Merge pull request Azure#11067 from iatodoro/azfw_forcetun_fix

Bug fixes for Azure Firewall

Author: iatodoro

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -998,7 +998,7 @@ function Test-AzureFirewallCRUDwithManagementIpConfig {
     $rgname = Get-ResourceGroupName
     $azureFirewallName = Get-ResourceName
     $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
-    $location = Get-ProviderLocation $resourceTypeParent "centraluseuap"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
 
     $vnetName = Get-ResourceName
     $subnetName = "AzureFirewallSubnet"
@@ -1056,21 +1056,14 @@ function Test-AzureFirewallCRUDwithManagementIpConfig {
         Assert-ThrowsContains { $getAzureFirewall.AddPublicIpAddress("ABCD") } "Cannot convert argument"
         Assert-ThrowsContains { $getAzureFirewall.AddPublicIpAddress($publicip1) } "already attached to firewall"
 
-		# Test handling of incorrect values when setting management IP configuration
-		Assert-ThrowsContains { $getAzureFirewall.SetManagementIpConfiguration() } "Cannot find an overload"
-		Assert-ThrowsContains { $getAzureFirewall.SetManagementIpConfiguration($null) } "Cannot find an overload"
-		Assert-ThrowsContains { $getAzureFirewall.SetManagementIpConfiguration($null, $mgmtPublicIp) } "Virtual Network cannot be null"
-		Assert-ThrowsContains { $getAzureFirewall.SetManagementIpConfiguration("ABCD", "ABCDE") } "Cannot convert argument"
-
-
         # Test handling of incorrect values when removing public IP Address
         Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress() } "Cannot find an overload"
         Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress($null) } "Public IP Address cannot be null"
         Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress("ABCD") } "Cannot convert argument"
         Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress($mgmtPublicIp) } "not attached to firewall"
 
-        # Change management public IP address
-        $getAzureFirewall.SetManagementIpConfiguration($vnet, $mgmtPublicIp2)
+        # Change Management PIP
+        $getAzureFirewall.ManagementIpConfiguration.PublicIpAddress = $mgmtPublicIp2
 
         # Set AzureFirewall
         Set-AzFirewall -AzureFirewall $getAzureFirewall

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDwithManagementIpConfig.json

@@ -184,9 +184,11 @@ public void AddPublicIpAddress(PSPublicIpAddress publicIpAddress)
                 throw new ArgumentNullException(nameof(publicIpAddress), "Public IP Address cannot be null!");
             }
 
+            PSAzureFirewallIpConfiguration conflictingIpConfig = null;
+
             if (this.IpConfigurations.Count > 0)
             {
-                var conflictingIpConfig = this.IpConfigurations.SingleOrDefault
+                conflictingIpConfig = this.IpConfigurations.SingleOrDefault
                     (ipConfig => string.Equals(ipConfig.PublicIpAddress?.Id, publicIpAddress.Id, System.StringComparison.CurrentCultureIgnoreCase));
 
                 if (conflictingIpConfig != null)
@@ -199,44 +201,26 @@ public void AddPublicIpAddress(PSPublicIpAddress publicIpAddress)
                 throw new InvalidOperationException($"Please invoke {nameof(Allocate)} to attach the firewall to a Virtual Network");
             }
 
+            var i = 0;
+            conflictingIpConfig = null;
+            var newIpConfigName = "";
+
+            do
+            {
+                newIpConfigName = $"{AzureFirewallIpConfigurationName}{this.IpConfigurations.Count + i}";
+                conflictingIpConfig = this.IpConfigurations.SingleOrDefault
+                    (ipConfig => string.Equals(ipConfig.Name, newIpConfigName, System.StringComparison.CurrentCultureIgnoreCase));
+                i++;
+            } while (conflictingIpConfig != null);
+
             this.IpConfigurations.Add(
                 new PSAzureFirewallIpConfiguration
                 {
-                    Name = $"{AzureFirewallIpConfigurationName}{this.IpConfigurations.Count}",
+                    Name = newIpConfigName,
                     PublicIpAddress = new PSResourceId { Id = publicIpAddress.Id }
                 });
         }
 
-        public void SetManagementIpConfiguration(PSVirtualNetwork virtualNetwork, PSPublicIpAddress publicIpAddress)
-        {
-            if (publicIpAddress == null)
-            {
-                throw new ArgumentNullException(nameof(publicIpAddress), "Public IP Address cannot be null!");
-            }
-
-            if (virtualNetwork == null)
-            {
-                throw new ArgumentNullException(nameof(virtualNetwork), "Virtual Network cannot be null!");
-            }
-
-            PSSubnet subnet = null;
-            try
-            {
-                subnet = virtualNetwork.Subnets.Single(mgmtSubnet => AzureFirewallMgmtSubnetName.Equals(mgmtSubnet.Name));
-            }
-            catch (InvalidOperationException)
-            {
-                throw new ArgumentException($"Virtual Network {virtualNetwork.Name} should contain a Subnet named {AzureFirewallMgmtSubnetName}");
-            }
-            
-            this.ManagementIpConfiguration = new PSAzureFirewallIpConfiguration
-            {
-                Name = AzureFirewallMgmtIpConfigurationName,
-                PublicIpAddress = new PSResourceId { Id = publicIpAddress.Id },
-                Subnet = new PSResourceId { Id = subnet.Id }
-            };
-        }
-
         public void RemovePublicIpAddress(PSPublicIpAddress publicIpAddress)
         {
             if (publicIpAddress == null)
@@ -252,6 +236,11 @@ public void RemovePublicIpAddress(PSPublicIpAddress publicIpAddress)
                 throw new ArgumentException($"Public IP Address {publicIpAddress.Id} is not attached to firewall {this.Name}");
             }
 
+            if (this.IpConfigurations.Count > 1 && ipConfigToRemove.Subnet != null)
+            {
+                throw new InvalidOperationException($"Cannot remove IpConfiguration {ipConfigToRemove.Name} because it references subnet {ipConfigToRemove.Subnet.Id}. Move the subnet reference to another IpConfiguration and try again.");
+            }
+
             if (this.IpConfigurations.Count == 1)
             {
                 Console.ForegroundColor = ConsoleColor.Yellow;

src/Network/Network/Models/AzureFirewall/PSAzureFirewall.cs

@@ -25,13 +25,11 @@ The **New-AzIpGroup** cmdlet creates an Azure IpGroup
 
 ### Example 1
 ```powershell
-$ipGroup = '/subscriptions/8c992d64-fce9-426d-b278-85642dfeab03/resourceGroups/ipGroupRG/providers/Microsoft.Network/virtualNetworkGateways/erGateway'
 New-AzIpGroup -Name ipGroup -ResourceGroupName ipGroupRG -Location 'West US'
 ```
 
 ### Example 2
 ```powershell
-$ipGroup = '/subscriptions/8c992d64-fce9-426d-b278-85642dfeab03/resourceGroups/ipGroupRG/providers/Microsoft.Network/virtualNetworkGateways/erGateway'
 New-AzIpGroup -Name ipGroup -ResourceGroupName ipGroupRG -Location 'West US' -IpAddress 10.0.0.0/24,11.9.0.0/24
 ```
 

src/Network/Network/help/New-AzIpGroup.md

@@ -73,14 +73,23 @@ $pip = Get-AzPublicIpAddress - ResourceGroupName rgName -Name publicIpName
 $firewall.Allocate($vnet, $pip)
 $firewall | Set-AzFirewall
 ```
-
 This example retrieves a Firewall, deallocates the firewall, and saves it. The Deallocate command removes the running 
 service but preserves the firewall's configuration. For changes to be reflected in cloud, Set-AzFirewall must be called.
 If user wants to start the service again, the Allocate method should be called on the firewall.
 The new VNet and Public IP must be in the same resource group as the Firewall. Again, for changes to be reflected in cloud,
 Set-AzFirewall must be called.
 
-### 5:	Add a Public IP address to an Azure Firewall
+### 5: Allocate with a management public IP address for forced tunneling scenarios
+```
+$vnet = Get-AzVirtualNetwork -ResourceGroupName rgName -Name anotherVNetName
+$pip = Get-AzPublicIpAddress - ResourceGroupName rgName -Name publicIpName
+$mgmtPip = Get-AzPublicIpAddress - ResourceGroupName rgName -Name MgmtPublicIpName
+$firewall.Allocate($vnet, $pip, $mgmtPip)
+$firewall | Set-AzFirewall
+```
+This example allocates the firewall with a management public IP address and subnet for forced tunneling scenarios. The VNet must contain a subnet called "AzureFirewallManagementSubnet".
+
+### 6:	Add a Public IP address to an Azure Firewall
 ```
 $pip = New-AzPublicIpAddress -Name "azFwPublicIp1" -ResourceGroupName "rg" -Sku "Standard" -Location "centralus" -AllocationMethod Static
 $azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
@@ -91,7 +100,7 @@ $azFw | Set-AzFirewall
 
 In this example, the Public IP Address "azFwPublicIp1" as attached to the Firewall.
 
-### 6:	Remove a Public IP address from an Azure Firewall
+### 7:	Remove a Public IP address from an Azure Firewall
 ```
 $pip = Get-AzPublicIpAddress -Name "azFwPublicIp1" -ResourceGroupName "rg"
 $azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
@@ -102,18 +111,16 @@ $azFw | Set-AzFirewall
 
 In this example, the Public IP Address "azFwPublicIp1" as detached from the Firewall.
 
-### 7:	Set management subnet and public IP address on an Azure Firewall
+### 8:	Change the management public IP address on an Azure Firewall
 ```
-$mgmtPip = Get-AzPublicIpAddress -Name "managementPublicIp1" -ResourceGroupName "rg"
-$vnet = Get-AzVirtualNetwork -ResourceGroupName "rg" -Name anotherVNetName
+$newMgmtPip = New-AzPublicIpAddress -Name "azFwMgmtPublicIp2" -ResourceGroupName "rg" -Sku "Standard" -Location "centralus" -AllocationMethod Static
 $azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
-$azFw.SetManagementIpConfiguration($vnet, $mgmtPip)
+$azFw.ManagementIpConfiguration.PublicIpAddress = $newMgmtPip
 
 $azFw | Set-AzFirewall
 ```
 
-In this example, the subnet "AzureFirewallManagementSubnet" and the Public IP address ""managementPublicIp1" will be attached to the firewall.
-For forced tunneling scenarios, this subnet and IP address will be used by the firewall for management traffic.
+In this example, the management public IP address of the firewall will be changed to "AzFwMgmtPublicIp2"
 
 
 ## PARAMETERS