Change RuleGroup, RuleCollectionGroup, and RuleType and add support for Multiple DNAT Rule Collections

src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.cs

@@ -26,7 +26,7 @@ public AzureFirewallPolicyTests(ITestOutputHelper output)
         {
         }
 
-        [Fact(Skip = "Fails with Internal Server Error")]
+        [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
         public void TestAzureFirewallPolicyCRUD()

src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.ps1

@@ -22,7 +22,7 @@ function Test-AzureFirewallPolicyCRUD {
     $azureFirewallPolicyName = Get-ResourceName
     $azureFirewallPolicyAsJobName = Get-ResourceName
     $resourceTypeParent = "Microsoft.Network/FirewallPolicies"
-    $location = "westcentralus"
+    $location = "eastus2euap"
 
     $ruleGroupName = Get-ResourceName
 
@@ -33,11 +33,6 @@ function Test-AzureFirewallPolicyCRUD {
 
     $pipelineRcPriority = 154
 
-    # AzureFirewallPolicyApplicationRuleCollection 2
-    $appRc2Name = "appRc2"
-    $appRc2Priority = 300
-    $appRc2ActionType = "Deny"
-
     # AzureFirewallPolicyApplicationRule 1
     $appRule1Name = "appRule"
     $appRule1Desc = "desc1"
@@ -70,23 +65,22 @@ function Test-AzureFirewallPolicyCRUD {
     $networkRule1Desc = "desc1"
     $networkRule1SourceAddress1 = "10.0.0.0"
     $networkRule1SourceAddress2 = "111.1.0.0/24"
-    $networkRule1DestinationAddress1 = "*"
+    $networkRule1DestinationAddress1 = "10.10.10.1"
     $networkRule1Protocol1 = "UDP"
     $networkRule1Protocol2 = "TCP"
     $networkRule1Protocol3 = "ICMP"
     $networkRule1DestinationPort1 = "90"
 
     # AzureFirewallPolicyNatRuleCollection
     $natRcName = "natRc"
-    $natRcPriority = 200
+    $natRcPriority = 100
     $natRcActionType = "Dnat"
 
     # AzureFirewallPolicyNatRule 1
     $natRule1Name = "natRule"
     $natRule1Desc = "desc1"
     $natRule1SourceAddress1 = "10.0.0.0"
     $natRule1SourceAddress2 = "111.1.0.0/24"
-    $natRule1DestinationAddress1 = "1.2.3.4"
     $natRule1Protocol1 = "UDP"
     $natRule1Protocol2 = "TCP"
     $natRule1DestinationPort1 = "90"
@@ -115,16 +109,22 @@ function Test-AzureFirewallPolicyCRUD {
         $appRule = New-AzFirewallPolicyApplicationRule -Name $appRule1Name -Description $appRule1Desc -Protocol $appRule1Protocol1, $appRule1Protocol2 -TargetFqdn $appRule1Fqdn1, $appRule1Fqdn2 -SourceAddress $appRule1SourceAddress1
         $appRule2 = New-AzFirewallPolicyApplicationRule -Name $appRule2Name -Description $appRule1Desc -Protocol $appRule2Protocol1, $appRule2Protocol2 -TargetFqdn $appRule2Fqdn1 -SourceAddress $appRule2SourceAddress1
 
-        # Create Network Rule Condition
+        # Create Network Rule
         $networkRule = New-AzFirewallPolicyNetworkRule -Name $networkRule1Name -Description $networkRule1Desc -Protocol $networkRule1Protocol1, $networkRule1Protocol2 -SourceAddress $networkRule1SourceAddress1, $networkRule1SourceAddress2 -DestinationAddress $networkRule1DestinationAddress1 -DestinationPort $networkRule1DestinationPort1
 
-        # Create Filter Rule with 2 rules
+
+        # Create Filter Rule with 2 application rules
         $appRc = New-AzFirewallPolicyFilterRuleCollection -Name $appRcName -Priority $appRcPriority -Rule $appRule, $appRule2 -ActionType $appRcActionType
-        # Create a second Filter Rule Collection with 1 rule
-        $appRc2 = New-AzFirewallPolicyFilterRuleCollection -Name $appRc2Name -Priority $appRc2Priority -Rule $networkRule -ActionType $appRc2ActionType
+
+        # Create a second Filter Rule Collection with 1 network rule
+        $appRc2 = New-AzFirewallPolicyFilterRuleCollection -Name $networkRcName -Priority $networkRcPriority -Rule $networkRule -ActionType $networkRcActionType
+
+
+        # Create NAT rule
+        $natRule = New-AzFirewallPolicyNatRule -Name $natRule1Name -Description $natRule1Desc -Protocol $natRule1Protocol1, $natRule1Protocol2 -SourceAddress $natRule1SourceAddress1, $natRule1SourceAddress2 -DestinationAddress $networkRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort
 
-        # Create a NAT rule
-        $natRc = New-AzFirewallPolicyNatRuleCollection -Name $networkRcName -Priority $natRcPriority -Rule $networkRule -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort -ActionType $natRcActionType
+        # Create a NAT Rule Collection
+        $natRc = New-AzFirewallPolicyNatRuleCollection -Name $natRcName -ActionType $natRcActionType -Priority $natRcPriority -Rule $natRule
 
         New-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -Priority 100 -RuleCollection $appRc, $appRc2, $natRc -FirewallPolicyObject $azureFirewallPolicy
 
@@ -136,24 +136,25 @@ function Test-AzureFirewallPolicyCRUD {
         # Get AzureFirewallPolicy
         $getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgName
 
-        # #verification
+        # verification
         Assert-AreEqual $rgName $getAzureFirewallPolicy.ResourceGroupName
         Assert-AreEqual $azureFirewallPolicyName $getAzureFirewallPolicy.Name
         Assert-NotNull $getAzureFirewallPolicy.Location
         Assert-AreEqual $location $getAzureFirewallPolicy.Location
         Assert-AreEqual "Deny" $getAzureFirewallPolicy.ThreatIntelMode
 
-        # # Check rule groups count
+        # Check rule groups count
         Assert-AreEqual 1 @($getAzureFirewallPolicy.RuleCollectionGroups).Count
 
         $getRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicy $getAzureFirewallPolicy
 
         Assert-AreEqual 3 @($getRg.properties.ruleCollection).Count
 
         $filterRuleCollection1 = $getRg.Properties.GetRuleCollectionByName($appRcName)
-        $natRuleCollection = $getRg.Properties.GetRuleCollectionByName($networkRcName)
+        $filterRuleCollection2 = $getRg.Properties.GetRuleCollectionByName($networkRcName)
+        $natRuleCollection = $getRg.Properties.GetRuleCollectionByName($natRcName)
 
-        # Verify filter Rule1 
+        # Verify Filter Rule Collection1 
         Assert-AreEqual $appRcName $filterRuleCollection1.Name
         Assert-AreEqual $appRcPriority $filterRuleCollection1.Priority
         Assert-AreEqual $appRcActionType $filterRuleCollection1.Action.Type
@@ -176,29 +177,50 @@ function Test-AzureFirewallPolicyCRUD {
         Assert-AreEqual $appRule1Fqdn1 $appRule.TargetFqdns[0]
         Assert-AreEqual $appRule1Fqdn2 $appRule.TargetFqdns[1]
 
-        # Verify NAT rule collection and NAT rule)
-        $natRule = $natRuleCollection.GetRuleByName($networkRcName)
+        # Verify Filter Rule Collection2 
+        Assert-AreEqual $networkRcName $filterRuleCollection2.Name
+        Assert-AreEqual $networkRcPriority $filterRuleCollection2.Priority
+        Assert-AreEqual $networkRcActionType $filterRuleCollection2.Action.Type
+        Assert-AreEqual 1 $filterRuleCollection2.Rules.Count
+
+        $networkRule = $filterRuleCollection2.GetRuleByName($networkRule1Name)
+        # Verify Network rule
+        Assert-AreEqual $networkRule1Name $networkRule.Name
+
+        Assert-AreEqual 2 $networkRule.SourceAddresses.Count
+        Assert-AreEqual $networkRule1SourceAddress1 $networkRule.SourceAddresses[0]
+        Assert-AreEqual $networkRule1SourceAddress2 $networkRule.SourceAddresses[1]
+
+        Assert-AreEqual 2 $networkRule.Protocols.Count 
+        Assert-AreEqual $networkRule1Protocol1 $networkRule.Protocols[0]
+        Assert-AreEqual $networkRule1Protocol2 $networkRule.Protocols[1]
+
+        Assert-AreEqual 1 $networkRule.DestinationPorts.Count 
+        Assert-AreEqual $networkRule1DestinationPort1 $networkRule.DestinationPorts[0]
+
+        # Verify NAT rule collection and NAT rule
+        $natRule = $natRuleCollection.GetRuleByName($natRule1Name)
 
-        Assert-AreEqual $networkRcName $natRuleCollection.Name
+        Assert-AreEqual $natRcName $natRuleCollection.Name
         Assert-AreEqual $natRcPriority $natRuleCollection.Priority
 
-        Assert-AreEqual $networkRule1Name $natRule.Name
+        Assert-AreEqual $natRule1Name $natRule.Name
 
         Assert-AreEqual 2 $natRule.SourceAddresses.Count 
         Assert-AreEqual $natRule1SourceAddress1 $natRule.SourceAddresses[0]
         Assert-AreEqual $natRule1SourceAddress2 $natRule.SourceAddresses[1]
 
-        Assert-AreEqual 1 $natRule.DestinationAddresses.Count 
+        Assert-AreEqual 1 $natRule.DestinationAddresses.Count
 
-        Assert-AreEqual 2 $natRule.Protocols.Count 
-        Assert-AreEqual $networkRule1Protocol1 $natRule.Protocols[0]
-        Assert-AreEqual $networkRule1Protocol2 $natRule.Protocols[1]
+        Assert-AreEqual 2 $natRule.Protocols.Count
+        Assert-AreEqual $natRule1Protocol1 $natRule.Protocols[0]
+        Assert-AreEqual $natRule1Protocol2 $natRule.Protocols[1]
 
-        Assert-AreEqual 1 $natRule.DestinationPorts.Count 
+        Assert-AreEqual 1 $natRule.DestinationPorts.Count
         Assert-AreEqual $natRule1DestinationPort1 $natRule.DestinationPorts[0]
 
-        Assert-AreEqual $natRule1TranslatedAddress $natRuleCollection.TranslatedAddress
-        Assert-AreEqual $natRule1TranslatedPort $natRuleCollection.TranslatedPort
+        Assert-AreEqual $natRule1TranslatedAddress $natRule.TranslatedAddress
+        Assert-AreEqual $natRule1TranslatedPort $natRule.TranslatedPort
 
 
         $testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
@@ -208,7 +230,7 @@ function Test-AzureFirewallPolicyCRUD {
 
         $azureFirewallPolicyAsJob = New-AzFirewallPolicy -Name $azureFirewallPolicyAsJobName -ResourceGroupName $rgname -Location $location -AsJob
         $result = $azureFirewallPolicyAsJob | Wait-Job
-        Assert-AreEqual "Completed" $result.State;
+        Assert-AreEqual "Completed" $result.State
     }
     finally {
         # Cleanup