Azure · vidai-msft · Jun 21, 2023 · Jun 13, 2023 · Jun 19, 2023 · Jun 19, 2023
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.ps1
@@ -1778,6 +1778,7 @@ function Test-AzureFirewallSnat {
     $vnetName = Get-ResourceName
     $privateRange = @("3.3.0.0/24", "98.0.0.0/8","10.227.16.0/20")
     $privateRange2 = @("0.0.0.0/0", "66.92.0.0/16")
+    $emptyPrivateRange = @()
 
     try {
 
@@ -1802,7 +1803,7 @@ function Test-AzureFirewallSnat {
         Assert-AreEqualArray $privateRange $getAzureFirewallPolicy.Snat.PrivateRanges
         Assert-AreEqual "Enabled" $getAzureFirewallPolicy.Snat.AutoLearnPrivateRanges
 
-        # Modify
+         # Modify
         $snat = New-AzFirewallPolicySnat -PrivateRange $privateRange2
         # Set AzureFirewallPolicy
         $azureFirewallPolicy.Snat = $snat
@@ -1812,6 +1813,13 @@ function Test-AzureFirewallSnat {
         Assert-NotNull $policy.Snat
         Assert-AreEqualArray $privateRange2 $policy.Snat.PrivateRanges
         Assert-AreEqual "Disabled" $policy.Snat.AutoLearnPrivateRanges
+
+          # Modify
+        $snat = New-AzFirewallPolicySnat -AutoLearnPrivateRange
+        Assert-AreEqual $emptyPrivateRange $snat.PrivateRanges
+        Assert-NotNull $snat.PrivateRanges
+        Assert-AreEqual $snat.PrivateRanges.count 0
+
     }
     finally {
         # Cleanup

diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
@@ -186,6 +186,14 @@ public void TestAzureFirewallCRUDRouteServerId()
             TestRunner.RunTestScript("Test-AzureFirewallCRUDRouteServerId");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallCRUDRouteServerIdHub()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallCRUDRouteServerIdHub");
+        }
+
         [Fact(Skip = "Skipped due to LearnedIpPrefixes feature not available in most regions")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]

diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
@@ -2056,6 +2056,31 @@ function Test-AzureFirewallCRUDRouteServerId {
     }
 }
 
+<#
+.SYNOPSIS
+Tests AzureFirewall RouteServerId on Hub Firewall
+#>
+function Test-AzureFirewallCRUDRouteServerIdHub {
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent
+    $skuName = "AZFW_Hub"
+    $skuTier = "Standard"
+    $routeServerId="/subscriptions/aeb5b02a-0f18-45a4-86d6-81808115cacf/resourceGroups/testRG/providers/Microsoft.Network/virtualHubs/TestRS"
+
+    try {
+
+         Assert-ThrowsContains { New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -SkuName $skuName -SkuTier $skuTier -RouteServerId $routeServerId } "The Route Server is not supported on AZFW_Hub SKU Firewalls"
+
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
 <#
 .SYNOPSIS
 Tests  Get Azure Firewall LearnedPrefixes

diff --git a/...s/Commands.Network.Test.ScenarioTests.AzureFirewallPolicyTests/TestAzureFirewallSnat.json b/...s/Commands.Network.Test.ScenarioTests.AzureFirewallPolicyTests/TestAzureFirewallSnat.json
diff --git a/....Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDRouteServerIdHub.json b/....Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDRouteServerIdHub.json
diff --git a/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs b/src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
@@ -313,6 +313,11 @@ private PSAzureFirewall CreateAzureFirewall()
                     throw new ArgumentException("The list of public Ip addresses cannot be provided during the firewall creation");
                 }
 
+                if(this.RouteServerId != null)
+                {
+                    throw new ArgumentException("The Route Server is not supported on AZFW_Hub SKU Firewalls");
+                }
+
                 firewall = new PSAzureFirewall()
                 {
                     Name = this.Name,

diff --git a/src/Network/Network/AzureFirewallPolicy/Snat/NewAzureFirewallPolicySNATCommand.cs b/src/Network/Network/AzureFirewallPolicy/Snat/NewAzureFirewallPolicySNATCommand.cs
@@ -36,6 +36,11 @@ public override void Execute()
         {
             base.Execute();
 
+            if(this.AutoLearnPrivateRange.IsPresent && this.PrivateRange == null)
+            {
+                this.PrivateRange = new string[] {};
+            }
+
             var firewallPolicySNAT = new PSAzureFirewallPolicySNAT
             {
                 AutoLearnPrivateRanges = this.AutoLearnPrivateRange.IsPresent ? "Enabled" : "Disabled",