Azure / bicep-types-az

Bicep type definitions for ARM resources
MIT License

Azure Firewall not getting private IPs #2352

Open StefanW86 opened 2 days ago

StefanW86 commented 2 days ago

Bicep version: Deployment through VS Code with extension version v0.31.34

I deploy an Azure Firewall with bicep. The deployment runs smoothly, but the firewall does not receive any IPs from the AzureFirewallSubnet and the subnets are not displayed in the firewall. It is also interesting that the deployment of the firewall only takes about 5-7 seconds. If I look for connected devices in the vnet, the firewall is displayed. If I deploy the firewall via an ARM template, the subnet is assigned correctly and private IPs are also assigned. The deployment then takes about 7 minutes. Something seems to be wrong with the bicep deployment.

To Reproduce

resource firewall 'Microsoft.Network/azureFirewalls@2024-03-01' = {
  name: FirewallName
  location: resourceGroup().location
  properties: {
    sku: {
      name: 'AZFW_Hub'
      tier: 'Premium'
    }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          publicIPAddress: {
            id: publicIP.id
          }
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', 'vn_001', 'AzureFirewallSubnet') 
          }
        }
      }    
    ]
    firewallPolicy: {
      id: firewallPolicyId
    }
  }
}

And here is the ARM template:

"resources": [
        {
            "apiVersion": "2020-05-01",
            "type": "Microsoft.Network/azureFirewalls",
            "name": "[parameters('azureFirewallName')]",
            "location": "[parameters('location')]",
            "zones": "[parameters('zones')]",
            "dependsOn": [],
            "properties": {
                "ipConfigurations": [
                    {
                        "name": "[parameters('publicIpAddressName')]",
                        "properties": {
                            "subnet": {
                                "id": "[parameters('subnetId')]"
                            },
                            "publicIpAddress": {
                                "id": "[parameters('publicIpAddressId')]"
                            }
                        }
                    }
                ],
                "sku": {
                    "tier": "[parameters('azureFirewallTier')]"
                },
                "firewallPolicy": {
                    "id": "/subscriptions/db05b715-3e5d-4136-bebc-7b0fdd366616/resourcegroups/rg_000/providers/Microsoft.Network/firewallPolicies/WhiteList"
                }
            },
            "tags": {}
        }
    ]

The screenshot shows that there is no private IP and no assigned subnet.

And last but not least, if you look at the json of the firewall deployed with bicep, you can also see that the subnet is assigned.

{
    "name": "azFirewall",
    "id": "/subscriptions/db05b715-3e5d-4136-bebc-7b0fdd366616/resourceGroups/rg_000/providers/Microsoft.Network/azureFirewalls/azFirewall",
    "etag": "W/\"a8b73db4-458e-4a72-a304-cb0706fb9c7a\"",
    "type": "Microsoft.Network/azureFirewalls",
    "location": "germanywestcentral",
    "properties": {
        "provisioningState": "Succeeded",
        "sku": {
            "name": "AZFW_Hub",
            "tier": "Premium"
        },
        "additionalProperties": {},
        "ipConfigurations": [
            {
                "name": "ipconfig1",
                "id": "/subscriptions/db05b715-3e5d-4136-bebc-7b0fdd366616/resourceGroups/rg_000/providers/Microsoft.Network/azureFirewalls/azFirewall/azureFirewallIpConfigurations/ipconfig1",
                "etag": "W/\"a8b73db4-458e-4a72-a304-cb0706fb9c7a\"",
                "type": "Microsoft.Network/azureFirewalls/azureFirewallIpConfigurations",
                "properties": {
                    "provisioningState": "Succeeded",
                    "privateIPAllocationMethod": "Dynamic",
                    "publicIPAddress": {
                        "id": "/subscriptions/db05b715-3e5d-4136-bebc-7b0fdd366616/resourceGroups/rg_000/providers/Microsoft.Network/publicIPAddresses/azFirewall-publicIPAddress"
                    },
                    "subnet": {
                        "id": "/subscriptions/db05b715-3e5d-4136-bebc-7b0fdd366616/resourceGroups/rg_000/providers/Microsoft.Network/virtualNetworks/vn_001/subnets/AzureFirewallSubnet"
                    }
                }
            }
        ],
        "firewallPolicy": {
            "id": "/subscriptions/db05b715-3e5d-4136-bebc-7b0fdd366616/resourceGroups/rg_000/providers/Microsoft.Network/firewallPolicies/WhiteList"
        }
    }
}

stephaniezyen commented 2 days ago

This looks to be a Microsoft.Network RP issue; please open a support ticket with this team.
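
A post-deployment check for the condition reported in this issue, as an added example that is not part of the thread or of the Bicep project: it reads the deployed firewall's resource JSON and flags a firewall that reports `Succeeded` while an IP configuration has a subnet but no `privateIPAddress`. It also flags the one SKU difference visible between the two templates above (the Bicep sets `sku.name` to `AZFW_Hub`, the ARM template sets no SKU name). The function name `audit_firewall` and the trimmed sample with a placeholder subscription ID are assumptions made for the example.

```python
import json

# Constructed sample: the deployed-firewall JSON from the issue, trimmed, with
# the subscription ID replaced by a placeholder.
SAMPLE = json.loads("""
{
  "name": "azFirewall",
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {"name": "AZFW_Hub", "tier": "Premium"},
    "ipConfigurations": [{
      "name": "ipconfig1",
      "properties": {
        "provisioningState": "Succeeded",
        "privateIPAllocationMethod": "Dynamic",
        "subnet": {"id": "/subscriptions/<sub-id>/resourceGroups/rg_000/providers/Microsoft.Network/virtualNetworks/vn_001/subnets/AzureFirewallSubnet"}
      }
    }]
  }
}
""")


def audit_firewall(resource):
    """Return findings for a firewall that reports success without a data path."""
    findings = []
    props = resource.get("properties", {})
    ip_configs = props.get("ipConfigurations", [])
    if props.get("provisioningState") == "Succeeded":
        for cfg in ip_configs:
            cfg_props = cfg.get("properties", {})
            # A VNet firewall that is actually running has a private IP here.
            if cfg_props.get("subnet") and not cfg_props.get("privateIPAddress"):
                findings.append(f"{cfg.get('name')}: subnet set but no privateIPAddress")
    # AZFW_Hub is the SKU name for firewalls hosted in a Virtual WAN hub;
    # subnet-based ipConfigurations belong to the AZFW_VNet SKU name.
    sku_name = props.get("sku", {}).get("name")
    if sku_name == "AZFW_Hub" and ip_configs and not props.get("virtualHub"):
        findings.append("sku.name is AZFW_Hub but no virtualHub is referenced")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE):
        print("FINDING:", finding)
```

Running a check like this in the deployment pipeline catches a firewall that exists as a resource but is not in the traffic path, which the `Succeeded` provisioning state alone does not reveal.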