使用 PowerShell 将 Azure 防火墙配置迁移到 Azure 防火墙策略

可以使用 Azure PowerShell 脚本将现有 Azure 防火墙配置迁移到 Azure 防火墙策略资源。 然后,可以使用 Azure 防火墙管理器来部署策略。

AZFWMigrationScript.ps1 脚本使用三个 RuleCollectionGroup 对象分别为 ApplicationRuleCollections、NetworkRuleCollections 和 NatRuleCollections 创建一个 FirewallPolicy。

RuleCollectionGroup 是规则集合的新顶级分组,用于将来的扩展性。 建议使用上述默认值,该操作可以通过门户自动完成。

脚本的开头定义源防火墙名称和资源组以及目标策略名称和位置。 根据组织的需要更改这些值。

迁移脚本

修改以下脚本以迁移防火墙配置。

#Input params to be modified as needed
$FirewallResourceGroup = "AzFWMigrateRG"
$FirewallName = "azfw"
$FirewallPolicyResourceGroup = "AzFWPolicyRG"
$FirewallPolicyName = "fwpolicy"
$FirewallPolicyLocation = "ChinaNorth2"
$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"
$ApplicationRuleGroupPriority = 300
$NetworkRuleGroupPriority = 200
$NatRuleGroupPriority = 100
$InvalidCharsPattern = "[']"

# Helper functions for translating ApplicationProtocol and ApplicationRule
Function GetApplicationProtocolsString
{
  Param([Object[]] $Protocols)
  $output = ""
  ForEach ($protocol in $Protocols)
  {
    $output += $protocol.ProtocolType + ":" + $protocol.Port + ","
  }
  return $output.Substring(0, $output.Length - 1)
}
Function GetApplicationRuleCmd
{
  Param([Object] $ApplicationRule)
  $cmd = "New-AzFirewallPolicyApplicationRule"
  $parsedName = ParseRuleName($ApplicationRule.Name)
  $cmd = $cmd + " -Name " + "'" + $parsedName + "'"
  if ($ApplicationRule.SourceAddresses)
  {
    $ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
    $cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
  }
  elseif ($ApplicationRule.SourceIpGroups)
  {
    $ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
    $cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
  }
  if ($ApplicationRule.Description)
 {
    $cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
  }
  if ($ApplicationRule.TargetFqdns)
  {
    $protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
    $cmd = $cmd + " -Protocol " + $protocols
    $AppRule = $($ApplicationRule.TargetFqdns) -join ","
    $cmd = $cmd + " -TargetFqdn " + $AppRule
  }
  if ($ApplicationRule.FqdnTags)
  {
    $cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
  }
  return $cmd
}
Function ParseRuleName
{
	Param([Object] $RuleName)
	if ($RuleName -match $InvalidCharsPattern) {
		$newRuleName = $RuleName -split $InvalidCharsPattern -join ""
		Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Yellow
		return $newRuleName 
	}
	return $RuleName
}
If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))
{
  New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
}
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
Write-Host "creating empty firewall policy"
if ($azfw.DNSEnableProxy) {
  $fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
  $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
}
else {
  $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
}
Write-Host $fwp.Name "created"

# Translate ApplicationRuleCollection
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
If ($azfw.ApplicationRuleCollections.Count -gt 0)
{
  $firewallPolicyAppRuleCollections = @()
  ForEach ($appRc in $azfw.ApplicationRuleCollections)
  {
    If ($appRc.Rules.Count -gt 0)
    {
      Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
      $firewallPolicyAppRules = @()
      ForEach ($appRule in $appRc.Rules)
      {
        $cmd = GetApplicationRuleCmd($appRule)
        $firewallPolicyAppRule = Invoke-Expression $cmd
        Write-Host "Created Application Rule: " $firewallPolicyAppRule.Name
        $firewallPolicyAppRules += $firewallPolicyAppRule
      }
      $fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
      Write-Host "Created Application Rule Collection: "  $fwpAppRuleCollection.Name
    }
    $firewallPolicyAppRuleCollections += $fwpAppRuleCollection
  }
  $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
  Write-Host "Created Application Rule Collection Group: "  $appRuleGroup.Name
}

# Translate NetworkRuleCollection
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0)
{
  $firewallPolicyNetRuleCollections = @()
  ForEach ($rc in $azfw.NetworkRuleCollections)
  {
    If ($rc.Rules.Count -gt 0)
    {
      Write-Host "creating " $rc.Rules.Count " network rules for collection "  $rc.Name
      $firewallPolicyNetRules = @()
      ForEach ($rule in $rc.Rules)
      {
        $parsedName = ParseRuleName($rule.Name)
        If ($rule.SourceAddresses)
        {
          If ($rule.DestinationAddresses)
          {
            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
          }
          elseif ($rule.DestinationIpGroups)
          {
            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
          }
          elseif ($rule.DestinationFqdns)
          {
            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
          }
        }
        elseif ($rule.SourceIpGroups)
        {
          If ($rule.DestinationAddresses)
          {
            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
          }
          elseif ($rule.DestinationIpGroups)
          {
            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
          }
          elseif ($rule.DestinationFqdns)
          {
            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
          }
        }
        Write-Host "Created network rule: " $firewallPolicyNetRule.Name
        $firewallPolicyNetRules += $firewallPolicyNetRule
      }
      $fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
      Write-Host "Created Network Rule Collection: "  $fwpNetRuleCollection.Name
    }
    $firewallPolicyNetRuleCollections += $fwpNetRuleCollection
  }
  $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
  Write-Host "Created Network Rule Collection Group: "  $netRuleGroup.Name
}

# Translate NatRuleCollection
# Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
# where each NatRule will have its own set of source , dest, translated IPs and ports.
# In FirewallPolicy a NatRuleCollection has a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
# as part of NatRuleCollection.
# So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
Write-Host "creating " $azfw.NatRuleCollections.Count " NAT rule collections"
If ($azfw.NatRuleCollections.Count -gt 0)
{
  $firewallPolicyNatRuleCollections = @()
  $priority = 100
  ForEach ($rc in $azfw.NatRuleCollections)
  {
    $firewallPolicyNatRules = @()
    If ($rc.Rules.Count -gt 0)
    {
      Write-Host "creating " $rc.Rules.Count " nat rules for collection "  $rc.Name
      ForEach ($rule in $rc.Rules) 
			{
				$parsedName = ParseRuleName($rule.Name)
				If ($rule.SourceAddresses) 
				{
					$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup  $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
				}
        elseif ($rule.SourceIpGroups)
        {
					$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup  $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
        }
				Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name
        $firewallPolicyNatRules += $firewallPolicyNatRule
      }

      $natRuleCollectionName = $rc.Name
      $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
      $priority += 1
      Write-Host "Created NAT Rule Collection: "  $fwpNatRuleCollection.Name
      $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
    }
  }
  $natRuleCollectionGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
  Write-Host "Created NAT Rule Collection Group: "  $natRuleCollectionGroup.Name
}

后续步骤

详细了解 Azure 防火墙管理器部署:Azure 防火墙管理器部署概述