
feature request: Azure Firewall Configuration does not support Specific Public IP addresses or multiple Public IP addresses #1083

Open
archmangler opened this issue Aug 15, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@archmangler

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform:

all

azure provider:

all

module:

all

Description

Describe the bug

The terraform configuration block for Azure Firewall does not support specification of multiple public IP addresses or of a single static public IP address:

  • variables.tf:
            azure_firewall = object({
              enabled = bool
              config = object({
                address_prefix                = string
                enable_dns_proxy              = bool
                dns_servers                   = list(string)
                sku_tier                      = string
                base_policy_id                = string
                private_ip_ranges             = list(string)
                threat_intelligence_mode      = string
                threat_intelligence_allowlist = list(string)
                availability_zones = object({
                  zone_1 = bool
                  zone_2 = bool
                  zone_3 = bool
                })
              })
            })


Steps to Reproduce

  1. Edit the variables.tf in the root module
  2. Attempt to specify a static Public IP address or multiple static public IP addresses

Screenshots

            azure_firewall = object({
              enabled = bool
              config = object({
                address_prefix                = string
                enable_dns_proxy              = bool
                dns_servers                   = list(string)
                sku_tier                      = string
                base_policy_id                = string
                private_ip_ranges             = list(string)
                threat_intelligence_mode      = string
                threat_intelligence_allowlist = list(string)
                availability_zones = object({
                  zone_1 = bool
                  zone_2 = bool
                  zone_3 = bool
                })
              })
            })

Additional context

Lack of support for easily specifying multiple Public IP addresses (static or dynamic) in the configuration means the user is unable to make use of key features of the Azure Firewall:

  • DNAT is handicapped to only the default PIP.
  • Compliance policies which mandate the use of separate public IP addresses for different services even through the same firewall are difficult or expensive to meet - even though AFW supports these capabilities.
@matt-FFFFFF matt-FFFFFF changed the title from "Bug Report: Azure Firewall Configuration does not support Specific Public IP addresses or multiple Public IP addresses" to "feature request: Azure Firewall Configuration does not support Specific Public IP addresses or multiple Public IP addresses" Aug 16, 2024
@matt-FFFFFF
Member

Hi, this isn't a bug; we will consider this feature for a future release.

@matt-FFFFFF matt-FFFFFF added the enhancement New feature or request label Aug 16, 2024
@cndaan
Contributor

cndaan commented Sep 5, 2024

Does anybody have a workaround for adding extra public IPs to the firewall? I tried using the advanced options, but this will only override the current public IP address and not add additional public IPs, unfortunately.

@cndaan
Contributor

cndaan commented Sep 12, 2024

A workaround for now is to create extra public IPs and add them as overrides in the connectivity settings:

advanced = {
  custom_settings_by_resource_type = {
    azurerm_firewall = {
      connectivity = {
        westeurope = {
          name = "afw-hub-weu-01"
          ip_configuration = [
            {
              name                 = "pip-fw-weu-01"
              private_ip_address   = "10.0.0.4"
              public_ip_address_id = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPAddresses/pip-fw-weu-01"
              subnet_id            = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/virtualNetworks/<vnet_name>/subnets/AzureFirewallSubnet"
            },
            {
              name                 = "pip2-fw-weu-01"
              public_ip_address_id = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPAddresses/pip2-fw-weu-01"
            }
          ]
        }
      }
    }
  }
}
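The following is an added example, not code from the issue or from the Azure/caf-enterprise-scale module itself, that puts the workaround from the comment above into a complete root-module fragment: the extra public IPs are created in Terraform (Azure Firewall requires Standard-SKU, statically allocated public IPs) and their IDs are fed into the `azurerm_firewall` override with a `for` expression, so each externally exposed service can get its own address for DNAT. The resource group, location, IP names, module version, and the primary PIP and subnet IDs are assumptions or placeholders, not values taken from the issue.

```hcl
# Added example (not from the issue or the module): extra static public IPs
# created in Terraform and attached to the hub firewall via the override pattern.
# Names, resource group, location and module version below are assumptions.

locals {
  location = "westeurope"          # assumption
  afw_rg   = "rg-connectivity-weu" # assumption: hub resource group
  # One public IP per exposed service, so each DNAT rule and each
  # compliance boundary gets its own address.
  extra_pips = ["pip2-fw-weu-01", "pip3-fw-weu-01"]
}

# Azure Firewall only accepts Standard-SKU, statically allocated public IPs.
resource "azurerm_public_ip" "afw_extra" {
  for_each = toset(local.extra_pips)

  name                = each.key
  resource_group_name = local.afw_rg
  location            = local.location
  allocation_method   = "Static"
  sku                 = "Standard"
  zones               = ["1", "2", "3"] # match the firewall's availability zones
}

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~> 6.0" # assumption: pin to the version you actually use

  # ... root_parent_id, providers and the other required inputs go here ...

  configure_connectivity_resources = {
    settings = {
      hub_networks = [
        {
          enabled = true
          config = {
            # ... address space, subnets, etc. from your existing configuration ...
            azure_firewall = {
              enabled = true
              config = {
                address_prefix                = "10.0.0.0/26"
                enable_dns_proxy              = true
                dns_servers                   = []
                sku_tier                      = "Standard"
                base_policy_id                = ""
                private_ip_ranges             = []
                threat_intelligence_mode      = "Alert"
                threat_intelligence_allowlist = []
                availability_zones = {
                  zone_1 = true
                  zone_2 = true
                  zone_3 = true
                }
              }
            }
          }
        }
      ]
    }

    # The override replaces the firewall's whole ip_configuration list, so the
    # primary entry (the only one allowed to carry subnet_id) must be repeated.
    advanced = {
      custom_settings_by_resource_type = {
        azurerm_firewall = {
          connectivity = {
            (local.location) = {
              ip_configuration = concat(
                [
                  {
                    name                 = "pip-fw-weu-01"
                    public_ip_address_id = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPAddresses/pip-fw-weu-01"
                    subnet_id            = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/virtualNetworks/<vnet_name>/subnets/AzureFirewallSubnet"
                  }
                ],
                [
                  for pip in azurerm_public_ip.afw_extra : {
                    name                 = pip.name
                    public_ip_address_id = pip.id
                  }
                ]
              )
            }
          }
        }
      }
    }
  }
}
```

Two things to check in `terraform plan` before applying: only the first `ip_configuration` entry may carry `subnet_id` (the additional entries take just `name` and `public_ip_address_id`, exactly as in the comment above), and because the override replaces the list rather than appending to it, make sure the primary entry still references the firewall's existing public IP, otherwise the plan will show the firewall being re-addressed.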

@archmangler
Author

Thanks, Daan. This will help for now!
