PowerShell을 사용하여 Azure Firewall 구성을 Azure Firewall 정책으로 마이그레이션
Azure PowerShell 스크립트를 사용하여 기존 Azure Firewall 구성을 Azure Firewall 정책 리소스로 마이그레이션할 수 있습니다. 그런 다음 Azure Firewall Manager를 사용하여 정책을 배포할 수 있습니다.
AZFWMigrationScript.ps1 스크립트는 각각 ApplicationRuleCollections, NetworkRuleCollections 및 NatRuleCollections에 대해 3개의 RuleCollectionGroup 개체를 사용하여 FirewallPolicy를 만듭니다.
RuleCollectionGroup은 향후 확장성을 위한 규칙 컬렉션의 새로운 최상위 그룹화입니다. 위의 기본값을 사용하는 것이 좋으며 이는 Portal에서 자동으로 수행됩니다.
스크립트의 시작 부분에는 원본 방화벽 이름, 리소스 그룹, 대상 정책 이름 및 위치가 정의되어 있습니다. 해당 값을 사용자 조직에 적절하게 변경합니다.
마이그레이션 스크립트
다음 스크립트를 수정하여 방화벽 구성을 마이그레이션합니다.
# Input params to be modified as needed
$FirewallResourceGroup = "AzFWMigrateRG"
$FirewallName = "azfw"
$FirewallPolicyResourceGroup = "AzFWPolicyRG"
$FirewallPolicyName = "fwpolicy"
$FirewallPolicyLocation = "WestEurope"
$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"
$ApplicationRuleGroupPriority = 300
$NetworkRuleGroupPriority = 200
$NatRuleGroupPriority = 100
$InvalidCharsPattern = "[']"
# Helper functions for translating ApplicationProtocol and ApplicationRule
Function GetApplicationProtocolsString
{
Param([Object[]] $Protocols)
$output = ""
ForEach ($protocol in $Protocols)
{
$output += $protocol.ProtocolType + ":" + $protocol.Port + ","
}
return $output.Substring(0, $output.Length - 1)
}
Function GetApplicationRuleCmd
{
Param([Object] $ApplicationRule)
$cmd = "New-AzFirewallPolicyApplicationRule"
$parsedName = ParseRuleName($ApplicationRule.Name)
$cmd = $cmd + " -Name " + "'" + $parsedName + "'"
if ($ApplicationRule.SourceAddresses)
{
$ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
$cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
}
elseif ($ApplicationRule.SourceIpGroups)
{
$ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
$cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
}
if ($ApplicationRule.Description)
{
$cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
}
if ($ApplicationRule.TargetFqdns)
{
$protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
$cmd = $cmd + " -Protocol " + $protocols
$AppRule = $($ApplicationRule.TargetFqdns) -join ","
$cmd = $cmd + " -TargetFqdn " + $AppRule
}
if ($ApplicationRule.FqdnTags)
{
$cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
}
return $cmd
}
Function ParseRuleName
{
Param([Object] $RuleName)
if ($RuleName -match $InvalidCharsPattern) {
$newRuleName = $RuleName -split $InvalidCharsPattern -join ""
Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Yellow
return $newRuleName
}
return $RuleName
}
If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))
{
New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
}
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
Write-Host "creating empty firewall policy"
if ($azfw.DNSEnableProxy) {
$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
}
else {
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
}
Write-Host $fwp.Name "created"
# Translate ApplicationRuleCollection
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
If ($azfw.ApplicationRuleCollections.Count -gt 0)
{
$firewallPolicyAppRuleCollections = @()
ForEach ($appRc in $azfw.ApplicationRuleCollections)
{
If ($appRc.Rules.Count -gt 0)
{
Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
$firewallPolicyAppRules = @()
ForEach ($appRule in $appRc.Rules)
{
$cmd = GetApplicationRuleCmd($appRule)
$firewallPolicyAppRule = Invoke-Expression $cmd
Write-Host "Created Application Rule: " $firewallPolicyAppRule.Name
$firewallPolicyAppRules += $firewallPolicyAppRule
}
$fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
Write-Host "Created Application Rule Collection: " $fwpAppRuleCollection.Name
}
$firewallPolicyAppRuleCollections += $fwpAppRuleCollection
}
$appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created Application Rule Collection Group: " $appRuleGroup.Name
}
# Translate NetworkRuleCollection
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0)
{
$firewallPolicyNetRuleCollections = @()
ForEach ($rc in $azfw.NetworkRuleCollections)
{
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
$firewallPolicyNetRules = @()
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
elseif ($rule.SourceIpGroups)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
Write-Host "Created network rule: " $firewallPolicyNetRule.Name
$firewallPolicyNetRules += $firewallPolicyNetRule
}
$fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
Write-Host "Created Network Rule Collection: " $fwpNetRuleCollection.Name
}
$firewallPolicyNetRuleCollections += $fwpNetRuleCollection
}
$netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created Network Rule Collection Group: " $netRuleGroup.Name
}
# Translate NatRuleCollection
# Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
# where each NatRule will have its own set of source , dest, translated IPs and ports.
# In FirewallPolicy a NatRuleCollection has a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
# as part of NatRuleCollection.
# So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
Write-Host "creating " $azfw.NatRuleCollections.Count " NAT rule collections"
If ($azfw.NatRuleCollections.Count -gt 0)
{
$firewallPolicyNatRuleCollections = @()
$priority = 100
ForEach ($rc in $azfw.NatRuleCollections)
{
$firewallPolicyNatRules = @()
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
{
$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.SourceIpGroups)
{
$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name
$firewallPolicyNatRules += $firewallPolicyNatRule
}
$natRuleCollectionName = $rc.Name
$fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
$priority += 1
Write-Host "Created NAT Rule Collection: " $fwpNatRuleCollection.Name
$firewallPolicyNatRuleCollections += $fwpNatRuleCollection
}
}
$natRuleCollectionGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created NAT Rule Collection Group: " $natRuleCollectionGroup.Name
}
다음 단계
Azure Firewall Manager 배포에 대한 자세한 내용은 Azure Firewall Manager 배포 개요를 확인하세요.