[AzureFirewall] NAT and FQDN Tags

src/ResourceManager/Network/Commands.Network/Az.Network.psd1

@@ -384,6 +384,8 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
     'Remove-AzFirewall',
     'New-AzFirewallApplicationRuleCollection',
     'New-AzFirewallApplicationRule',
+    'New-AzFirewallNatRuleCollection',
+    'New-AzFirewallNatRule',
     'New-AzFirewallNetworkRuleCollection',
     'New-AzFirewallNetworkRule',
     'Get-AzInterfaceEndpoint' 

src/ResourceManager/Network/Commands.Network/AzureFirewall/ApplicationRule/AzureFirewallApplicationRuleParameterSets.cs

@@ -0,0 +1,23 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+namespace Microsoft.Azure.Commands.Network
+{
+    public static class AzureFirewallApplicationRuleParameterSets
+    {
+        public const string TargetFqdn = @"TargetFqdn";
+
+        public const string FqdnTag = @"FqdnTag";
+    }
+}

src/ResourceManager/Network/Commands.Network/AzureFirewall/ApplicationRule/NewAzureFirewallApplicationRuleCommand.cs

@@ -16,17 +16,20 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Management.Automation;
-using System.Text.RegularExpressions;
 using Microsoft.Azure.Commands.Network.Models;
-using MNM = Microsoft.Azure.Management.Network.Models;
 
 namespace Microsoft.Azure.Commands.Network
 {
-    [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallApplicationRule", SupportsShouldProcess = true), OutputType(typeof(PSAzureFirewallApplicationRule))]
+    [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallApplicationRule", SupportsShouldProcess = true, DefaultParameterSetName = AzureFirewallApplicationRuleParameterSets.TargetFqdn), OutputType(typeof(PSAzureFirewallApplicationRule))]
     public class NewAzureFirewallApplicationRuleCommand : NetworkBaseCmdlet
     {
         [Parameter(
             Mandatory = true,
+            ParameterSetName = AzureFirewallApplicationRuleParameterSets.TargetFqdn,
+            HelpMessage = "The name of the Application Rule")]
+        [Parameter(
+            Mandatory = true,
+            ParameterSetName = AzureFirewallApplicationRuleParameterSets.FqdnTag,
             HelpMessage = "The name of the Application Rule")]
         [ValidateNotNullOrEmpty]
         public virtual string Name { get; set; }
@@ -45,20 +48,35 @@ public class NewAzureFirewallApplicationRuleCommand : NetworkBaseCmdlet
 
         [Parameter(
             Mandatory = true,
+            ParameterSetName = AzureFirewallApplicationRuleParameterSets.TargetFqdn,
             HelpMessage = "The target FQDNs of the rule")]
         [ValidateNotNullOrEmpty]
         public List<string> TargetFqdn { get; set; }
 
         [Parameter(
             Mandatory = true,
+            ParameterSetName = AzureFirewallApplicationRuleParameterSets.FqdnTag,
+            HelpMessage = "The FQDN Tags of the rule")]
+        [ValidateNotNullOrEmpty]
+        public List<string> FqdnTag { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            ParameterSetName = AzureFirewallApplicationRuleParameterSets.TargetFqdn,
             HelpMessage = "The protocols of the rule")]
         [ValidateNotNullOrEmpty]
         public List<string> Protocol { get; set; }
-        
+
         public override void Execute()
         {
             base.Execute();
-
+
+            if (FqdnTag != null)
+            {
+                this.Protocol = new List<string> { "http", "https" };
+                FqdnTag = AzureFirewallFqdnTagHelper.MapUserInputToAllowedFqdnTags(FqdnTag);
+            }
+
             var protocolsAsWeExpectThem = MapUserProtocolsToFirewallProtocols(Protocol);
 
             var applicationRule = new PSAzureFirewallApplicationRule
@@ -67,63 +85,15 @@ public override void Execute()
                 Description = this.Description,
                 SourceAddresses = this.SourceAddress,
                 Protocols = protocolsAsWeExpectThem,
-                TargetFqdns = this.TargetFqdn
+                TargetFqdns = this.TargetFqdn,
+                FqdnTags = this.FqdnTag
             };
             WriteObject(applicationRule);
         }
 
         private List<PSAzureFirewallApplicationRuleProtocol> MapUserProtocolsToFirewallProtocols(List<string> userProtocols)
         {
-            var protocolRegEx = new Regex("^[hH][tT][tT][pP][sS]?(:[1-9][0-9]*)?$");
-
-            var supportedProtocolsAndTheirDefaultPorts = new List<PSAzureFirewallApplicationRuleProtocol>
-            {
-                new PSAzureFirewallApplicationRuleProtocol { ProtocolType = MNM.AzureFirewallApplicationRuleProtocolType.Http, Port = 80 },
-                new PSAzureFirewallApplicationRuleProtocol { ProtocolType = MNM.AzureFirewallApplicationRuleProtocolType.Https, Port = 443 }
-            };
-
-            // User can pass "http", "HTtP" or "hTTp:8080"
-            var protocolsAsWeExpectThem = this.Protocol.Select(userText =>
-            {
-                //The actual validation is performed in NRP. Here we are just trying to map user info to our model
-                if (!protocolRegEx.IsMatch(userText))
-                {
-                    throw new ArgumentException($"Invalid protocol {userText}");
-                }
-
-                var userParts = userText.Split(':');
-                var userProtocolText = userParts[0];
-                var userPortText = userParts.Length == 2 ? userParts[1] : null;
-
-                PSAzureFirewallApplicationRuleProtocol supportedProtocol;
-                try
-                {
-                    supportedProtocol = supportedProtocolsAndTheirDefaultPorts.Single(protocol => protocol.ProtocolType.Equals(userProtocolText, StringComparison.InvariantCultureIgnoreCase));
-                }
-                catch
-                {
-                    throw new ArgumentException($"Unsupported protocol {userProtocolText}. Supported protocols are {string.Join(", ", supportedProtocolsAndTheirDefaultPorts.Select(proto => proto.ProtocolType))}", nameof(Protocol));
-                }
-
-                uint port;
-                if (userPortText == null)
-                {
-                    // Use default port for this protocol
-                    port = supportedProtocol.Port;
-                }
-                else if (!uint.TryParse(userPortText, out port))
-                {
-                    throw new ArgumentException($"Invalid port {userText}", nameof(Protocol));
-                }
-
-                return new PSAzureFirewallApplicationRuleProtocol
-                {
-                    ProtocolType = supportedProtocol.ProtocolType,
-                    Port = port
-                };
-            }).ToList();
-
-            return protocolsAsWeExpectThem;
+            return userProtocols.Select(PSAzureFirewallApplicationRuleProtocol.MapUserInputToApplicationRuleProtocol).ToList();
         }
     }
 }

src/ResourceManager/Network/Commands.Network/AzureFirewall/AzureFirewallNetworkRuleProtocolHelper.cs

@@ -0,0 +1,48 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using MNM = Microsoft.Azure.Management.Network.Models;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    public static class AzureFirewallNetworkRuleProtocolHelper
+    {
+        private static readonly IDictionary<string, string> SupportedNetworkProtocols = new Dictionary<string, string>
+        {
+            { MNM.AzureFirewallNetworkRuleProtocol.Any.ToUpper(), MNM.AzureFirewallNetworkRuleProtocol.Any },
+            { MNM.AzureFirewallNetworkRuleProtocol.TCP.ToUpper(), MNM.AzureFirewallNetworkRuleProtocol.TCP },
+            { MNM.AzureFirewallNetworkRuleProtocol.UDP.ToUpper(), MNM.AzureFirewallNetworkRuleProtocol.UDP },
+        };
+
+        internal static string MapUserInputToNetworkProtocol(string protocolType)
+        {
+            if (protocolType == null)
+            {
+                throw new ArgumentException("A protocol must be provided", nameof(protocolType));
+            }
+
+            var userInputKey = protocolType.ToUpper();
+            if (!SupportedNetworkProtocols.ContainsKey(userInputKey))
+            {
+                throw new ArgumentException(
+                    $"Invalid protocol {protocolType}. Accepted values are {string.Join(", ", SupportedNetworkProtocols.Values)}.",
+                    nameof(protocolType));
+            }
+
+            return SupportedNetworkProtocols[userInputKey];
+        }
+    }
+}

src/ResourceManager/Network/Commands.Network/AzureFirewall/NatRule/NewAzureFirewallNatRuleCommand.cs

@@ -0,0 +1,137 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management.Automation;
+using System.Text.RegularExpressions;
+using Microsoft.Azure.Commands.Network.Models;
+using MNM = Microsoft.Azure.Management.Network.Models;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallNatRule", SupportsShouldProcess = true), OutputType(typeof(PSAzureFirewallNatRule))]
+    public class NewAzureFirewallNatRuleCommand : NetworkBaseCmdlet
+    {
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The name of the NAT Rule")]
+        [ValidateNotNullOrEmpty]
+        public virtual string Name { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The description of the rule")]
+        [ValidateNotNullOrEmpty]
+        public string Description { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The source addresses of the rule")]
+        [ValidateNotNullOrEmpty]
+        public List<string> SourceAddress { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The destination addresses of the rule")]
+        [ValidateNotNullOrEmpty]
+        public List<string> DestinationAddress { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The destination ports of the rule")]
+        [ValidateNotNullOrEmpty]
+        public List<string> DestinationPort { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The protocols of the rule")]
+        [ValidateSet(
+            MNM.AzureFirewallNetworkRuleProtocol.Any,
+            MNM.AzureFirewallNetworkRuleProtocol.TCP,
+            MNM.AzureFirewallNetworkRuleProtocol.UDP,
+            IgnoreCase = false)]
+        public List<string> Protocol { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The translated address for this NAT rule")]
+        [ValidateNotNullOrEmpty]
+        public string TranslatedAddress { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The translated port for this NAT rule")]
+        [ValidateNotNullOrEmpty]
+        public string TranslatedPort { get; set; }
+
+        public override void Execute()
+        {
+            base.Execute();
+
+            // Add some validation based on the type of RuleCollection (SNAT will be supported later)
+            // if (MNM.AzureFirewallNatRCActionType.Dnat.Equals(ActionType))
+            {
+                if (DestinationAddress.Count != 1)
+                {
+                    throw new ArgumentException("Only one destination address is accepted.", nameof(DestinationAddress));
+                }
+
+                if (DestinationPort.Count != 1)
+                {
+                    throw new ArgumentException("Only one destination port is accepted.", nameof(DestinationPort));
+                }
+
+                ValidateIsSingleIpNotRange(DestinationAddress.Single());
+                ValidateIsSingleIpNotRange(TranslatedAddress);
+
+                ValidateIsSinglePortNotRange(DestinationPort.Single());
+                ValidateIsSinglePortNotRange(TranslatedPort);
+            }
+
+            var networkRule = new PSAzureFirewallNatRule
+            {
+                Name = this.Name,
+                Description = this.Description,
+                Protocols = this.Protocol,
+                SourceAddresses = this.SourceAddress,
+                DestinationAddresses = this.DestinationAddress,
+                DestinationPorts = this.DestinationPort,
+                TranslatedAddress = this.TranslatedAddress,
+                TranslatedPort = this.TranslatedPort
+            };
+            WriteObject(networkRule);
+        }
+
+        private void ValidateIsSingleIpNotRange(string ipStr)
+        {
+            var singleIpRegEx = new Regex("^((\\d){1,3}\\.){3}((\\d){1,3})$");
+
+            if (!singleIpRegEx.IsMatch(ipStr))
+            {
+                throw new ArgumentException($"Invalid value {ipStr}. Only a single IPv4 value is accepted (e.g. 10.1.2.3).");
+            }
+        }
+
+        private void ValidateIsSinglePortNotRange(string portStr)
+        {
+            uint parsed;
+            if (!uint.TryParse(portStr, out parsed))
+            {
+                throw new ArgumentException($"Invalid value {portStr}. Only a single port value is accepted (e.g. 8080).");
+            }
+        }
+    }
+}