claranet/terraform-azurerm-firewall

Azure Firewall

Changelog | Notice | Apache V2 License | OpenTofu Registry

Common Azure module to generate an Azure Firewall and its dedicated subnet.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|----------------|-------------------|------------------|-----------------|
| >= 8.x.x       | Unverified        | 1.8.x            | >= 4.0          |
| >= 7.x.x       | 1.3.x             |                  | >= 3.0          |
| >= 6.x.x       | 1.x               |                  | >= 3.0          |
| >= 5.x.x       | 0.15.x            |                  | >= 2.0          |
| >= 4.x.x       | 0.13.x / 0.14.x   |                  | >= 2.0          |
| >= 3.x.x       | 0.12.x            |                  | >= 2.0          |
| >= 2.x.x       | 0.12.x            |                  | < 2.0           |
| < 2.x.x        | 0.11.x            |                  | < 2.0           |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you and enforces our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables that this module needs. More details about the variables set by the terraform-wrapper are available in its documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. We recommend using OpenTofu instead.

module "firewall" {
  source  = "claranet/firewall/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name  = module.rg.name
  virtual_network_name = module.vnet.name
  subnet_cidr          = "10.10.0.0/22"

  network_rule_collections = [
    {
      name     = "RuleCollection1"
      priority = 100
      action   = "Allow"
      rules = [
        {
          name                  = "AllowSSHFromWorkload1ToWorkload2"
          source_addresses      = ["10.11.1.0/24"]
          destination_ports     = ["22"]
          destination_addresses = ["10.11.2.0/24"]
          protocols             = ["TCP"]
          destination_fqdns     = null
          destination_ip_groups = null
          source_ip_groups      = null
        },
        {
          name                  = "AllowRDPFromWorkload1ToWorkload2"
          source_addresses      = ["10.11.1.0/24"]
          destination_ports     = ["3389"]
          destination_addresses = ["10.11.2.0/24"]
          protocols             = ["TCP"]
          destination_fqdns     = null
          destination_ip_groups = null
          source_ip_groups      = null
        }
      ]
    }
  ]

  application_rule_collections = [
    {
      name     = "AppRuleCollection1"
      priority = 101
      action   = "Allow"
      rules = [
        {
          name             = "AllowGoogle"
          source_addresses = ["10.11.1.0/24", "10.11.2.0/24"]
          target_fqdns     = ["*.google.com", "*.google.fr"]
          source_ip_groups = null
          protocols = [
            {
              port = "443"
              type = "Https"
            },
            {
              port = "80"
              type = "Http"
            }
          ]
        }
      ]
    }
  ]

  nat_rule_collections = [
    {
      name     = "NatRuleCollection1"
      priority = 100
      action   = "Dnat"
      rules = [
        {
          name                  = "RedirectWeb"
          source_addresses      = ["*"]
          destination_ports     = ["80"]
          destination_addresses = ["x.x.x.x"] # Firewall public IP Address
          translated_port       = 80
          translated_address    = "10.11.2.4" # Backend in a workload subnet; the firewall's own subnet (subnet_cidr) holds only the firewall
          protocols             = ["TCP", "UDP"]
          source_ip_groups      = null
        }
      ]
    }
  ]

  logs_destinations_ids = [
    module.logs.storage_account_id,
    module.logs.id
  ]
}
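The rule collections above are Azure Firewall classic rules, and the module applies whatever it is given: a DNAT rule with `source_addresses = ["*"]` on a management port, an Allow network rule with `*` everywhere, or an application rule with `target_fqdns = ["*"]` will all deploy cleanly and leave the firewall effectively open. Azure also rejects two collections of the same kind with the same priority, but only at apply time. The script below is an added example, not part of this module or of Claranet's tooling: a pre-apply check that reads the JSON plan produced by `tofu show -json tfplan` and flags those patterns, plus the `firewall_policy_id` / rule collection conflict the Inputs table documents. The `azurerm_firewall_*_rule_collection` resource types, their `rule` block and the `firewall_policy_id` attribute are the azurerm provider's; `SAMPLE_PLAN` is constructed to match the shape of `tofu show -json` output and its addresses are placeholders.

```python
"""Pre-apply hygiene check for Azure Firewall classic rule collections in a tofu/terraform JSON plan.
Usage: tofu show -json tfplan > plan.json && python check_fw_plan.py plan.json   (exit 1 on findings)"""
import json
import sys
from typing import Any, Optional

# Ports that should never be DNAT-published to the whole internet.
MANAGEMENT_PORTS = {"22", "3389", "5985", "5986"}
# Source specifications that match every address in a classic rule.
ANY_SOURCE = {"*", "0.0.0.0/0"}
RULE_COLLECTION_TYPES = {
    "azurerm_firewall_nat_rule_collection",
    "azurerm_firewall_network_rule_collection",
    "azurerm_firewall_application_rule_collection",
}


def _matches_any(values: Optional[list[str]], wildcards: set[str]) -> bool:
    return bool(set(values or []) & wildcards)


def check_plan(plan: dict[str, Any]) -> list[str]:
    """Return human-readable findings for a `tofu show -json` plan; an empty list means clean."""
    findings: list[str] = []
    priorities: dict[tuple[str, Any], str] = {}
    policy_attached = False
    collections_present = False

    for change in plan.get("resource_changes", []):
        rtype = change.get("type", "")
        after = change.get("change", {}).get("after") or {}
        if not after:  # destroy-only change: nothing will exist afterwards
            continue
        if rtype == "azurerm_firewall" and after.get("firewall_policy_id"):
            policy_attached = True
            continue
        if rtype not in RULE_COLLECTION_TYPES:
            continue

        collections_present = True
        name = after.get("name") or change.get("address", rtype)

        # Priorities must be unique per collection kind; Azure only reports a clash at apply time.
        key = (rtype, after.get("priority"))
        if key in priorities:
            findings.append(f"{name}: priority {key[1]} already used by {priorities[key]} ({rtype})")
        priorities[key] = name

        for rule in after.get("rule") or []:
            rname = f"{name}/{rule.get('name')}"
            ports = set(rule.get("destination_ports") or [])
            any_source = _matches_any(rule.get("source_addresses"), ANY_SOURCE)

            if rtype == "azurerm_firewall_nat_rule_collection":
                exposed = (ports & MANAGEMENT_PORTS) or ({"*"} if "*" in ports else set())
                if any_source and exposed:
                    findings.append(f"{rname}: DNAT publishes {sorted(exposed)} to any source")
            elif after.get("action") != "Allow":
                continue  # Deny rules cannot widen access
            elif rtype == "azurerm_firewall_network_rule_collection":
                if any_source and "*" in ports and _matches_any(rule.get("destination_addresses"), {"*"}):
                    findings.append(f"{rname}: allows any source to any destination on any port")
            elif _matches_any(rule.get("target_fqdns"), {"*"}):
                findings.append(f"{rname}: allows every FQDN (wildcard target_fqdns)")

    if policy_attached and collections_present:
        findings.append("firewall_policy_id is set while classic rule collections are also planned; "
                        "the module documents these as mutually exclusive")
    return findings


# Constructed sample in the shape of `tofu show -json` output (not taken from a real deployment).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.firewall.azurerm_firewall_nat_rule_collection.main[0]",
     "type": "azurerm_firewall_nat_rule_collection",
     "change": {"actions": ["create"], "after": {"name": "NatRuleCollection1", "priority": 100, "action": "Dnat", "rule": [
         {"name": "RedirectWeb", "source_addresses": ["*"], "destination_ports": ["80"], "destination_addresses": ["203.0.113.10"],
          "translated_address": "10.11.2.4", "translated_port": "80", "protocols": ["TCP"]},
         {"name": "RdpToJumpbox", "source_addresses": ["*"], "destination_ports": ["3389"], "destination_addresses": ["203.0.113.10"],
          "translated_address": "10.11.2.5", "translated_port": "3389", "protocols": ["TCP"]}]}}},
    {"address": "module.firewall.azurerm_firewall_network_rule_collection.main[0]",
     "type": "azurerm_firewall_network_rule_collection",
     "change": {"actions": ["create"], "after": {"name": "RuleCollection1", "priority": 100, "action": "Allow", "rule": [
         {"name": "AllowAll", "source_addresses": ["*"], "destination_ports": ["*"], "destination_addresses": ["*"], "protocols": ["Any"]}]}}},
]}


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it checks `SAMPLE_PLAN` and reports two findings (the RDP DNAT rule and the allow-all network rule; the port-80 redirect is accepted). The check deliberately treats a wildcard as dangerous only when it is combined with an any-source or management-port condition, so ordinary egress rules such as "workload subnet to `*` on 443" pass.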

Providers

| Name     | Version   |
|----------|-----------|
| azurecaf | ~> 1.2.29 |
| azurerm  | ~> 4.0    |

Modules

| Name            | Source                                | Version  |
|-----------------|---------------------------------------|----------|
| diagnostics     | claranet/diagnostic-settings/azurerm  | ~> 8.0.0 |
| firewall_subnet | claranet/subnet/azurerm               | ~> 8.0.0 |

Resources

| Name                                                            | Type        |
|-----------------------------------------------------------------|-------------|
| azurerm_firewall.main                                           | resource    |
| azurerm_firewall_application_rule_collection.main               | resource    |
| azurerm_firewall_nat_rule_collection.main                       | resource    |
| azurerm_firewall_network_rule_collection.main                   | resource    |
| azurerm_public_ip.main                                          | resource    |
| azurerm_resource_group_template_deployment.firewall_workbook_logs | resource  |
| azurecaf_name.firewall                                          | data source |
| azurecaf_name.firewall_pip                                      | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_public_ips | List of additional public IPs' IDs to attach to the firewall. | `list(object({ name = string, public_ip_address_id = string }))` | `[]` | no |
| application_rule_collections | Create an application rule collection. | `list(object({ name = string, priority = number, action = string, rules = list(object({ name = string, source_addresses = list(string), source_ip_groups = list(string), target_fqdns = list(string), protocols = list(object({ port = string, type = string })) })) }))` | `null` | no |
| client_name | Client name/account used in naming. | `string` | n/a | yes |
| custom_name | Optional custom firewall name. | `string` | `""` | no |
| default_tags_enabled | Option to enable or disable default tags. | `bool` | `true` | no |
| deploy_log_workbook | Deploy the Azure Firewall log workbook in the Log Analytics workspace. See documentation. | `bool` | `true` | no |
| diagnostic_settings_custom_name | Custom name of the diagnostic settings; the name is `default` if not set. | `string` | `"default"` | no |
| dns_servers | DNS servers to use with Azure Firewall. Setting this also activates DNS Proxy. | `list(string)` | `null` | no |
| environment | Project environment. | `string` | n/a | yes |
| extra_tags | Extra tags to add. | `map(string)` | `{}` | no |
| firewall_policy_id | Attach an existing firewall policy to this firewall. Cannot be used in conjunction with the `network_rule_collections`, `application_rule_collections` and `nat_rule_collections` variables. | `string` | `null` | no |
| ip_configuration_name | Name of the `ip_configuration` block. See documentation. | `string` | `"ip_configuration"` | no |
| location | Azure region to use. | `string` | n/a | yes |
| location_short | Short string for Azure location. | `string` | n/a | yes |
| logs_categories | Log categories to send to destinations. | `list(string)` | `null` | no |
| logs_destinations_ids | List of destination resource IDs for the logs diagnostic destination. Can be a Storage Account, a Log Analytics Workspace and an Event Hub; no more than one of each can be set. To use an Azure Event Hub as a destination, provide a string containing both the Event Hub Namespace authorization (send) rule ID and the Event Hub name (the queue to use in the namespace), separated by the `\|` character. | `list(string)` | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | `list(string)` | `null` | no |
| name_prefix | Optional prefix for the generated name. | `string` | `""` | no |
| name_suffix | Optional suffix for the generated name. | `string` | `""` | no |
| nat_rule_collections | Create a NAT rule collection. | `list(object({ name = string, priority = number, action = string, rules = list(object({ name = string, source_addresses = list(string), source_ip_groups = list(string), destination_ports = list(string), destination_addresses = list(string), translated_port = number, translated_address = string, protocols = list(string) })) }))` | `null` | no |
| network_rule_collections | Create a network rule collection. | `list(object({ name = string, priority = number, action = string, rules = list(object({ name = string, source_addresses = list(string), source_ip_groups = list(string), destination_ports = list(string), destination_addresses = list(string), destination_ip_groups = list(string), destination_fqdns = list(string), protocols = list(string) })) }))` | `null` | no |
| private_ip_ranges | A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates that Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. | `list(string)` | `null` | no |
| public_ip_custom_name | Custom name for the public IP. | `string` | `null` | no |
| public_ip_ddos_protection_mode | The DDoS protection mode to use for the firewall's public address. | `string` | `"VirtualNetworkInherited"` | no |
| public_ip_zones | Public IP zones to configure. | `list(number)` | `[1, 2, 3]` | no |
| resource_group_name | Resource group name. | `string` | n/a | yes |
| sku_tier | SKU tier of the firewall. Possible values are `Premium` and `Standard`. | `string` | `"Standard"` | no |
| stack | Project stack name. | `string` | n/a | yes |
| subnet_cidr | The address prefix to use for the firewall's subnet. | `string` | n/a | yes |
| subnet_default_outbound_access_enabled | Whether to allow default outbound traffic from the subnet. | `bool` | `false` | no |
| virtual_network_name | Name of the VNet attached to the firewall. | `string` | n/a | yes |
| zones | Optional. Specifies a list of Availability Zones in which this Azure Firewall should be located. Changing this forces a new Azure Firewall to be created. | `list(number)` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| diagnostic_settings | Diagnostic settings module object. |
| id | Firewall generated ID. |
| module_subnet | Subnet module object. |
| name | Firewall name. |
| private_ip_address | Firewall private IP. |
| public_ip_address | Firewall public IP. |
| resource | Azure Firewall resource object. |
| resource_application_rule_collection | Azure Firewall application rule collection resource object. |
| resource_nat_rule_collection | Azure Firewall NAT rule collection resource object. |
| resource_network_rule_collection | Azure Firewall network rule collection resource object. |
| resource_public_ip | Azure Firewall public IP resource object. |
| subnet_id | ID of the subnet attached to the firewall. |
