z ‐ Implementing Azure Firewall rules using Terraform - SanjeevOCI/Ocidocs GitHub Wiki

Here is an example of how to implement Azure Firewall rules using Terraform. This configuration will create an Azure Firewall, configure its network settings, and define rules for application and network traffic.


Steps to Implement Azure Firewall Rules Using Terraform


1. Prerequisites

  • Install Terraform: Download and install Terraform from Terraform's official website.
  • Azure CLI: Install Azure CLI and authenticate:
    az login
    az account set --subscription "<subscription-id>"
    

2. Terraform Configuration

Below is a complete Terraform configuration to create an Azure Firewall and define rules:

// Step 0: Pin the provider so the resource schema below matches the version in use
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

// Step 1: Specify the Azure provider
provider "azurerm" {
  features {}
}

// Step 2: Create a Resource Group
resource "azurerm_resource_group" "example" {
  name     = "example-firewall-rg"
  location = "East US"
}

// Step 3: Create a Virtual Network
resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

// Step 4: Create a Subnet for Azure Firewall
resource "azurerm_subnet" "firewall_subnet" {
  name                 = "AzureFirewallSubnet" // Must be named "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

// Step 5: Create a Public IP for Azure Firewall
resource "azurerm_public_ip" "firewall_public_ip" {
  name                = "example-firewall-pip"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Static"   // Azure Firewall requires a Static, Standard-SKU public IP
  sku                 = "Standard"
}

// Step 6: Create the Azure Firewall
resource "azurerm_firewall" "example" {
  name                = "example-firewall"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "AZFW_VNet" // VNet-deployed firewall; AZFW_Hub is for Virtual WAN hubs
  sku_tier            = "Standard"  // The provider takes sku_name/sku_tier attributes, not a sku {} block

  ip_configuration {
    name                 = "example-firewall-ipconfig"
    subnet_id            = azurerm_subnet.firewall_subnet.id
    public_ip_address_id = azurerm_public_ip.firewall_public_ip.id
  }
}

// Step 7: Define Firewall Rules
// Application Rule Collection (layer 7: filters outbound HTTP/HTTPS by FQDN)
resource "azurerm_firewall_application_rule_collection" "example_app_rule" {
  name                = "example-app-rule"
  azure_firewall_name = azurerm_firewall.example.name
  resource_group_name = azurerm_resource_group.example.name
  priority            = 100 // Lower numbers are evaluated first
  action              = "Allow"

  rule {
    name             = "allow-web-traffic"
    source_addresses = ["10.0.0.0/24"]
    target_fqdns     = ["www.example.com"]

    // The nested block is named "protocol" and takes "type" and "port" (port is a string)
    protocol {
      port = "80"
      type = "Http"
    }
  }
}

// Network Rule Collection (layer 3/4: matches on IP address, port and protocol)
resource "azurerm_firewall_network_rule_collection" "example_net_rule" {
  name                = "example-net-rule"
  azure_firewall_name = azurerm_firewall.example.name
  resource_group_name = azurerm_resource_group.example.name
  priority            = 200
  action              = "Allow"

  rule {
    name                  = "allow-ssh"
    source_addresses      = ["10.0.0.0/24"]
    destination_addresses = ["192.168.1.4"]
    destination_ports     = ["22"]
    protocols             = ["TCP"]
  }
}

// NAT Rule Collection (DNAT: inbound traffic to the firewall's public IP is forwarded to a private IP)
resource "azurerm_firewall_nat_rule_collection" "example_nat_rule" {
  name                = "example-nat-rule"
  azure_firewall_name = azurerm_firewall.example.name
  resource_group_name = azurerm_resource_group.example.name
  priority            = 300
  action              = "Dnat"

  rule {
    name                  = "nat-ssh"
    // "*" accepts connections from any source on the internet; restrict this to known
    // management ranges before using the rule outside a lab
    source_addresses      = ["*"]
    destination_addresses = [azurerm_public_ip.firewall_public_ip.ip_address]
    destination_ports     = ["22"]
    // In a real deployment this is the private IP of a workload VM in its own subnet,
    // not an address inside AzureFirewallSubnet
    translated_address    = "10.0.1.4"
    translated_port       = "22"
    protocols             = ["TCP"]
  }
}

3. Explanation of the Configuration

  1. Resource Group: A logical container for all resources.
  2. Virtual Network and Subnet:
    • A VNet is created with a dedicated subnet named AzureFirewallSubnet (mandatory for Azure Firewall).
  3. Public IP: A static public IP is created for the firewall.
  4. Azure Firewall:
    • The firewall is deployed with the public IP and subnet configuration.
  5. Firewall Rules:
    • Application Rule Collection: Allows HTTP traffic from 10.0.0.0/24 to a specific FQDN (e.g., www.example.com).
    • Network Rule Collection: Allows SSH (TCP/22) traffic from 10.0.0.0/24 to a specific IP address (192.168.1.4).
    • NAT Rule Collection: Redirects SSH traffic that arrives at the firewall's public IP to a private IP (DNAT). Because the rule's source_addresses is "*", any host on the internet can reach that SSH port; narrow the source list to known management ranges for anything beyond a lab.

4. Deploy the Configuration

  1. Initialize Terraform:
    terraform init
    
  2. Validate the Configuration:
    terraform validate
    
  3. Plan the Deployment:
    terraform plan
    
  4. Apply the Configuration:
    terraform apply
    
    • Confirm the prompt by typing yes.

5. Verify the Deployment

  • Go to the Azure Portal and navigate to the Resource Group.
  • Check the Azure Firewall and its associated rules under the Firewall Manager.

6. Clean Up Resources (Optional)

  • To destroy all resources created by Terraform:
    terraform destroy
    
    • Confirm the prompt by typing yes.

Best Practices

  1. Use Variables:
    • Store reusable values (e.g., resource names, IP ranges) in a variables.tf file.
  2. Secure Sensitive Data:
    • Use Azure Key Vault or environment variables to store sensitive information like IP addresses or credentials.
  3. Modularize:
    • Break the configuration into reusable modules for better organization.
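The three practices above fit together in one small layout: the rule collections move into a module, their inputs become variables, and a validation block turns the "no wildcard SSH source" caveat into a check that fails at terraform plan time. The following is an added example, not code from the original page; it assumes the azurerm_firewall.example and azurerm_resource_group.example resources from the configuration above already exist in the root module. The module path ./modules/firewall_rules, the variable names (workload_cidrs, allowed_ssh_sources, ssh_targets, allowed_fqdns), the 10.0.2.0/24 workload subnet and the FQDN list are all illustrative values chosen for this example.

```hcl
# modules/firewall_rules/variables.tf  (file boundaries shown as comments; all names assumed)
variable "firewall_name"       { type = string }
variable "resource_group_name" { type = string }

variable "workload_cidrs" {
  description = "Subnets whose outbound web traffic the application rules cover."
  type        = list(string)
}

variable "allowed_ssh_sources" {
  description = "Source ranges permitted to reach SSH on the targets below."
  type        = list(string)

  # Rejected at plan time: a wildcard, 0.0.0.0/0, or anything that is not a parsable CIDR.
  # can(cidrhost(...)) returns false instead of erroring on malformed input.
  validation {
    condition = alltrue([
      for cidr in var.allowed_ssh_sources :
      cidr != "*" && cidr != "0.0.0.0/0" && can(cidrhost(cidr, 0))
    ])
    error_message = "allowed_ssh_sources must be specific CIDR ranges; a wildcard or 0.0.0.0/0 is rejected."
  }
}

variable "ssh_targets" {
  description = "Private IPs that may be reached over SSH from the allowed sources."
  type        = list(string)
}

variable "allowed_fqdns" {
  description = "Rule name => FQDNs reachable over HTTPS from the workload subnets."
  type        = map(list(string))
}

# modules/firewall_rules/main.tf
resource "azurerm_firewall_application_rule_collection" "web" {
  name                = "allow-outbound-https"
  azure_firewall_name = var.firewall_name
  resource_group_name = var.resource_group_name
  priority            = 100
  action              = "Allow"

  # One rule per map entry, so adding a destination is a tfvars change, not a code change
  dynamic "rule" {
    for_each = var.allowed_fqdns
    content {
      name             = rule.key
      source_addresses = var.workload_cidrs
      target_fqdns     = rule.value
      protocol {
        port = "443"
        type = "Https"
      }
    }
  }
}

resource "azurerm_firewall_network_rule_collection" "ssh" {
  name                = "allow-ssh"
  azure_firewall_name = var.firewall_name
  resource_group_name = var.resource_group_name
  priority            = 200
  action              = "Allow"

  rule {
    name                  = "ssh-from-management"
    source_addresses      = var.allowed_ssh_sources
    destination_addresses = var.ssh_targets
    destination_ports     = ["22"]
    protocols             = ["TCP"]
  }
}

# Root module main.tf, next to the azurerm_firewall.example resource shown earlier
module "firewall_rules" {
  source              = "./modules/firewall_rules"
  firewall_name       = azurerm_firewall.example.name
  resource_group_name = azurerm_resource_group.example.name
  workload_cidrs      = ["10.0.2.0/24"] # assumed workload subnet, separate from AzureFirewallSubnet
  allowed_ssh_sources = ["10.0.2.0/24"] # setting this to ["*"] makes terraform plan fail validation
  ssh_targets         = ["10.0.2.4"]    # assumed VM private IP in the workload subnet
  allowed_fqdns = {
    "allow-example"       = ["www.example.com"]
    "allow-ubuntu-mirror" = ["azure.archive.ubuntu.com"]
  }
}
```

Running terraform plan with allowed_ssh_sources = ["*"] stops with the validation's error_message before any API call is made, which is the point of putting the constraint on the variable rather than relying on review of the rendered rule. The map-driven dynamic "rule" block keeps the collection's priority and action in one place while the allowed destinations live in terraform.tfvars, where they can be diffed and reviewed like any other data.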

This configuration demonstrates how to create and manage Azure Firewall rules using Terraform, ensuring secure and controlled traffic flow in your Azure environment.