Azure / azure-cli

Azure Command-Line Interface
MIT License
4.04k stars 3.01k forks source link

"az network firewall policy rule-collection-group collection rule add" command does not properly set translatedFqdn #19760

Open paolosalvatori opened 3 years ago

paolosalvatori commented 3 years ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

When you use the following Azure CLI command and you don't explicitly specify a value for the translatedFqdn property using the --translated-fqdn optional parameter, a NAT rule gets successfully created, but the Azure Firewall and Azure Firewall Policy do not properly route the traffic to the translated address:

az network firewall policy rule-collection-group collection rule add \ --policy-name $firewallPolicyName \ --resource-group $resourceGroupName \ --rule-collection-group-name $ruleCollectionGroupName \ --collection-name $dnatRuleCollectionName \ --name $dnatRuleName \ --rule-type NatRule \ --destination-addresses $firewallPublicIpAddress \ --destination-ports $destinationPort \ --ip-protocols TCP \ --source-addresses '*' \ --translated-port $translatedPort \ --translated-address $serviceExternalIpAddress 1>/dev/null

To Reproduce

Try to use the above command to create a NAT rule in a NAT rule collection: the rule will be created, but it won't work properly. If you instead create the same rule using the Azure portal, with the same data, it works as expected.

I used the following command to compare and contrast the rule created by the above Azure CLI command and the rule created by the Azure Portal:

az network firewall policy rule-collection-group collection list \ --policy-name BabosbirdFirewallPolicy \ --rule-collection-group-name DefaultDnatRuleCollectionGroup \ --resource-group BabosbirdRG

The two rules are almost identical, apart from the value of the translatedFqdn property:

[
  {
    "action": {
      "type": "Dnat"
    },
    "name": "DnatRules",
    "priority": 100,
    "ruleCollectionType": "FirewallPolicyNatRuleCollection",
    "rules": [
      {
        "description": null,
        "destinationAddresses": [
          "51.124.64.22"
        ],
        "destinationPorts": [
          "80"
        ],
        "ipProtocols": [
          "TCP"
        ],
        "name": "CreatedViaAzureCLI",
        "ruleType": "NatRule",
        "sourceAddresses": [
          "*"
        ],
        "sourceIpGroups": [],
        "translatedAddress": "51.137.8.127",
        "translatedFqdn": null,
        "translatedPort": "80"
      },
      {
        "description": null,
        "destinationAddresses": [
          "51.124.64.22"
        ],
        "destinationPorts": [
          "80"
        ],
        "ipProtocols": [
          "TCP"
        ],
        "name": "CreatedViaThePortal",
        "ruleType": "NatRule",
        "sourceAddresses": [
          "*"
        ],
        "sourceIpGroups": [],
        "translatedAddress": "51.137.8.127",
        "translatedFqdn": "",
        "translatedPort": "80"
      }
    ]
  }
]

Expected behavior

Please fix the Azure CLI so that the NAT rule properly routes the incoming traffic on the destination address to the translated address.

Environment summary

Tested using bash scripts in Azure DevOps and locally on WSL.

Additional context

yonzhan commented 3 years ago

network

paolosalvatori commented 3 years ago

Any news on this? The problem is still there and it's very painful as it prevents automating the creation and deletion of a DNAT rule

kairu-ms commented 3 years ago

@necusjz Please help with this issue.

paolosalvatori commented 3 years ago

@kairu-ms @yonzhan I'm a principal system engineer in Microsoft. I can't determine your names from your GitHub accounts. Do you mind sending me an email to my Microsoft email? This fix is quite urgent as it disrupts my sample: https://github.com/Azure-Samples/private-aks-cluster-terraform-devops. I also have other feedbacks. Please contact me asap. You find my name in clear under my GitHub account. Thanks!