creating Azure firewall policies with Bicep
// Adds one rule collection group per workload to an Azure Firewall policy that already exists.
// The actual rule content (network/application rules, collection priorities, allow actions)
// is not written here: it is read from the sibling workload-*.json files at compile time and
// embedded in the template, so those files are the real review surface for this deployment.
// The sample files shipped alongside allow application traffic from sourceAddresses '*' and
// network traffic to TCP/3389 between fixed hosts; review them before reusing the pattern.

// Name of the pre-existing firewall policy in the target resource group.
param policyName string = 'afwp-fw'

// One entry per workload; each file is a complete ruleCollectionGroups body
// ({ name, properties: { priority, ruleCollections } }), as the loop below relies on.
var workloadRuleGroups = [
  json(loadTextContent('./workload-1.json'))
  json(loadTextContent('./workload-2.json'))
  json(loadTextContent('./workload-3.json'))
]

// Reference only: this template never creates or alters the policy itself.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' existing = {
  name: policyName
}

// @batchSize(1) deploys the groups one after another instead of in parallel — presumably
// because the policy does not accept concurrent rule collection group updates.
@batchSize(1)
resource collectionGroups 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = [for group in workloadRuleGroups: {
  parent: fwPolicy
  name: group.name
  properties: group.properties
}]
{
"name": "workload-1",
"properties": {
"priority": 1000,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "network-allow",
"priority": 200,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"name": "w1-r1",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.10"
],
"destinationAddresses": [
"10.10.20.20"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
},
{
"ruleType": "NetworkRule",
"name": "w1-r2",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.1"
],
"destinationAddresses": [
"10.10.20.2"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
},
{
"ruleType": "NetworkRule",
"name": "w1-r3",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.1"
],
"destinationAddresses": [
"10.10.20.2"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
}
]
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "application-allow",
"priority": 300,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "w1-r1",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"fqdnTags": [
"WindowsUpdate"
],
"webCategories": [],
"targetFqdns": [],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
},
{
"ruleType": "ApplicationRule",
"name": "w1-r2",
"protocols": [
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"ActionGroup"
],
"webCategories": [],
"targetFqdns": [
"motd.ubuntu.com"
],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
},
{
"ruleType": "ApplicationRule",
"name": "w1-r3",
"protocols": [
{
"protocolType": "Https",
"port": 443
},
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"ActionGroup"
],
"webCategories": [],
"targetFqdns": [
"motd.ubuntu.com"
],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
}
]
}
]
}
}
{
"name": "workload-2",
"properties": {
"priority": 1100,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "network-allow",
"priority": 200,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"name": "w2-r1",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.10"
],
"destinationAddresses": [
"10.10.20.20"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
},
{
"ruleType": "NetworkRule",
"name": "w2-r2",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.1"
],
"destinationAddresses": [
"10.10.20.2"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
},
{
"ruleType": "NetworkRule",
"name": "w2-r3",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.1"
],
"destinationAddresses": [
"10.10.20.2"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
}
]
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "application-allow",
"priority": 300,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "w2-r1",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"fqdnTags": [
"WindowsUpdate"
],
"webCategories": [],
"targetFqdns": [],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
},
{
"ruleType": "ApplicationRule",
"name": "w2-r2",
"protocols": [
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"ActionGroup"
],
"webCategories": [],
"targetFqdns": [
"motd.ubuntu.com"
],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
},
{
"ruleType": "ApplicationRule",
"name": "w2-r3",
"protocols": [
{
"protocolType": "Https",
"port": 443
},
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"ActionGroup"
],
"webCategories": [],
"targetFqdns": [
"motd.ubuntu.com"
],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
}
]
}
]
}
}
{
"name": "workload-3",
"properties": {
"priority": 1200,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "network-allow",
"priority": 200,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"name": "w3-r1",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.10"
],
"destinationAddresses": [
"10.10.20.20"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
},
{
"ruleType": "NetworkRule",
"name": "w3-r2",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.1"
],
"destinationAddresses": [
"10.10.20.2"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
},
{
"ruleType": "NetworkRule",
"name": "w3-r3",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [
"10.10.10.1"
],
"destinationAddresses": [
"10.10.20.2"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"3389"
]
}
]
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "application-allow",
"priority": 300,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "w3-r1",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"fqdnTags": [
"WindowsUpdate"
],
"webCategories": [],
"targetFqdns": [],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
},
{
"ruleType": "ApplicationRule",
"name": "w3-r2",
"protocols": [
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"ActionGroup"
],
"webCategories": [],
"targetFqdns": [
"motd.ubuntu.com"
],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
},
{
"ruleType": "ApplicationRule",
"name": "w3-r3",
"protocols": [
{
"protocolType": "Https",
"port": 443
},
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"ActionGroup"
],
"webCategories": [],
"targetFqdns": [
"motd.ubuntu.com"
],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
}
]
}
]
}
}