
azurerm_network_security_rule support for protocol ESP and AH for IPsec traffic #11569

Closed
someoneelsescloud opened this issue May 4, 2021 · 2 comments · Fixed by #11581

Comments


someoneelsescloud commented May 4, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The resource azurerm_network_security_rule currently does not support the protocols Encapsulating Security Payload (ESP) and Authentication Header (AH) for IPsec traffic. As a result, an ANY / ANY rule is required on the Network Security Group to allow these protocols.

These protocols are also known as ESP (protocol 50) and AH (protocol 51). They cannot be added as ports and must be added as protocols.

Currently the Terraform resource azurerm_network_security_rule has the following configurable protocols (also appears to be the same options for azurerm_network_security_group using the embedded security_rule option):

protocol - (Required) Network protocol this rule applies to. Possible values include Tcp, Udp, Icmp, or * (which matches all).

New or Affected Resource(s)

azurerm_network_security_rule
azurerm_network_security_group (security_rule)

  • azurerm_v2.57.0
  • Terraform v0.15.1

Potential Terraform Configuration

resource "azurerm_network_security_group" "nsg" {
  name                = "nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "allow_esp_protocol"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "ESP"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_network_security_rule" "nsg_esp" {
  name                        = "allow_esp_protocol"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "ESP"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.resourcegroup.name
  network_security_group_name = azurerm_network_security_group.nsg.name
}

resource "azurerm_network_security_rule" "nsg_ah" {
  name                        = "allow_ah_protocol"
  priority                    = 101
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "AH"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.resourcegroup.name
  network_security_group_name = azurerm_network_security_group.nsg.name
}

Example Errors:

│ Error: expected protocol to be one of [* Tcp Udp Icmp], got ESP
│
│   with azurerm_network_security_rule.nsg_esp,
│   on main.tf line 53, in resource "azurerm_network_security_rule" "nsg_esp":
│   53: resource "azurerm_network_security_rule" "nsg_esp" {
│

│ Error: expected protocol to be one of [* Tcp Udp Icmp], got AH
│
│   with azurerm_network_security_rule.nsg_ah,
│   on main.tf line 67, in resource "azurerm_network_security_rule" "nsg_ah":
│   67: resource "azurerm_network_security_rule" "nsg_ah" {

References

Microsoft confirm that these protocols can be configured via Azure CLI: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview, see below for snippet.

  • Protocol | TCP, UDP, ICMP, ESP, AH, or Any.
  • #0000
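The security-relevant point of the request is the workaround it forces: without ESP/AH as protocol values, the only rule that lets IPsec through is protocol "*" on all ports, which also admits every other protocol between the same prefixes. The following Python script is an added example, not code from the issue or from the azurerm provider. It mirrors the provider's schema check (the accepted list before the fix is taken from the error text above; the post-fix spellings "Esp" and "Ah" are an assumption, as are the sample rules and the hypothetical 203.0.113.0/24 peer prefix), flags ANY/ANY allow rules, and renders the narrower ESP and AH pair that replaces each one.

```python
"""Audit Azure NSG rules for the ANY / ANY IPsec workaround and propose ESP/AH rules.

Added example; not part of the issue or the terraform-provider-azurerm code base.
Assumptions: protocol spellings "Esp"/"Ah" for the post-fix provider, and the
constructed sample rules below.
"""
from dataclasses import asdict, dataclass, replace
from typing import Dict, List, Optional

# Accepted protocol values before the fix, exactly as the provider's error lists them.
OLD_PROTOCOLS = ["*", "Tcp", "Udp", "Icmp"]
# Assumed accepted values once ESP and AH are supported.
NEW_PROTOCOLS = ["*", "Tcp", "Udp", "Icmp", "Esp", "Ah"]
# IP protocol numbers from the issue: ESP is protocol 50, AH is protocol 51.
IPSEC_PROTOCOLS = {"Esp": 50, "Ah": 51}


def validate_protocol(value: str, accepted: List[str]) -> Optional[str]:
    """Simplified schema check: return the provider-style error text, or None if valid."""
    if value in accepted:
        return None
    return f"expected protocol to be one of [{' '.join(accepted)}], got {value}"


@dataclass(frozen=True)
class SecurityRule:
    """Subset of the security_rule block fields relevant to the audit."""
    name: str
    priority: int
    direction: str
    access: str
    protocol: str
    source_port_range: str = "*"
    destination_port_range: str = "*"
    source_address_prefix: str = "*"
    destination_address_prefix: str = "*"


def is_any_any_allow(rule: SecurityRule) -> bool:
    """True for an Allow rule matching every protocol on every port (the workaround)."""
    return (
        rule.access == "Allow"
        and rule.protocol == "*"
        and rule.source_port_range == "*"
        and rule.destination_port_range == "*"
    )


def ipsec_replacements(rule: SecurityRule) -> List[SecurityRule]:
    """Derive one ESP and one AH rule from `rule`, keeping its prefixes and direction.
    ESP and AH carry no ports, so the port ranges stay "*"; priorities are
    consecutive starting from the original rule's priority."""
    return [
        replace(rule, name=f"allow_{proto.lower()}_protocol",
                priority=rule.priority + offset, protocol=proto)
        for offset, proto in enumerate(IPSEC_PROTOCOLS)
    ]


def audit(rules: List[SecurityRule]) -> Dict[str, List[SecurityRule]]:
    """Map each ANY / ANY allow rule's name to its proposed ESP/AH replacements."""
    return {r.name: ipsec_replacements(r) for r in rules if is_any_any_allow(r)}


def to_hcl(rule: SecurityRule) -> str:
    """Render a rule as a security_rule block in the style used in the issue."""
    lines = ["security_rule {"]
    for key, val in asdict(rule).items():
        lines.append(f"  {key} = {val if isinstance(val, int) else chr(34) + val + chr(34)}")
    lines.append("}")
    return "\n".join(lines)


# Constructed sample rule set: one IPsec workaround rule, one ordinary rule, one deny.
SAMPLE_RULES = [
    SecurityRule("allow_any_vpn", 100, "Inbound", "Allow", "*",
                 source_address_prefix="203.0.113.0/24"),
    SecurityRule("allow_ssh", 110, "Inbound", "Allow", "Tcp", destination_port_range="22"),
    SecurityRule("deny_all", 4096, "Inbound", "Deny", "*"),
]

if __name__ == "__main__":
    print(validate_protocol("ESP", OLD_PROTOCOLS))   # the error the issue reports
    print(validate_protocol("Esp", NEW_PROTOCOLS))   # None once ESP is accepted
    for name, repl in audit(SAMPLE_RULES).items():
        print(f"# rule {name!r} allows every protocol; narrower IPsec rules:")
        for r in repl:
            print(to_hcl(r))
```

Run it as a script to see the proposed blocks; the two replacement rules keep the original source prefix, so the change narrows the protocol set without widening the address scope. In practice the audit input would come from the provider state or the Azure API rather than the constructed list.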

ghost commented May 7, 2021

This has been released in version 2.58.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.58.0"
}
# ... other configuration ...


github-actions bot commented Jun 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2021