Add Firewall Option for SKU Azure#794 (Azure#839)
* update firewall sku tier options to allow for standard and basic

* update allowed values

* build json

* build json and update readme

* set dnssettings as conditional based on SKU

* add dns settings for Standard tier condition

* update dns options based on SKU type

* update test values

* test values

* test dns values

* update

* test updates

* test updates with conditionals

* build json
Mike Dzikowski authored Feb 6, 2024
1 parent a791803 commit bc7f251
Showing 9 changed files with 93 additions and 28 deletions.
4 changes: 2 additions & 2 deletions docs/deployment-guide-bicep.md
Expand Up @@ -129,11 +129,11 @@ Parameter name | Default Value | Description

By default, MLZ deploys **[Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features). Not all regions support Azure Firewall Premium.** Check here to [see if the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features#supported-regions). If necessary you can set a different firewall SKU or location.

You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `firewallSkuTier` parameter. This parameter only accepts values of `Standard` or `Premium`.
You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `firewallSkuTier` parameter. This parameter only accepts values of `Standard` or `Premium` or `Basic`.

Parameter name | Default Value | Description
-------------- | ------------- | -----------
`firewallSkuTier` | 'Premium' | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
`firewallSkuTier` | 'Premium' | [Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to "Premium".

If you'd like to specify a different region to deploy your resources into, change the location of the deployment. For example, when using the AZ CLI set the deployment command's `--location` argument.
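Review bot: the new sentence on the accepted `firewallSkuTier` values reads "`Standard` or `Premium` or `Basic`"; write it as "`Standard`, `Premium`, or `Basic`". More importantly, this page and the table row still say the parameter defaults to "Premium", while the mlz.bicep change in this same commit removes the `= 'Premium'` default, so one of the two is wrong; either keep the default in Bicep or update the docs. The guide should also state that with `Basic` the template omits the firewall policy DNS settings and leaves the hub and spoke virtual networks on Azure-provided DNS instead of the firewall DNS proxy, since that changes where name resolution flows.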

2 changes: 1 addition & 1 deletion src/bicep/README.md
Expand Up @@ -26,7 +26,7 @@ Parameter name | Required | Description
`operationsSubnetAddressPrefix` | No | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
`sharedServicesVirtualNetworkAddressPrefix` | No | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
`sharedServicesSubnetAddressPrefix` | No | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
`firewallSkuTier` | No | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
`firewallSkuTier` | No | [Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to "Premium".
`firewallThreatIntelMode` | No | [Alert/Deny/Off] The Azure Firewall Threat Intelligence Rule triggered logging behavior. Valid values are "Alert", "Deny", or "Off". The default value is "Alert".
`firewallIntrusionDetectionMode` | No | [Alert/Deny/Off] The Azure Firewall Intrusion Detection mode. Valid values are "Alert", "Deny", or "Off". The default value is "Alert".
`firewallDiagnosticsLogs` | No | An array of Firewall Diagnostic Logs categories to collect. See "https://docs.microsoft.com/en-us/azure/firewall/firewall-diagnostics#enable-diagnostic-logging-through-the-azure-portal" for valid values.
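Review bot: the row keeps Required = "No" and "It defaults to "Premium"", but mlz.bicep in this commit drops the default value, which makes the parameter required; reconcile the README with the source. Consider carrying the SCCA sentence from the new `@description` into this table so the README and the Bicep metadata say the same thing.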
3 changes: 2 additions & 1 deletion src/bicep/core/hub-network.bicep
Expand Up @@ -131,7 +131,8 @@ module virtualNetwork '../modules/virtual-network.bicep' = {
name: virtualNetworkName
subnets: subnets
tags: tags
vNetDnsServers: vNetDnsServers
vNetDnsServers: vNetDnsServers
firewallSkuTier: firewallSkuTier
}
dependsOn: [
networkWatcher
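Review bot: the `vNetDnsServers: vNetDnsServers` line is removed and re-added with identical content, which looks like whitespace-only churn; restore the original indentation so this hunk shows only the added `firewallSkuTier:` line. Also, unlike spoke-network.bicep, this file gains no `param firewallSkuTier string`, so confirm hub-network.bicep already declares that parameter (it should, since it deploys the firewall); otherwise the module reference fails to compile.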
3 changes: 2 additions & 1 deletion src/bicep/core/spoke-network.bicep
Expand Up @@ -2,7 +2,7 @@
Copyright (c) Microsoft Corporation.
Licensed under the MIT License.
*/

param firewallSkuTier string
param location string
param networkSecurityGroupName string
param networkSecurityGroupRules array
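Review bot: `param firewallSkuTier string` is added without the `@allowed(['Standard', 'Premium', 'Basic'])` decorator and `@description` that mlz.bicep and firewall.bicep use for the same value; add them so an unexpected tier is rejected at validation time instead of being silently treated as "not Standard/Premium" by the virtual-network module downstream.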
Expand Down Expand Up @@ -67,6 +67,7 @@ module virtualNetwork '../modules/virtual-network.bicep' = {
]
tags: tags
vNetDnsServers: vNetDnsServers
firewallSkuTier: firewallSkuTier
}
}

36 changes: 36 additions & 0 deletions src/bicep/form/mlz.portal.json
Expand Up @@ -447,6 +447,41 @@
}
]
}
},
{
"name": "firewallSkuTier",
"type": "Microsoft.Common.DropDown",
"label": "Firewall SKU",
"placeholder": "",
"defaultValue": ["Premium"],
"toolTip": "Selecting a value other than Premium will reduce the security of the MLZ environment and your environment no longer be SCCA compliant. The Premium SKU is recommended for all production environments that require TLS inspection and SCCA.",
"multiselect": false,
"selectAll": false,
"filter": false,
"filterPlaceholder": "Filter items ...",
"multiLine": false,
"defaultDescription": "Firewall SKU",
"constraints": {
"allowedValues": [
{
"label": "Premium",
"description": "Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). It supports advanced threat protection capabilities like malware and TLS inspection.",
"value": "Premium"
},
{
"label": "Standard",
"description": "Azure Firewall Standard is recommended for customers looking for Layer 3 through Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. It supports enterprise features like threat intelligence, DNS proxy, custom DNS, and web categories.",
"value": "Standard"
},
{
"label": "Basic",
"description": "Azure Firewall Basic is recommended for SMB customers with throughput needs of 250 Mbps.",
"value": "Basic"
}
],
"required": true
},
"visible": true
}
]
},
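Review bot: the toolTip on the `firewallSkuTier` drop-down is missing a verb: "your environment no longer be SCCA compliant" should read "your environment will no longer be SCCA compliant". The `Standard` description also needs "customers who need autoscaling" rather than "customers looking for ... and needs autoscaling". Since this form feeds the same template, the tooltip is the right place to say that choosing `Basic` removes the firewall policy DNS settings and the VNet DNS servers in this deployment, not only the SCCA impact.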
Expand Down Expand Up @@ -1011,6 +1046,7 @@
"firewallClientSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.firewallClientSubnetAddressCidrRange]",
"firewallManagementSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.firewallManagementSubnetAddressCidrRange]",
"firewallSupernetIPAddress": "[steps('networking').hubVirtualNetwork.superNetworkAddressCidrRange]",
"firewallSkuTier": "[steps('networking').hubVirtualNetwork.firewallSkuTier]",
"hubSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.subnetAddressCidrRange]",
"hubSubscriptionId": "[replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', '')]",
"hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]",
7 changes: 5 additions & 2 deletions src/bicep/mlz.bicep
Expand Up @@ -96,9 +96,10 @@ param sharedServicesSubnetAddressPrefix string = '10.0.120.0/27'
@allowed([
'Standard'
'Premium'
'Basic'
])
@description('[Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".')
param firewallSkuTier string = 'Premium'
@description('[Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to "Premium". Selecting a value other than Premium is not recommended for environments that are required to be SCCA compliant.' )
param firewallSkuTier string

@allowed([
'Alert'
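Review bot: removing `= 'Premium'` turns `firewallSkuTier` into a required parameter, which breaks every existing parameter file and pipeline that omits it, and it contradicts the `@description` on the line above ("It defaults to "Premium"") as well as both docs. Keep `param firewallSkuTier string = 'Premium'` unless requiring an explicit choice is the intent, in which case update the description and the docs. There is also a stray space before the closing parenthesis of the `@description(...)` call.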
Expand Down Expand Up @@ -846,6 +847,8 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: {
tags: calculatedTags
virtualNetworkAddressPrefix: spoke.virtualNetworkAddressPrefix
virtualNetworkName: spoke.virtualNetworkName

firewallSkuTier: firewallSkuTier
vNetDnsServers: [ hubNetwork.outputs.firewallPrivateIPAddress ]
}
dependsOn: [
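Review bot: the hunk introduces an empty line inside the module's `params` object before `firewallSkuTier:`; remove it, and place the new property in alphabetical order with its neighbours (before `tags:`) to match the surrounding style.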
52 changes: 36 additions & 16 deletions src/bicep/mlz.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "9000107242870608619"
"templateHash": "9930725311433878151"
}
},
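Review bot: mlz.json is compiler output (`_generator` bicep 0.24.24.22086) and the commit history shows several "build json" steps; make sure this file was regenerated from the final .bicep sources so the template hashes correspond to the committed Bicep rather than an intermediate build. The logic should be reviewed in the .bicep files; the JSON hunks only need checking for consistency with them.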
"parameters": {
Expand Down Expand Up @@ -163,13 +163,13 @@
},
"firewallSkuTier": {
"type": "string",
"defaultValue": "Premium",
"allowedValues": [
"Standard",
"Premium"
"Premium",
"Basic"
],
"metadata": {
"description": "[Standard/Premium] The SKU for Azure Firewall. It defaults to \"Premium\"."
"description": "[Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to \"Premium\". Selecting a value other than Premium is not recommended for environments that are required to be SCCA compliant."
}
},
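Review bot: the compiled parameter loses `"defaultValue": "Premium"` while its metadata description still says it defaults to "Premium"; this is the same inconsistency as in mlz.bicep and resolves once the source is fixed and the JSON is rebuilt.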
"firewallThreatIntelMode": {
Expand Down Expand Up @@ -1852,7 +1852,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "15296079850903192633"
"templateHash": "8914523087490010027"
}
},
"parameters": {
Expand Down Expand Up @@ -2243,6 +2243,9 @@
},
"vNetDnsServers": {
"value": "[parameters('vNetDnsServers')]"
},
"firewallSkuTier": {
"value": "[parameters('firewallSkuTier')]"
}
},
"template": {
Expand All @@ -2252,7 +2255,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "12638783015880972122"
"templateHash": "4828957538822254305"
}
},
"parameters": {
Expand All @@ -2273,6 +2276,9 @@
},
"vNetDnsServers": {
"type": "array"
},
"firewallSkuTier": {
"type": "string"
}
},
"resources": [
Expand All @@ -2289,7 +2295,7 @@
]
},
"subnets": "[parameters('subnets')]",
"dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]"
"dhcpOptions": "[if(and(not(equals(parameters('vNetDnsServers'), null())), or(equals(parameters('firewallSkuTier'), 'Premium'), equals(parameters('firewallSkuTier'), 'Standard'))), createObject('dnsServers', parameters('vNetDnsServers')), null())]"
}
}
],
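Review bot: this compiled `dhcpOptions` expression matches virtual-network.bicep, and the identical nested template (hash 4828957538822254305) appears again for the spoke VNet deployments, so the change propagated to both hub and spokes; nothing to add here beyond the points raised on the .bicep source.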
Expand Down Expand Up @@ -2553,7 +2559,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "11702995579311223719"
"templateHash": "1302706933422554098"
}
},
"parameters": {
Expand Down Expand Up @@ -2605,7 +2611,8 @@
"type": "string",
"allowedValues": [
"Standard",
"Premium"
"Premium",
"Basic"
]
},
"tags": {
Expand All @@ -2624,6 +2631,10 @@
"variables": {
"intrusionDetectionObject": {
"mode": "[parameters('intrusionDetectionMode')]"
},
"dnsSettings": {
"enableProxy": "[parameters('enableProxy')]",
"servers": "[parameters('dnsServers')]"
}
},
"resources": [
Expand All @@ -2639,10 +2650,7 @@
"sku": {
"tier": "[parameters('skuTier')]"
},
"dnsSettings": {
"enableProxy": "[parameters('enableProxy')]",
"servers": "[parameters('dnsServers')]"
}
"dnsSettings": "[if(or(equals(parameters('skuTier'), 'Premium'), equals(parameters('skuTier'), 'Standard')), variables('dnsSettings'), null())]"
}
},
{
Expand Down Expand Up @@ -2927,6 +2935,9 @@
"virtualNetworkName": {
"value": "[variables('spokes')[copyIndex()].virtualNetworkName]"
},
"firewallSkuTier": {
"value": "[parameters('firewallSkuTier')]"
},
"vNetDnsServers": {
"value": [
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallPrivateIPAddress.value]"
Expand All @@ -2940,10 +2951,13 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "9456730802221898162"
"templateHash": "3122366333892461351"
}
},
"parameters": {
"firewallSkuTier": {
"type": "string"
},
"location": {
"type": "string"
},
Expand Down Expand Up @@ -3210,6 +3224,9 @@
},
"vNetDnsServers": {
"value": "[parameters('vNetDnsServers')]"
},
"firewallSkuTier": {
"value": "[parameters('firewallSkuTier')]"
}
},
"template": {
Expand All @@ -3219,7 +3236,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "12638783015880972122"
"templateHash": "4828957538822254305"
}
},
"parameters": {
Expand All @@ -3240,6 +3257,9 @@
},
"vNetDnsServers": {
"type": "array"
},
"firewallSkuTier": {
"type": "string"
}
},
"resources": [
Expand All @@ -3256,7 +3276,7 @@
]
},
"subnets": "[parameters('subnets')]",
"dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]"
"dhcpOptions": "[if(and(not(equals(parameters('vNetDnsServers'), null())), or(equals(parameters('firewallSkuTier'), 'Premium'), equals(parameters('firewallSkuTier'), 'Standard'))), createObject('dnsServers', parameters('vNetDnsServers')), null())]"
}
}
],
11 changes: 7 additions & 4 deletions src/bicep/modules/firewall.bicep
Expand Up @@ -24,6 +24,7 @@ param name string
@allowed([
'Standard'
'Premium'
'Basic'
])
param skuTier string
param tags object = {}
Expand All @@ -38,6 +39,11 @@ var intrusionDetectionObject = {
mode: intrusionDetectionMode
}

var dnsSettings = {
enableProxy: enableProxy
servers: dnsServers
}

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
name: firewallPolicyName
location: location
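Review bot: the new variable is named `dnsSettings`, the same as the resource property it feeds, while the existing variable in this file follows the `intrusionDetectionObject` convention; rename it `dnsSettingsObject` for consistency and so that `dnsSettings: ... ? dnsSettings : null` does not read as self-referential.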
Expand All @@ -48,10 +54,7 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
sku: {
tier: skuTier
}
dnsSettings: {
enableProxy: enableProxy
servers: dnsServers
}
dnsSettings: ((skuTier == 'Premium' || skuTier == 'Standard') ? dnsSettings : null)
}
}
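Review bot: the condition `(skuTier == 'Premium' || skuTier == 'Standard')` can be written `skuTier != 'Basic'`, which states the actual rule (Basic gets no DNS settings) and needs no edit when another tier is added; the same applies to the identical condition in virtual-network.bicep. Separately, this hunk gates only `dnsSettings`; check whether the other policy settings this module sets, such as `intrusionDetection` and `threatIntelMode`, are accepted for the Basic tier, and gate them the same way if not, otherwise a Basic deployment is rejected by the resource provider rather than at template validation.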

3 changes: 2 additions & 1 deletion src/bicep/modules/virtual-network.bicep
Expand Up @@ -9,6 +9,7 @@ param name string
param subnets array
param tags object
param vNetDnsServers array
param firewallSkuTier string

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = {
name: name
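Review bot: `param firewallSkuTier string` adds firewall product knowledge to a generic virtual network module, with no `@allowed` list and no `@description`. If the parameter stays, add the same `@allowed(['Standard', 'Premium', 'Basic'])` decorator used elsewhere; the alternative that keeps this module firewall-agnostic is for hub-network.bicep and spoke-network.bicep to pass an empty `vNetDnsServers` array when the tier is `Basic` and have this module set `dhcpOptions` only when the list is non-empty.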
Expand All @@ -22,7 +23,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = {
]
}
subnets: subnets
dhcpOptions: vNetDnsServers != null ? {
dhcpOptions: (vNetDnsServers != null && (firewallSkuTier == 'Premium' || firewallSkuTier == 'Standard')) ? {
dnsServers: vNetDnsServers
} : null
}
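Review bot: `vNetDnsServers` is declared `param vNetDnsServers array`, so `vNetDnsServers != null` is true for every caller that passes an array (mlz.bicep passes `[ hubNetwork.outputs.firewallPrivateIPAddress ]`); `!empty(vNetDnsServers)` expresses the intent better. Behaviourally, when the tier is `Basic` the VNet gets no custom DNS servers and falls back to Azure-provided DNS while the caller still passes the firewall IP, which is then ignored; say so in the parameter description so operators know spoke name resolution no longer goes through the firewall on Basic.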
