markcowl
diff --git a/‎src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
Lines changed: 8 additions & 0 deletions b/‎src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
Lines changed: 166 additions & 5 deletions b/‎src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
Lines changed: 166 additions & 5 deletions
diff --git a/‎src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallPIPAndVNETObjectTypeParams.json
Lines changed: 22295 additions & 0 deletions b/‎src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallPIPAndVNETObjectTypeParams.json
Lines changed: 22295 additions & 0 deletions
diff --git a/‎src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
Lines changed: 52 additions & 10 deletions b/‎src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs
Lines changed: 52 additions & 10 deletions
diff --git a/‎src/Network/Network/ChangeLog.md
Lines changed: 7 additions & 0 deletions b/‎src/Network/Network/ChangeLog.md
Lines changed: 7 additions & 0 deletions
@@ -42,6 +42,14 @@ public void TestAzureFirewallCRUDWithZones()
             TestRunner.RunTestScript("Test-AzureFirewallCRUDWithZones");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallPIPAndVNETObjectTypeParams()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallPIPAndVNETObjectTypeParams");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
 
@@ -98,6 +98,8 @@ function Test-AzureFirewallCRUD
         # Create the Virtual Network
         $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
         $vnet = New-AzvirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+        # Get full subnet details
+        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
 
         # Create public ip
         $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard
@@ -119,6 +121,8 @@ function Test-AzureFirewallCRUD
         Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id
         Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
         Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress
+        Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-AreEqual $publicip.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
         Assert-AreEqual 0 @($getAzureFirewall.ApplicationRuleCollections).Count
         Assert-AreEqual 0 @($getAzureFirewall.NatRuleCollections).Count
         Assert-AreEqual 0 @($getAzureFirewall.NetworkRuleCollections).Count
@@ -204,8 +208,8 @@ function Test-AzureFirewallCRUD
         # Add NetworkRuleCollections to the Firewall using method AddNetworkRuleCollection
         $azureFirewall.AddNetworkRuleCollection($netRc)
 
-		# Update ThreatIntel mode
-		$azureFirewall.ThreatIntelMode = "Deny"
+        # Update ThreatIntel mode
+        $azureFirewall.ThreatIntelMode = "Deny"
 
         # Set AzureFirewall
         Set-AzFirewall -AzureFirewall $azureFirewall
@@ -220,7 +224,7 @@ function Test-AzureFirewallCRUD
         Assert-NotNull $getAzureFirewall.Location
         Assert-AreEqual $location $getAzureFirewall.Location
         Assert-NotNull $getAzureFirewall.Etag
-		Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode
+        Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode
 
         Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
         Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id
@@ -456,7 +460,7 @@ function Test-AzureFirewallCRUDWithZones
     {
         # Create the resource group
         $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
-        
+
         # Create the Virtual Network
         $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
         $vnet = New-AzvirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
@@ -660,7 +664,7 @@ function Test-AzureFirewallCRUDWithZones
         Assert-AreEqual $appRule1ProtocolType2 $appRule.Protocols[1].ProtocolType
         Assert-AreEqual $appRule1Port1 $appRule.Protocols[0].Port
         Assert-AreEqual $appRule1Port2 $appRule.Protocols[1].Port
-        
+
         Assert-AreEqual 2 $appRule.TargetFqdns.Count 
         Assert-AreEqual $appRule1Fqdn1 $appRule.TargetFqdns[0]
         Assert-AreEqual $appRule1Fqdn2 $appRule.TargetFqdns[1]
@@ -739,6 +743,163 @@ function Test-AzureFirewallCRUDWithZones
     }
 }
 
+<#
+.SYNOPSIS
+Tests AzureFirewall with new style params for VNET and Public IPs - objects instead of strings
+#>
+function Test-AzureFirewallPIPAndVNETObjectTypeParams
+{
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+    $publicIp1Name = Get-ResourceName
+    $publicIp2Name = Get-ResourceName
+
+    try 
+    {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzvirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+        # Get full subnet details
+        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
+
+        # Create public ips
+        $publicip1 = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIp1Name -location $location -AllocationMethod Static -Sku Standard
+        $publicip2 = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIp2Name -location $location -AllocationMethod Static -Sku Standard
+
+        # Create AzureFirewall with a single public IP address
+        $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -PublicIpAddress $publicip1
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+
+        #verification
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location
+        Assert-NotNull $getAzureFirewall.Etag
+        Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+        Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress
+        Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-AreEqual $publicip1.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+
+        # Test handling of incorrect values when adding public IP address
+        Assert-ThrowsContains { $getAzureFirewall.AddPublicIpAddress() } "Cannot find an overload"
+        Assert-ThrowsContains { $getAzureFirewall.AddPublicIpAddress($null) } "Public IP Address cannot be null"
+        Assert-ThrowsContains { $getAzureFirewall.AddPublicIpAddress("ABCD") } "Cannot convert argument"
+        Assert-ThrowsContains { $getAzureFirewall.AddPublicIpAddress($publicip1) } "already attached to firewall"
+
+        # Test handling of incorrect values when removing public IP Address
+        Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress() } "Cannot find an overload"
+        Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress($null) } "Public IP Address cannot be null"
+        Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress("ABCD") } "Cannot convert argument"
+        Assert-ThrowsContains { $getAzureFirewall.RemovePublicIpAddress($publicip2) } "not attached to firewall"
+
+        # Add second public IP Address
+        $getAzureFirewall.AddPublicIpAddress($publicip2)
+
+        # Set AzureFirewall
+        Set-AzFirewall -AzureFirewall $getAzureFirewall
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName
+        $azureFirewallIpConfiguration = $getAzureFirewall.IpConfigurations
+
+        #verification
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual $location $getAzureFirewall.Location
+        Assert-NotNull $getAzureFirewall.Etag
+
+        Assert-AreEqual 2 @($getAzureFirewall.IpConfigurations).Count
+        Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id
+        Assert-NotNull $azureFirewallIpConfiguration[0].PublicIpAddress.Id
+        Assert-NotNull $azureFirewallIpConfiguration[0].PrivateIpAddress
+        Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-AreEqual $publicip1.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+        Assert-AreEqual $publicip2.Id $getAzureFirewall.IpConfigurations[1].PublicIpAddress.Id
+
+        # Remove second public IP address
+        $getAzureFirewall.RemovePublicIpAddress($publicip2)
+
+        # Set AzureFirewall
+        Set-AzFirewall -AzureFirewall $getAzureFirewall
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName
+        $azureFirewallIpConfiguration = $getAzureFirewall.IpConfigurations
+
+        #verification
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual $location $getAzureFirewall.Location
+        Assert-NotNull $getAzureFirewall.Etag
+
+        Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
+        Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id
+        Assert-NotNull $azureFirewallIpConfiguration[0].PublicIpAddress.Id
+        Assert-NotNull $azureFirewallIpConfiguration[0].PrivateIpAddress
+        Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-AreEqual $publicip1.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+
+        # Delete AzureFirewall
+        $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
+        Assert-AreEqual true $delete
+
+        # Create AzureFirewall with Two Public IP addresses
+        $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -PublicIpAddress @($publicip1, $publicip2)
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+        $azureFirewallIpConfiguration = $getAzureFirewall.IpConfigurations
+
+        #verification
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual $location $getAzureFirewall.Location
+        Assert-NotNull $getAzureFirewall.Etag
+
+        Assert-AreEqual 2 @($getAzureFirewall.IpConfigurations).Count
+        Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id
+        Assert-NotNull $azureFirewallIpConfiguration[0].PublicIpAddress.Id
+        Assert-NotNull $azureFirewallIpConfiguration[1].PublicIpAddress.Id
+        Assert-NotNull $azureFirewallIpConfiguration[0].PrivateIpAddress
+        Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
+        Assert-AreEqual $publicip1.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
+        Assert-AreEqual $publicip2.Id $getAzureFirewall.IpConfigurations[1].PublicIpAddress.Id
+
+        # Delete AzureFirewall
+        $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
+        Assert-AreEqual true $delete
+
+        # Delete VirtualNetwork 
+        $delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force
+        Assert-AreEqual true $delete
+
+        $list = Get-AzFirewall -ResourceGroupName $rgname
+        Assert-AreEqual 0 @($list).Count
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
 <#
 .SYNOPSIS
 Tests AzureFirewall Set and Remove IpConfiguration
 
@@ -20,6 +20,7 @@
 using Microsoft.Azure.Commands.Network.Models;
 using Microsoft.Azure.Commands.ResourceManager.Common.Tags;
 using Microsoft.Azure.Management.Network;
+using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
 using MNM = Microsoft.Azure.Management.Network.Models;
 
 namespace Microsoft.Azure.Commands.Network
@@ -30,7 +31,7 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
         private const string DefaultParameterSet = "Default";
 
         private PSVirtualNetwork virtualNetwork;
-        private PSPublicIpAddress publicIpAddress;
+        private PSPublicIpAddress[] publicIpAddresses;
 
         [Alias("ResourceName")]
         [Parameter(
@@ -54,22 +55,56 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
         [ValidateNotNullOrEmpty]
         public virtual string Location { get; set; }
 
+        [CmdletParameterBreakingChange(
+            "VirtualNetworkName",
+            deprecateByVersion: "2.0.0",
+            ChangeDescription = "This parameter will be removed in an upcoming breaking change release. After this point the Virtual Network will be provided as an object instead of a string.", 
+            OldWay = "New-AzFirewall -VirtualNetworkName \"vnet-name\"",
+            NewWay = "New-AzFirewall -VirtualNetwork $vnet",
+            OldParamaterType = typeof(string),
+            NewParameterTypeName = nameof(PSVirtualNetwork),
+            ReplaceMentCmdletParameterName = "VirtualNetwork")]
         [Parameter(
             Mandatory = true,
             ValueFromPipelineByPropertyName = true,
-            ParameterSetName = "IpConfigurationParameterValues",
+            ParameterSetName = "OldIpConfigurationParameterValues",
             HelpMessage = "Virtual Network Name")]
         [ValidateNotNullOrEmpty]
         public string VirtualNetworkName { get; set; }
 
+        [CmdletParameterBreakingChange(
+            "PublicIpName",
+            deprecateByVersion: "2.0.0",
+            ChangeDescription = "This parameter will be removed in an upcoming breaking change release. After this point the Public IP Address will be provided as a list of one or more objects instead of a string.",
+            OldWay = "New-AzFirewall -PublicIpName \"public-ip-name\"",
+            NewWay = "New-AzFirewall -PublicIpAddress @($publicip1, $publicip2)",
+            OldParamaterType = typeof(string),
+            NewParameterTypeName = "List<PSPublicIpAddress>",
+            ReplaceMentCmdletParameterName = "PublicIpAddress")]
         [Parameter(
             Mandatory = true,
             ValueFromPipelineByPropertyName = true,
-            ParameterSetName = "IpConfigurationParameterValues",
-            HelpMessage = "Public Ip Name")]
+            ParameterSetName = "OldIpConfigurationParameterValues",
+            HelpMessage = "Public IP address name. The Public IP must use Standard SKU and must belong to the same resource group as the Firewall.")]
         [ValidateNotNullOrEmpty]
         public string PublicIpName { get; set; }
 
+        [Parameter(
+            Mandatory = true,
+            ValueFromPipeline = true,
+            ParameterSetName = "IpConfigurationParameterValues",
+            HelpMessage = "Virtual Network")]
+        [ValidateNotNullOrEmpty]
+        public PSVirtualNetwork VirtualNetwork { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            ParameterSetName = "IpConfigurationParameterValues",
+            HelpMessage = "One or more Public IP Addresses. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall.")]
+        [ValidateNotNullOrEmpty]
+        public PSPublicIpAddress[] PublicIpAddress { get; set; }
+
         [Parameter(
             Mandatory = false,
             ValueFromPipelineByPropertyName = true,
@@ -122,16 +157,23 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
 
         public override void Execute()
         {
-            var isVnetPresent = VirtualNetworkName!=null;
-
-            // Get the virtual network, get the public IP address
-            if (isVnetPresent)
+            // Old params provided - Get the virtual network, get the public IP address
+            if (!string.IsNullOrEmpty(VirtualNetworkName))
             {
                 var vnet = this.VirtualNetworkClient.Get(this.ResourceGroupName, VirtualNetworkName);
                 this.virtualNetwork = NetworkResourceManagerProfile.Mapper.Map<PSVirtualNetwork>(vnet);
 
                 var publicIp = this.PublicIPAddressesClient.Get(this.ResourceGroupName, PublicIpName);
-                this.publicIpAddress = NetworkResourceManagerProfile.Mapper.Map<PSPublicIpAddress>(publicIp);
+                this.publicIpAddresses = new PSPublicIpAddress[]
+                {
+                    NetworkResourceManagerProfile.Mapper.Map<PSPublicIpAddress>(publicIp)
+                };
+            }
+            // New params
+            else if (VirtualNetwork != null)
+            {
+                this.virtualNetwork = VirtualNetwork;
+                this.publicIpAddresses = PublicIpAddress;
             }
 
             base.Execute();
@@ -166,7 +208,7 @@ private PSAzureFirewall CreateAzureFirewall()
 
             if (this.virtualNetwork != null)
             {
-                firewall.Allocate(this.virtualNetwork, this.publicIpAddress);
+                firewall.Allocate(this.virtualNetwork, this.publicIpAddresses);
             }
 
             // Map to the sdk object
 
@@ -53,6 +53,13 @@
 * Add Availability Zones support for Azure Firewall
 * Added cmdlet Get-AzNetworkServiceTag
 
+* Add support for multiple public IP addresses for Azure Firewall
+    - Updated New-AzFirewall cmdlet:
+        - Added parameter -PublicIpAddress which accepts one or more Public IP Address objects
+        - Added parameter -VirtualNetwork which accepts a Virtual Network object
+        - Added methods AddPublicIpAddress and RemovePublicIpAddress on firewall object - these accept a Public IP Address object as input
+        - Deprecated parameters -PublicIpName and -VirtualNetworkName 
+
 ## Version 1.8.1
 * Add DisableBgpRoutePropagation flag to Effective Route Table output
     - Updated cmdlet: