# pylint: disable=line-too-long,useless-suppression
# coding=utf-8
# --------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See License.txt in the project root for license information.
# Code generated by Microsoft (R) AutoRest Code Generator.
# Changes may cause incorrect behavior and will be lost if the code is regenerated.
# --------------------------------------------------------------------------

import os

from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python azure_firewall_put.py

    Before running the sample, set the client ID, tenant ID and client secret of the
    AAD (Microsoft Entra ID) application as the environment variables AZURE_CLIENT_ID,
    AZURE_TENANT_ID and AZURE_CLIENT_SECRET. Note that DefaultAzureCredential also
    tries other sources (for example managed identity and Azure CLI / developer-tool
    logins), so confirm which identity is actually being used before running this
    against a real subscription, and prefer a secret-less option such as managed
    identity or workload identity over a long-lived client secret where you can.
    For more information on how to obtain these values, see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


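def main():
    """Create or update the sample Azure Firewall ``azurefirewall`` in resource group ``rg1``.

    Authenticates with ``DefaultAzureCredential``. The subscription is taken from
    the ``AZURE_SUBSCRIPTION_ID`` environment variable when it is set; otherwise
    the original placeholder ``"subid"`` is used, so the request this sample
    sends is unchanged by default. Every ARM resource ID embedded in the request
    body is built from the same subscription / resource-group / firewall names,
    so the payload cannot drift out of sync with the subscription the client is
    actually authenticated against.

    Blocks on ``.result()`` until the long-running create-or-update finishes,
    then prints the returned AzureFirewall resource. Nothing is caught here:
    authentication, HTTP and polling errors propagate from the SDK.
    """
    subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID", "subid")
    resource_group_name = "rg1"
    azure_firewall_name = "azurefirewall"

    # Shared ARM ID prefixes. The rule-collection IDs must point at the firewall
    # being created, under the subscription the client targets.
    network_prefix = (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
        "/providers/Microsoft.Network"
    )
    firewall_prefix = f"{network_prefix}/azureFirewalls/{azure_firewall_name}"

    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id=subscription_id,
    )

    # L7 rule: deny HTTPS to www.test.com from the two listed sources. Priority
    # orders collections of the same type (lower number is evaluated first).
    application_rule_collections = [
        {
            "id": f"{firewall_prefix}/applicationRuleCollections/apprulecoll",
            "name": "apprulecoll",
            "properties": {
                "action": {"type": "Deny"},
                "priority": 110,
                "rules": [
                    {
                        "description": "Deny inbound rule",
                        "name": "rule1",
                        "protocols": [{"port": 443, "protocolType": "Https"}],
                        "sourceAddresses": ["216.58.216.164", "10.0.0.0/24"],
                        "targetFqdns": ["www.test.com"],
                    }
                ],
            },
        }
    ]

    # The firewall needs a public IP and must sit in a subnet named
    # "AzureFirewallSubnet"; both are referenced by ID and must already exist.
    ip_configurations = [
        {
            "name": "azureFirewallIpConfiguration",
            "properties": {
                "publicIPAddress": {"id": f"{network_prefix}/publicIPAddresses/pipName"},
                "subnet": {"id": f"{network_prefix}/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"},
            },
        }
    ]

    # DNAT rules map the firewall's public address (1.2.3.4) onto internal backends.
    # NOTE(review): "sourceAddresses": ["*"] admits any source, so the translated
    # backends (1.2.3.5:8443 and internalhttpserver:880) are reachable from any
    # network that can reach 1.2.3.4. Narrow the sources before reusing this
    # outside a demo. The FQDN translation target relies on the firewall's DNS
    # settings — confirm DNS proxy / resolution is configured for it.
    nat_rule_collections = [
        {
            "id": f"{firewall_prefix}/natRuleCollections/natrulecoll",
            "name": "natrulecoll",
            "properties": {
                "action": {"type": "Dnat"},
                "priority": 112,
                "rules": [
                    {
                        "description": "D-NAT all outbound web traffic for inspection",
                        "destinationAddresses": ["1.2.3.4"],
                        "destinationPorts": ["443"],
                        "name": "DNAT-HTTPS-traffic",
                        "protocols": ["TCP"],
                        "sourceAddresses": ["*"],
                        "translatedAddress": "1.2.3.5",
                        "translatedPort": "8443",
                    },
                    {
                        "description": "D-NAT all inbound web traffic for inspection",
                        "destinationAddresses": ["1.2.3.4"],
                        "destinationPorts": ["80"],
                        "name": "DNAT-HTTP-traffic-With-FQDN",
                        "protocols": ["TCP"],
                        "sourceAddresses": ["*"],
                        "translatedFqdn": "internalhttpserver",
                        "translatedPort": "880",
                    },
                ],
            },
        }
    ]

    # L4 deny rules keyed on source ranges and TCP ports; the second rule matches
    # the destination by FQDN rather than by address.
    network_rule_collections = [
        {
            "id": f"{firewall_prefix}/networkRuleCollections/netrulecoll",
            "name": "netrulecoll",
            "properties": {
                "action": {"type": "Deny"},
                "priority": 112,
                "rules": [
                    {
                        "description": "Block traffic based on source IPs and ports",
                        "destinationAddresses": ["*"],
                        "destinationPorts": ["443-444", "8443"],
                        "name": "L4-traffic",
                        "protocols": ["TCP"],
                        "sourceAddresses": ["192.168.1.1-192.168.1.12", "10.1.4.12-10.1.4.255"],
                    },
                    {
                        "description": "Block traffic based on source IPs and ports to amazon",
                        "destinationFqdns": ["www.amazon.com"],
                        "destinationPorts": ["443-444", "8443"],
                        "name": "L4-traffic-with-FQDN",
                        "protocols": ["TCP"],
                        "sourceAddresses": ["10.2.4.12-10.2.4.255"],
                    },
                ],
            },
        }
    ]

    # "threatIntelMode": "Alert" only logs hits against Microsoft's threat-intel
    # feed; use "Deny" to block them. "zones": [] opts out of availability-zone
    # redundancy.
    poller = client.azure_firewalls.begin_create_or_update(
        resource_group_name=resource_group_name,
        azure_firewall_name=azure_firewall_name,
        parameters={
            "location": "West US",
            "properties": {
                "applicationRuleCollections": application_rule_collections,
                "ipConfigurations": ip_configurations,
                "natRuleCollections": nat_rule_collections,
                "networkRuleCollections": network_rule_collections,
                "sku": {"name": "AZFW_VNet", "tier": "Standard"},
                "threatIntelMode": "Alert",
            },
            "tags": {"key1": "value1"},
            "zones": [],
        },
    )
    # Block until the ARM long-running operation completes.
    response = poller.result()
    print(response)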


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2024-07-01/examples/AzureFirewallPut.json
# Entry point: running ``python azure_firewall_put.py`` invokes main(); importing
# the module does not send any request.
if __name__ == "__main__":
    main()