Azure Firewall Application Rules - "MSSQL" not available in Rule Collection Groups

Tarjei Ylvisåker 56 Reputation points
2024-08-16T15:28:26.0766667+00:00

Hi,

Working on an IaC project for Azure Firewall.

Have created Azure Firewall, Azure Firewall Policy and working on implementing rules using Rule Collection Groups modules.

In the Portal, Application Groups support protocol type "http", "https" and "mssql". However, when provisioning this using the Rule Collection Group module, that is just not an option at all, only HTTP and HTTPS are available.

However, in the Azure Firewall module, you have all three. I am more a fan of doing this modularly to have more flexibility, so would like to avoid having to do the rules directly in the Azure Firewall module.

Is there any particular reason why Mssql is not available directly from the "Rule Collection Group" module?

Is there any GitHub issue page for Azure networking where I could report this?

Thanks!


1 answer

  1. KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee
    2024-08-19T06:17:58.9833333+00:00

    @Tarjei Ylvisåker ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know why "Mssql" is not listed under the Rule Collection Group module of Azure Firewall Policy.

    I just did a lab with Terraform and I was successfully able to use "Mssql".

    resource "azurerm_resource_group" "fwrg" {
      name     = "fwrg2"
      location = "West Europe"
    }
    
    resource "azurerm_firewall_policy" "fwpolicy" {
      name                = "fwpolicy"
      resource_group_name = azurerm_resource_group.fwrg.name
      location            = azurerm_resource_group.fwrg.location
    }
    
    resource "azurerm_firewall_policy_rule_collection_group" "rcg" {
      name               = "rcg"
      firewall_policy_id = azurerm_firewall_policy.fwpolicy.id
      priority           = 500
    
      application_rule_collection {
        name     = "app_rule_collection1"
        priority = 500
        action   = "Deny"
        rule {
          name = "app_rule_collection1_rule1"
          protocols {
            type = "Mssql"
            port = 1433
          }
          protocols {
            type = "Http"
            port = 1234
          }
          source_addresses  = ["10.0.0.1"]
          destination_fqdns = ["*.microsoft.com"]
        }
      }
    }

    NOTE :

    • The "protocols" does not take any random values, it in fact verifies if you input one of the three : ["Http","Https","Mssql"]
    • However, you can use non standard ports without any issues.

    Looks like the documentation is not updated, I shall reach out to internal teams to get the documentation up to date.

    Meanwhile, please let us know if we can be of any further assistance here.

    Thanks,

    Kapil


    Please Accept an answer if correct.

    Original posters help the community find answers faster by identifying the correct answer.
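
Added example, not part of the original thread or of the provider's documentation: a hypothetical reusable module that takes application rules as input, in the modular style the question asks for, and rejects any protocol type outside the three values named in the answer before the provider is called. The variable names `firewall_policy_id` and `app_rules` are assumptions; the resource arguments are the ones used in the answer's lab.

```hcl
# Added example: hypothetical module; variable names are assumptions.
variable "firewall_policy_id" { type = string }

variable "app_rules" {
  type = list(object({
    name              = string
    source_addresses  = list(string)
    destination_fqdns = list(string)
    protocols = list(object({
      type = string
      port = number
    }))
  }))

  # Fail at plan time if any rule uses a type other than the three listed in the answer.
  validation {
    condition = alltrue(flatten([
      for r in var.app_rules : [
        for p in r.protocols : contains(["Http", "Https", "Mssql"], p.type)
      ]
    ]))
    error_message = "Each protocols.type must be one of: Http, Https, Mssql."
  }
}

resource "azurerm_firewall_policy_rule_collection_group" "rcg" {
  name               = "rcg"
  firewall_policy_id = var.firewall_policy_id
  priority           = 500

  application_rule_collection {
    name     = "app_rule_collection1"
    priority = 500
    action   = "Deny"

    dynamic "rule" {
      for_each = var.app_rules
      content {
        name              = rule.value.name
        source_addresses  = rule.value.source_addresses
        destination_fqdns = rule.value.destination_fqdns
        dynamic "protocols" {
          for_each = rule.value.protocols
          content {
            type = protocols.value.type
            port = protocols.value.port
          }
        }
      }
    }
  }
}
```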

