Azure Network Policy

This page shows how to write Terraform and Azure Resource Manager for Network Policy and write them securely.

azurerm_firewall_policy (Terraform)

Azure Firewall Policy can be configured in Terraform with the resource name azurerm_firewall_policy. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L1
resource "azurerm_firewall_policy" "firewall_policy" {
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.location
  base_policy_id      = var.base_policy_id
  sku                 = var.sku
}

aks-fw.tf#L3
resource "azurerm_firewall_policy" "aks" {
  name                = "AKSpolicy"
  resource_group_name = var.resource_group_name
  location            = var.location
}

main.tf#L7
resource "azurerm_firewall_policy" "example" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "Premium"
}

firewall_policy.tf#L14
resource "azurerm_firewall_policy" "fwpol" {
  name                = azurecaf_name.fwpol.result
  resource_group_name = local.resource_group_name
  location            = local.location

  sku                      = try(var.settings.sku, null)
}

firewall_policy.tf#L14
resource "azurerm_firewall_policy" "fwpol" {
  name                = azurecaf_name.fwpol.result
  resource_group_name = var.resource_group_name
  location            = var.location

  sku                      = try(var.policy_settings.sku, null)
}

firewall.tf#L29
resource "azurerm_firewall_policy" "firewall-policy" {
  name                     = var.firewall_policy_name
  resource_group_name      = var.resourcegroup_name
  location                 = var.location
  threat_intelligence_mode = "Alert"
}

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages a Firewall Policy.

Tips: Best Practices for The Other Azure Network Resources

In addition to azurerm_firewall_policy, Azure Network has other resources that should be configured with security in mind. Please check the following examples of those resources and the precautions for each.

azurerm_network_security_group

Ensure to disable RDP port from the Internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (source set to *, 0.0.0.0/0, Internet, or any); consider using the Azure Bastion Service instead.

azurerm_network_security_rule

Ensure to set a more restrictive CIDR range for ingress from the internet

It is better to set a more restrictive CIDR range so that very broad subnets are not allowed. If possible, segments should be divided into smaller subnets.

azurerm_network_watcher_flow_log

Ensure to enable a retention policy for flow logs and set it to a sufficient duration

It is better to enable a retention policy for flow logs. Flow logs show all network activity in the cloud environment and support investigation when a critical incident occurs.
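A Terraform configuration that applies the tips above to this page's resource, added here as an example (it is not code from the page's GitHub sources); the resource names, the example resource group and NSG references, and the 203.0.113.0/28 management range are assumed:

```hcl
# Added example (not from the page's GitHub sources). Resource/variable names are assumed.
# Firewall Policy: deny threat-intelligence hits instead of only alerting,
# run IDPS in Deny mode, and proxy DNS so FQDN-based rules resolve consistently.
resource "azurerm_firewall_policy" "hardened" {
  name                     = "fwpol-hardened"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  sku                      = "Premium" # IDPS requires the Premium tier
  threat_intelligence_mode = "Deny"    # the page's example uses "Alert"; Deny blocks known-bad IPs/FQDNs

  dns {
    proxy_enabled = true
  }

  intrusion_detection {
    mode = "Deny"
  }
}

# NSG rules: block RDP from the Internet outright (priority 100 wins over any
# broader rule added later) and allow management only from a narrow CIDR.
resource "azurerm_network_security_rule" "deny_rdp_internet" {
  name                        = "deny-rdp-from-internet"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = "Internet" # service tag covering all public address space
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

resource "azurerm_network_security_rule" "allow_mgmt_ssh" {
  name                        = "allow-ssh-from-mgmt-cidr"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "203.0.113.0/28" # constructed management range (TEST-NET-3), never "*" or "0.0.0.0/0"
  destination_address_prefix  = "VirtualNetwork"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}
```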

Review your Azure Network settings

In addition to the above, there are other security points you should be aware of to make sure that your .tf files are protected; Shisho Cloud can check them for you.

Microsoft.Network/firewallPolicies (Azure Resource Manager)

The firewallPolicies in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/firewallPolicies. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

fwpol.json#L9
            "type": "Microsoft.Network/firewallPolicies",
            "apiVersion": "2020-05-01",
            "name": "fwpol-01",
            "location": "UK South",
            "properties": {
                "threatIntelMode": "Deny"

2-simple-fwpolicy.json#L20
      "type": "Microsoft.Network/firewallPolicies",
      "apiVersion": "2020-08-01",
      "name": "parent-policy",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {

rg-network-fwpol-global.json#L39
      "type": "Microsoft.Network/firewallPolicies"
    },
    {
      "apiVersion": "2020-05-01",
      "comments": "Generalized from resource: '/subscriptions/2006d617-bee2-430e-8239-c83634af2fef/resourcegroups/rg-network-fwpol-global/providers/Microsoft.Network/firewallPolicies/fwpol-hub-centralus'.",
      "dependsOn": [

hub-default.json#L369
            "type": "Microsoft.Network/firewallPolicies",
            "apiVersion": "2020-11-01",
            "name": "[variables('fwPoliciesBaseName')]",
            "location": "[parameters('location')]",
            "properties": {
                "sku": {

Microsoft.Authorization_policyDefinitions-Deploy-FirewallPolicy.parameters.json#L51
                "type": "Microsoft.Network/firewallPolicies",
                "deploymentScope": "Subscription",
                "existenceScope": "ResourceGroup",
                "resourceGroupName": "[parameters('rgName')]",
                "roleDefinitionIds": [
                  "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

hub-default.json#L369
            "type": "Microsoft.Network/firewallPolicies",
            "apiVersion": "2021-02-01",
            "name": "[variables('fwPoliciesBaseName')]",
            "location": "[parameters('location')]",
            "properties": {
                "sku": {

Microsoft.Authorization_policyDefinitions-Deploy-FirewallPolicy.parameters.json#L63
                "type": "Microsoft.Network/firewallPolicies",
                "deploymentScope": "Subscription",
                "existenceScope": "ResourceGroup",
                "resourceGroupName": "[parameters('rgName')]",
                "roleDefinitionIds": [
                  "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • location required - string

    Resource location.

  • tags optional - string

    Resource tags.

  • properties required
      • basePolicy optional
          • id required - string

            Resource ID.

      • threatIntelMode optional - string

        The operation mode for Threat Intelligence.

      • threatIntelWhitelist optional
          • ipAddresses optional - array

            List of IP addresses for the ThreatIntel Whitelist.

          • fqdns optional - array

            List of FQDNs for the ThreatIntel Whitelist.

      • insights optional
          • isEnabled optional - boolean

            A flag to indicate if the insights are enabled on the policy.

          • retentionDays optional - integer

            Number of days the insights should be enabled on the policy.

          • logAnalyticsResources optional
              • workspaces optional - array
                  • region optional - string

                    Region to configure the Workspace.

                  • workspaceId optional
                      • id required - string

                        Resource ID.

              • defaultWorkspaceId optional
                  • id required - string

                    Resource ID.

      • snat optional
          • privateRanges optional - array

            List of private IP addresses/IP address ranges to not be SNAT.

      • dnsSettings optional
          • servers optional - array

            List of Custom DNS Servers.

          • enableProxy optional - boolean

            Enable DNS Proxy on Firewalls attached to the Firewall Policy.

          • requireProxyForNetworkRules optional - boolean

            FQDNs in Network Rules are supported when set to true.

      • intrusionDetection optional
          • mode optional - string

            Intrusion detection general state.

          • configuration optional
              • signatureOverrides optional - array
                  • id optional - string

                    Signature id.

                  • mode optional - string

                    The signature state.

              • bypassTrafficSettings optional - array
                  • name optional - string

                    Name of the bypass traffic rule.

                  • description optional - string

                    Description of the bypass traffic rule.

                  • protocol optional - string

                    The rule bypass protocol.

                  • sourceAddresses optional - array

                    List of source IP addresses or ranges for this rule.

                  • destinationAddresses optional - array

                    List of destination IP addresses or ranges for this rule.

                  • destinationPorts optional - array

                    List of destination ports or ranges.

                  • sourceIpGroups optional - array

                    List of source IpGroups for this rule.

                  • destinationIpGroups optional - array

                    List of destination IpGroups for this rule.

      • transportSecurity optional
          • certificateAuthority optional
              • keyVaultSecretId optional - string

                Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.

              • name optional - string

                Name of the CA certificate.

      • sku optional
          • tier optional - string

            Tier of Firewall Policy.

  • identity optional
      • type optional - string

        The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

      • userAssignedIdentities optional - undefined

        The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Frequently asked questions

What is Azure Network Policy?

Azure Network Policy is a resource for Network of Microsoft Azure. Settings can be written in Terraform.

Where can I find the example code for the Azure Network Policy?

For Terraform, the vmisson/terraform-azure-firewall, techbunny/cs-AKS and neelampawar1988/Azure-Arc-Kubenetescluster source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the pagyP/AzARM, StefanIvemo/LeedsAzure and phealy/arm-templates source code examples are useful. See the Azure Resource Manager Example section for further details.