
Azure Terraform - Firewall

This page outlines the configuration of Azure Firewall and associated firewall policies for securing the network. The firewall ensures that traffic is controlled and filtered, allowing only authorized communication to pass through, providing an additional layer of security for the Azure environment.

The reference includes:

  • Setting up an Azure Firewall instance with public IP configurations for both the primary and management interfaces.
  • Defining a firewall policy with specific rule collections to control outbound HTTP and HTTPS traffic.
  • Configuring application rules that allow traffic only to the FQDNs the environment requires.
  • Creating and assigning public IP addresses for firewall management.

This configuration ensures that the Azure Firewall protects your network with precise traffic filtering, aligned with best practices for managing security in Azure.

# Azure Firewall instance. It attaches the policy declared in this file and
# exposes two interfaces: the data-plane interface on the firewall subnet and
# a separate management interface on the dedicated management subnet.
resource "azurerm_firewall" "this" {
  name                = "${local.fingerprint}-firewall"
  resource_group_name = local.azure_resource_group
  location            = var.azure_location

  # Rules are not defined inline; they come from the policy below. The policy's
  # sku and this sku_tier both read var.azure_firewall_sku_tier, which keeps
  # the two from drifting apart.
  firewall_policy_id = azurerm_firewall_policy.this.id

  # VNet-hosted deployment; the tier (e.g. Basic/Standard/Premium) is variable-driven.
  sku_name = "AZFW_VNet"
  sku_tier = var.azure_firewall_sku_tier

  tags = local.tags

  # Data-plane interface. azurerm_public_ip.external is declared elsewhere in the module.
  ip_configuration {
    name                 = "cfg"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.external.id
  }

  # Management interface on its own subnet and its own public IP (declared in this file).
  management_ip_configuration {
    name                 = "cfg-mgmt"
    subnet_id            = azurerm_subnet.firewall_mgmt.id
    public_ip_address_id = azurerm_public_ip.firewall_mgmt.id
  }
}

# Firewall policy that holds the rule collection group(s); it is bound to the
# firewall through firewall_policy_id. Its sku must match the firewall's
# sku_tier, which is why both read var.azure_firewall_sku_tier.
# NOTE(review): threat_intelligence_mode is left at the provider default here —
# confirm that is the intended setting for this environment.
resource "azurerm_firewall_policy" "this" {
  name                = "${local.fingerprint}-fwpolicy"
  location            = var.azure_location
  resource_group_name = local.azure_resource_group

  sku  = var.azure_firewall_sku_tier
  tags = local.tags
}

# Rule collection group attached to the policy above. Only an application rule
# collection is defined here: it allows HTTP (80) and HTTPS (443) from any
# source address to the FQDNs listed in local.hosts_all. No network rule
# collection appears in this group; if the workload needs non-HTTP egress it
# would have to be allowed elsewhere — confirm against the rest of the module.
resource "azurerm_firewall_policy_rule_collection_group" "this" {
  name               = "${local.fingerprint}-fwpolicy-rcg"
  firewall_policy_id = azurerm_firewall_policy.this.id
  # Priority of this group within the policy (lower number is evaluated first).
  priority           = 500

  # Single Allow collection; both rules below share the same source scope and
  # the same FQDN allow-list, differing only in protocol/port.
  application_rule_collection {
    name     = "aks-application"
    priority = 500
    action   = "Allow"

    # NOTE(review): source_addresses = ["*"] matches every source that reaches
    # the firewall, not only the AKS subnet the collection name suggests.
    # Narrowing it to the workload subnet's range (<AKS_SUBNET_CIDR>) would
    # limit which clients can use this FQDN allow-list — confirm with the
    # module's subnet definitions.
    # Plain-HTTP egress is unencrypted; keep this rule only for hosts in
    # local.hosts_all that genuinely need port 80.
    rule {
      name = "http-outbound"
      protocols {
        type = "Http"
        port = 80
      }
      source_addresses  = ["*"]
      destination_fqdns = local.hosts_all
    }

    # HTTPS counterpart of the rule above; same source scope and allow-list.
    # local.hosts_all is defined elsewhere in the module.
    rule {
      name = "https-outbound"
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = ["*"]
      destination_fqdns = local.hosts_all
    }
  }
}

# Public IP for the firewall's management interface; consumed by
# management_ip_configuration on azurerm_firewall.this.
resource "azurerm_public_ip" "firewall_mgmt" {
  name                = "${local.fingerprint}-fwmgmt-ip-public"
  location            = var.azure_location
  resource_group_name = local.azure_resource_group
  tags                = local.tags

  # Azure Firewall expects Standard-SKU, statically allocated public IPs.
  sku               = "Standard"
  allocation_method = "Static"
}