1+ # ----------------------------------------------------------------------------------
2+
3+ #
4+ # Copyright Microsoft Corporation
5+ # Licensed under the Apache License, Version 2.0 (the "License");
6+ # you may not use this file except in compliance with the License.
7+ # You may obtain a copy of the License at
8+ # http://www.apache.org/licenses/LICENSE-2.0
9+ # Unless required by applicable law or agreed to in writing, software
10+ # distributed under the License is distributed on an "AS IS" BASIS,
11+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+ # See the License for the specific language governing permissions and
13+ # limitations under the License.
14+ # ----------------------------------------------------------------------------------
15+
16+ function Check-CmdletReturnType
17+ {
18+ param ($cmdletName , $cmdletReturn )
19+
20+ $cmdletData = Get-Command $cmdletName
21+ Assert-NotNull $cmdletData
22+ [array ]$cmdletReturnTypes = $cmdletData.OutputType.Name | Foreach-Object { return ($_ -replace " Microsoft.Azure.Commands.Network.Models." , " "
23+ [array ]$cmdletReturnTypes = $cmdletReturnTypes | Foreach-Object { return ($_ -replace " System." , " "
24+ $realReturnType = $cmdletReturn.GetType ().Name -replace " Microsoft.Azure.Commands.Network.Models." , " "
25+ return $cmdletReturnTypes -contains $realReturnType
26+ }
27+
28+
29+ <#
30+ . SYNOPSIS
31+ Test creating new IpGroups
32+ #>
33+ function Test-AzureFirewallIpGroup
34+ {
35+ # Setup
36+ $rgname = Get-ResourceGroupName
37+ $rglocation = Get-ProviderLocation ResourceManagement " southcentralus"
38+ $location = Get-ProviderLocation ResourceManagement " southcentralus"
39+ $ipGroupLocation = Get-ProviderLocation ResourceManagement " southcentralus"
40+ $ipGroupName1 = Get-ResourceName
41+ $ipGroupName2 = Get-ResourceName
42+
43+ $azureFirewallName = Get-ResourceName
44+ # $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
45+ # $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
46+
47+ $vnetName = Get-ResourceName
48+ $subnetName = " AzureFirewallSubnet"
49+ $publicIpName = Get-ResourceName
50+
51+ # AzureFirewallApplicationRuleCollection
52+ $someAppRuleCollectionName = " someAppRuleCollection"
53+ $someAppRuleCollectionPriority = 100
54+ $someAppRuleCollectionActionType = " Allow"
55+
56+ # AzureFirewallApplicationRule 1
57+ $someAppRuleName = " someAppRule"
58+ $someAppRuleFqdn1 = " *bing.com"
59+ $someAppRuleProtocol1 = " http:8080"
60+ $someAppRulePort1 = 8080
61+ $someAppRuleProtocolType1 = " http"
62+
63+ # AzureFirewallApplicationRule 2
64+ $someOtherAppRuleName = " someOtherAppRule"
65+ $someOtherAppRuleFqdn1 = " sql1.database.windows.net"
66+ $someOtherAppRuleProtocol1 = " mssql:1433"
67+ $someOtherAppRulePort1 = 1433
68+ $someOtherAppRuleProtocolType1 = " mssql"
69+
70+ # AzureFirewallNetworkRuleCollection
71+ $networkRcName = " networkRc"
72+ $networkRcPriority = 200
73+ $networkRcActionType = " Deny"
74+
75+
76+ # AzureFirewallNetworkRule 1
77+ $someNetworkRuleName = " networkRule"
78+ $someNetworkRuleDesc = " desc1"
79+ $someNetworkRuleSourceAddress1 = " 10.0.0.0"
80+ $someNetworkRuleSourceAddress2 = " 111.1.0.0/24"
81+ $someNetworkRuleDestinationAddress1 = " *"
82+ $someNetworkRuleProtocol1 = " UDP"
83+ $someNetworkRuleProtocol2 = " TCP"
84+ $someNetworkRuleProtocol3 = " ICMP"
85+ $someNetworkRuleDestinationPort1 = " 90"
86+
87+ # AzureFirewallNatRuleCollection
88+ $someNatRuleCollectionName = " natRc"
89+ $someNatRuleCollectionPriority = 200
90+
91+ # AzureFirewallNatRule 2
92+ $someNatRuleName = " natRule2"
93+ $someNatRuleDesc = " desc2"
94+ $someNatRuleSourceAddress1 = " 10.0.0.0"
95+ $someNatRuleSourceAddress2 = " 111.1.0.0/24"
96+ $someNatRuleProtocol1 = " UDP"
97+ $someNatRuleProtocol2 = " TCP"
98+ $someNatRuleDestinationPort1 = " 95"
99+ $someNatRuleTranslatedFqdn = " server1.internal.com"
100+ $someNatRuleTranslatedPort = " 96"
101+
102+ try
103+ {
104+ # Create the resource group
105+ New-AzResourceGroup - Name $rgname - Location $rglocation - Tags @ { testtag = " testval"
106+
107+ # Create IpGroup
108+ $ipGroup1 = New-AzIpGroup - ResourceGroupName $rgname - location $ipgroupLocation - Name $ipGroupName1 - IpAddress 10.0 .0.0 / 24 , 11.9 .0.0 / 24
109+ $returnedIpGroup1 = Get-AzIpGroup - ResourceGroupName $rgname - Name $ipGroupName1
110+ Assert-AreEqual $returnedIpGroup1.ResourceGroupName $ipGroup1.ResourceGroupName
111+ Assert-AreEqual $returnedIpGroup1.Name $ipGroup1.Name
112+
113+ $ipGroup2 = New-AzIpGroup - ResourceGroupName $rgname - location $ipgroupLocation - Name $ipGroupName2 - IpAddress 12.0 .0.0 / 24 , 13.9 .0.0 / 24
114+ $returnedIpGroup2 = Get-AzIpGroup - ResourceGroupName $rgname - Name $ipGroupName2
115+ Assert-AreEqual $returnedIpGroup2.ResourceGroupName $ipGroup2.ResourceGroupName
116+ Assert-AreEqual $returnedIpGroup2.Name $ipGroup2.Name
117+
118+ # Create the Virtual Network
119+ $subnet = New-AzVirtualNetworkSubnetConfig - Name $subnetName - AddressPrefix 10.0 .0.0 / 24
120+ $vnet = New-AzVirtualNetwork - Name $vnetName - ResourceGroupName $rgname - Location $ipGroupLocation - AddressPrefix 10.0 .0.0 / 16 - Subnet $subnet
121+ # Get full subnet details
122+ $subnet = Get-AzVirtualNetworkSubnetConfig - VirtualNetwork $vnet - Name $subnetName
123+
124+ # Create public ip
125+ $publicip = New-AzPublicIpAddress - ResourceGroupName $rgname - name $publicIpName - location $location - AllocationMethod Static - Sku Standard
126+
127+ # Create AzureFirewall (with no rules, ThreatIntel is in Alert mode by default)
128+ $azureFirewall = New-AzFirewall –Name $azureFirewallName - ResourceGroupName $rgname - Location $location - VirtualNetworkName $vnetName - PublicIpName $publicIpName
129+
130+ #
131+ # Application Rule Section
132+ #
133+
134+ # Create Application Rules
135+ $someAppRule = New-AzFirewallApplicationRule - Name $someAppRuleName - SourceIpGroup $ipGroup1.Id - Protocol $someAppRuleProtocol1 - TargetFqdn $someAppRuleFqdn1
136+
137+ $someOtherAppRule = New-AzFirewallApplicationRule - Name $someOtherAppRuleName - SourceIpGroup $ipGroup1.Id , $ipGroup2.Id - Protocol $someOtherAppRuleProtocol1 - TargetFqdn $someOtherAppRuleFqdn1
138+
139+ # Create Application Rule Collection with 1 rule
140+ $someAppRuleCollection = New-AzFirewallApplicationRuleCollection - Name $someAppRuleCollectionName - Priority $someAppRuleCollectionPriority - Rule $someAppRule - ActionType $someAppRuleCollectionActionType
141+
142+ # Add a rule to the rule collection using AddRule method
143+ $someAppRuleCollection.AddRule ($someOtherAppRule )
144+
145+ # Add ApplicationRuleCollections to the Firewall using method AddApplicationRuleCollection
146+ $azureFirewall.AddApplicationRuleCollection ($someAppRuleCollection )
147+
148+
149+ #
150+ # Network Rule Section
151+ #
152+
153+ # Create Network Rule
154+
155+ $someNetworkRule = New-AzFirewallNetworkRule - Name $someNetworkRuleName - Description $someNetworkRuleDesc - Protocol $someNetworkRuleProtocol1 , $someNetworkRuleProtocol2 - SourceAddress $someNetworkRuleSourceAddress1 , $someNetworkRuleSourceAddress2 - SourceIpGroup $ipGroup1.Id - DestinationIpGroup $ipGroup2.Id - DestinationPort $someNetworkRuleDestinationPort1
156+ $someNetworkRule.AddProtocol ($someNetworkRuleProtocol3 )
157+
158+ # Create Network Rule Collection
159+ $someNetworkRuleCollection = New-AzFirewallNetworkRuleCollection - Name $networkRcName - Priority $networkRcPriority - Rule $someNetworkRule - ActionType $networkRcActionType
160+
161+ # Add this Network Rule to the rule collection
162+ # $someNetworkRuleCollection.AddRule($someNetworkRule)
163+
164+ # Add NetworkRuleCollections to the Firewall using method AddNetworkRuleCollection
165+ $azureFirewall.AddNetworkRuleCollection ($someNetworkRuleCollection )
166+
167+ #
168+ # NAT Rule Section
169+ #
170+
171+ # Create NAT rule
172+ $someNatRule = New-AzFirewallNatRule - Name $someNatRuleName - Description $someNatRuleDesc - Protocol $someNatRuleProtocol1 - SourceIpGroup $ipGroup1.Id , $ipGroup2.Id - DestinationAddress $publicip.IpAddress - DestinationPort $someNatRuleDestinationPort1 - TranslatedFqdn $someNatRuleTranslatedFqdn - TranslatedPort $someNatRuleTranslatedPort
173+ $someNatRule.AddProtocol ($someNatRuleProtocol2 )
174+
175+ # Create a NAT Rule Collection
176+ $someNatRuleCollection = New-AzFirewallNatRuleCollection - Name $someNatRuleCollectionName - Priority $someNatRuleCollectionPriority - Rule $someNatRule
177+
178+ # Add NAT Rule to rule Collection
179+ # $someNatRuleCollection.AddRule($someNatRule)
180+
181+ # Add NatRuleCollections to the Firewall using method AddNatRuleCollection
182+ $azureFirewall.AddNatRuleCollection ($someNatRuleCollection )
183+
184+ # Set AzureFirewall
185+ # Set-AzFirewall -AzureFirewall $azureFirewall
186+
187+ # Get AzureFirewall
188+ # $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName
189+
190+ $getAzureFirewall = $azureFirewall
191+
192+ #
193+ # Verification - Application Rule
194+ #
195+
196+ # Verify application rule collection 2
197+ $someAppRuleCollection2 = $getAzureFirewall.GetApplicationRuleCollectionByName ($someAppRuleCollectionName )
198+
199+ # Verify application rule
200+ $getSomeAppRule = $someAppRuleCollection2.GetRuleByName ($someAppRule.Name )
201+ Assert-AreEqual 1 $getSomeAppRule.SourceIpGroups.Count
202+
203+ $getSomeOtherAppRule = $someAppRuleCollection2.GetRuleByName ($someOtherAppRule.Name )
204+ Assert-AreEqual 2 $getSomeOtherAppRule.SourceIpGroups.Count
205+
206+ #
207+ # Verification - Network Rule
208+ #
209+
210+ # Verify Network rule collection 2
211+ $someNetworkRuleCollection2 = $getAzureFirewall.GetNetworkRuleCollectionByName ($someNetworkRuleCollection.Name )
212+
213+ # Verify Network rule
214+ $getSomeNetworkRule = $someNetworkRuleCollection2.GetRuleByName ($someNetworkRule.Name )
215+ Assert-AreEqual 1 $getSomeNetworkRule.SourceIpGroups.Count
216+ Assert-AreEqual 1 $getSomeNetworkRule.DestinationIpGroups.Count
217+
218+ #
219+ # Verification - NAT Rule
220+ #
221+ $someNatRuleCollection2 = $getAzureFirewall.GetNatRuleCollectionByName ($someNatRuleCollection.Name )
222+ $getSomeNatRule = $someNatRuleCollection2.GetRuleByName ($someNatRule.Name )
223+ Assert-AreEqual 2 $getSomeNatRule.SourceIpGroups.Count
224+
225+ # Delete IpGroup
226+ $deleteIpGroup = Remove-AzIpGroup - ResourceGroupName $rgname - Name $ipGroupName1 - PassThru - Force
227+ Assert-AreEqual true $deleteIpGroup
228+
229+ $deleteIpGroup = Remove-AzIpGroup - ResourceGroupName $rgname - Name $ipGroupName2 - PassThru - Force
230+ Assert-AreEqual true $deleteIpGroup
231+
232+ # Delete AzureFirewall
233+ $delete = Remove-AzFirewall - ResourceGroupName $rgname - name $azureFirewallName - PassThru - Force
234+ Assert-AreEqual true $delete
235+
236+ # Delete VirtualNetwork
237+ $delete = Remove-AzVirtualNetwork - ResourceGroupName $rgname - name $vnetName - PassThru - Force
238+ Assert-AreEqual true $delete
239+
240+ }
241+ finally
242+ {
243+ # Cleanup
244+ Clean - ResourceGroup $rgname
245+ }
246+
247+
248+ }
0 commit comments