Blocked some regions when creating/updating Basic Sku firewall (#21179)

Co-authored-by: Gizachew Eshetie <[email protected]>

Author: Gizachew-Eshetie

src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs

@@ -289,6 +289,13 @@ private PSAzureFirewall CreateAzureFirewall()
             sku.Name = !string.IsNullOrEmpty(this.SkuName) ? this.SkuName : MNM.AzureFirewallSkuName.AZFWVNet;
             sku.Tier = !string.IsNullOrEmpty(this.SkuTier) ? this.SkuTier : MNM.AzureFirewallSkuTier.Standard;
 
+            if (sku.Tier.Equals(MNM.AzureFirewallSkuTier.Basic) && !string.IsNullOrEmpty(this.Location))
+            {
+                if (FirewallConstants.IsRegionRestrictedForBasicFirewall(this.Location))
+                {
+                    throw new ArgumentException("Basic Sku Firewall is not supported in this region yet - " + this.Location, nameof(this.Location));
+                }
+            }
             if (this.SkuName == MNM.AzureFirewallSkuName.AZFWHub)
             {
 

src/Network/Network/AzureFirewall/SetAzureFirewallCommand.cs

@@ -42,6 +42,14 @@ public override void Execute()
                 throw new ArgumentException(Microsoft.Azure.Commands.Network.Properties.Resources.ResourceNotFound);
             }
 
+            if (this.AzureFirewall.Sku != null && this.AzureFirewall.Sku.Tier != null && this.AzureFirewall.Sku.Tier.Equals(MNM.AzureFirewallSkuTier.Basic) && !string.IsNullOrEmpty(this.AzureFirewall.Location))
+            {
+                if (FirewallConstants.IsRegionRestrictedForBasicFirewall(this.AzureFirewall.Location))
+                {
+                    throw new ArgumentException("Basic Sku Firewall is not supported in this region yet - " + this.AzureFirewall.Location, nameof(this.AzureFirewall.Location));
+                }
+            }
+
             // Map to the sdk object
             var secureGwModel = NetworkResourceManagerProfile.Mapper.Map<MNM.AzureFirewall>(this.AzureFirewall);
             secureGwModel.Tags = TagsConversionHelper.CreateTagDictionary(this.AzureFirewall.Tag, validate: true);

src/Network/Network/ChangeLog.md

@@ -27,6 +27,7 @@
 * Added `New-AzGatewayCustomBgpIpConfigurationObject` command
 * Updated `New-AzVirtualNetworkGatewayConnection`, `Set-AzVirtualNetworkGatewayConnection` and `New-AzVpnSiteLinkConnection` to support GatewayCustomBgpIpConfiguration.
 * Updated `Reset-AzVpnGateway` to support IpConfigurationId.
+* Blocked some regions when creating/updating Basic Sku firewall
 
 ## Version 5.5.0
 * Updated cmdlets to add new property of `Snat` in Azure Firewall Policy.

src/Network/Network/Common/Utils.cs

@@ -14,6 +14,7 @@
 
 using Microsoft.Azure.Commands.Network.Models;
 using System;
+using System.Globalization;
 
 namespace Microsoft.Azure.Commands.Network
 {
@@ -60,4 +61,26 @@ public static bool IsIpv4PrivatePeeringNull(PSPeering privatePeering)
             return false;
         }
     }
+
+    public static class FirewallConstants
+    {
+        public static readonly System.Collections.Generic.List<string> RestrictedBasicSkuFirewallRegions = new System.Collections.Generic.List<string>()
+        {
+            "TaiwanNorth","CanadaEast","JioIndiaWest", "PolandCentral", "SpainCentral", "USSecWestCentral", "BelgiumCentral", "GermanyNorth", "SwedenSouth", "ChinaEast3"
+        };
+        public static bool IsRegionRestrictedForBasicFirewall(string region)
+        {
+            if (!string.IsNullOrEmpty(region))
+            {
+                foreach(var reg in RestrictedBasicSkuFirewallRegions)
+                {
+                    if(String.Compare(reg, region, CultureInfo.CurrentCulture, CompareOptions.IgnoreCase | CompareOptions.IgnoreSymbols) == 0)
+                    {
+                        return true;
+                    }
+                }
+            }
+            return false;
+        }
+    }
 }