CloudWiki

Firewall Policy Rule Collection Group

Microsoft Azure
Networking
In Azure Firewall Policy, a rule collection group is a container for one or more rule collections. A rule collection is a set of rules that define network traffic filtering behavior for a specific scenario, such as allowing access to a specific application or blocking traffic from a particular IP address range. The rule collection group allows you to group rule collections together and apply them to multiple Azure Firewall instances or virtual networks. You can define multiple rule collection groups within a single Azure Firewall Policy to allow for more granular control of network traffic. In each rule collection, you can define multiple rules that specify source and destination IP addresses, protocols, and ports. You can also define the action to take for traffic that matches the rule, such as allow or deny.
Terraform name: azurerm_firewall_policy_rule_collection_group

Firewall Policy Rule Collection Group attributes:

The following arguments are supported:

  • name - (Required) The name which should be used for this Firewall Policy Rule Collection Group. Changing this forces a new Firewall Policy Rule Collection Group to be created.
  • firewall_policy_id - (Required) The ID of the Firewall Policy where the Firewall Policy Rule Collection Group should exist. Changing this forces a new Firewall Policy Rule Collection Group to be created.
  • priority - (Required) The priority of the Firewall Policy Rule Collection Group. The range is 100-65000.
  • application_rule_collection - (Optional) One or more application_rule_collection blocks as defined below.
  • nat_rule_collection - (Optional) One or more nat_rule_collection blocks as defined below.
  • network_rule_collection - (Optional) One or more network_rule_collection blocks as defined below.

An application_rule_collection block supports the following:

  • name - (Required) The name which should be used for this application rule collection.
  • action - (Required) The action to take for the application rules in this collection. Possible values are Allow and Deny.
  • priority - (Required) The priority of the application rule collection. The range is 100 - 65000.
  • rule - (Required) One or more application_rule (application rule) blocks as defined below.

A network_rule_collection block supports the following:

  • name - (Required) The name which should be used for this network rule collection.
  • action - (Required) The action to take for the network rules in this collection. Possible values are Allow and Deny.
  • priority - (Required) The priority of the network rule collection. The range is 100 - 65000.
  • rule - (Required) One or more network_rule (network rule) blocks as defined below.

A nat_rule_collection block supports the following:

  • name - (Required) The name which should be used for this NAT rule collection.
  • action - (Required) The action to take for the NAT rules in this collection. Currently, the only possible value is Dnat.
  • priority - (Required) The priority of the NAT rule collection. The range is 100 - 65000.
  • rule - (Required) A nat_rule (NAT rule) block as defined below.

An application_rule (application rule) block supports the following:

  • name - (Required) The name which should be used for this rule.
  • description - (Optional) The description which should be used for this rule.
  • protocols - (Optional) One or more protocols blocks as defined below. Not required when specifying destination_fqdn_tags, but required when specifying destination_fqdns.
  • source_addresses - (Optional) Specifies a list of source IP addresses (including CIDR, IP range and *).
  • source_ip_groups - (Optional) Specifies a list of source IP groups.
  • destination_addresses - (Optional) Specifies a list of destination IP addresses (including CIDR, IP range and *).
  • destination_urls - (Optional) Specifies a list of destination URLs for which policy should hold. Needs Premium SKU for Firewall Policy. Conflicts with destination_fqdns.
  • destination_fqdns - (Optional) Specifies a list of destination FQDNs. Conflicts with destination_urls.
  • destination_fqdn_tags - (Optional) Specifies a list of destination FQDN tags.
  • terminate_tls - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false). Must be true when using destination_urls. Needs Premium SKU for Firewall Policy.
  • web_categories - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of action above. Needs Premium SKU for Firewall Policy.

A network_rule (network rule) block supports the following:

  • name - (Required) The name which should be used for this rule.
  • protocols - (Required) Specifies a list of network protocols this rule applies to. Possible values are Any, TCP, UDP, ICMP.
  • destination_ports - (Required) Specifies a list of destination ports.
  • source_addresses - (Optional) Specifies a list of source IP addresses (including CIDR, IP range and *).
  • source_ip_groups - (Optional) Specifies a list of source IP groups.
  • destination_addresses - (Optional) Specifies a list of destination IP addresses (including CIDR, IP range and *) or Service Tags.
  • destination_ip_groups - (Optional) Specifies a list of destination IP groups.
  • destination_fqdns - (Optional) Specifies a list of destination FQDNs.

A nat_rule (NAT rule) block supports the following:

  • name - (Required) The name which should be used for this rule.
  • protocols - (Required) Specifies a list of network protocols this rule applies to. Possible values are TCP, UDP.
  • source_addresses - (Optional) Specifies a list of source IP addresses (including CIDR, IP range and *).
  • source_ip_groups - (Optional) Specifies a list of source IP groups.
  • destination_address - (Optional) The destination IP address (including CIDR).
  • destination_ports - (Optional) Specifies a list of destination ports. Only one destination port is supported in a NAT rule.
  • translated_address - (Optional) Specifies the translated address.
  • translated_fqdn - (Optional) Specifies the translated FQDN.
  • translated_port - (Required) Specifies the translated port.

NOTE:

Exactly one of translated_address and translated_fqdn should be set.

A protocols block supports the following:

  • type - (Required) Protocol type. Possible values are Http and Https.
  • port - (Required) Port number of the protocol. Range is 0-64000.
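As an added example (not code from the CloudWiki page or the azurerm provider), the following Python check applies the constraints listed above to a rule collection group written as a dict that mirrors the Terraform block structure, and also flags Allow rules that use the "*" wildcard; the group, collection and rule names in the sample are constructed.

```python
# Added example, not from the CloudWiki page or the azurerm provider: a
# pre-apply check for an azurerm_firewall_policy_rule_collection_group written
# as a Python dict that mirrors the Terraform block structure described above.
PRIORITY = (100, 65000)  # range the docs give for group and collection priority
def _bad_priority(value):
    return not isinstance(value, int) or not PRIORITY[0] <= value <= PRIORITY[1]

def _check_application_rule(label, rule, out):
    if rule.get("destination_urls") and rule.get("destination_fqdns"):
        out.append(f"{label}: destination_urls conflicts with destination_fqdns")
    if rule.get("destination_urls") and not rule.get("terminate_tls"):
        out.append(f"{label}: destination_urls requires terminate_tls = true")

def _check_nat_rule(label, rule, out):
    if bool(rule.get("translated_address")) == bool(rule.get("translated_fqdn")):
        out.append(f"{label}: set exactly one of translated_address / translated_fqdn")
    if len(rule.get("destination_ports", [])) != 1:
        out.append(f"{label}: a NAT rule supports exactly one destination port")

def _check_broad_allow(label, action, rule, out):
    # Defender's check: "*" (valid in both address lists) makes an Allow rule match anything.
    if action == "Allow":
        for key in ("source_addresses", "destination_addresses"):
            if "*" in rule.get(key, []):
                out.append(f"{label}: Allow rule with wildcard {key}")

CHECKS = {"application_rule_collection": _check_application_rule,
          "network_rule_collection": lambda *_: None,   # no extra per-rule constraint above
          "nat_rule_collection": _check_nat_rule}

def validate_group(group):
    out = []  # findings; an empty list means the group passed
    if _bad_priority(group.get("priority")):
        out.append(f"{group['name']}: priority must be in {PRIORITY[0]}-{PRIORITY[1]}")
    for kind, rule_check in CHECKS.items():
        for coll in group.get(kind, []):
            label = f"{group['name']}/{coll['name']}"
            if _bad_priority(coll.get("priority")):
                out.append(f"{label}: priority must be in {PRIORITY[0]}-{PRIORITY[1]}")
            for rule in coll.get("rule", []):
                rule_check(f"{label}/{rule['name']}", rule, out)
                _check_broad_allow(f"{label}/{rule['name']}", coll.get("action"), rule, out)
    return out

# Constructed sample (not from the page): two schema defects plus one broad Allow.
SAMPLE_GROUP = {"name": "example-fwpolicy-rcg", "priority": 500, "application_rule_collection": [
    {"name": "app_rc", "priority": 500, "action": "Allow", "rule": [
        {"name": "urls", "destination_urls": ["contoso.com/api"], "source_addresses": ["*"]}]}],
    "nat_rule_collection": [{"name": "nat_rc", "priority": 300, "action": "Dnat", "rule": [
        {"name": "dnat1", "destination_ports": ["80"], "translated_address": "192.168.0.1", "translated_fqdn": "app.internal"}]}]}
```

Running validate_group(SAMPLE_GROUP) returns three findings: the missing terminate_tls, the wildcard source on an Allow rule, and the NAT rule that sets both translated targets.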

Associating resources with a Firewall Policy Rule Collection Group
Resources do not "belong" to a Firewall Policy Rule Collection Group. Rather, one or more Security Groups are associated with a resource.
Create Firewall Policy Rule Collection Group via Terraform:
The following HCL manages a Firewall Policy Rule Collection Group.
Syntax:

resource "azurerm_resource_group" "example" {
 name     = "example-resources"
 location = "West Europe"
}

resource "azurerm_firewall_policy" "example" {
 name                = "example-fwpolicy"
 resource_group_name = azurerm_resource_group.example.name
 location            = azurerm_resource_group.example.location
}

resource "azurerm_firewall_policy_rule_collection_group" "example" {
 name               = "example-fwpolicy-rcg"
 firewall_policy_id = azurerm_firewall_policy.example.id
 priority           = 500
 application_rule_collection {
   name     = "app_rule_collection1"
   priority = 500
   action   = "Deny"
   rule {
     name = "app_rule_collection1_rule1"
     protocols {
       type = "Http"
       port = 80
     }
     protocols {
       type = "Https"
       port = 443
     }
     source_addresses  = ["10.0.0.1"]
     destination_fqdns = ["*.microsoft.com"]
   }
 }

 network_rule_collection {
   name     = "network_rule_collection1"
   priority = 400
   action   = "Deny"
   rule {
     name                  = "network_rule_collection1_rule1"
     protocols             = ["TCP", "UDP"]
     source_addresses      = ["10.0.0.1"]
     destination_addresses = ["192.168.1.1", "192.168.1.2"]
     destination_ports     = ["80", "1000-2000"]
   }
 }

 nat_rule_collection {
   name     = "nat_rule_collection1"
   priority = 300
   action   = "Dnat"
   rule {
     name                = "nat_rule_collection1_rule1"
     protocols           = ["TCP", "UDP"]
     source_addresses    = ["10.0.0.1", "10.0.0.2"]
     destination_address = "192.168.1.1"
     destination_ports   = ["80"]
     translated_address  = "192.168.0.1"
     translated_port     = "8080"
   }
 }
}

Create Firewall Policy Rule Collection Group via CLI:
Parameters:

az network firewall policy rule-collection-group create --name
                                                       --policy-name
                                                       --priority
                                                       --resource-group

Example:

# Step 1: create the rule collection group inside the policy. The "create"
# subcommand only takes the four parameters listed above; the rule settings
# belong to the "collection add-filter-collection" subcommand in step 2.
az network firewall policy rule-collection-group create \
    --name "WebTrafficRules" \
    --policy-name "MyFirewallPolicy" \
    --resource-group "MyResourceGroup" \
    --priority 100

# Step 2: add an Allow collection with one network rule for TCP/80 towards
# 10.0.0.0/24. The source range 10.0.1.0/24 is a placeholder; scope it to the
# clients that actually need the access rather than using "*".
az network firewall policy rule-collection-group collection add-filter-collection \
    --name "Allow-HTTP-Collection" \
    --policy-name "MyFirewallPolicy" \
    --resource-group "MyResourceGroup" \
    --rule-collection-group-name "WebTrafficRules" \
    --collection-priority 100 \
    --action "Allow" \
    --rule-type NetworkRule \
    --rule-name "Allow-HTTP" \
    --ip-protocols TCP \
    --source-addresses "10.0.1.0/24" \
    --destination-addresses "10.0.0.0/24" \
    --destination-ports 80
