Skip to content

Commit

Permalink
added firewalls policies for AzureCloud and MSFT Login (#442)
Browse files Browse the repository at this point in the history 
* added firewalls policies for AzureCloud and MSFT Login

* GitHub Action: Build Bicep to JSON

Co-authored-by: lisamurphy-msft <[email protected]>
Co-authored-by: github-actions <[email protected]>
  • Loading branch information
@shawngib @lisamurphy-msft
3 people authored Oct 8, 2021
1 parent a1c89ff commit d663cfc
Show file tree
Hide file tree
Showing 2 changed files with 185 additions and 4 deletions.
97 changes: 94 additions & 3 deletions src/bicep/mlz.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.613.9944",
"templateHash": "927222700136740996"
"templateHash": "11510952573722587231"
}
},
"parameters": {
Expand Down Expand Up @@ -1084,7 +1084,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.613.9944",
"templateHash": "11367184292724438005"
"templateHash": "16313594886672708691"
}
},
"parameters": {
Expand Down Expand Up @@ -1897,7 +1897,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.613.9944",
"templateHash": "14377085769738688639"
"templateHash": "16747839851109173015"
}
},
"parameters": {
Expand Down Expand Up @@ -1955,6 +1955,95 @@
}
}
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2021-02-01",
"name": "[format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName'))]",
"properties": {
"priority": 300,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "msftauth",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"fqdnTags": [],
"webCategories": [],
"targetFqdns": [
"aadcdn.msftauth.net",
"aadcdn.msauth.net"
],
"targetUrls": [],
"terminateTLS": false,
"sourceAddresses": [
"*"
],
"destinationAddresses": [],
"sourceIpGroups": []
}
],
"name": "AzureAuth",
"priority": 110
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
]
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2021-02-01",
"name": "[format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName'))]",
"properties": {
"priority": 200,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"name": "AzureCloud",
"ipProtocols": [
"Any"
],
"sourceAddresses": [
"*"
],
"sourceIpGroups": [],
"destinationAddresses": [
"AzureCloud"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"*"
]
}
],
"name": "AllowAzureCloud",
"priority": 100
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]",
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
]
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2021-02-01",
Expand Down Expand Up @@ -1994,6 +2083,8 @@
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]",
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
]
}
Expand Down
92 changes: 91 additions & 1 deletion src/bicep/modules/firewall.bicep
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,101 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
}
}

resource firewallAppRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
name: '${firewallPolicyName}/DefaultApplicationRuleCollectionGroup'
dependsOn: [
firewallPolicy
]
properties: {
priority: 300
ruleCollections: [
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'Allow'
}
rules: [
{
ruleType: 'ApplicationRule'
name: 'msftauth'
protocols: [
{
protocolType: 'Https'
port: 443
}
]
fqdnTags: []
webCategories: []
targetFqdns: [
'aadcdn.msftauth.net'
'aadcdn.msauth.net'
]
targetUrls: []
terminateTLS: false
sourceAddresses: [
'*'
]
destinationAddresses: []
sourceIpGroups: []
}
]
name: 'AzureAuth'
priority: 110
}
]
}
}

resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
name: '${firewallPolicyName}/DefaultNetworkRuleCollectionGroup'
dependsOn: [
firewallPolicy
firewallAppRuleCollectionGroup
]
properties: {
priority: 200
ruleCollections: [
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'Allow'
}
rules: [
{
ruleType: 'NetworkRule'
name: 'AzureCloud'
ipProtocols: [
'Any'
]
sourceAddresses: [
'*'
]
sourceIpGroups: []
destinationAddresses: [
'AzureCloud'
]
destinationIpGroups: []
destinationFqdns: []
destinationPorts: [
'*'
]
}
]
name: 'AllowAzureCloud'
priority: 100
}
]
}
}

resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
name: name
location: location
tags: tags

dependsOn: [
firewallNetworkRuleCollectionGroup
firewallAppRuleCollectionGroup
]
properties: {
ipConfigurations: [
{
Expand Down

0 comments on commit d663cfc

Please sign in to comment.