Merge pull request Azure#10334 from saisujithreddym/firewallsku

Firewall on the virtual Hub

Author: wyunchi-ms

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs

@@ -57,5 +57,14 @@ public void TestAzureFirewallAllocateAndDeallocate()
         {
             TestRunner.RunTestScript("Test-AzureFirewallAllocateAndDeallocate");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallVirtualHubCRUD()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallVirtualHubCRUD");
+        }
+
     }
 }

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -16,8 +16,7 @@
 .SYNOPSIS
 Tests AzureFirewallCRUD.
 #>
-function Test-AzureFirewallCRUD
-{
+function Test-AzureFirewallCRUD {
     # Setup
     $rgname = Get-ResourceGroupName
     $azureFirewallName = Get-ResourceName
@@ -97,8 +96,7 @@ function Test-AzureFirewallCRUD
     $natRule1TranslatedAddress = "10.1.2.3"
     $natRule1TranslatedPort = "91"
 
-    try 
-    {
+    try {
         # Create the resource group
         $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
 
@@ -201,7 +199,7 @@ function Test-AzureFirewallCRUD
         Assert-ThrowsContains { $natRule.AddProtocol("ABCD") } "Invalid protocol"
         # Test handling of ICMP protocol
         Assert-ThrowsContains {
-            New-AzFirewallNatRule -Name $natRule1Name -Protocol $natRule1Protocol1,"ICMP" -SourceAddress $natRule1SourceAddress1 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort
+            New-AzFirewallNatRule -Name $natRule1Name -Protocol $natRule1Protocol1, "ICMP" -SourceAddress $natRule1SourceAddress1 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort
         } "The argument `"ICMP`" does not belong to the set"
         Assert-ThrowsContains { $natRule.AddProtocol("ICMP") } "Invalid protocol"
 
@@ -395,8 +393,7 @@ function Test-AzureFirewallCRUD
         $list = Get-AzFirewall -ResourceGroupName $rgname
         Assert-AreEqual 0 @($list).Count
     }
-    finally
-    {
+    finally {
         # Cleanup
         Clean-ResourceGroup $rgname
     }
@@ -406,8 +403,7 @@ function Test-AzureFirewallCRUD
 .SYNOPSIS
 Tests AzureFirewallCRUD With Availability Zones.
 #>
-function Test-AzureFirewallCRUDWithZones
-{
+function Test-AzureFirewallCRUDWithZones {
     # Setup
     $rgname = Get-ResourceGroupName
     $azureFirewallName = Get-ResourceName
@@ -480,8 +476,7 @@ function Test-AzureFirewallCRUDWithZones
     $natRule1TranslatedAddress = "10.1.2.3"
     $natRule1TranslatedPort = "91"
 
-    try 
-    {
+    try {
         # Create the resource group
         $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
 
@@ -493,7 +488,7 @@ function Test-AzureFirewallCRUDWithZones
         $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard
 
         # Create AzureFirewall (with no rules, ThreatIntel is in Alert mode by default)
-        $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName -Zone 1,2,3
+        $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName -Zone 1, 2, 3
 
         # Get AzureFirewall
         $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
@@ -577,7 +572,7 @@ function Test-AzureFirewallCRUDWithZones
         Assert-ThrowsContains { $natRule.AddProtocol("ABCD") } "Invalid protocol"
         # Test handling of ICMP protocol
         Assert-ThrowsContains {
-            New-AzFirewallNatRule -Name $natRule1Name -Protocol $natRule1Protocol1,"ICMP" -SourceAddress $natRule1SourceAddress1 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort
+            New-AzFirewallNatRule -Name $natRule1Name -Protocol $natRule1Protocol1, "ICMP" -SourceAddress $natRule1SourceAddress1 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedAddress $natRule1TranslatedAddress -TranslatedPort $natRule1TranslatedPort
         } "The argument `"ICMP`" does not belong to the set"
         Assert-ThrowsContains { $natRule.AddProtocol("ICMP") } "Invalid protocol"
 
@@ -594,8 +589,8 @@ function Test-AzureFirewallCRUDWithZones
         # Add NetworkRuleCollections to the Firewall using method AddNetworkRuleCollection
         $azureFirewall.AddNetworkRuleCollection($netRc)
 
-		# Update ThreatIntel mode
-		$azureFirewall.ThreatIntelMode = "Deny"
+        # Update ThreatIntel mode
+        $azureFirewall.ThreatIntelMode = "Deny"
 
         # Set AzureFirewall
         Set-AzFirewall -AzureFirewall $azureFirewall
@@ -610,7 +605,7 @@ function Test-AzureFirewallCRUDWithZones
         Assert-NotNull $getAzureFirewall.Location
         Assert-AreEqual $location $getAzureFirewall.Location
         Assert-NotNull $getAzureFirewall.Etag
-		Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode
+        Assert-AreEqual "Deny" $getAzureFirewall.ThreatIntelMode
 
         Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
         Assert-NotNull $azureFirewallIpConfiguration[0].Subnet.Id
@@ -760,8 +755,7 @@ function Test-AzureFirewallCRUDWithZones
         $list = Get-AzFirewall -ResourceGroupName $rgname
         Assert-AreEqual 0 @($list).Count
     }
-    finally
-    {
+    finally {
         # Cleanup
         Clean-ResourceGroup $rgname
     }
@@ -771,8 +765,7 @@ function Test-AzureFirewallCRUDWithZones
 .SYNOPSIS
 Tests AzureFirewall with new style params for VNET and Public IPs - objects instead of strings
 #>
-function Test-AzureFirewallPIPAndVNETObjectTypeParams
-{
+function Test-AzureFirewallPIPAndVNETObjectTypeParams {
     # Setup
     $rgname = Get-ResourceGroupName
     $azureFirewallName = Get-ResourceName
@@ -784,8 +777,7 @@ function Test-AzureFirewallPIPAndVNETObjectTypeParams
     $publicIp1Name = Get-ResourceName
     $publicIp2Name = Get-ResourceName
 
-    try 
-    {
+    try {
         # Create the resource group
         $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
 
@@ -917,8 +909,7 @@ function Test-AzureFirewallPIPAndVNETObjectTypeParams
         $list = Get-AzFirewall -ResourceGroupName $rgname
         Assert-AreEqual 0 @($list).Count
     }
-    finally
-    {
+    finally {
         # Cleanup
         Clean-ResourceGroup $rgname
     }
@@ -928,8 +919,7 @@ function Test-AzureFirewallPIPAndVNETObjectTypeParams
 .SYNOPSIS
 Tests AzureFirewall Set and Remove IpConfiguration
 #>
-function Test-AzureFirewallAllocateAndDeallocate
-{
+function Test-AzureFirewallAllocateAndDeallocate {
     # Setup
     $rgname = Get-ResourceGroupName
     $azureFirewallName = Get-ResourceName
@@ -940,8 +930,7 @@ function Test-AzureFirewallAllocateAndDeallocate
     $subnetName = "AzureFirewallSubnet"
     $publicIpName = Get-ResourceName
 
-    try 
-    {
+    try {
         # Create the resource group
         $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
 
@@ -1031,8 +1020,60 @@ function Test-AzureFirewallAllocateAndDeallocate
         $list = Get-AzFirewall -ResourceGroupName $rgname
         Assert-AreEqual 0 @($list).Count
     }
-    finally
-    {
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
+<#
+.SYNOPSIS
+Tests AzureFirewall Set and Remove IpConfiguration
+#>
+function Test-AzureFirewallVirtualHubCRUD {
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $policyLocation = "westcentralus"
+    $location = Get-ProviderLocation $resourceTypeParent
+    $azureFirewallPolicyName = Get-ResourceName
+    $sku = "AZFW_Hub"
+    $tier = "Standard"
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
+        
+        # Create AzureFirewallPolicy (with no rules, ThreatIntel is in Alert mode by default)
+        $azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $policyLocation
+
+        # Get the AzureFirewallPolicy
+        $getazureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname
+
+        
+        Assert-NotNull $azureFirewallPolicy
+        Assert-NotNull $getazureFirewallPolicy.Id
+
+        $azureFirewallPolicyId = $getazureFirewallPolicy.Id
+
+        New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -Sku $sku -FirewallPolicyId $azureFirewallPolicyId
+
+        # Get AzureFirewall
+        $getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
+
+        #verification
+        Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
+        Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
+        Assert-NotNull $getAzureFirewall.Location
+        Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location
+        Assert-NotNull $sku $getAzureFirewall.Sku
+        Assert-AreEqual $sku $getAzureFirewall.Sku.Name
+        Assert-AreEqual $tier $getAzureFirewall.Sku.Tier
+        Assert-NotNull $getAzureFirewall.FirewallPolicy
+        Assert-AreEqual $azureFirewallPolicyId $getAzureFirewall.FirewallPolicy.Id
+    }
+    finally {
         # Cleanup
         Clean-ResourceGroup $rgname
     }

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallVirtualHubCRUD.json

@@ -18,6 +18,7 @@
 using Microsoft.Azure.Commands.ResourceManager.Common.Tags;
 using Microsoft.Azure.Management.Network;
 using Microsoft.Azure.Management.Network.Models;
+using Newtonsoft.Json;
 
 namespace Microsoft.Azure.Commands.Network
 {
@@ -47,6 +48,14 @@ protected IVirtualNetworksOperations VirtualNetworkClient
             }
         }
 
+        protected IVirtualHubsOperations VirtualHubClient
+        {
+            get
+            {
+                return NetworkClient.NetworkManagementClient.VirtualHubs;
+            }
+        }
+
         protected IPublicIPAddressesOperations PublicIPAddressesClient
         {
             get

src/Network/Network/AzureFirewall/AzureFirewallBaseCmdlet.cs

@@ -21,15 +21,16 @@
 using Microsoft.Azure.Commands.ResourceManager.Common.Tags;
 using Microsoft.Azure.Management.Network;
 using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
 using MNM = Microsoft.Azure.Management.Network.Models;
 
 namespace Microsoft.Azure.Commands.Network
 {
     [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "Firewall", SupportsShouldProcess = true, DefaultParameterSetName = DefaultParameterSet), OutputType(typeof(PSAzureFirewall))]
     public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
+
     {
         private const string DefaultParameterSet = "Default";
-
         private PSVirtualNetwork virtualNetwork;
         private PSPublicIpAddress[] publicIpAddresses;
 
@@ -58,7 +59,7 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
         [CmdletParameterBreakingChange(
             "VirtualNetworkName",
             deprecateByVersion: "2.0.0",
-            ChangeDescription = "This parameter will be removed in an upcoming breaking change release. After this point the Virtual Network will be provided as an object instead of a string.", 
+            ChangeDescription = "This parameter will be removed in an upcoming breaking change release. After this point the Virtual Network will be provided as an object instead of a string.",
             OldWay = "New-AzFirewall -VirtualNetworkName \"vnet-name\"",
             NewWay = "New-AzFirewall -VirtualNetwork $vnet",
             OldParamaterType = typeof(string),
@@ -155,6 +156,28 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
             HelpMessage = "A list of availability zones denoting where the firewall needs to come from.")]
         public string[] Zone { get; set; }
 
+        [Parameter(
+                Mandatory = false,
+                ValueFromPipelineByPropertyName = true,
+                HelpMessage = "The sku type for firewall")]
+        [ValidateSet(
+                MNM.AzureFirewallSkuName.AZFWHub,
+                MNM.AzureFirewallSkuName.AZFWVNet,
+                IgnoreCase = false)]
+        public string Sku { get; set; }
+
+        [Parameter(
+                Mandatory = false,
+                ValueFromPipelineByPropertyName = true,
+                HelpMessage = "The virtual hub that a firewall is attached to")]
+        public string VirtualHubId { get; set; }
+
+        [Parameter(
+                Mandatory = false,
+                ValueFromPipelineByPropertyName = true,
+                HelpMessage = "The firewall policy attached to the firewall")]
+        public string FirewallPolicyId { get; set; }
+
         public override void Execute()
         {
             // Old params provided - Get the virtual network, get the public IP address
@@ -190,25 +213,61 @@ public override void Execute()
 
         private PSAzureFirewall CreateAzureFirewall()
         {
-            var firewall = new PSAzureFirewall()
+            var firewall = new PSAzureFirewall();
+            if (Sku == MNM.AzureFirewallSkuName.AZFWHub)
             {
-                Name = this.Name,
-                ResourceGroupName = this.ResourceGroupName,
-                Location = this.Location,
-                ApplicationRuleCollections = this.ApplicationRuleCollection?.ToList(),
-                NatRuleCollections = this.NatRuleCollection?.ToList(),
-                NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
-                ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert
-            };
-
-            if (this.Zone != null)
-            {
-                firewall.Zones = this.Zone?.ToList();
-            }
 
-            if (this.virtualNetwork != null)
+                if (VirtualHubId != null && this.Location != null)
+                {
+                    var resourceInfo = new ResourceIdentifier(VirtualHubId);
+                    var hub = this.VirtualHubClient.Get(resourceInfo.ResourceGroupName, resourceInfo.ResourceName);
+                    if (hub.Location != this.Location)
+                    {
+                        throw new ArgumentException("VirtualHub and Firewall cannot be in different locations", nameof(VirtualHubId));
+                    }
+
+                }
+
+                var sku = new PSAzureFirewallSku();
+                sku.Name = MNM.AzureFirewallSkuName.AZFWHub;
+                sku.Tier = MNM.AzureFirewallSkuTier.Standard;
+
+                firewall = new PSAzureFirewall()
+                {
+                    Name = this.Name,
+                    ResourceGroupName = this.ResourceGroupName,
+                    Location = this.Location,
+                    Sku = sku,
+                    VirtualHub = VirtualHubId != null ? new MNM.SubResource(VirtualHubId) : null,
+                    FirewallPolicy = FirewallPolicyId != null ? new MNM.SubResource(FirewallPolicyId) : null
+                };
+            }
+            else
             {
-                firewall.Allocate(this.virtualNetwork, this.publicIpAddresses);
+                var sku = new PSAzureFirewallSku();
+                sku.Name = MNM.AzureFirewallSkuName.AZFWVNet;
+                sku.Tier = MNM.AzureFirewallSkuTier.Standard;
+                firewall = new PSAzureFirewall()
+                {
+                    Name = this.Name,
+                    ResourceGroupName = this.ResourceGroupName,
+                    Location = this.Location,
+                    ApplicationRuleCollections = this.ApplicationRuleCollection?.ToList(),
+                    NatRuleCollections = this.NatRuleCollection?.ToList(),
+                    NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
+                    ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
+                    Sku = sku
+                };
+
+                if (this.Zone != null)
+                {
+                    firewall.Zones = this.Zone?.ToList();
+                }
+
+                if (this.virtualNetwork != null)
+                {
+                    firewall.Allocate(this.virtualNetwork, this.publicIpAddresses);
+                }
             }
 
             // Map to the sdk object