Replies: 4 comments
-
Are you referring to one of the policy definitions as part of the reference implementation? In general, if a policy assignment exists, then you can only update that policy based on the exposed parameters. I.e., if you have a parameter for the rules, then you can update the assignment with additional rules. If larger modifications to the policy are needed - e.g., adding additional logic etc. - then you may have to remove the assignment, update the policy, and re-assign the policy.
-
Thanks for your response! I'm referring to this definition: I created an assignment on the connectivity subscription which deployed the firewall policy as expected. This is the value for the fwpolicy parameter for the initial assignment: Now I want to add an additional rule to this assignment (I know the rule doesn't make sense ;-)): When I update the parameter of the policy assignment it will not update the existing resource, since the condition in the policy definition only checks if the resource exists, and since that evaluates to true nothing will happen. Do you have a recommendation on how to handle those use cases? We would like to use policy assignments to manage the firewall rules and use Azure DevOps pipeline approvals to enforce company guidelines and create transparency.
-
For the above to work, we would need to expand on the "existenceCondition" object to include the particular fields that represent the rules, so you can remediate whenever the rules are being updated. We will add this to our backlog.
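The behaviour discussed in the comments above, as an added example that is not part of the original discussion or of the project's policy definition: a simplified Python model of how a deployIfNotExists effect decides whether to deploy, showing why an existence-only check ignores an updated rules parameter and what changes once `existenceCondition` compares the rule fields. The field path `properties.ruleCollectionGroups`, the resource name and the rule names are constructed for illustration and are not real Azure Policy aliases.

```python
# Simplified model of the deployIfNotExists decision; not the Azure Policy engine.
# Field paths, resource names and rule names below are hypothetical stand-ins.

def get_field(resource, path):
    """Walk a dotted path through nested dicts; None if a segment is missing."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(condition, resource):
    """Evaluate a tiny subset of the condition language: allOf and field/equals."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    return get_field(resource, condition["field"]) == condition["equals"]

def needs_deployment(details, related_resources):
    """True when no related resource satisfies type, name and existenceCondition."""
    for res in related_resources:
        if res["type"] != details["type"]:
            continue
        if "name" in details and res["name"] != details["name"]:
            continue
        # Without an existenceCondition, mere existence counts as compliant.
        cond = details.get("existenceCondition")
        if cond is None or matches(cond, res):
            return False
    return True

def build_details(desired_rules, check_rules):
    """Build the effect details, optionally comparing the deployed rules."""
    details = {"type": "Microsoft.Network/firewallPolicies", "name": "fwpolicy-hub"}
    if check_rules:
        details["existenceCondition"] = {"allOf": [
            {"field": "properties.ruleCollectionGroups", "equals": desired_rules}]}
    return details

# Constructed sample state: the firewall policy was deployed earlier with one rule.
DEPLOYED = [{"type": "Microsoft.Network/firewallPolicies", "name": "fwpolicy-hub",
             "properties": {"ruleCollectionGroups": ["allow-dns"]}}]
UPDATED_PARAM = ["allow-dns", "allow-ntp"]  # assignment parameter after the change

if __name__ == "__main__":
    print("existence only:", needs_deployment(build_details(UPDATED_PARAM, False), DEPLOYED))
    print("compare rules :", needs_deployment(build_details(UPDATED_PARAM, True), DEPLOYED))
```

In this model the existence-only definition reports the resource as compliant after the parameter change, so a remediation task has nothing to do; the definition that compares the rule fields reports drift and would trigger the deployment.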
-
Hi Kristian, thanks for your reply. We would like to support with extending the existing definition and already have an idea on how to do that, but maybe we can have a look at our approach together? Afterwards we would contribute the extended policy to the repo.
-
Hi,
I'm trying to figure out a way to perform incremental changes to a firewallpolicy assignment. Let's assume I have successfully deployed a firewallpolicy containing one rule and use this firewallpolicy with a secured virtual hub. Later I want to add another rule to this firewallpolicy assignment. How can I do that without deleting the firewall and the firewallpolicy?
Thanks for your help!
Timo