使用 PowerShell 将 Azure 防火墙配置迁移到 Azure 防火墙策略
可以使用 Azure PowerShell 脚本将现有 Azure 防火墙配置迁移到 Azure 防火墙策略资源。 然后,可以使用 Azure 防火墙管理器来部署策略。
AZFWMigrationScript.ps1 脚本使用三个 RuleCollectionGroup 对象分别为 ApplicationRuleCollections、NetworkRuleCollections 和 NatRuleCollections 创建一个 FirewallPolicy。
RuleCollectionGroup 是规则集合的新顶级分组,用于将来的扩展性。 建议使用上述默认值,该操作可以通过门户自动完成。
脚本的开头定义源防火墙名称和资源组以及目标策略名称和位置。 根据组织的需要更改这些值。
迁移脚本
修改以下脚本以迁移防火墙配置。
#Input params to be modified as needed
$FirewallResourceGroup = "AzFWMigrateRG"
$FirewallName = "azfw"
$FirewallPolicyResourceGroup = "AzFWPolicyRG"
$FirewallPolicyName = "fwpolicy"
$FirewallPolicyLocation = "ChinaNorth2"
@@ -43,141 +44,186 @@ $InvalidCharsPattern = "[']"
#Helper functions for translating ApplicationProtocol and ApplicationRule
Function GetApplicationProtocolsString
{
Param([Object[]] $Protocols)
$output = ""
ForEach ($protocol in $Protocols)
{
$output += $protocol.ProtocolType + ":" + $protocol.Port + ","
}
return $output.Substring(0, $output.Length - 1)
}
Function GetApplicationRuleCmd
{
Param([Object] $ApplicationRule)
$cmd = "New-AzFirewallPolicyApplicationRule"
$parsedName = ParseRuleName($ApplicationRule.Name)
$cmd = $cmd + " -Name " + "'" + $parsedName + "'"
if ($ApplicationRule.SourceAddresses)
{
$ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
$cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
}
elseif ($ApplicationRule.SourceIpGroups)
{
$ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
$cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
}
if ($ApplicationRule.Description)
{
$cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
}
if ($ApplicationRule.TargetFqdns)
{
$protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
$cmd = $cmd + " -Protocol " + $protocols
$AppRule = $($ApplicationRule.TargetFqdns) -join ","
$cmd = $cmd + " -TargetFqdn " + $AppRule
}
if ($ApplicationRule.FqdnTags)
{
$cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
}
return $cmd
}
Function ParseRuleName
{
Param([Object] $RuleName)
if ($RuleName -match $InvalidCharsPattern) {
$newRuleName = $RuleName -split $InvalidCharsPattern -join ""
Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Cyan
return $newRuleName
}
return $RuleName
}
If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))
{
New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
}
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
Write-Host "creating empty firewall policy"
if ($azfw.DNSEnableProxy) {
$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
}
else {
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
}
Write-Host $fwp.Name "created"
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
#Translate ApplicationRuleCollection
If ($azfw.ApplicationRuleCollections.Count -gt 0)
{
$firewallPolicyAppRuleCollections = @()
ForEach ($appRc in $azfw.ApplicationRuleCollections)
{
If ($appRc.Rules.Count -gt 0)
{
Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
$firewallPolicyAppRules = @()
ForEach ($appRule in $appRc.Rules)
{
$cmd = GetApplicationRuleCmd($appRule)
$firewallPolicyAppRule = Invoke-Expression $cmd
Write-Host "Created appRule " $firewallPolicyAppRule.Name
$firewallPolicyAppRules += $firewallPolicyAppRule
}
$fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
}
$firewallPolicyAppRuleCollections += $fwpAppRuleCollection
}
$appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
}
#Translate NetworkRuleCollection
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0)
{
$firewallPolicyNetRuleCollections = @()
ForEach ($rc in $azfw.NetworkRuleCollections)
{
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
$firewallPolicyNetRules = @()
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
elseif ($rule.SourceIpGroups)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
Write-Host "Created network rule " $firewallPolicyNetRule.Name
$firewallPolicyNetRules += $firewallPolicyNetRule
}
$fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
}
$firewallPolicyNetRuleCollections += $fwpNetRuleCollection
}
$netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
}
#Translate NatRuleCollection
# Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
# where each NatRule will have its own set of source , dest, translated IPs and ports.
# In FirewallPolicy a NatRuleCollection has a a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
# as part of NatRuleCollection.
# So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
Write-Host "creating " $azfw.NatRuleCollections.Count " NAT rule collections"
If ($azfw.NatRuleCollections.Count -gt 0)
{
$firewallPolicyNatRuleCollections = @()
$priority = 100
ForEach ($rc in $azfw.NatRuleCollections)
{
$firewallPolicyNatRules = @()
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
@@ -188,18 +234,19 @@ If ($azfw.NatRuleCollections.Count -gt 0) {
{
$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name
$firewallPolicyNatRules += $firewallPolicyNatRule
}
$natRuleCollectionName = $rc.Name
$fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
$priority += 1
Write-Host "Created NAT RuleCollection " $fwpNatRuleCollection.Name
$firewallPolicyNatRuleCollections += $fwpNatRuleCollection
}
}
$natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created NAT RuleCollectionGroup " $natRuleGroup.Name
}
后续步骤
详细了解 Azure 防火墙管理器部署:Azure 防火墙管理器部署概述。