Validations for Snat private ranges and route server id - Azure Firewall and Azure Firewall Policy (Azure#22108)

* update to the snat command

* clean up

* adding validation for route server id on hub firewalls

* scenario test for hub firewall with route server id

* clean up

* revert the bad changes

* Test for empty private range with auto learn

* test recordings

Author: saisujithreddym

src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.ps1

@@ -1778,6 +1778,7 @@ function Test-AzureFirewallSnat {
     $vnetName = Get-ResourceName
     $privateRange = @("3.3.0.0/24", "98.0.0.0/8","10.227.16.0/20")
     $privateRange2 = @("0.0.0.0/0", "66.92.0.0/16")
+    $emptyPrivateRange = @()
 
     try {
 
@@ -1801,7 +1802,7 @@ function Test-AzureFirewallSnat {
         Assert-AreEqualArray $privateRange $getAzureFirewallPolicy.Snat.PrivateRanges
         Assert-AreEqual "Enabled" $getAzureFirewallPolicy.Snat.AutoLearnPrivateRanges
 
-        # Modify
+         # Modify
         $snat = New-AzFirewallPolicySnat -PrivateRange $privateRange2
         # Set AzureFirewallPolicy
         $azureFirewallPolicy.Snat = $snat
@@ -1811,6 +1812,13 @@ function Test-AzureFirewallSnat {
         Assert-NotNull $policy.Snat
         Assert-AreEqualArray $privateRange2 $policy.Snat.PrivateRanges
         Assert-AreEqual "Disabled" $policy.Snat.AutoLearnPrivateRanges
+
+          # Modify
+        $snat = New-AzFirewallPolicySnat -AutoLearnPrivateRange
+        Assert-AreEqual $emptyPrivateRange $snat.PrivateRanges
+        Assert-NotNull $snat.PrivateRanges
+        Assert-AreEqual $snat.PrivateRanges.count 0
+     
     }
     finally {
         # Cleanup

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs

@@ -186,6 +186,14 @@ public void TestAzureFirewallCRUDRouteServerId()
             TestRunner.RunTestScript("Test-AzureFirewallCRUDRouteServerId");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallCRUDRouteServerIdHub()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallCRUDRouteServerIdHub");
+        }
+
         [Fact(Skip = "Skipped due to LearnedIpPrefixes feature not available in most regions")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -2056,6 +2056,31 @@ function Test-AzureFirewallCRUDRouteServerId {
     }
 }
 
+<#
+.SYNOPSIS
+Tests AzureFirewall RouteServerId on Hub Firewall
+#>
+function Test-AzureFirewallCRUDRouteServerIdHub {
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent
+    $skuName = "AZFW_Hub"
+    $skuTier = "Standard"
+    $routeServerId="/subscriptions/aeb5b02a-0f18-45a4-86d6-81808115cacf/resourceGroups/testRG/providers/Microsoft.Network/virtualHubs/TestRS"
+
+    try {
+
+         Assert-ThrowsContains { New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -SkuName $skuName -SkuTier $skuTier -RouteServerId $routeServerId } "The Route Server is not supported on AZFW_Hub SKU Firewalls"
+
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
 <#
 .SYNOPSIS
 Tests  Get Azure Firewall LearnedPrefixes

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallPolicyTests/TestAzureFirewallSnat.json

@@ -313,6 +313,11 @@ private PSAzureFirewall CreateAzureFirewall()
                     throw new ArgumentException("The list of public Ip addresses cannot be provided during the firewall creation");
                 }
 
+                if(this.RouteServerId != null)
+                {
+                    throw new ArgumentException("The Route Server is not supported on AZFW_Hub SKU Firewalls");
+                }
+
                 firewall = new PSAzureFirewall()
                 {
                     Name = this.Name,

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDRouteServerIdHub.json

@@ -36,6 +36,11 @@ public override void Execute()
         {
             base.Execute();
 
+            if(this.AutoLearnPrivateRange.IsPresent && this.PrivateRange == null)
+            {
+                this.PrivateRange = new string[] {};
+            }
+
             var firewallPolicySNAT = new PSAzureFirewallPolicySNAT
             {
                 AutoLearnPrivateRanges = this.AutoLearnPrivateRange.IsPresent ? "Enabled" : "Disabled",