Creating Application Rules for Azure Firewall with Powershell

Hey guys,
in this blog post I’m going to show you how to create application rules for Azure Firewall with Powershell. Application rules are used to control outbound access to specific FQDNs or IP addresses on a per-application basis. They are useful when you want to restrict or allow traffic based on the application identity, rather than the network identity.

To create application rules, you need to use the New-AzFirewallApplicationRule and New-AzFirewallApplicationRuleCollection cmdlets. The first one creates an individual rule that specifies the source and target information, and the second one creates a collection of rules that can be applied to a firewall. Here’s an example of how to create a rule that allows access to eduardokieling.com from any source:

$rule = New-AzFirewallApplicationRule -Name “AllowEduardoKieling” -SourceAddress * -TargetFqdn “eduardokieling.com” -Protocol “http:80″,”https:443”

This rule allows HTTP and HTTPS traffic to eduardokieling.com from any source address. You can specify multiple target FQDNs or IP addresses, as well as multiple protocols and ports. You can also use wildcards (*) for source or target addresses, or specify a range of IP addresses using CIDR notation.

To create a collection of rules, you need to use the New-AzFirewallApplicationRuleCollection cmdlet and pass the rules as an array. Here’s an example of how to create a collection that contains the rule we just created:

$collection = New-AzFirewallApplicationRuleCollection -Name “AppRules” -Priority 100 -Action Allow -Rule $rule

This collection has a name, a priority, an action, and a rule. The priority determines the order of evaluation of the collections, with lower numbers having higher priority. The action can be either Allow or Deny, and it applies to all the rules in the collection. You can create multiple collections with different priorities and actions, and assign them to a firewall.

To assign the collection to a firewall, you need to use the Set-AzFirewall cmdlet and pass the collection as an array. Here’s an example of how to assign the collection we just created to a firewall named “MyFirewall”:

$firewall = Get-AzFirewall -Name “MyFirewall”
Set-AzFirewall -Firewall $firewall -ApplicationRuleCollection $collection

This will update the firewall with the new application rule collection. You can verify that the collection is applied by using the Get-AzFirewall cmdlet and checking the ApplicationRuleCollections property.

That’s it for this blog post. I hope you found it useful and learned something new. If you have any questions or feedback, feel free to leave a comment below.

Thanks for reading!

Leave a Reply

Your email address will not be published. Required fields are marked *