Azure Network Policy
This page shows how to write Terraform and Azure Resource Manager for Network Policy and write them securely.
azurerm_firewall_policy (Terraform)
The Policy in Network can be configured in Terraform with the resource name azurerm_firewall_policy
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_firewall_policy" "firewall_policy" {
name = var.name
resource_group_name = var.resource_group_name
location = var.location
base_policy_id = var.base_policy_id
sku = var.sku
resource "azurerm_firewall_policy" "aks" {
name = "AKSpolicy"
resource_group_name = var.resource_group_name
location = var.location
}
resource "azurerm_firewall_policy" "aks" {
name = "AKSpolicy"
resource_group_name = var.resource_group_name
location = var.location
}
resource "azurerm_firewall_policy" "example" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
sku = "Premium"
}
resource "azurerm_firewall_policy" "aks" {
name = "AKSpolicy"
resource_group_name = var.resource_group_name
location = var.location
}
resource "azurerm_firewall_policy" "aks" {
name = "AKSpolicy"
resource_group_name = var.resource_group_name
location = var.location
}
resource "azurerm_firewall_policy" "fwpol" {
name = azurecaf_name.fwpol.result
resource_group_name = local.resource_group_name
location = local.location
sku = try(var.settings.sku, null)
resource "azurerm_firewall_policy" "fwpol" {
name = azurecaf_name.fwpol.result
resource_group_name = var.resource_group_name
location = var.location
sku = try(var.policy_settings.sku, null)
resource "azurerm_firewall_policy" "firewall-policy" {
name = var.firewall_policy_name
resource_group_name = var.resourcegroup_name
location = var.location
threat_intelligence_mode = "Alert"
}
resource "azurerm_firewall_policy" "aks" {
name = "AKSpolicy"
resource_group_name = var.resource_group_name
location = var.location
}
Parameters
-
base_policy_id
optional - string -
child_policies
optional computed - list of string -
firewalls
optional computed - list of string -
id
optional computed - string -
location
required - string -
name
required - string -
resource_group_name
required - string -
rule_collection_groups
optional computed - list of string -
sku
optional computed - string -
tags
optional - map from string to string -
threat_intelligence_mode
optional - string -
dns
list block-
network_rule_fqdn_enabled
optional computed - bool -
proxy_enabled
optional - bool -
servers
optional - set of string
-
-
threat_intelligence_allowlist
list block-
fqdns
optional - set of string -
ip_addresses
optional - set of string
-
-
timeouts
single block
Explanation in Terraform Registry
Manages a Firewall Policy.
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_network_security_group
Ensure to disable RDP port from the Internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
azurerm_network_security_rule
Ensure to set a more restrictive CIDR range for ingress from the internet
It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.
azurerm_network_watcher_flow_log
Ensure to enable Retention policy for flow logs and set it to enough duration
It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.
Microsoft.Network/firewallPolicies (Azure Resource Manager)
The firewallPolicies in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/firewallPolicies
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2020-05-01",
"name": "fwpol-01",
"location": "UK South",
"properties": {
"threatIntelMode": "Deny"
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2020-08-01",
"name": "parent-policy",
"location": "[parameters('location')]",
"properties": {
"sku": {
"type": "Microsoft.Network/firewallPolicies"
},
{
"apiVersion": "2020-05-01",
"comments": "Generalized from resource: '/subscriptions/2006d617-bee2-430e-8239-c83634af2fef/resourcegroups/rg-network-fwpol-global/providers/Microsoft.Network/firewallPolicies/fwpol-hub-centralus'.",
"dependsOn": [
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2020-11-01",
"name": "[variables('fwPoliciesBaseName')]",
"location": "[parameters('location')]",
"properties": {
"sku": {
"type": "Microsoft.Network/firewallPolicies",
"deploymentScope": "Subscription",
"existenceScope": "ResourceGroup",
"resourceGroupName": "[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2021-02-01",
"name": "[variables('fwPoliciesBaseName')]",
"location": "[parameters('location')]",
"properties": {
"sku": {
"type": "Microsoft.Network/firewallPolicies",
"deploymentScope": "Subscription",
"existenceScope": "ResourceGroup",
"resourceGroupName": "[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
"type": "Microsoft.Network/firewallPolicies",
"deploymentScope": "Subscription",
"existenceScope": "ResourceGroup",
"resourceGroupName": "[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
"type": "Microsoft.Network/firewallPolicies",
"deploymentScope": "Subscription",
"existenceScope": "ResourceGroup",
"resourceGroupName": "[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
"type": "Microsoft.Network/firewallPolicies",
"deploymentScope": "Subscription",
"existenceScope": "ResourceGroup",
"resourceGroupName": "[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
Parameters
name
required - stringtype
required - stringapiVersion
required - stringlocation
required - stringResource location.
tags
optional - stringResource tags.
properties
requiredbasePolicy
optionalid
required - stringResource ID.
threatIntelMode
optional - stringThe operation mode for Threat Intelligence.
threatIntelWhitelist
optionalipAddresses
optional - arrayList of IP addresses for the ThreatIntel Whitelist.
fqdns
optional - arrayList of FQDNs for the ThreatIntel Whitelist.
insights
optionalisEnabled
optional - booleanA flag to indicate if the insights are enabled on the policy.
retentionDays
optional - integerNumber of days the insights should be enabled on the policy.
logAnalyticsResources
optionalworkspaces
optional arrayregion
optional - stringRegion to configure the Workspace.
workspaceId
optionalid
required - stringResource ID.
defaultWorkspaceId
optionalid
required - stringResource ID.
snat
optionalprivateRanges
optional - arrayList of private IP addresses/IP address ranges to not be SNAT.
dnsSettings
optionalservers
optional - arrayList of Custom DNS Servers.
enableProxy
optional - booleanEnable DNS Proxy on Firewalls attached to the Firewall Policy.
requireProxyForNetworkRules
optional - booleanFQDNs in Network Rules are supported when set to true.
intrusionDetection
optionalmode
optional - stringIntrusion detection general state.
configuration
optionalsignatureOverrides
optional arrayid
optional - stringSignature id.
mode
optional - stringThe signature state.
bypassTrafficSettings
optional arrayname
optional - stringName of the bypass traffic rule.
description
optional - stringDescription of the bypass traffic rule.
protocol
optional - stringThe rule bypass protocol.
sourceAddresses
optional - arrayList of source IP addresses or ranges for this rule.
destinationAddresses
optional - arrayList of destination IP addresses or ranges for this rule.
destinationPorts
optional - arrayList of destination ports or ranges.
sourceIpGroups
optional - arrayList of source IpGroups for this rule.
destinationIpGroups
optional - arrayList of destination IpGroups for this rule.
transportSecurity
optionalcertificateAuthority
optionalkeyVaultSecretId
optional - stringSecret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
name
optional - stringName of the CA certificate.
sku
optionaltier
optional - stringTier of Firewall Policy.
identity
optionaltype
optional - stringThe type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
userAssignedIdentities
optional - undefinedThe list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Frequently asked questions
What is Azure Network Policy?
Azure Network Policy is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Network Policy?
For Terraform, the vmisson/terraform-azure-firewall, techbunny/cs-AKS and neelampawar1988/Azure-Arc-Kubenetescluster source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the pagyP/AzARM, StefanIvemo/LeedsAzure and phealy/arm-templates source code examples are useful. See the Azure Resource Manager Example section for further details.