From a313a3d07e84d3bfed33817a526864d3dbfe3240 Mon Sep 17 00:00:00 2001
From: Federico Arambarri
Date: Wed, 21 Apr 2021 13:04:44 -0300
Subject: [PATCH 1/6] Adding Azure Firewall Manager and Azure Firewall Policies

---
 cluster-stamp.json | 2 +-
 networking/hub-default.json | 136 +++++-
 networking/hub-regionA.json | 783 +++++++++++++++++++++---------------
 3 files changed, 565 insertions(+), 356 deletions(-)

diff --git a/cluster-stamp.json b/cluster-stamp.json
index a3892e24..a2abdc48 100644
--- a/cluster-stamp.json
+++ b/cluster-stamp.json
@@ -95,7 +95,7 @@
 }
 },
 "kubernetesVersion": {
- "defaultValue": "1.20.2",
+ "defaultValue": "1.20.5",
 "type": "string"
 }
 },
diff --git a/networking/hub-default.json b/networking/hub-default.json
index 2ca13898..0b1ce68c 100644
--- a/networking/hub-default.json
+++ b/networking/hub-default.json
@@ -363,9 +363,101 @@ "mode": "Parallel" } }, + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2020-11-01", + "name": "[variables('hubFwName')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "tier": "Standard" + }, + "threatIntelMode": "Deny", + "threatIntelWhitelist": { + "ipAddresses": [] + }, + "dnsSettings": { + "servers": [], + "enableProxy": true + } + }, + "resources": [ + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2020-11-01", + "name": "[concat(variables('hubFwName'), '/DefaultDnatRuleCollectionGroup')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('hubFwName')]" + ], + "properties": { + "priority": 100, + "ruleCollections": [] + } + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2020-11-01", + "name": "[concat(variables('hubFwName'), '/DefaultApplicationRuleCollectionGroup')]", + "location":"[parameters('location')]", + "dependsOn": [ + "[variables('hubFwName')]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]" + ], + "properties": { + "priority": 300, + "ruleCollections": [] + } + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2020-11-01", + "name": "[concat(variables('hubFwName'), '/DefaultNetworkRuleCollectionGroup')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('hubFwName')]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]" + ], + "properties": { + "priority": 200, + "ruleCollections": [ + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "DNS", + "ipProtocols": [ + "UDP" + ], + "sourceAddresses": [ + "*" + ], + "sourceIpGroups": 
[], + "destinationAddresses": [ + "*" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "53" + ] + } + ], + "name": "org-wide-allowed", + "priority": 100 + } + ] + } + } + ] + }, { "type": "Microsoft.Network/azureFirewalls", - "apiVersion": "2020-05-01", + "apiVersion": "2020-11-01", "name": "[variables('hubFwName')]", "location": "[parameters('location')]", "comments": "This is the regional Azure Firewall that all regional spoke networks can egress through.", @@ -376,12 +468,11 @@ ], "dependsOn": [ "create-fw-pips", - "[resourceId('Microsoft.Network/virtualNetworks', variables('hubVnetName'))]" + "[resourceId('Microsoft.Network/virtualNetworks', variables('hubVnetName'))]", + "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]" ], "properties": { - "additionalProperties": { - "Network.DNS.EnableProxy": "true" - }, + "additionalProperties": {}, "sku": { "name": "AZFW_VNet", "tier": "Standard" @@ -417,36 +508,11 @@ } ], "natRuleCollections": [], - "networkRuleCollections": [ - { - "name": "org-wide-allowed", - "properties": { - "action": { - "type": "Allow" - }, - "priority": 100, - "rules": [ - { - "name": "DNS", - "description": "Consider restricting this to only DNS servers you expect to be used by spokes of this hub.", - "sourceAddresses": [ - "*" - ], - "protocols": [ - "UDP" - ], - "destinationPorts": [ - "53" - ], - "destinationAddresses": [ - "*" - ] - } - ] - } - } - ], - "applicationRuleCollections": [] + "networkRuleCollections": [], + "applicationRuleCollections": [], + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]" + } }, "resources": [ { diff --git a/networking/hub-regionA.json b/networking/hub-regionA.json index 6a2ac25e..0e1960b1 100644 --- a/networking/hub-regionA.json +++ b/networking/hub-regionA.json 
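Review bot: The `DNS` network rule in the new DefaultNetworkRuleCollectionGroup still allows any source (`*`) to any destination (`*`) on UDP/53, but the migration drops the guidance the replaced rule carried, so nothing in the policy now signals that this breadth is a placeholder. Firewall Policy rules in the 2020-11-01 schema accept a `description` property, so I would carry the old text over onto the rule: `"description": "Consider restricting this to only DNS servers you expect to be used by spokes of this hub."`. With `dnsSettings.enableProxy` now set on the policy, spokes that point at the firewall's private IP for resolution only need the firewall itself to reach upstream resolvers, which is a good reason to narrow `destinationAddresses` to that resolver set outside of a demo deployment. The threat-intel `Deny` mode and empty allowlist on the policy are a sensible default and worth keeping as-is.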
@@ -387,9 +387,464 @@ ] } }, + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2020-11-01", + "name": "[variables('hubFwName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ], + "properties": { + "sku": { + "tier": "Standard" + }, + "threatIntelMode": "Deny", + "threatIntelWhitelist": { + "ipAddresses": [] + }, + "dnsSettings": { + "servers": [], + "enableProxy": true + } + }, + "resources": [ + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2020-11-01", + "name": "[concat(variables('hubFwName'), '/DefaultDnatRuleCollectionGroup')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('hubFwName')]" + ], + "properties": { + "priority": 100, + "ruleCollections": [] + } + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2020-11-01", + "name": "[concat(variables('hubFwName'), '/DefaultApplicationRuleCollectionGroup')]", + "location":"[parameters('location')]", + "dependsOn": [ + "[variables('hubFwName')]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]" + ], + "properties": { + "priority": 300, + "ruleCollections": [ + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "ApplicationRule", + "name": "nodes-to-api-server", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "*.hcp.eastus2.azmk8s.io" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "microsoft-container-registry", + "protocols": [ + { + 
"protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "mcr.microsoft.com", + "*.data.mcr.microsoft.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "management-plane", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [ + "AzureKubernetesService" + ], + "webCategories": [], + "targetFqdns": [], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "aad-auth", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "login.microsoftonline.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "apt-get", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "packages.microsoft.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "cluster-binaries", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "acs-mirror.azureedge.net" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": 
[], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "ubuntu-security-patches", + "protocols": [ + { + "protocolType": "Http", + "port": 80 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "security.ubuntu.com", + "azure.archive.ubuntu.com", + "changelogs.ubuntu.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "azure-monitor-addon", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "*.ods.opinsights.azure.com", + "*.oms.opinsights.azure.com", + "eastus2.monitoring.azure.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "azure-policy-addon", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "data.policy.core.windows.net", + "store.policy.core.windows.net" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + } + ], + "name": "AKS-Global-Requirements", + "priority": 200 + }, + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "ApplicationRule", + "name": "flux-to-github", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "github.com", + 
"api.github.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + }, + { + "ruleType": "ApplicationRule", + "name": "pull-flux-images", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "*.docker.com", + "*.docker.io", + "docker.io", + "ghcr.io", + "github-production-container-registry.s3.amazonaws.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [], + "destinationAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ] + } + ], + "name": "Flux-Requirements", + "priority": 300 + } + ] + } + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2020-11-01", + "name": "[concat(variables('hubFwName'), '/DefaultNetworkRuleCollectionGroup')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('hubFwName')]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]" + ], + "properties": { + "priority": 200, + "ruleCollections": [ + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "DNS", + "ipProtocols": [ + "UDP" + ], + "sourceAddresses": [ + "*" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "*" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "53" + ] + } + ], + "name": "org-wide-allowed", + "priority": 100 + }, + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "ntp", + "ipProtocols": [ + "UDP" + ], + "sourceAddresses": [], + 
"sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ], + "destinationAddresses": [ + "*" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "123" + ] + }, + { + "ruleType": "NetworkRule", + "name": "tunnelfront-pod-tcp", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ], + "destinationAddresses": [ + "AzureCloud.eastus2" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "9000" + ] + }, + { + "ruleType": "NetworkRule", + "name": "tunnelfront-pod-udp", + "ipProtocols": [ + "UDP" + ], + "sourceAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ], + "destinationAddresses": [ + "AzureCloud.eastus2" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "1194" + ] + }, + { + "ruleType": "NetworkRule", + "name": "pod-to-api-server", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [], + "sourceIpGroups": [ + "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" + ], + "destinationAddresses": [ + "AzureCloud.eastus2" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "443" + ] + } + ], + "name": "AKS-Global-Requirements", + "priority": 200 + } + ] + } + } + ] + }, { "type": "Microsoft.Network/azureFirewalls", - "apiVersion": "2020-05-01", + "apiVersion": "2020-11-01", "name": "[variables('hubFwName')]", "location": "[parameters('location')]", "comments": "This is the regional Azure Firewall that all regional spoke networks can egress through.", 
@@ -401,12 +856,10 @@
 "dependsOn": [
 "create-fw-pips",
 "[resourceId('Microsoft.Network/virtualNetworks', variables('hubVnetName'))]",
- "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]"
+ "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]"
 ],
 "properties": {
- "additionalProperties": {
- "Network.DNS.EnableProxy": "true"
- },
+ "additionalProperties": {},
 "sku": {
 "name": "AZFW_VNet",
 "tier": "Standard"
@@ -442,321 +895,11 @@ } ], "natRuleCollections": [], - "networkRuleCollections": [ - { - "name": "org-wide-allowed", - "properties": { - "action": { - "type": "Allow" - }, - "priority": 100, - "rules": [ - { - "name": "DNS", - "description": "Consider restricting this to only DNS servers you expect to be used by spokes of this hub.", - "sourceAddresses": [ - "*" - ], - "protocols": [ - "UDP" - ], - "destinationPorts": [ - "53" - ], - "destinationAddresses": [ - "*" - ] - } - ] - } - }, - { - "name": "AKS-Global-Requirements", - "properties": { - "action": { - "type": "Allow" - }, - "priority": 200, - "rules": [ - { - "name": "ntp", - "description": "Network Time Protocol (NTP) time synchronization for nodepool nodes. These use ubuntu's NTP pools.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - "UDP" - ], - "destinationPorts": [ - "123" - ], - "destinationAddresses": [ - "*" - ] - }, - { - "name": "tunnelfront-pod-tcp", - "description": "Tunnelfront pod to communicate with the tunnel end on the API server. Technically only needed to our API servers instead of AzureCloud.EastUS2. Restrict this to your clusters' Cluster API Public IP; done this way for easy of demonstration. Not needed for private clusters.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - "TCP" - ], - "destinationPorts": [ - "9000" - ], - "destinationAddresses": [ - "[concat('AzureCloud.', parameters('location'))]" - ] - }, - { - "name": "tunnelfront-pod-udp", - "description": "Tunnelfront pod to communicate with the tunnel end on the API server. Technically only needed to our API servers instead of AzureCloud.EastUS2. Restrict this to your clusters' Cluster API Public IP; done this way for easy of demonstration. 
Not needed for private clusters.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - "UDP" - ], - "destinationPorts": [ - "1194" - ], - "destinationAddresses": [ - "[concat('AzureCloud.', parameters('location'))]" - ] - }, - { - "name": "pod-to-api-server", - "description": "Allows pods to communicate to the Cluster API server (e.g. Flux). Technically only needed to our API servers instead of AzureCloud.EastUS2. Restrict this to your clusters' Cluster API Public IP; done this way for ease of demonstration. Not needed for private clusters.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - "TCP" - ], - "destinationPorts": [ - "443" - ], - "destinationAddresses": [ - "[concat('AzureCloud.', parameters('location'))]" - ] - } - ] - } - } - ], - "applicationRuleCollections": [ - { - "name": "AKS-Global-Requirements", - "properties": { - "action": { - "type": "Allow" - }, - "priority": 200, - "rules": [ - { - "name": "nodes-to-api-server", - "description": "This address is required for Node <-> API server communication.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "[concat('*.hcp.', parameters('location'), '.azmk8s.io')]" - ] - }, - { - "name": "microsoft-container-registry", - "description": "Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images (E.g., coreDNS, etc.). 
These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "mcr.microsoft.com", - "*.data.mcr.microsoft.com" - ] - }, - { - "name": "management-plane", - "description": "This address is required for Kubernetes GET/PUT operations.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "fqdnTags": [ - "AzureKubernetesService" - ] - }, - { - "name": "aad-auth", - "description": "This address is required for Azure Active Directory authentication.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "login.microsoftonline.com" - ] - }, - { - "name": "apt-get", - "description": "This address is the Microsoft packages repository used for cached apt-get operations. 
Example packages include Moby, PowerShell, and Azure CLI.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "packages.microsoft.com" - ] - }, - { - "name": "cluster-binaries", - "description": "This address is for the repository required to download and install required binaries like kubenet and Azure CNI.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "acs-mirror.azureedge.net" - ] - }, - { - "name": "ubuntu-security-patches", - "description": "This address lets the Linux cluster nodes download the required security patches and updates per https://docs.microsoft.com/azure/aks/limit-egress-traffic#optional-recommended-fqdn--application-rules-for-aks-clusters.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Http", - "port": 80 - } - ], - "targetFqdns": [ - "security.ubuntu.com", - "azure.archive.ubuntu.com", - "changelogs.ubuntu.com" - ] - }, - { - "name": "azure-monitor-addon", - "description": "All required for Azure Monitor for containers per https://docs.microsoft.com/azure/aks/limit-egress-traffic#azure-monitor-for-containers - Optionally you can restrict the ods and oms wildcards to JUST your clusters' log analytics instances.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "*.ods.opinsights.azure.com", - "*.oms.opinsights.azure.com", - "[concat(parameters('location'), '.monitoring.azure.com')]" - ] - }, - { - "name": "azure-policy-addon", - "description": "All required for Azure Policy per 
https://docs.microsoft.com/azure/aks/limit-egress-traffic#azure-policy", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "data.policy.core.windows.net", - "store.policy.core.windows.net" - ] - } - ] - } - }, - { - "name": "Flux-Requirements", - "properties": { - "action": { - "type": "Allow" - }, - "priority": 300, - "rules": [ - { - "name": "flux-to-github", - "description": "This address is required for Flux <-> Github repository with the desired cluster baseline configuration.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "github.com", - "api.github.com" - ] - }, - { - "name": "pull-flux-images", - "description": "Allows pulling images from public container registries. Not necessary when using your private ACR instance via Private Link for images you've push or imported. Included here only for those that did not fork the repo.", - "sourceIpGroups": [ - "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]" - ], - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "*.docker.com", - "*.docker.io", - "docker.io", - "ghcr.io", - "github-production-container-registry.s3.amazonaws.com" - ] - } - ] - } - } - ] + "networkRuleCollections": [], + "applicationRuleCollections": [], + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]" + } }, "resources": [ { From a2c9c59d21c840a3c529239ad69da311e61bbeeb Mon Sep 17 00:00:00 2001 From: Federico Arambarri Date: Fri, 23 Apr 2021 16:03:57 -0300 Subject: [PATCH 2/6] Making more specific dependency --- networking/hub-default.json | 6 +++--- networking/hub-regionA.json | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/networking/hub-default.json b/networking/hub-default.json
index 0b1ce68c..43c52e16 100644
--- a/networking/hub-default.json
+++ b/networking/hub-default.json
@@ -388,7 +388,7 @@
 "name": "[concat(variables('hubFwName'), '/DefaultDnatRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[variables('hubFwName')]"
+ "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]"
 ],
 "properties": {
 "priority": 100,
@@ -401,7 +401,7 @@
 "name": "[concat(variables('hubFwName'), '/DefaultApplicationRuleCollectionGroup')]",
 "location":"[parameters('location')]",
 "dependsOn": [
- "[variables('hubFwName')]",
+ "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
 "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]"
 ],
 "properties": {
@@ -415,7 +415,7 @@
 "name": "[concat(variables('hubFwName'), '/DefaultNetworkRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[variables('hubFwName')]",
+ "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
 "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]"
 ],
 "properties": {
diff --git a/networking/hub-regionA.json b/networking/hub-regionA.json
index 0e1960b1..9e8cd3e0 100644
--- a/networking/hub-regionA.json
+++ b/networking/hub-regionA.json
@@ -415,7 +415,7 @@
 "name": "[concat(variables('hubFwName'), '/DefaultDnatRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[variables('hubFwName')]"
+ "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]"
 ],
 "properties": {
 "priority": 100,
@@ -428,7 +428,7 @@
 "name": "[concat(variables('hubFwName'), '/DefaultApplicationRuleCollectionGroup')]",
 "location":"[parameters('location')]",
 "dependsOn": [
- "[variables('hubFwName')]",
+ "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
 "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]"
 ],
 "properties": {
@@ -716,7 +716,7 @@
 "name": "[concat(variables('hubFwName'), '/DefaultNetworkRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[variables('hubFwName')]",
+ "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
 "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]"
 ],
 "properties": {
From fa9ba9a8d90b87a0c118ce1715ee61174f4bb68b Mon Sep 17 00:00:00 2001
From: Federico Arambarri
Date: Fri, 23 Apr 2021 17:48:55 -0300
Subject: [PATCH 3/6] Moving down ip group dependency

---
 networking/hub-regionA.json | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/networking/hub-regionA.json b/networking/hub-regionA.json
index 9e8cd3e0..b9db4760 100644
--- a/networking/hub-regionA.json
+++ b/networking/hub-regionA.json
@@ -392,9 +392,6 @@
 "apiVersion": "2020-11-01",
 "name": "[variables('hubFwName')]",
 "location": "[parameters('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]"
- ],
 "properties": {
 "sku": {
 "tier": "Standard"
@@ -429,7 +426,8 @@
 "location":"[parameters('location')]",
 "dependsOn": [
 "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]"
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]",
+ "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]"
 ],
 "properties": {
 "priority": 300,
@@ -717,7 +715,8 @@
 "location": "[parameters('location')]",
 "dependsOn": [
 "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]"
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]",
+ "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]"
 ],
 "properties": {
 "priority": 200,
From d13e70f2a2bb8510c6fd28fb29b3975ca247a2d2 Mon Sep 17 00:00:00 2001
From: Federico Arambarri
Date: Mon, 26 Apr 2021 09:05:18 -0300
Subject: [PATCH 4/6] Changing name to Azure Firewall Policies resource

---
 networking/hub-default.json | 23 ++++++++++++-----------
 networking/hub-regionA.json | 23 ++++++++++++-----------
 2 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/networking/hub-default.json b/networking/hub-default.json
index 43c52e16..5b980623 100644
--- a/networking/hub-default.json
+++ b/networking/hub-default.json
@@ -70,6 +70,7 @@
 "[concat(variables('baseFwPipName'), '-02')]"
 ],
 "hubFwName": "[concat('fw-', parameters('location'))]",
+ "fwPoliciesName": "[concat('fw-policies-', parameters('location'))]",
 "hubVNetName": "[concat('vnet-', parameters('location'), '-hub')]",
 "bastionNetworkNsgName": "[concat('nsg-', parameters('location'), '-bastion')]",
 "hubLaName": "[concat('la-hub-', parameters('location'), '-', uniqueString(resourceId('Microsoft.Network/virtualNetworks', variables('hubVnetName'))))]"
@@ -366,7 +367,7 @@
 {
 "type": "Microsoft.Network/firewallPolicies",
 "apiVersion": "2020-11-01",
- "name": "[variables('hubFwName')]",
+ "name": "[variables('fwPoliciesName')]",
 "location": "[parameters('location')]",
 "properties": {
 "sku": {
@@ -385,10 +386,10 @@
 {
 "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
 "apiVersion": "2020-11-01",
- "name": "[concat(variables('hubFwName'), '/DefaultDnatRuleCollectionGroup')]",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultDnatRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]"
+ "[variables('fwPoliciesName')]"
 ],
 "properties": {
 "priority": 100,
@@ -398,11 +399,11 @@
 {
 "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
 "apiVersion": "2020-11-01",
- "name": "[concat(variables('hubFwName'), '/DefaultApplicationRuleCollectionGroup')]",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultApplicationRuleCollectionGroup')]",
 "location":"[parameters('location')]",
 "dependsOn": [
- "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]"
+ "[variables('fwPoliciesName')]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultDnatRuleCollectionGroup')]"
 ],
 "properties": {
 "priority": 300,
@@ -412,11 +413,11 @@
 {
 "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
 "apiVersion": "2020-11-01",
- "name": "[concat(variables('hubFwName'), '/DefaultNetworkRuleCollectionGroup')]",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultNetworkRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]"
+ "[variables('fwPoliciesName')]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultApplicationRuleCollectionGroup')]"
 ],
 "properties": {
 "priority": 200,
@@ -469,7 +470,7 @@
 "dependsOn": [
 "create-fw-pips",
 "[resourceId('Microsoft.Network/virtualNetworks', variables('hubVnetName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]"
+ "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesName'))]"
 ],
 "properties": {
 "additionalProperties": {},
@@ -511,7 +512,7 @@
 "networkRuleCollections": [],
 "applicationRuleCollections": [],
 "firewallPolicy": {
- "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]"
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesName'))]"
 }
 },
 "resources": [
diff --git a/networking/hub-regionA.json b/networking/hub-regionA.json
index b9db4760..a3edd2b3 100644
--- a/networking/hub-regionA.json
+++ b/networking/hub-regionA.json
@@ -78,6 +78,7 @@
 "[concat(variables('baseFwPipName'), '-02')]"
 ],
 "hubFwName": "[concat('fw-', parameters('location'))]",
+ "fwPoliciesName": "[concat('fw-policies-', parameters('location'))]",
 "hubVNetName": "[concat('vnet-', parameters('location'), '-hub')]",
 "bastionNetworkNsgName": "[concat('nsg-', parameters('location'), '-bastion')]",
 "hubLaName": "[concat('la-hub-', parameters('location'), '-', uniqueString(resourceId('Microsoft.Network/virtualNetworks', variables('hubVnetName'))))]"
@@ -390,7 +391,7 @@
 {
 "type": "Microsoft.Network/firewallPolicies",
 "apiVersion": "2020-11-01",
- "name": "[variables('hubFwName')]",
+ "name": "[variables('fwPoliciesName')]",
 "location": "[parameters('location')]",
 "properties": {
 "sku": {
@@ -409,10 +410,10 @@
 {
 "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
 "apiVersion": "2020-11-01",
- "name": "[concat(variables('hubFwName'), '/DefaultDnatRuleCollectionGroup')]",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultDnatRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]"
+ "[variables('fwPoliciesName')]"
 ],
 "properties": {
 "priority": 100,
@@ -422,11 +423,11 @@
 {
 "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
 "apiVersion": "2020-11-01",
- "name": "[concat(variables('hubFwName'), '/DefaultApplicationRuleCollectionGroup')]",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultApplicationRuleCollectionGroup')]",
 "location":"[parameters('location')]",
 "dependsOn": [
- "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultDnatRuleCollectionGroup')]",
+ "[ variables('fwPoliciesName')]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultDnatRuleCollectionGroup')]",
 "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]"
 ],
 "properties": {
@@ -711,11 +712,11 @@
 {
 "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
 "apiVersion": "2020-11-01",
- "name": "[concat(variables('hubFwName'), '/DefaultNetworkRuleCollectionGroup')]",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultNetworkRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[concat('Microsoft.Network/firewallPolicies/', variables('hubFwName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('hubFwName'), 'DefaultApplicationRuleCollectionGroup')]",
+ "[variables('fwPoliciesName')]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultApplicationRuleCollectionGroup')]",
 "[resourceId('Microsoft.Network/ipGroups', variables('aksIpGroupName'))]"
 ],
 "properties": {
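Review bot: `"[ variables('fwPoliciesName')]"` in the first `dependsOn` of the `@@ -422` hunk has a stray space after the opening bracket, unlike every other occurrence in this series, which is written `"[variables('fwPoliciesName')]"`. As far as I know ARM tolerates whitespace inside an expression, so this is a style point rather than a deployment failure, but the odd-one-out spelling defeats a plain grep for references to the policy. Drop the space so it reads `"[variables('fwPoliciesName')]"`.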
@@ -855,7 +856,7 @@
 "dependsOn": [
 "create-fw-pips",
 "[resourceId('Microsoft.Network/virtualNetworks', variables('hubVnetName'))]",
- "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]"
+ "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesName'))]"
 ],
 "properties": {
 "additionalProperties": {},
@@ -897,7 +898,7 @@
 "networkRuleCollections": [],
 "applicationRuleCollections": [],
 "firewallPolicy": {
- "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('hubFwName'))]"
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesName'))]"
 }
 },
 "resources": [

From 0ccc9637a6b25c2bece5c8d13bba9c05a55e67d8 Mon Sep 17 00:00:00 2001
From: Federico Arambarri
Date: Mon, 26 Apr 2021 11:39:18 -0300
Subject: [PATCH 5/6] Adding base policy

---
 networking/hub-default.json | 104 +++++++++++++++++++++++++-----------
 networking/hub-regionA.json | 101 ++++++++++++++++++++++++----------
 2 files changed, 145 insertions(+), 60 deletions(-)

diff --git a/networking/hub-default.json b/networking/hub-default.json
index 5b980623..34474973 100644
--- a/networking/hub-default.json
+++ b/networking/hub-default.json
@@ -70,6 +70,7 @@
 "[concat(variables('baseFwPipName'), '-02')]"
 ],
 "hubFwName": "[concat('fw-', parameters('location'))]",
+ "fwPoliciesBaseName": "[concat('fw-policies-base')]",
 "fwPoliciesName": "[concat('fw-policies-', parameters('location'))]",
 "hubVNetName": "[concat('vnet-', parameters('location'), '-hub')]",
 "bastionNetworkNsgName": "[concat('nsg-', parameters('location'), '-bastion')]",
@@ -367,7 +368,7 @@
 {
 "type": "Microsoft.Network/firewallPolicies",
 "apiVersion": "2020-11-01",
- "name": "[variables('fwPoliciesName')]",
+ "name": "[variables('fwPoliciesBaseName')]",
 "location": "[parameters('location')]",
 "properties": {
 "sku": {
@@ -386,38 +387,10 @@
 {
 "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
 "apiVersion": "2020-11-01",
- "name": "[concat(variables('fwPoliciesName'), '/DefaultDnatRuleCollectionGroup')]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[variables('fwPoliciesName')]"
- ],
- "properties": {
- "priority": 100,
- "ruleCollections": []
- }
- },
- {
- "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
- "apiVersion": "2020-11-01",
- "name": "[concat(variables('fwPoliciesName'), '/DefaultApplicationRuleCollectionGroup')]",
- "location":"[parameters('location')]",
- "dependsOn": [
- "[variables('fwPoliciesName')]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultDnatRuleCollectionGroup')]"
- ],
- "properties": {
- "priority": 300,
- "ruleCollections": []
- }
- },
- {
- "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
- "apiVersion": "2020-11-01",
- "name": "[concat(variables('fwPoliciesName'), '/DefaultNetworkRuleCollectionGroup')]",
+ "name": "[concat(variables('fwPoliciesBaseName'), '/DefaultNetworkRuleCollectionGroup')]",
 "location": "[parameters('location')]",
 "dependsOn": [
- "[variables('fwPoliciesName')]",
- "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultApplicationRuleCollectionGroup')]"
+ "[variables('fwPoliciesBaseName')]"
 ],
 "properties": {
 "priority": 200,
@@ -456,6 +429,75 @@
 }
 ]
 },
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2020-11-01",
+ "name": "[variables('fwPoliciesName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesBaseName'))]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesBaseName'), 'DefaultNetworkRuleCollectionGroup')]"
+ ],
+ "properties": {
+ "basePolicy": {
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesBaseName'))]"
+ },
+ "sku": {
+ "tier": "Standard"
+ },
+ "threatIntelMode": "Deny",
+ "threatIntelWhitelist": {
+ "ipAddresses": []
+ },
+ "dnsSettings": {
+ "servers": [],
+ "enableProxy": true
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
+ "apiVersion": "2020-11-01",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultDnatRuleCollectionGroup')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[variables('fwPoliciesName')]"
+ ],
+ "properties": {
+ "priority": 100,
+ "ruleCollections": []
+ }
+ },
+ {
+ "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
+ "apiVersion": "2020-11-01",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultApplicationRuleCollectionGroup')]",
+ "location":"[parameters('location')]",
+ "dependsOn": [
+ "[variables('fwPoliciesName')]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultDnatRuleCollectionGroup')]"
+ ],
+ "properties": {
+ "priority": 300,
+ "ruleCollections": []
+ }
+ },
+ {
+ "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
+ "apiVersion": "2020-11-01",
+ "name": "[concat(variables('fwPoliciesName'), '/DefaultNetworkRuleCollectionGroup')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[variables('fwPoliciesName')]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesName'), 'DefaultApplicationRuleCollectionGroup')]"
+ ],
+ "properties": {
+ "priority": 200,
+ "ruleCollections": []
+ }
+ }
+ ]
+ },
 {
 "type": "Microsoft.Network/azureFirewalls",
 "apiVersion": "2020-11-01",
diff --git a/networking/hub-regionA.json b/networking/hub-regionA.json
index a3edd2b3..55508de6 100644
--- a/networking/hub-regionA.json
+++ b/networking/hub-regionA.json
@@ -78,6 +78,7 @@
 "[concat(variables('baseFwPipName'), '-02')]"
 ],
 "hubFwName": "[concat('fw-', parameters('location'))]",
+ "fwPoliciesBaseName": "[concat('fw-policies-base')]",
 "fwPoliciesName": "[concat('fw-policies-', parameters('location'))]",
 "hubVNetName": "[concat('vnet-', parameters('location'), '-hub')]",
 "bastionNetworkNsgName": "[concat('nsg-', parameters('location'), '-bastion')]",
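Review bot: The `fwPoliciesName` policy added in the `@@ -456` hunk repeats `threatIntelMode`, `threatIntelWhitelist` and `dnsSettings` with exactly the values the `fwPoliciesBaseName` policy above it already carries, now that it is attached to that base through `basePolicy`. As I understand Firewall Policy inheritance, the threat-intelligence setting on a child is constrained by its parent, so the copy here can drift from the base without taking effect and misleads a reader into thinking it is the controlling value; confirm against the inheritance rules and either drop the duplicated block or state that it is intentionally per-region with a `"comments": "…"` entry on the resource. The three rule collection groups added alongside it are all empty `ruleCollections` placeholders, which is fine while the org-wide rules live in the base policy, but it is worth documenting that intent in the same place so the next reader does not add rules to the wrong tier.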
@@ -388,12 +389,83 @@
 ]
 }
 },
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2020-11-01",
+ "name": "[variables('fwPoliciesBaseName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "sku": {
+ "tier": "Standard"
+ },
+ "threatIntelMode": "Deny",
+ "threatIntelWhitelist": {
+ "ipAddresses": []
+ },
+ "dnsSettings": {
+ "servers": [],
+ "enableProxy": true
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
+ "apiVersion": "2020-11-01",
+ "name": "[concat(variables('fwPoliciesBaseName'), '/DefaultNetworkRuleCollectionGroup')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[variables('fwPoliciesBaseName')]"
+ ],
+ "properties": {
+ "priority": 200,
+ "ruleCollections": [
+ {
+ "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
+ "action": {
+ "type": "Allow"
+ },
+ "rules": [
+ {
+ "ruleType": "NetworkRule",
+ "name": "DNS",
+ "ipProtocols": [
+ "UDP"
+ ],
+ "sourceAddresses": [
+ "*"
+ ],
+ "sourceIpGroups": [],
+ "destinationAddresses": [
+ "*"
+ ],
+ "destinationIpGroups": [],
+ "destinationFqdns": [],
+ "destinationPorts": [
+ "53"
+ ]
+ }
+ ],
+ "name": "org-wide-allowed",
+ "priority": 100
+ }
+ ]
+ }
+ }
+ ]
+ },
 {
 "type": "Microsoft.Network/firewallPolicies",
 "apiVersion": "2020-11-01",
 "name": "[variables('fwPoliciesName')]",
 "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesBaseName'))]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', variables('fwPoliciesBaseName'), 'DefaultNetworkRuleCollectionGroup')]"
+ ],
 "properties": {
+ "basePolicy": {
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', variables('fwPoliciesBaseName'))]"
+ },
 "sku": {
 "tier": "Standard"
 },
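Review bot: The `org-wide-allowed` collection moved into `fwPoliciesBaseName` permits UDP/53 from `"*"` to `"*"`, and once it sits in the base policy every child policy inherits it and, as I understand the parent/child evaluation order, cannot narrow it with a rule of its own. With `dnsSettings.enableProxy` set to true on both policies the design appears to be that workloads resolve through the firewall, in which case an any-to-any DNS allow sidesteps the proxy and its FQDN-based rules and leaves an unrestricted outbound path on port 53; restricting `destinationAddresses` to the resolvers the platform actually uses (the firewall's own DNS proxy address, or the servers you intend to list in `dnsSettings.servers`) keeps the org-wide intent without the blanket allow. Separately, `fwPoliciesBaseName` is not location-qualified while its `location` is `parameters('location')`, and hub-default.json creates a policy of the same name in the preceding hunks; if both templates are ever deployed into one resource group the second deployment contends with the first on that resource, so a `"comments"` line on the resource saying which template owns the base policy would prevent that surprise.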
@@ -722,35 +794,6 @@
 "properties": {
 "priority": 200,
 "ruleCollections": [
- {
- "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
- "action": {
- "type": "Allow"
- },
- "rules": [
- {
- "ruleType": "NetworkRule",
- "name": "DNS",
- "ipProtocols": [
- "UDP"
- ],
- "sourceAddresses": [
- "*"
- ],
- "sourceIpGroups": [],
- "destinationAddresses": [
- "*"
- ],
- "destinationIpGroups": [],
- "destinationFqdns": [],
- "destinationPorts": [
- "53"
- ]
- }
- ],
- "name": "org-wide-allowed",
- "priority": 100
- },
 {
 "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
 "action": {

From cbe0e0b15a8c093dc91ca309c519b0066f8be60e Mon Sep 17 00:00:00 2001
From: Federico Arambarri
Date: Mon, 26 Apr 2021 14:14:00 -0300
Subject: [PATCH 6/6] fixing fw policy base name

---
 networking/hub-default.json | 2 +-
 networking/hub-regionA.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/networking/hub-default.json b/networking/hub-default.json
index 34474973..de6914d6 100644
--- a/networking/hub-default.json
+++ b/networking/hub-default.json
@@ -70,7 +70,7 @@
 "[concat(variables('baseFwPipName'), '-02')]"
 ],
 "hubFwName": "[concat('fw-', parameters('location'))]",
- "fwPoliciesBaseName": "[concat('fw-policies-base')]",
+ "fwPoliciesBaseName": "fw-policies-base",
 "fwPoliciesName": "[concat('fw-policies-', parameters('location'))]",
 "hubVNetName": "[concat('vnet-', parameters('location'), '-hub')]",
 "bastionNetworkNsgName": "[concat('nsg-', parameters('location'), '-bastion')]",
diff --git a/networking/hub-regionA.json b/networking/hub-regionA.json
index 55508de6..8c8ec32d 100644
--- a/networking/hub-regionA.json
+++ b/networking/hub-regionA.json
@@ -78,7 +78,7 @@
 "[concat(variables('baseFwPipName'), '-02')]"
 ],
 "hubFwName": "[concat('fw-', parameters('location'))]",
- "fwPoliciesBaseName": "[concat('fw-policies-base')]",
+ "fwPoliciesBaseName": "fw-policies-base",
 "fwPoliciesName": "[concat('fw-policies-', parameters('location'))]",
 "hubVNetName": "[concat('vnet-', parameters('location'), '-hub')]",
 "bastionNetworkNsgName": "[concat('nsg-', parameters('location'), '-bastion')]",