hard to keep track of when done manually: which rules belong to which spoke. Consider implementing an automated (or at least semi-automated) virtual network self-service for spoke networks. This service can then build the firewall rule group variables for aztfmod dynamically, for example.

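The "own module connected via firewall_policy_id" approach from the second answer, and its closing caveat about keeping track of which rules belong to which spoke, as an added example that is not part of the original answer and not code from either the Azure Enterprise Scale module or aztfmod. It is a stand-alone Terraform module using the plain azurerm provider resource azurerm_firewall_policy_rule_collection_group. It assumes the policy's resource ID is handed in as the variable firewall_policy_id (the exact output name of the landing-zone module is not known here, so it is left to the caller), and the spokes map default holds constructed sample CIDRs, FQDNs and ports. Each spoke gets its own rule collection group named after the spoke, so ownership is visible in plan and state, and the variable validation refuses wildcard sources and colliding priorities before anything is sent to Azure.

```hcl
# Added example (not project code): per-spoke rule collection groups attached to
# an Azure Firewall Policy deployed by another module, referenced by resource ID.
terraform {
  required_version = ">= 1.3"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Resource ID of the policy created by the landing-zone module; assumed to be
# wired in from that module's output by the caller.
variable "firewall_policy_id" {
  type = string
}

# One entry per spoke, keyed by spoke name. The default is constructed sample
# data; a vending / self-service pipeline would generate this map instead.
variable "spokes" {
  type = map(object({
    priority              = number       # unique per group within the policy, 100-65000
    source_addresses      = list(string) # the spoke's own CIDRs only, never "*"
    allowed_fqdns         = list(string)
    destination_addresses = list(string) # e.g. on-premises ranges reached via the hub
    allowed_tcp_ports     = list(string)
  }))
  default = {
    spoke-app1 = {
      priority              = 1000
      source_addresses      = ["10.10.0.0/16"]
      allowed_fqdns         = ["*.ubuntu.com"]
      destination_addresses = ["192.168.10.0/24"]
      allowed_tcp_ports     = ["443", "1433"]
    }
    spoke-app2 = {
      priority              = 1100
      source_addresses      = ["10.20.0.0/16"]
      allowed_fqdns         = ["*.microsoft.com"]
      destination_addresses = ["192.168.20.0/24"]
      allowed_tcp_ports     = ["443"]
    }
  }

  # A spoke's group must only ever match that spoke's traffic.
  validation {
    condition     = alltrue([for s in var.spokes : !contains(s.source_addresses, "*")])
    error_message = "Spoke rules must not use '*' as a source address."
  }
  # Group priorities must be unique within a policy or the deployment fails.
  validation {
    condition     = length(distinct([for s in var.spokes : s.priority])) == length(var.spokes)
    error_message = "Each spoke needs a unique rule collection group priority."
  }
}

resource "azurerm_firewall_policy_rule_collection_group" "spoke" {
  for_each           = var.spokes
  name               = "rcg-spoke-${each.key}"
  firewall_policy_id = var.firewall_policy_id
  priority           = each.value.priority

  # Outbound web access for the spoke, restricted to named FQDNs over HTTPS.
  application_rule_collection {
    name     = "allow-web-${each.key}"
    priority = 100
    action   = "Allow"
    rule {
      name = "allow-fqdns"
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = each.value.source_addresses
      destination_fqdns = each.value.allowed_fqdns
    }
  }

  # Spoke-to-on-premises traffic through the hub, limited to listed ports.
  network_rule_collection {
    name     = "allow-onprem-${each.key}"
    priority = 200
    action   = "Allow"
    rule {
      name                  = "allow-tcp"
      protocols             = ["TCP"]
      source_addresses      = each.value.source_addresses
      destination_addresses = each.value.destination_addresses
      destination_ports     = each.value.allowed_tcp_ports
    }
  }
}

# Spoke name -> rule collection group name, so the mapping is visible in plan output.
output "spoke_rule_collection_groups" {
  value = { for k, g in azurerm_firewall_policy_rule_collection_group.spoke : k => g.name }
}
```

Run it with `terraform init && terraform plan -var firewall_policy_id=<policy resource ID>`; adding a spoke is then one more entry in the `spokes` map (or one more record emitted by the self-service pipeline), and removing it deletes exactly that spoke's group and nothing else.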