
Add Azure Firewall as an option - Bicep code development

Open yahanda opened this issue 2 years ago • 5 comments

Overview/Summary

https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?tabs=azure describes the need for inspecting and filtering egress traffic from AVD, but isn't this function typically a part of the platform landing zone and the 'network hub', so it is deployed as part of the platform foundation (different subscriptions), rather than the AVD landing zone?

This PR fixes/adds/changes/removes

  1. Add the following features to the Bicep code
    1. Create an Azure Firewall Policy and create Rule Collections for Network Rules and Application Rules to control Host pool outbound access.
    2. Create the Azure Firewall subnet in the existing hub vNet.
    3. Create the Azure Firewall with the created policy in the hub vNet.
  2. Add the following UI to the ARM templates
    1. CheckBox to choose whether to deploy Azure Firewall in the Hub vNet.
    2. TextBox to enter the Azure Firewall Subnet address prefix.

Breaking Changes

  1. N/A

Testing Evidence

Tested from the link here: https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fyahanda%2Favdaccelerator-bicep-edits%2Fmain%2Fworkload%2Farm%2Fdeploy-baseline.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fyahanda%2Favdaccelerator-bicep-edits%2Fmain%2Fworkload%2Fportal-ui%2Fportal-ui-baseline.json

  1. The portal displays a new firewall option. (screenshot)

  2. The deployment was successful. (screenshot)

  3. Firewall and related resources successfully deployed. (screenshots)

As part of this Pull Request I have

  • [x] Read the Contribution Guide and ensured this PR is compliant with the guide
  • [x] Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
  • [x] Checked for duplicate Pull Requests
  • [x] Associated it with relevant GitHub Issues
  • [x] (AVD LZA Team Only) Associated it with relevant ADO Items
  • [x] Ensured my code/branch is up-to-date with the latest changes in the main branch
  • [x] Performed testing and provided evidence.
  • [x] Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Docs etc.)

yahanda avatar Oct 04 '23 16:10 yahanda

@yahanda thanks for your contribution, we will review it and update you.

@jensheerin will ping you to make sure Bicep and TF AzFW code is aligned.

cc: @moisesjgomez

danycontre avatar Oct 04 '23 17:10 danycontre

@yahanda please sync your fork/branch with Azure/main.

danycontre avatar Oct 06 '23 15:10 danycontre

@danycontre I just synced with the latest changes into my branch. Thanks.

yahanda avatar Oct 10 '23 12:10 yahanda

@yahanda Thank you for your contribution! Reviewing the PR and will let you know of any further updates

moisesjgomez avatar Oct 30 '23 13:10 moisesjgomez

Hi @moisesjgomez, I have updated it based on your advice. I would like to ask you to review my branch.

  • We can choose to deploy the Fw to either the Hub vNet or another existing vNet.
  • In both cases, the vNet is peered with the AVD vNet and the UDR on the AVD subnet points to the Fw. Then, the Fw can control outbound network access.

Testing evidence

  1. Deploy Fw to Hub vNet (screenshots)

  2. Deploy Fw to another existing vNet (screenshots)

yahanda avatar Dec 11 '23 07:12 yahanda
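The steps listed in the PR description (firewall policy with network and application rule collections, AzureFirewallSubnet in the existing hub vNet, firewall bound to the policy) and the UDR described in the Dec 11 comment, as one added Bicep example. This is illustrative code written for this page, not the PR's own Bicep or the avdaccelerator project's code. It assumes an existing hub vNet passed in as `hubVnetName` in the same resource group and an AVD subnet prefix `avdSubnetPrefix`; the resource names, address prefixes and the specific rule set are constructed placeholders. The rules use the Azure Firewall `WindowsVirtualDesktop` service tag and FQDN tag to keep the allow-list narrow; the linked Microsoft doc remains the authoritative list of required endpoints.

```bicep
// Added example (not from the PR): hub-side Azure Firewall that controls AVD outbound traffic.
// Assumptions: hubVnetName exists in this resource group; the AVD spoke is already peered to it.
targetScope = 'resourceGroup'

param hubVnetName string                          // existing hub vNet (assumed name)
param firewallSubnetPrefix string = '10.0.1.0/26' // AzureFirewallSubnet needs at least a /26
param avdSubnetPrefix string = '10.1.0.0/24'      // constructed: host pool subnet the rules apply to
param location string = resourceGroup().location

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}

// 1) Firewall subnet in the hub; the name is fixed by the platform.
resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'AzureFirewallSubnet'
  properties: { addressPrefix: firewallSubnetPrefix }
}

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'avd-fw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// 2) Policy: implicit deny, threat-intel alerting, DNS proxy so network rules can use FQDNs.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'avd-fw-policy'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Alert'
    dnsSettings: { enableProxy: true }
  }
}

// Rule collections: only what the host pool needs outbound (illustrative minimum).
resource avdRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'avd-outbound'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'avd-network-rules'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'avd-service-443'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ avdSubnetPrefix ]
            destinationAddresses: [ 'WindowsVirtualDesktop', 'AzureMonitor' ] // service tags
            destinationPorts: [ '443' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'avd-application-rules'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'avd-fqdn-tags'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ avdSubnetPrefix ]
            fqdnTags: [ 'WindowsVirtualDesktop', 'WindowsUpdate' ] // Microsoft-maintained FQDN tags
          }
        ]
      }
    ]
  }
}

// 3) Firewall in the hub, bound to the policy. dependsOn avoids racing the rule group update.
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'avd-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      { name: 'ipconfig', properties: { subnet: { id: fwSubnet.id }, publicIPAddress: { id: fwPip.id } } }
    ]
  }
  dependsOn: [ avdRules ]
}

// 4) UDR for the AVD subnet: default route to the firewall's private IP.
resource avdRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'avd-rt'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fw.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

output firewallPrivateIp string = fw.properties.ipConfigurations[0].properties.privateIPAddress
```

The route table still has to be attached to the AVD subnet (the subnet's `routeTable` property in the spoke vNet deployment), and with the DNS proxy enabled the AVD vNet's DNS servers should point at `firewallPrivateIp` so FQDN-based rules resolve consistently. Keeping `disableBgpRoutePropagation` on prevents a learned route from bypassing the firewall, and the implicit deny of the policy means any endpoint missing from the rule set shows up as a denied flow in the firewall logs rather than silently succeeding, which is the check to run before widening the allow-list.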

Hi @danycontre, this doesn't seem to be merged yet. Can it be reopened?

CC: @swathibhat1

yahanda avatar Aug 13 '24 12:08 yahanda