Add Mssql value to Application Rule Type enum

Andrey Terentyev · anton-evseev · commit 98eea5a9edac · 2019-09-16T10:44:39.000-07:00
diff --git a/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1 b/src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1
@@ -58,6 +58,13 @@ function Test-AzureFirewallCRUD
     $appRule2Port1 = 8080
     $appRule2ProtocolType1 = "http"
 
+    # AzureFirewallApplicationRule 3
+    $appRule3Name = "appRule3"
+    $appRule3Fqdn1 = "sql1.database.windows.net"
+    $appRule3Protocol1 = "mssql:1433"
+    $appRule3Port1 = 1433
+    $appRule3ProtocolType1 = "mssql"
+
     # AzureFirewallNetworkRuleCollection
     $networkRcName = "networkRc"
     $networkRcPriority = 200
@@ -160,11 +167,14 @@ function Test-AzureFirewallCRUD
 
         $appRule2 = New-AzFirewallApplicationRule -Name $appRule2Name -Protocol $appRule2Protocol1 -TargetFqdn $appRule2Fqdn1
 
+        $appRule3 = New-AzFirewallApplicationRule -Name $appRule3Name -Protocol $appRule3Protocol1 -TargetFqdn $appRule3Fqdn1
+
         # Create Application Rule Collection with 1 rule
         $appRc = New-AzFirewallApplicationRuleCollection -Name $appRcName -Priority $appRcPriority -Rule $appRule -ActionType $appRcActionType
 
         # Add a rule to the rule collection using AddRule method
         $appRc.AddRule($appRule2)
+        $appRc.AddRule($appRule3)
 
         # Create a second Application Rule Collection with 1 rule
         $appRc2 = New-AzFirewallApplicationRuleCollection -Name $appRc2Name -Priority $appRc2Priority -Rule $appRule -ActionType $appRc2ActionType
@@ -233,7 +243,7 @@ function Test-AzureFirewallCRUD
 
         # Check rule collections
         Assert-AreEqual 2 @($getAzureFirewall.ApplicationRuleCollections).Count
-        Assert-AreEqual 2 @($getAzureFirewall.ApplicationRuleCollections[0].Rules).Count
+        Assert-AreEqual 3 @($getAzureFirewall.ApplicationRuleCollections[0].Rules).Count
         Assert-AreEqual 1 @($getAzureFirewall.ApplicationRuleCollections[1].Rules).Count
 
         Assert-AreEqual 1 @($getAzureFirewall.NatRuleCollections).Count
@@ -245,6 +255,7 @@ function Test-AzureFirewallCRUD
         $appRc = $getAzureFirewall.GetApplicationRuleCollectionByName($appRcName)
         $appRule = $appRc.GetRuleByName($appRule1Name)
         $appRule2 = $appRc.GetRuleByName($appRule2Name)
+        $appRule3 = $appRc.GetRuleByName($appRule3Name)
 
         # Verify application rule collection 1 
         Assert-AreEqual $appRcName $appRc.Name
@@ -281,6 +292,19 @@ function Test-AzureFirewallCRUD
         Assert-AreEqual 1 $appRule2.TargetFqdns.Count 
         Assert-AreEqual $appRule2Fqdn1 $appRule2.TargetFqdns[0]
 
+        # Verify application rule 3
+        Assert-AreEqual $appRule3Name $appRule3.Name
+        Assert-Null $appRule3.Description
+
+        Assert-AreEqual 0 $appRule3.SourceAddresses.Count
+
+        Assert-AreEqual 1 $appRule3.Protocols.Count
+        Assert-AreEqual $appRule3ProtocolType1 $appRule3.Protocols[0].ProtocolType
+        Assert-AreEqual $appRule3Port1 $appRule3.Protocols[0].Port
+
+        Assert-AreEqual 1 $appRule3.TargetFqdns.Count
+        Assert-AreEqual $appRule3Fqdn1 $appRule3.TargetFqdns[0]
+
         # Verify application rule collection 2
         $appRc2 = $getAzureFirewall.GetApplicationRuleCollectionByName($appRc2Name)
 
@@ -505,16 +529,16 @@ function Test-AzureFirewallCRUDWithZones
         Assert-AreEqual @($list[0].NetworkRuleCollections).Count @($getAzureFirewall.NetworkRuleCollections).Count
 
         # list all Azure Firewalls under subscription
-        $listAll = Get-AzureRmFirewall
+        $listAll = Get-AzFirewall
         Assert-NotNull $listAll
 
-        $listAll = Get-AzureRmFirewall -Name "*"
+        $listAll = Get-AzFirewall -Name "*"
         Assert-NotNull $listAll
 
-        $listAll = Get-AzureRmFirewall -ResourceGroupName "*"
+        $listAll = Get-AzFirewall -ResourceGroupName "*"
         Assert-NotNull $listAll
 
-        $listAll = Get-AzureRmFirewall -ResourceGroupName "*" -Name "*"
+        $listAll = Get-AzFirewall -ResourceGroupName "*" -Name "*"
         Assert-NotNull $listAll
 
         # Create Application Rules
diff --git a/src/Network/Network/AzureFirewall/ApplicationRule/NewAzureFirewallApplicationRuleCommand.cs b/src/Network/Network/AzureFirewall/ApplicationRule/NewAzureFirewallApplicationRuleCommand.cs
@@ -73,7 +73,7 @@ public override void Execute()
 
             if (FqdnTag != null)
             {
-                this.Protocol = new string[] { "http", "https" };
+                this.Protocol = PSAzureFirewallApplicationRuleProtocol.AllProtocols().ToArray();
                 FqdnTag = AzureFirewallFqdnTagHelper.MapUserInputToAllowedFqdnTags(FqdnTag, this.AzureFirewallFqdnTagClient).ToArray();
             }
 
diff --git a/src/Network/Network/ChangeLog.md b/src/Network/Network/ChangeLog.md
@@ -29,6 +29,7 @@
     - Added property 'PrivateEndpoint' as type of PSResourceId to PSNetworkInterface
     - Added property 'PrivateLinkConnectionProperties' as type of PSIpConfigurationConnectivityInformation to PSNetworkInterfaceIPConfiguration
     - Added new model class PSIpConfigurationConnectivityInformation
+* Added new ApplicationRuleProtocolType "mssql" for Azure Firewall resource
 * MultiLink support in Virtual WAN
     - New cmdlets
         - New-AzVpnSiteLink
diff --git a/src/Network/Network/Models/AzureFirewall/PSAzureFirewallApplicationRuleProtocol.cs b/src/Network/Network/Models/AzureFirewall/PSAzureFirewallApplicationRuleProtocol.cs
@@ -26,26 +26,42 @@ public class PSAzureFirewallApplicationRuleProtocol
         public string ProtocolType { get; set; }
         public uint Port { get; set; }
 
+        public static List<string> AllProtocols()
+        {
+            return new List<string> {
+                MNM.AzureFirewallApplicationRuleProtocolType.Http,
+                MNM.AzureFirewallApplicationRuleProtocolType.Https,
+                MNM.AzureFirewallApplicationRuleProtocolType.Mssql,
+            };
+        }
+
         public static PSAzureFirewallApplicationRuleProtocol MapUserInputToApplicationRuleProtocol(string userInput)
         {
-            var protocolRegEx = new Regex("^[hH][tT][tT][pP][sS]?(:[1-9][0-9]*)?$");
+            var portRegEx = new Regex("^[1-9][0-9]*$");
 
             var supportedProtocolsAndTheirDefaultPorts = new List<PSAzureFirewallApplicationRuleProtocol>
             {
                 new PSAzureFirewallApplicationRuleProtocol { ProtocolType = MNM.AzureFirewallApplicationRuleProtocolType.Http, Port = 80 },
-                new PSAzureFirewallApplicationRuleProtocol { ProtocolType = MNM.AzureFirewallApplicationRuleProtocolType.Https, Port = 443 }
+                new PSAzureFirewallApplicationRuleProtocol { ProtocolType = MNM.AzureFirewallApplicationRuleProtocolType.Https, Port = 443 },
+                new PSAzureFirewallApplicationRuleProtocol { ProtocolType = MNM.AzureFirewallApplicationRuleProtocolType.Mssql, Port = 1433 }
             };
 
             //The actual validation is performed in NRP. Here we are just trying to map user info to our model
-            if (!protocolRegEx.IsMatch(userInput))
-            {
-                throw new ArgumentException($"Invalid protocol {userInput}");
-            }
 
             var userParts = userInput.Split(':');
             var userProtocolText = userParts[0];
             var userPortText = userParts.Length == 2 ? userParts[1] : null;
 
+            if (!AllProtocols().Contains(userProtocolText, StringComparer.OrdinalIgnoreCase))
+            {
+                throw new ArgumentException($"Invalid protocol {userProtocolText}");
+            }
+
+            if (userPortText != null && !portRegEx.IsMatch(userPortText))
+            {
+                throw new ArgumentException($"Invalid port {userPortText}");
+            }
+
             PSAzureFirewallApplicationRuleProtocol supportedProtocol;
             try
             {
diff --git a/src/Network/Network/help/New-AzFirewall.md b/src/Network/Network/help/New-AzFirewall.md
@@ -131,6 +131,19 @@ New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -Virt
 
 This example creates a Firewall attached to virtual network "vnet" with two public IP addresses.
 
+### 8: Create a Firewall which allows MSSQL traffic to specific SQL database
+```
+$rgName = "resourceGroupName"
+$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
+$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
+
+$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "mssql:1433" -TargetFqdn "sql1.database.windows.net"
+$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
+New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection -ThreatIntelMode Deny
+```
+
+This example creates a Firewall which allows MSSQL traffic on standard port 1433 to SQL database sql1.database.windows.net.
+
 ## PARAMETERS
 
 ### -ApplicationRuleCollection

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ public override void Execute()`
`73`	`73`
`74`	`74`	`if (FqdnTag != null)`
`75`	`75`	`{`
`76`		`- this.Protocol = new string[] { "http", "https" };`
	`76`	`+ this.Protocol = PSAzureFirewallApplicationRuleProtocol.AllProtocols().ToArray();`
`77`	`77`	`FqdnTag = AzureFirewallFqdnTagHelper.MapUserInputToAllowedFqdnTags(FqdnTag, this.AzureFirewallFqdnTagClient).ToArray();`
`78`	`78`	`}`
`79`	`79`