
Add Azure Firewall as an option - Bicep code development #499

Closed
wants to merge 131 commits into from

Conversation

yahanda
Contributor

@yahanda yahanda commented Oct 4, 2023

Overview/Summary

https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?tabs=azure
The linked page describes the need for inspecting and filtering egress traffic from AVD, but isn't this function typically part of the platform landing zone and the 'network hub', so that it is deployed as part of the platform foundation (different subscriptions) rather than the AVD landing zone?

This PR fixes/adds/changes/removes

  1. Add the following features to the Bicep code
    1. create Azure Firewall Policy and create Rule Collections for Network Rules and Application Rules to control Host pool outbound access.
    2. create Azure Firewall subnet in the existing hub vNet.
    3. create Azure Firewall with the created policy in the hub vNet.
  2. Add the following UI to ARM templates
    1. CheckBox to deploy Azure Firewall in Hub vNet or not.
    2. TextBox to enter Azure Firewall Subnet address prefix.

Breaking Changes

  1. N/A

Testing Evidence

Tested from the link here: https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fyahanda%2Favdaccelerator-bicep-edits%2Fmain%2Fworkload%2Farm%2Fdeploy-baseline.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fyahanda%2Favdaccelerator-bicep-edits%2Fmain%2Fworkload%2Fportal-ui%2Fportal-ui-baseline.json

  1. The portal displays a new firewall option.
    [screenshot]

  2. The deployment was successful.
    [screenshot]

  3. Firewall and related resources successfully deployed.
    [screenshot]
    [screenshot]
    [screenshot]

As part of this Pull Request I have

  • Read the Contribution Guide and ensured this PR is compliant with the guide
  • Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
  • Checked for duplicate Pull Requests
  • Associated it with relevant GitHub Issues
  • (AVD LZA Team Only) Associated it with relevant ADO Items
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Docs etc.)

@danycontre
Collaborator

@yahanda thanks for your contribution, we will review it and update you.

@jensheerin will ping you to make sure Bicep and TF AzFW code is aligned.

cc: @moisesjgomez

@danycontre
Collaborator

@yahanda please sync your fork/branch with Azure/main.

@yahanda
Contributor Author

yahanda commented Oct 10, 2023

@danycontre I just synced with the latest changes into my branch. Thanks.

@moisesjgomez
Contributor

@yahanda Thank you for your contribution! Reviewing the PR and will let you know of any further updates

@moisesjgomez moisesjgomez changed the base branch from main to AzFW October 31, 2023 16:14
@yahanda
Contributor Author

yahanda commented Dec 11, 2023

Hi @moisesjgomez, I have updated it based on your advice. I would like to ask you to review my branch.

  • We can choose to deploy the Fw to either the Hub vNet or another existing vNet.
  • In both cases, the vNet is peered with the AVD vNet and the UDR on the AVD subnet points to the Fw. Then, the Fw can control outbound network access.

Testing evidence

  1. Deploy Fw to Hub vNet
    [screenshot]
    [screenshot]

  2. Deploy Fw to another existing vNet
    [screenshot]
    [screenshot]
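The three Bicep steps from the PR description (firewall policy with network and application rule collections, AzureFirewallSubnet added to the existing hub vNet, firewall bound to the policy) together with the UDR arrangement from the comment above, sketched as an added Bicep example. This is not code from this PR or from the avdaccelerator repository: the resource names, address prefixes, API version and the two sample rules are assumptions, and the peering between the firewall's vNet and the AVD vNet is assumed to already exist.

```bicep
// Added example, not code from the PR or the avdaccelerator project. Sketches the PR's three
// Bicep steps plus the AVD-subnet UDR from the Dec 11 comment. All resource names, address
// prefixes, the API version and the two sample rules are assumptions for illustration.
param location string = resourceGroup().location
param hubVnetName string                             // existing hub (or other) vNet, assumed already peered with the AVD vNet
param firewallSubnetPrefix string = '10.0.255.0/26'  // the value the portal text box collects; Azure needs at least a /26 here
param avdSubnetPrefix string = '10.1.0.0/24'         // assumed AVD host pool subnet

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}
// Step 2: the firewall subnet in the existing hub vNet. The subnet name is fixed by Azure.
resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'AzureFirewallSubnet'
  properties: { addressPrefix: firewallSubnetPrefix }
}
// Step 1: the policy, then one network and one application rule collection under it.
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'avd-fw-policy'
  location: location
  properties: { sku: { tier: 'Standard' }, threatIntelMode: 'Alert' }
}
resource ruleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'avd-outbound'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'avd-network-rules'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            // Sample network rule: session hosts to the AVD control plane via its service tag.
            ruleType: 'NetworkRule'
            name: 'allow-avd-control-plane'
            ipProtocols: ['TCP']
            sourceAddresses: [avdSubnetPrefix]
            destinationAddresses: ['WindowsVirtualDesktop']
            destinationPorts: ['443']
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'avd-application-rules'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            // Sample application rule: Windows Update through the built-in FQDN tag.
            ruleType: 'ApplicationRule'
            name: 'allow-windows-update'
            protocols: [{ protocolType: 'Https', port: 443 }]
            sourceAddresses: [avdSubnetPrefix]
            fqdnTags: ['WindowsUpdate']
          }
        ]
      }
    ]
  }
}
resource firewallPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'avd-fw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
// Step 3: the firewall in the hub vNet, bound to the policy above.
resource azureFirewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'avd-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: firewallPolicy.id }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: { subnet: { id: firewallSubnet.id }, publicIPAddress: { id: firewallPip.id } }
      }
    ]
  }
}
// UDR for the AVD subnet: a default route to the firewall's private IP so host pool egress is
// inspected. Associate it with the AVD subnet where that subnet is declared (not shown here).
resource avdRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'avd-subnet-udr'
  location: location
  properties: {
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create -g <resource-group> -f main.bicep -p hubVnetName=<hub-vnet-name>`. The route table reads the firewall's private IP straight from the deployed resource, so Bicep orders the deployment correctly without an explicit `dependsOn`; the default route is what turns the rule collections into an enforced egress policy, because without it AVD traffic never reaches the firewall.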

@danycontre danycontre closed this Apr 15, 2024
@yahanda
Contributor Author

yahanda commented Aug 13, 2024

Hi @danycontre, this doesn't seem to be merged yet. Can it be reopened?

CC: @swathibhat1
