Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

AzureFirewallManagementSubnet with Azure Firewall Standard #901

Open gerrynicol opened 2 days ago

gerrynicol commented 2 days ago

What happened? Provide a clear and concise description of the bug, including deployment details.

The Management subnet and public IP address are not associated with the Azure Firewall when the Standard SKU is selected. They are when the Basic SKU is selected.

Unsure if it's related to this link, where it seems that there may have been a change to Azure Firewall? - https://learn.microsoft.com/en-us/azure/firewall/management-nic

Please provide the correlation id associated with your error or bug.

No error, this looks like configuration.

What was the expected outcome?

The Management IP and subnet are associated with the AzureFirewallManagementSubnet


oZakari commented 2 days ago

Hey @gerrynicol, appreciate you calling this out and sharing the documentation, as it does appear related to upcoming changes to Firewall: the management IP is now going to be required for Standard and Premium SKUs for certain features. Will put this in the backlog to fix.

gerrynicol commented 2 days ago

No problem @oZakari.

As a workaround at present I have changed the value here from Basic to Standard and the resource has deployed with the management PIP assigned to the subnet.

Assume there will be changes required to factor in all SKU types in the code going forward.

```bicep
resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2023-02-01' = if (parAzFirewallEnabled) {
  dependsOn: [
    resGateway
  ]
  name: parAzFirewallName
  location: parLocation
  tags: parTags
  zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : [])
  properties: parAzFirewallTier == 'Standard' ? {
    ipConfigurations: varAzFirewallUseCustomPublicIps ? map(parAzFirewallCustomPublicIps, ip => {
```

gerrynicol commented 1 day ago

On further testing, when I then subsequently try to add an additional custom Public IP into the parameter file as below, I get an error.

```text
cannot have more than one subnet reference, please ensure only one IpConfiguration contains a subnet reference","details"
```

```json
"parAzFirewallCustomPublicIps": { "value": [
```
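The two problems raised in this thread (the management IP configuration being attached only for the Basic tier, and the "more than one subnet reference" error when a second custom public IP is added) can be illustrated in one small Bicep fragment. The block below is an added example, not ALZ-Bicep's own module code: it reuses the parameter names quoted above (`parAzFirewallEnabled`, `parAzFirewallName`, `parLocation`, `parTags`, `parAzFirewallTier`, `parAzFirewallAvailabilityZones`, `parAzFirewallCustomPublicIps`), but `parHubNetworkName`, the public IP resource `resAzFwMgmtPip` and the assumption that `parAzFirewallCustomPublicIps` is an array of public IP resource IDs are mine. It attaches `managementIpConfiguration` regardless of tier and puts the `AzureFirewallSubnet` reference on the first `ipConfigurations` entry only, which is what the error message quoted above requires.

```bicep
// Added example (not ALZ-Bicep project code). Assumed: the hub VNet named by
// parHubNetworkName already contains AzureFirewallSubnet and
// AzureFirewallManagementSubnet, and parAzFirewallCustomPublicIps holds
// public IP resource IDs (strings).
param parAzFirewallEnabled bool = true
param parAzFirewallName string
param parLocation string = resourceGroup().location
param parTags object = {}
@allowed([
  'Basic'
  'Standard'
  'Premium'
])
param parAzFirewallTier string = 'Standard'
param parAzFirewallAvailabilityZones array = []
param parAzFirewallCustomPublicIps array = []
param parHubNetworkName string

var varAzFirewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', parHubNetworkName, 'AzureFirewallSubnet')
var varAzFirewallMgmtSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', parHubNetworkName, 'AzureFirewallManagementSubnet')

// Exactly one ipConfiguration may reference AzureFirewallSubnet; every
// additional custom public IP is attached without a subnet reference.
var varAzFirewallIpConfigs = [for (ipId, i) in parAzFirewallCustomPublicIps: {
  name: 'ipconfig-${i}'
  properties: i == 0 ? {
    subnet: {
      id: varAzFirewallSubnetId
    }
    publicIPAddress: {
      id: ipId
    }
  } : {
    publicIPAddress: {
      id: ipId
    }
  }
}]

// Dedicated public IP for the management NIC (assumed resource, not from the page).
resource resAzFwMgmtPip 'Microsoft.Network/publicIPAddresses@2023-02-01' = if (parAzFirewallEnabled) {
  name: '${parAzFirewallName}-mgmt-pip'
  location: parLocation
  tags: parTags
  sku: {
    name: 'Standard'
  }
  zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : [])
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2023-02-01' = if (parAzFirewallEnabled) {
  name: parAzFirewallName
  location: parLocation
  tags: parTags
  zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : [])
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: parAzFirewallTier
    }
    ipConfigurations: varAzFirewallIpConfigs
    // Management plane configuration is set for every tier, not only Basic,
    // so switching parAzFirewallTier no longer drops the management NIC.
    managementIpConfiguration: {
      name: 'mgmtIpConfig'
      properties: {
        subnet: {
          id: varAzFirewallMgmtSubnetId
        }
        publicIPAddress: {
          id: resAzFwMgmtPip.id
        }
      }
    }
  }
}
```

The tier-independent `managementIpConfiguration` is the part that addresses the original report; the index-based `ipConfigurations` loop is the part that avoids the second subnet reference when more than one public IP is supplied. A deployment that omits `parAzFirewallCustomPublicIps` would produce an empty `ipConfigurations` array, so a real module would also need a branch that creates a default public IP.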