Azure Firewall Configuration / Modification

[AErmie]

Currently, Azure Firewall is deployed and implemented using the Azure landing zones Terraform module.

We need to research and test what is and is not supported through the CAF Terraform module, in particular the Azure Firewall Policy. This should be tested by creating a Rule Collection, along with a sample DNAT Rule, Network Rule, and Application Rule.

Additionally, Firewall Policy Analytics should be enabled and configured to use an existing Log Analytics Workspace. Other Firewall configurations (ie. custom DNS, Threat Intelligence, TLS Inspection, IDPS, Web Categories, etc.) will be handled on-demand/as needed at a later point.

[!NOTE] From initial investigation and research, although the Azure Terraform CAF Enterprise Scale module creates a base Azure Firewall Policy, it does not support the lower-level resources, such as Policy Rule Collections, Rules, etc.

There is an Azure Verified Module for the Azure Firewall Policy that we could look into using. It's just not clear if it can use an existing policy, or we're required to create a new one.

The challenge if we use an AVM module to update an existing Policy, means there will be a battle for ownership between the CAF and AVM whenever we run the various pipelines.

Include confirming what traffic is routed through the firewall.

Acceptance Criteria

• [x] Scenario: Testing Azure Firewall Policy support in Terraform module
  • Given the current implementation of the Azure landing zones Terraform module
  • When testing the creation of a Rule Collection, DNAT Rule, Network Rule, and Application Rule
  • Then verify if these resources can be created using the CAF Terraform module
  • [x] Scenario: Enabling Firewall Policy Analytics
  • Given an existing Log Analytics Workspace is available
  • When configuring Firewall Policy Analytics to use the workspace
  • Then verify that the analytics are enabled and working correctly
  • [ ] Scenario: Evaluating Azure Verified Module for Firewall Policy
  • Given the Azure Verified Module for the Firewall Policy is available
  • When determining if it can be used with an existing policy or requires a new one
  • Then decide on the best approach to use the module in conjunction with the CAF Terraform module

[AErmie]

Part of these modifications will require updating the vWAN configuration, to include routing intents and routing policies, to force Internet traffic to/through the Firewall.

[AErmie]

Successfully applied changes to the vWAN routing intent and routing policy, to force Internet traffic through the Azure Firewall.

[AErmie]

Sample code has bee created (and tested) that successfully...

• Works with / uses the existing Azure Policy (that is created by the CAF module)
• Creates a Rule Collection Group
• Creates individual Application / Network / NAT Rule Collections
• Create a sample Rule for each rule type

Sample code can be found in the /azure_firewall/ directory in thie azure-lz-core-forge repo.

[!NOTE] This code is not based on the Azure Verified Module, but is custom created.

[AErmie]

Was able to update the existing Azure Policy and enable the Firewall Policy Analytics, using the azapi_update_resource resource.

However, when re-running the Forge Plan workflow, it shows that it will remove/undo the policy analytics configurations.

This means that we need to figure out how to enable/control the Policy Analytics through the CAF deployment. In the CAF connectivity locals.tf file, there is a reference to azurerm_firewall_policy but it is unclear how to properly configure this. It's position in the code implies it is part of the azure_firewall block, but when testing this, it did not work. Additionally, there is an open GitHub Issue (Feature Request: Enable Policy Analytics on Firewall Policy), which provides a work-around (using the advanced custom_settings).

[AErmie]

Successfully updated the CAF settings.connectivity.tf file, using and advanced block, to enable Azure Firewall Policy Analytics through the CAF module.

IMPORTANT

Note the following important points discovered:

• It may not be apparent, but you need to use the correct connectivity module reference (ie. connectivity is for the traditional hub-and-spoke, virtual_wan is for the vWAN topology)
• You have to hard-code the Azure region versus using a variable (ie. we can't use var.primary_location)
• Requires the full Resource ID for the Log Analytics Workspace (ie. /subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.OperationalInsights/workspaces/,LAW_ID>) versus just the name
• The terraform plan output does not show the Log Analytics ID that was provided (which makes you think the configuration is not working correctly), but just shows that Insights will be enabled
• And the worse of all, the Resource ID obtained directly from the Portal, does not provide the correct syntax required!
  • In particular it does not use the correct casing for the resourceGroups and Microsoft.OperationalInsights sections (it provides them all in lowercase, where camelCase is required)