diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 5656d50a4..4eb1a8584 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.4.613.9944", - "templateHash": "927222700136740996" + "templateHash": "11510952573722587231" } }, "parameters": { @@ -1084,7 +1084,7 @@ "_generator": { "name": "bicep", "version": "0.4.613.9944", - "templateHash": "11367184292724438005" + "templateHash": "16313594886672708691" } }, "parameters": { @@ -1897,7 +1897,7 @@ "_generator": { "name": "bicep", "version": "0.4.613.9944", - "templateHash": "14377085769738688639" + "templateHash": "16747839851109173015" } }, "parameters": { 
@@ -1955,6 +1955,95 @@ } } }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2021-02-01", + "name": "[format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName'))]", + "properties": { + "priority": 300, + "ruleCollections": [ + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "ApplicationRule", + "name": "msftauth", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "aadcdn.msftauth.net", + "aadcdn.msauth.net" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [ + "*" + ], + "destinationAddresses": [], + "sourceIpGroups": [] + } + ], + "name": "AzureAuth", + "priority": 110 + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" + ] + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2021-02-01", + "name": "[format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName'))]", + "properties": { + "priority": 200, + "ruleCollections": [ + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "AzureCloud", + "ipProtocols": [ + "Any" + ], + "sourceAddresses": [ + "*" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "AzureCloud" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "*" + ] + } + ], + "name": "AllowAzureCloud", + "priority": 100 + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", + 
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" + ] + }, { "type": "Microsoft.Network/azureFirewalls", "apiVersion": "2021-02-01", @@ -1994,6 +2083,8 @@ } }, "dependsOn": [ + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" ] } diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index f223a1fd8..4ba1547b1 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep 
@@ -27,11 +27,101 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
 }
 }
 
+resource firewallAppRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
+ name: '${firewallPolicyName}/DefaultApplicationRuleCollectionGroup'
+ dependsOn: [
+ firewallPolicy
+ ]
+ properties: {
+ priority: 300
+ ruleCollections: [
+ {
+ ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
+ action: {
+ type: 'Allow'
+ }
+ rules: [
+ {
+ ruleType: 'ApplicationRule'
+ name: 'msftauth'
+ protocols: [
+ {
+ protocolType: 'Https'
+ port: 443
+ }
+ ]
+ fqdnTags: []
+ webCategories: []
+ targetFqdns: [
+ 'aadcdn.msftauth.net'
+ 'aadcdn.msauth.net'
+ ]
+ targetUrls: []
+ terminateTLS: false
+ sourceAddresses: [
+ '*'
+ ]
+ destinationAddresses: []
+ sourceIpGroups: []
+ }
+ ]
+ name: 'AzureAuth'
+ priority: 110
+ }
+ ]
+ }
+}
+
+resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
+ name: '${firewallPolicyName}/DefaultNetworkRuleCollectionGroup'
+ dependsOn: [
+ firewallPolicy
+ firewallAppRuleCollectionGroup
+ ]
+ properties: {
+ priority: 200
+ ruleCollections: [
+ {
+ ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
+ action: {
+ type: 'Allow'
+ }
+ rules: [
+ {
+ ruleType: 'NetworkRule'
+ name: 'AzureCloud'
+ ipProtocols: [
+ 'Any'
+ ]
+ sourceAddresses: [
+ '*'
+ ]
+ sourceIpGroups: []
+ destinationAddresses: [
+ 'AzureCloud'
+ ]
+ destinationIpGroups: []
+ destinationFqdns: []
+ destinationPorts: [
+ '*'
+ ]
+ }
+ ]
+ name: 'AllowAzureCloud'
+ priority: 100
+ }
+ ]
+ }
+}
+
 resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
 name: name
 location: location
 tags: tags
-
+ dependsOn: [
+ firewallNetworkRuleCollectionGroup
+ firewallAppRuleCollectionGroup
+ ]
 properties: {
 ipConfigurations: [
 {
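Review bot: The `AllowAzureCloud` rule in `firewallNetworkRuleCollectionGroup` permits `ipProtocols: ['Any']` from `sourceAddresses: ['*']` to the entire `AzureCloud` service tag on `destinationPorts: ['*']`, and that tag spans Azure's public address space across all tenants rather than only the platform services this landing zone depends on, so the shipped default is effectively an outbound allow-all to any Azure-hosted endpoint; consider narrowing the destination to the specific service tags the workload actually needs and exposing the source prefixes as a module parameter instead of `'*'` (the `msftauth` application rule uses the same `'*'` source). As a style point, both groups spell out the parent with `name: '${firewallPolicyName}/...'` plus `dependsOn: [ firewallPolicy ]`; if the toolchain supports it, Bicep's `parent: firewallPolicy` with `name: 'DefaultApplicationRuleCollectionGroup'` expresses the same relationship and infers the dependency. A one-line comment above each group stating why the rule exists and why it is deliberately broad would help whoever hardens these defaults later. The `firewall` resource continues past the end of the hunk.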