| 1 | +# Azure Firewall Standard |
| 2 | + |
| 3 | +This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with classic application and network rules. |
| 4 | + |
| 5 | +## Resources |
| 6 | + |
| 7 | +| Terraform Resource Type | Description | |
| 8 | +| - | - | |
| 9 | +| `azurerm_resource_group` | The resource group all the deployed resources.| |
| 10 | +| `azurerm_virtual_network` | The virtual network for the firewall. | |
| 11 | +| `azurerm_subnet` |The firewall subnet.| |
| 12 | +| `azurerm_public_ip` | The firewall public IP address. | |
| 13 | +| `azurerm_firewall` | The standard Azure Firewall. | |
| 14 | +| `azurerm_firewall_application_rule_collection` | The application rule collection. | |
| 15 | +| `azurerm_firewall_network_rule_collection` | The network rule collection. | |
| 16 | + |
| 17 | +## Variables |
| 18 | + |
| 19 | +| Name | Description | |
| 20 | +|-|-| |
| 21 | +| `resource_group_location` | Resource group location | |
| 22 | + |
| 23 | +## Example |
| 24 | + |
| 25 | +```bash |
| 26 | +$ terraform plan -out main.tfplan |
| 27 | + |
| 28 | +Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: |
| 29 | + + create |
| 30 | + |
| 31 | +Terraform will perform the following actions: |
| 32 | + |
| 33 | + # azurerm_firewall.fw will be created |
| 34 | + + resource "azurerm_firewall" "fw" { |
| 35 | + + id = (known after apply) |
| 36 | + + location = "eastus" |
| 37 | + + name = "testfirewall" |
| 38 | + + resource_group_name = "test-resources" |
| 39 | + + sku_name = (known after apply) |
| 40 | + + sku_tier = (known after apply) |
| 41 | + + threat_intel_mode = "Alert" |
| 42 | + |
| 43 | + + ip_configuration { |
| 44 | + + name = "configuration" |
| 45 | + + private_ip_address = (known after apply) |
| 46 | + + public_ip_address_id = (known after apply) |
| 47 | + + subnet_id = (known after apply) |
| 48 | + } |
| 49 | + } |
| 50 | + |
| 51 | + # azurerm_firewall_application_rule_collection.app-rc will be created |
| 52 | + + resource "azurerm_firewall_application_rule_collection" "app-rc" { |
| 53 | + + action = "Allow" |
| 54 | + + azure_firewall_name = "testfirewall" |
| 55 | + + id = (known after apply) |
| 56 | + + name = "apptestcollection" |
| 57 | + + priority = 100 |
| 58 | + + resource_group_name = "test-resources" |
| 59 | + |
| 60 | + + rule { |
| 61 | + + name = "testrule" |
| 62 | + + source_addresses = [ |
| 63 | + + "10.0.0.0/16", |
| 64 | + ] |
| 65 | + + target_fqdns = [ |
| 66 | + + "*.google.com", |
| 67 | + ] |
| 68 | + |
| 69 | + + protocol { |
| 70 | + + port = 443 |
| 71 | + + type = "Https" |
| 72 | + } |
| 73 | + } |
| 74 | + } |
| 75 | + |
| 76 | + # azurerm_firewall_network_rule_collection.net-rc will be created |
| 77 | + + resource "azurerm_firewall_network_rule_collection" "net-rc" { |
| 78 | + + action = "Allow" |
| 79 | + + azure_firewall_name = "testfirewall" |
| 80 | + + id = (known after apply) |
| 81 | + + name = "apptestcollection" |
| 82 | + + priority = 100 |
| 83 | + + resource_group_name = "test-resources" |
| 84 | + |
| 85 | + + rule { |
| 86 | + + destination_addresses = [ |
| 87 | + + "8.8.4.4", |
| 88 | + + "8.8.8.8", |
| 89 | + ] |
| 90 | + + destination_fqdns = [] |
| 91 | + + destination_ip_groups = [] |
| 92 | + + destination_ports = [ |
| 93 | + + "53", |
| 94 | + ] |
| 95 | + + name = "dnsrule" |
| 96 | + + protocols = [ |
| 97 | + + "TCP", |
| 98 | + + "UDP", |
| 99 | + ] |
| 100 | + + source_addresses = [ |
| 101 | + + "10.0.0.0/16", |
| 102 | + ] |
| 103 | + + source_ip_groups = [] |
| 104 | + } |
| 105 | + } |
| 106 | + |
| 107 | + # azurerm_public_ip.pip will be created |
| 108 | + + resource "azurerm_public_ip" "pip" { |
| 109 | + + allocation_method = "Static" |
| 110 | + + availability_zone = (known after apply) |
| 111 | + + fqdn = (known after apply) |
| 112 | + + id = (known after apply) |
| 113 | + + idle_timeout_in_minutes = 4 |
| 114 | + + ip_address = (known after apply) |
| 115 | + + ip_version = "IPv4" |
| 116 | + + location = "eastus" |
| 117 | + + name = "testpip" |
| 118 | + + resource_group_name = "test-resources" |
| 119 | + + sku = "Standard" |
| 120 | + + zones = (known after apply) |
| 121 | + } |
| 122 | + |
| 123 | + # azurerm_resource_group.rg will be created |
| 124 | + + resource "azurerm_resource_group" "rg" { |
| 125 | + + id = (known after apply) |
| 126 | + + location = "eastus" |
| 127 | + + name = "test-resources" |
| 128 | + } |
| 129 | + |
| 130 | + # azurerm_subnet.subnet will be created |
| 131 | + + resource "azurerm_subnet" "subnet" { |
| 132 | + + address_prefix = (known after apply) |
| 133 | + + address_prefixes = [ |
| 134 | + + "10.0.1.0/24", |
| 135 | + ] |
| 136 | + + enforce_private_link_endpoint_network_policies = false |
| 137 | + + enforce_private_link_service_network_policies = false |
| 138 | + + id = (known after apply) |
| 139 | + + name = "AzureFirewallSubnet" |
| 140 | + + resource_group_name = "test-resources" |
| 141 | + + virtual_network_name = "testvnet" |
| 142 | + } |
| 143 | + |
| 144 | + # azurerm_virtual_network.vnet will be created |
| 145 | + + resource "azurerm_virtual_network" "vnet" { |
| 146 | + + address_space = [ |
| 147 | + + "10.0.0.0/16", |
| 148 | + ] |
| 149 | + + dns_servers = (known after apply) |
| 150 | + + guid = (known after apply) |
| 151 | + + id = (known after apply) |
| 152 | + + location = "eastus" |
| 153 | + + name = "testvnet" |
| 154 | + + resource_group_name = "test-resources" |
| 155 | + + subnet = (known after apply) |
| 156 | + + vm_protection_enabled = false |
| 157 | + } |
| 158 | + |
| 159 | +Plan: 7 to add, 0 to change, 0 to destroy. |
| 160 | +``` |