如何启用 Azure 防火墙策略的 TLS 检查和 IDPS 高级功能
How to enable the TLS Inspection and IDPS premium features of Azure Firewall Policy
我已经使用以下 Terraform 代码创建了具有高级层的 Azure 防火墙策略:
# Premium-tier policy as written in the question. Only `threat_intelligence_mode`
# is a documented argument here; the two commented-out lines below are not
# arguments the azurerm_firewall_policy documentation lists (the answer's example
# instead configures these features through the nested `tls_certificate` and
# `intrusion_detection` blocks).
resource "azurerm_firewall_policy" "firewall_policy" {
name = var.firewall_policy_name
resource_group_name = var.rg_name
location = var.location
# Premium tier is required for TLS inspection and IDPS.
sku = "Premium"
# "Alert" reports threat-intel matches rather than blocking them ("Deny") — confirm against provider docs.
threat_intelligence_mode = "Alert"
#idps_mode = "Alert"
#tls_inspection_mode = "Alert"
}
我想使用 terraform 启用 Azure 防火墙策略的 TLS 检查 和 IDPS 高级功能。为此,我遵循了官方 azurerm_firewall_policy 文档。但本文档不包含 TLS Inspection 和 Azure Firewall Policy 的 IDPS 功能的参数参考。
根据 Microsoft 文档中的
ARM template
,您必须在 azurerm_firewall_policy 中通过 tls_certificate 块和 intrusion_detection 块来声明 TLS 检查和 IDPS。
ARM 模板:
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2020-07-01",
"name": "DemoFirewallPolicy",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'DemoIdentity')]": {}
}
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('keyVaultCASecretName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'DemoIdentity')]"
],
"properties": {
"sku": {
"tier": "Premium"
},
"transportSecurity": {
"certificateAuthority": {
"name": "[variables('keyVaultCASecretName')]",
"keyVaultSecretId": "[concat(reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), '2019-09-01').vaultUri, 'secrets/', variables('keyVaultCASecretName'), '/')]"
}
},
"intrusionDetection": {
"mode": "Alert",
"configuration": {
"signatureOverrides": [
{
"id": "[parameters('sigOverrideParam1')]",
"mode": "Deny"
},
{
"id": "[parameters('sigOverrideParam2')]",
"mode": "Alert"
}
],
"bypassTrafficSettings": [
{
"name": "SecretBypass",
"protocol": "TCP",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.1.1.1"
],
"destinationPorts": [
"80"
]
}
]
}
}
}
},
所以上面的 terraform 会像下面这样:
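# Premium policy with TLS inspection (tls_certificate) and IDPS
# (intrusion_detection) enabled, mirroring the ARM template above.
resource "azurerm_firewall_policy" "example" {
  name                = "example"
  resource_group_name = "example"
  location            = "West Europe"
  sku                 = "Premium"

  # User-assigned identity the firewall uses to read the CA certificate from
  # Key Vault (the ARM template's "identity" block). It must be granted read
  # access to that secret; the access policy / role assignment is not shown here.
  # NOTE(review): newer provider versions name this argument `identity_ids` — check your provider version.
  identity {
    type                       = "UserAssigned"
    user_assigned_identity_ids = [azurerm_user_assigned_identity.test.id]
  }

  # TLS inspection: the intermediate CA certificate lives in Key Vault as a
  # secret (ARM "transportSecurity.certificateAuthority"). The original left
  # `name` without a value, which is a syntax error; the ARM template uses the
  # secret's own name, so the same is done here.
  # NOTE(review): the ARM template builds a versionless secret URI (trailing "/")
  # so the firewall follows new certificate versions; `.id` is version-pinned —
  # use `versionless_id` if that rotation behaviour is wanted.
  # Storing the certificate here enables the feature at policy level; TLS is
  # still terminated per application rule (`terminate_tls`) — confirm in the
  # rule collection group, which is outside this snippet.
  tls_certificate {
    key_vault_secret_id = azurerm_key_vault_secret.Certificate.id
    name                = azurerm_key_vault_secret.Certificate.name
  }

  # IDPS. "Alert" only logs signature hits; "Deny" blocks them. Signature ids
  # are the bare numeric ids from the ARM parameters — the original wrapped
  # them in placeholder text ("sigOverrideParam1 id (2024897)"), which the API
  # would not accept.
  intrusion_detection {
    mode = "Alert"

    signature_overrides {
      id    = "2024897"
      state = "Deny"
    }

    signature_overrides {
      id    = "2024898"
      state = "Alert"
    }

    # Traffic matching this entry is exempted from IDPS (ARM
    # "bypassTrafficSettings"). The sample's any-source ("*") to 1.1.1.1:80 is
    # illustrative only; a real bypass is a detection blind spot, so scope its
    # sources, destinations and ports as narrowly as possible.
    traffic_bypass {
      name                  = "SecretBypass"
      protocol              = "TCP"
      source_addresses      = ["*"]
      destination_addresses = ["1.1.1.1"]
      destination_ports     = ["80"]
    }
  }
}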
参考:
我已经使用以下 Terraform 代码创建了具有高级层的 Azure 防火墙策略:
# Premium-tier policy as written in the question. Only `threat_intelligence_mode`
# is a documented argument here; the two commented-out lines below are not
# arguments the azurerm_firewall_policy documentation lists (the answer's example
# instead configures these features through the nested `tls_certificate` and
# `intrusion_detection` blocks).
resource "azurerm_firewall_policy" "firewall_policy" {
name = var.firewall_policy_name
resource_group_name = var.rg_name
location = var.location
# Premium tier is required for TLS inspection and IDPS.
sku = "Premium"
# "Alert" reports threat-intel matches rather than blocking them ("Deny") — confirm against provider docs.
threat_intelligence_mode = "Alert"
#idps_mode = "Alert"
#tls_inspection_mode = "Alert"
}
我想使用 terraform 启用 Azure 防火墙策略的 TLS 检查 和 IDPS 高级功能。为此,我遵循了官方 azurerm_firewall_policy 文档。但本文档不包含 TLS Inspection 和 Azure Firewall Policy 的 IDPS 功能的参数参考。
根据 Microsoft 文档中的
ARM template
,您必须在 azurerm_firewall_policy 中通过 tls_certificate 块和 intrusion_detection 块来声明 TLS 检查和 IDPS。
ARM 模板:
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2020-07-01",
"name": "DemoFirewallPolicy",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'DemoIdentity')]": {}
}
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('keyVaultCASecretName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'DemoIdentity')]"
],
"properties": {
"sku": {
"tier": "Premium"
},
"transportSecurity": {
"certificateAuthority": {
"name": "[variables('keyVaultCASecretName')]",
"keyVaultSecretId": "[concat(reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), '2019-09-01').vaultUri, 'secrets/', variables('keyVaultCASecretName'), '/')]"
}
},
"intrusionDetection": {
"mode": "Alert",
"configuration": {
"signatureOverrides": [
{
"id": "[parameters('sigOverrideParam1')]",
"mode": "Deny"
},
{
"id": "[parameters('sigOverrideParam2')]",
"mode": "Alert"
}
],
"bypassTrafficSettings": [
{
"name": "SecretBypass",
"protocol": "TCP",
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"1.1.1.1"
],
"destinationPorts": [
"80"
]
}
]
}
}
}
},
所以上面的 terraform 会像下面这样:
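# Premium policy with TLS inspection (tls_certificate) and IDPS
# (intrusion_detection) enabled, mirroring the ARM template above.
resource "azurerm_firewall_policy" "example" {
  name                = "example"
  resource_group_name = "example"
  location            = "West Europe"
  sku                 = "Premium"

  # User-assigned identity the firewall uses to read the CA certificate from
  # Key Vault (the ARM template's "identity" block). It must be granted read
  # access to that secret; the access policy / role assignment is not shown here.
  # NOTE(review): newer provider versions name this argument `identity_ids` — check your provider version.
  identity {
    type                       = "UserAssigned"
    user_assigned_identity_ids = [azurerm_user_assigned_identity.test.id]
  }

  # TLS inspection: the intermediate CA certificate lives in Key Vault as a
  # secret (ARM "transportSecurity.certificateAuthority"). The original left
  # `name` without a value, which is a syntax error; the ARM template uses the
  # secret's own name, so the same is done here.
  # NOTE(review): the ARM template builds a versionless secret URI (trailing "/")
  # so the firewall follows new certificate versions; `.id` is version-pinned —
  # use `versionless_id` if that rotation behaviour is wanted.
  # Storing the certificate here enables the feature at policy level; TLS is
  # still terminated per application rule (`terminate_tls`) — confirm in the
  # rule collection group, which is outside this snippet.
  tls_certificate {
    key_vault_secret_id = azurerm_key_vault_secret.Certificate.id
    name                = azurerm_key_vault_secret.Certificate.name
  }

  # IDPS. "Alert" only logs signature hits; "Deny" blocks them. Signature ids
  # are the bare numeric ids from the ARM parameters — the original wrapped
  # them in placeholder text ("sigOverrideParam1 id (2024897)"), which the API
  # would not accept.
  intrusion_detection {
    mode = "Alert"

    signature_overrides {
      id    = "2024897"
      state = "Deny"
    }

    signature_overrides {
      id    = "2024898"
      state = "Alert"
    }

    # Traffic matching this entry is exempted from IDPS (ARM
    # "bypassTrafficSettings"). The sample's any-source ("*") to 1.1.1.1:80 is
    # illustrative only; a real bypass is a detection blind spot, so scope its
    # sources, destinations and ports as narrowly as possible.
    traffic_bypass {
      name                  = "SecretBypass"
      protocol              = "TCP"
      source_addresses      = ["*"]
      destination_addresses = ["1.1.1.1"]
      destination_ports     = ["80"]
    }
  }
}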
参考: