Azure Firewall - Data PIP removal for FT firewal (#14138)

* validation pip

* help msg

* remove data pip validation

* add log

* logic for add & remote pip

* change pip config name

* comments & tests

* add test recording

* update new-azfw help for no data pip feature

* update new-azfw doc, -PublicIpName cmd

Author: tinawu6

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs

@@ -112,5 +112,13 @@ public void TestAzureFirewallCRUDWithAllowActiveFTP()
         {
             TestRunner.RunTestScript("Test-AzureFirewallCRUDAllowActiveFTP");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallNoDataPip()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallNoDataPip");
+        }
     }
 }

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -1527,4 +1527,90 @@ function Test-AzureFirewallCRUDAllowActiveFTP {
         # Cleanup
         Clean-ResourceGroup $rgname
     }
+}
+
+<#
+.SYNOPSIS
+Tests AzureFirewall NoDataPip
+#>
+function Test-AzureFirewallNoDataPip {
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "centraluseuap"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+	$mgmtSubnetName = "AzureFirewallManagementSubnet"
+    $mgmtPublicIpName = Get-ResourceName
+    $publicIp1Name = Get-ResourceName
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $mgmtSubnet = New-AzVirtualNetworkSubnetConfig -Name $mgmtSubnetName -AddressPrefix 10.0.100.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet,$mgmtSubnet
+        
+        # Get full subnet details
+        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
+        $mgmtSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $mgmtSubnetName
+
+        # Create mgmt public ip
+        $mgmtPublicIp = New-AzPublicIpAddress -ResourceGroupName $rgname -name $mgmtPublicIpName -location $location -AllocationMethod Static -Sku Standard
+
+        # Create AzureFirewall with a management IP, without data PIP
+        $azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -ManagementPublicIpAddress $mgmtPublicIp
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+
+        # Verify creating firewall without data PIP
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location
+        Assert-NotNull $getAzureFirewall.Etag
+        Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
+        Assert-Null $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress
+        Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-NotNull $getAzureFirewall.ManagementIpConfiguration
+        Assert-NotNull $getAzureFirewall.ManagementIpConfiguration.Subnet.Id
+        Assert-NotNull $getAzureFirewall.ManagementIpConfiguration.PublicIpAddress.Id
+        Assert-AreEqual $mgmtSubnet.Id $getAzureFirewall.ManagementIpConfiguration.Subnet.Id
+        Assert-AreEqual $mgmtPublicIp.Id $getAzureFirewall.ManagementIpConfiguration.PublicIpAddress.Id
+
+        # Verify adding a data PIP to firewall
+        $publicip1 = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIp1Name -location $location -AllocationMethod Static -Sku Standard
+        $getAzureFirewall.AddPublicIpAddress($publicip1)
+        Set-AzFirewall -AzureFirewall $getAzureFirewall
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+        Assert-AreEqual $publicip1.Id $getAzureFirewall.IpConfigurations.PublicIpAddress.Id
+
+        # Verify removing data PIP from exisiting FT firewall
+        $getAzureFirewall.RemovePublicIpAddress($publicip1)
+        Set-AzFirewall -AzureFirewall $getAzureFirewall
+        Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
+        Assert-Null $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+
+        # Delete AzureFirewall
+        $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
+        Assert-AreEqual true $delete
+
+        # Delete VirtualNetwork 
+        $delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force
+        Assert-AreEqual true $delete
+
+        $list = Get-AzFirewall -ResourceGroupName $rgname
+        Assert-AreEqual 0 @($list).Count
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
 }

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallNoDataPip.json

@@ -83,7 +83,7 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
             NewParameterTypeName = "List<PSPublicIpAddress>",
             ReplaceMentCmdletParameterName = "PublicIpAddress")]
         [Parameter(
-            Mandatory = true,
+            Mandatory = false,
             ValueFromPipelineByPropertyName = true,
             ParameterSetName = "OldIpConfigurationParameterValues",
             HelpMessage = "Public IP address name. The Public IP must use Standard SKU and must belong to the same resource group as the Firewall.")]
@@ -99,7 +99,7 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
         public PSVirtualNetwork VirtualNetwork { get; set; }
 
         [Parameter(
-            Mandatory = true,
+            Mandatory = false,
             ValueFromPipelineByPropertyName = true,
             ParameterSetName = "IpConfigurationParameterValues",
             HelpMessage = "One or more Public IP Addresses. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall.")]

src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs

@@ -52,6 +52,7 @@
     - Added deprecation attribute warning to the old cmdlets.
 * Bug fix in ExpressRouteLink MacSecConfig. Added new property `SciState` to `PSExpressRouteLinkMacSecConfig`
 * Updated format list and format table views for Get-AzVirtualNetworkGatewayConnectionIkeSa
+* Updated New-AzFirewall to no longer require data public IP for force tunneling firewall (with management IP and subnet)
 
 ## Version 4.5.0
 * Added new cmdlets for CRUD of VpnGatewayNATRule.

src/Network/Network/ChangeLog.md

@@ -137,9 +137,12 @@ public void Allocate(PSVirtualNetwork virtualNetwork, PSPublicIpAddress[] public
                 throw new ArgumentNullException(nameof(virtualNetwork), "Virtual Network cannot be null!");
             }
 
-            if (publicIpAddresses == null || publicIpAddresses.Count() == 0)
+            if (ManagementPublicIpAddress == null)
             {
-                throw new ArgumentNullException(nameof(publicIpAddresses), "Public IP Addresses cannot be null or empty!");
+                if (publicIpAddresses == null || publicIpAddresses.Count() == 0)
+                {
+                    throw new ArgumentNullException(nameof(publicIpAddresses), "Public IP Addresses cannot be null or empty!");
+                }
             }
 
             PSSubnet firewallSubnet = null;
@@ -151,7 +154,7 @@ public void Allocate(PSVirtualNetwork virtualNetwork, PSPublicIpAddress[] public
             {
                 throw new ArgumentException($"Virtual Network {virtualNetwork.Name} should contain a Subnet named {AzureFirewallSubnetName}");
             }
-
+           
             PSSubnet firewallMgmtSubnet = null;
             if (ManagementPublicIpAddress != null)
             {
@@ -174,14 +177,21 @@ public void Allocate(PSVirtualNetwork virtualNetwork, PSPublicIpAddress[] public
 
             this.IpConfigurations = new List<PSAzureFirewallIpConfiguration>();
 
-            for (var i = 0; i < publicIpAddresses.Count(); i++)
+            if (publicIpAddresses != null && publicIpAddresses.Count() > 0)
             {
-                this.IpConfigurations.Add(
-                    new PSAzureFirewallIpConfiguration
-                    {
-                        Name = $"{AzureFirewallIpConfigurationName}{i}",
-                        PublicIpAddress = new PSResourceId { Id = publicIpAddresses[i].Id }
-                    });
+                for (var i = 0; i < publicIpAddresses.Count(); i++)
+                {
+                    this.IpConfigurations.Add(
+                        new PSAzureFirewallIpConfiguration
+                        {
+                            Name = $"{AzureFirewallIpConfigurationName}{i}",
+                            PublicIpAddress = new PSResourceId { Id = publicIpAddresses[i].Id }
+                        });
+                }
+            }
+            else
+            {
+                this.IpConfigurations.Add(new PSAzureFirewallIpConfiguration{Name = $"{AzureFirewallIpConfigurationName}{0}"});
             }
 
             this.IpConfigurations[0].Subnet = new PSResourceId { Id = firewallSubnet.Id };
@@ -217,24 +227,33 @@ public void AddPublicIpAddress(PSPublicIpAddress publicIpAddress)
                 throw new InvalidOperationException($"Please invoke {nameof(Allocate)} to attach the firewall to a Virtual Network");
             }
 
-            var i = 0;
-            conflictingIpConfig = null;
-            var newIpConfigName = "";
+            PSAzureFirewallIpConfiguration configWithoutIP = this.IpConfigurations.SingleOrDefault
+                    (ipConfig => (ipConfig.Subnet != null && ipConfig.PublicIpAddress == null));
 
-            do
+            if (configWithoutIP != null)
             {
-                newIpConfigName = $"{AzureFirewallIpConfigurationName}{this.IpConfigurations.Count + i}";
-                conflictingIpConfig = this.IpConfigurations.SingleOrDefault
-                    (ipConfig => string.Equals(ipConfig.Name, newIpConfigName, System.StringComparison.CurrentCultureIgnoreCase));
-                i++;
-            } while (conflictingIpConfig != null);
-
-            this.IpConfigurations.Add(
-                new PSAzureFirewallIpConfiguration
+                configWithoutIP.PublicIpAddress = new PSResourceId { Id = publicIpAddress.Id };
+            }
+            else
+            {
+                var i = 0;
+                conflictingIpConfig = null;
+                var newIpConfigName = "";
+                do
                 {
-                    Name = newIpConfigName,
-                    PublicIpAddress = new PSResourceId { Id = publicIpAddress.Id }
-                });
+                    newIpConfigName = $"{AzureFirewallIpConfigurationName}{this.IpConfigurations.Count + i}";
+                    conflictingIpConfig = this.IpConfigurations.SingleOrDefault
+                        (ipConfig => string.Equals(ipConfig.Name, newIpConfigName, System.StringComparison.CurrentCultureIgnoreCase));
+                    i++;
+                } while (conflictingIpConfig != null);
+
+                this.IpConfigurations.Add(
+                    new PSAzureFirewallIpConfiguration
+                    {
+                        Name = newIpConfigName,
+                        PublicIpAddress = new PSResourceId { Id = publicIpAddress.Id }
+                    });
+            }
         }
 
         public void RemovePublicIpAddress(PSPublicIpAddress publicIpAddress)
@@ -252,21 +271,32 @@ public void RemovePublicIpAddress(PSPublicIpAddress publicIpAddress)
                 throw new ArgumentException($"Public IP Address {publicIpAddress.Id} is not attached to firewall {this.Name}");
             }
 
-            if (this.IpConfigurations.Count > 1 && ipConfigToRemove.Subnet != null)
-            {
-                throw new InvalidOperationException($"Cannot remove IpConfiguration {ipConfigToRemove.Name} because it references subnet {ipConfigToRemove.Subnet.Id}. Move the subnet reference to another IpConfiguration and try again.");
+            if (this.ManagementIpConfiguration != null) {
+                if (ipConfigToRemove.Subnet != null)
+                {
+                    ipConfigToRemove.PublicIpAddress = null;
+                }
+                else
+                {
+                    this.IpConfigurations.Remove(ipConfigToRemove);
+                }
             }
-
-            if (this.IpConfigurations.Count == 1)
+            else
             {
-                Console.ForegroundColor = ConsoleColor.Yellow;
-                Console.WriteLine($"WARNING: Removing the last Public IP Address, this will deallocate the firewall. You will have to invoke {nameof(Allocate)} to reallocate it.");
-                Console.ResetColor();
+                if (this.IpConfigurations.Count > 1 && ipConfigToRemove.Subnet != null)
+                {
+                    throw new InvalidOperationException($"Cannot remove IpConfiguration {ipConfigToRemove.Name} because it references subnet {ipConfigToRemove.Subnet.Id}. Move the subnet reference to another IpConfiguration and try again.");
+                }
 
-                this.ManagementIpConfiguration = null;
-            }
+                if (this.IpConfigurations.Count == 1)
+                {
+                    Console.ForegroundColor = ConsoleColor.Yellow;
+                    Console.WriteLine($"WARNING: Removing the last Public IP Address, this will deallocate the firewall. You will have to invoke {nameof(Allocate)} to reallocate it.");
+                    Console.ResetColor();
+                }
 
-            this.IpConfigurations.Remove(ipConfigToRemove);
+                this.IpConfigurations.Remove(ipConfigToRemove);
+            }
         }
 
         #endregion // Ip Configuration Operations

src/Network/Network/Models/AzureFirewall/PSAzureFirewall.cs

@@ -29,7 +29,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String>
 ### OldIpConfigurationParameterValues
 ```
 New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -VirtualNetworkName <String>
- -PublicIpName <String> [-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
+ [-PublicIpName <String>] [-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
  [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
  [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>] [-ThreatIntelMode <String>]
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
@@ -42,7 +42,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -Vi
 ### IpConfigurationParameterValues
 ```
 New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -VirtualNetwork <PSVirtualNetwork>
- -PublicIpAddress <PSPublicIpAddress[]> [-ManagementPublicIpAddress <PSPublicIpAddress>]
+ [-PublicIpAddress <PSPublicIpAddress[]>] [-ManagementPublicIpAddress <PSPublicIpAddress>]
  [-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
  [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
  [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>] [-ThreatIntelMode <String>]
@@ -242,7 +242,7 @@ $fw=New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location westus -Sku
 This example creates a Firewall attached to virtual hub "hub" in the same resource group as the firewall.
 The Firewall will be assigned 2 public IPs that are created implicitly.
 
-### 16:  Create a Firewall with Allow Active FTP.
+### Example 16:  Create a Firewall with Allow Active FTP.
 ```
 $rgName = "resourceGroupName"
 $vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
@@ -252,6 +252,18 @@ New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -Virt
 
 This example creates a Firewall with allow active FTP flag.
 
+### Example 17: Create a Firewall with a management subnet and no data Public IP address
+```powershell
+$rgName = "resourceGroupName"
+$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
+$mgmtPip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "managementPublicIpName"
+
+New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -ManagementPublicIpAddress $mgmtPip
+```
+
+This example creates a "forced tunneling" Firewall that uses the subnet "AzureFirewallManagementSubnet" and the management public IP address for its management traffic.
+In this scenario, users do not have to specify a data Public IP if they are only using firewall for private traffic only.
+
 ## PARAMETERS
 
 ### -AllowActiveFTP
@@ -482,14 +494,14 @@ Accept wildcard characters: False
 ```
 
 ### -PublicIpAddress
-One or more Public IP Addresses. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall.
+One or more Public IP Addresses. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall. No input needed for Forced Tunneling Firewalls. 
 
 ```yaml
 Type: Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress[]
 Parameter Sets: IpConfigurationParameterValues
 Aliases:
 
-Required: True
+Required: False
 Position: Named
 Default value: None
 Accept pipeline input: True (ByPropertyName)
@@ -504,7 +516,7 @@ Type: System.String
 Parameter Sets: OldIpConfigurationParameterValues
 Aliases:
 
-Required: True
+Required: False
 Position: Named
 Default value: None
 Accept pipeline input: True (ByPropertyName)