Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Create Azure Firewall without the public IP exposed in AzureFirewallSubnet #889

Open aareizag opened 5 months ago

aareizag commented 5 months ago

Description

Is your feature request related to a problem?

Is there a possibility to create an Azure Firewall without the public IP exposed in the AzureFirewallSubnet?

Describe the solution you'd like

We have some situations where we need to deploy an Azure Firewall solution but there is already an existing proxy that will act as an entry point exposed to the public, therefore the public IP created in the AzureFirewallSubnet should not be needed as the communication is expected to be internal, and as explained in the documentation to the question "Can I deploy Azure Firewall without a public IP address?": "Yes, but you must configure the firewall in Forced Tunneling Mode. This configuration creates a management interface with a public IP address that is used by Azure Firewall for its operations. This public IP address is for management traffic. It is used exclusively by the Azure platform and can't be used for any other purpose. The tenant data path network can be configured without a public IP address, and Internet traffic can be forced tunneled to another Firewall or completely blocked."

keithcampbelljr commented 5 months ago

I've started working on this. The Terraform is done, but I need to make some time to test.

My approach was to update the logic and remove the public_ip_address_id parameter as mandatory and made it conditional if the management_ip_configuration is present.

Is this acceptable? After my testing, and verification I will get a PR linked to this issue.

matt-FFFFFF commented 5 months ago

Thank you for your efforts!

I believe that the basic SKU of Azure FW requires mgmt IP and also supports public IP.

Are you saying that the presence of a mgmt IP is the inverse of a public IP?

keithcampbelljr commented 5 months ago

I read over the docs yesterday and this https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall#:~:text=An-,ip_configuration,-block%20supports%20the seems optional. But it's only optional if management_ip_configuration is set up, which is also flagged optional.

Would someone ever run both ip_configuration && management_ip_configuration blocks at the same time? If that's the case, I suppose I can change my conditional logic to allow an override for public_ip_address_id in the ip_configuration block.

Sorry for the slow uptake, I have a stronger AWS background, so I've been picking up Azure a little at a time. I can easily pivot the changes I made. Thanks for taking the time to respond! :)

Edit: After rereading the problem statement again -- I think we just need to make the public_ip_address_id optional as long as management_ip block exists and call it good (which also lines up with the docs). I will pivot my Terraform and get this tested.

Laudenlaruto commented 4 months ago

For those looking to solve this, you can use the advanced block of configure_connectivity_resources

```hcl
advanced = {
  custom_settings_by_resource_type = {
    azurerm_firewall = {
      connectivity = {
        "REGION" = {
          ip_configuration = [{
            name                 = "fw"
            public_ip_address_id = null
            subnet_id            = "/subscriptions/xxxx/resourceGroups/NAME-connectivity-REGION/providers/Microsoft.Network/virtualNetworks/NAME-hub-REGION/subnets/AzureFirewallSubnet"
          }]
        }
      }
    }
  }
}
```

It's not the best, but it works.
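For readers who want to see what the conditional logic proposed earlier in the thread (public_ip_address_id only required when no management_ip_configuration is present) amounts to on a plain azurerm_firewall resource, here is an added example. It is not code from this module or from any participant; the resource group, the two subnet resources, the names, and the forced_tunneling variable are assumed.

```hcl
# Added example (not from the module or this issue): a stand-alone Azure Firewall that
# runs in forced-tunneling mode when var.forced_tunneling is true. In that mode the
# tenant data-path ip_configuration carries no public IP; the mandatory management
# interface (in AzureFirewallManagementSubnet) gets the only public IP, used solely by
# the Azure platform. azurerm_resource_group.hub, azurerm_subnet.fw (AzureFirewallSubnet)
# and azurerm_subnet.fw_mgmt (AzureFirewallManagementSubnet) are assumed to exist.

variable "forced_tunneling" {
  description = "true: no data-path public IP, management interface only"
  type        = bool
  default     = true
}

# Data-path public IP exists only when forced tunneling is off.
resource "azurerm_public_ip" "fw_data" {
  count               = var.forced_tunneling ? 0 : 1
  name                = "pip-fw-data"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

# Management public IP exists only when forced tunneling is on.
resource "azurerm_public_ip" "fw_mgmt" {
  count               = var.forced_tunneling ? 1 : 0
  name                = "pip-fw-mgmt"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_firewall" "hub" {
  name                = "fw-hub"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"

  ip_configuration {
    name                 = "fw"
    subnet_id            = azurerm_subnet.fw.id
    # null in forced-tunneling mode: nothing on the data path is reachable from the Internet
    public_ip_address_id = var.forced_tunneling ? null : azurerm_public_ip.fw_data[0].id
  }

  # Emitted only in forced-tunneling mode; this is what makes the data-path public IP optional.
  dynamic "management_ip_configuration" {
    for_each = var.forced_tunneling ? [1] : []
    content {
      name                 = "fw-mgmt"
      subnet_id            = azurerm_subnet.fw_mgmt.id
      public_ip_address_id = azurerm_public_ip.fw_mgmt[0].id
    }
  }
}
```

Switching forced_tunneling after the firewall exists changes its management configuration, so expect a replacement plan rather than an in-place update; review the plan before applying.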