New naming/schema for Firewall Policy #13629

Closed
saisujithreddym opened this issue May 22, 2020 · 2 comments · Fixed by Azure/azure-cli-extensions#1861

@saisujithreddym

Is your feature request related to a problem? Please describe.
The backend schema for the firewall policy is going to change from the 2020-05-01 API version. If the CLI automatically updates the API version to call a new SDK every time the SDK is updated, we need to make this change ASAP.

Describe the solution you'd like
Current Scenario:
The CLI is consuming the firewall policy schema in the format of RuleGroups, Rules and RuleConditions. However, it is shown to the user in the format of RuleCollectionsGroup, RuleCollections and Rule.

Going Forward:
The changes made to map the RuleGroups/Rule/RuleConditions -> RuleCollectionsGroup/RuleCollections/Rules on the CLI side will be moved to the backend. So we need not map this on the CLI side, as the backend sends the right schema of RuleCollectionsGroup/RuleCollections/Rules starting with the API version 2020-05-01. We need changes on the CLI to consume the new schema.

Describe alternatives you've considered
We do not have an alternative, as this change is already rolled out on the backend and this is a requirement.

Additional context
Swagger Changes for reference: Azure/azure-rest-api-specs#9356.
Please note that the SDK is not released yet. So we will have to generate a local SDK to test the changes and use the API version 2020-05-01 when making the call to get the new schema.

ghost added the needs-triage and question labels May 22, 2020
yonzhan added the Network label May 22, 2020
ghost removed the needs-triage label May 22, 2020
yonzhan added this to the S171 milestone May 22, 2020
@yonzhan
Collaborator

yonzhan commented May 22, 2020

add to S171

yonzhan modified the milestones: S171, S172 Jun 3, 2020
yonzhan added the OKR3.2 Candidate and feature-request labels and removed the question and OKR3.2 Candidate labels Jun 3, 2020
yonzhan modified the milestones: S172, S171 Jun 3, 2020
@tejasshah7

Just to give more information. As part of this change, there is a new rule type that will have to be supported:

Basically the format for Nat Rule which should get added as part of this would be like this:

```
az network firewall policy rule-collection-group collection rule add --collection-name
    --name
    --policy-name
    --resource-group
    --rule-collection-group-name
    --rule-type {ApplicationRule, NetworkRule, NatRule}
    [--description]
    [--destination-addresses]
    [--destination-ports]
    [--fqdn-tags]
    [--ip-protocols {Any, ICMP, TCP, UDP}]
    [--protocols]
    [--source-addresses]
    [--target-fqdns]
    [--translated-address]
    [--translated-port]
```

For rule type NAT Rule, the following fields apply:
- translated-address
- translated-port

And the following fields do not apply:
- fqdn-tags
- target-fqdns

And the Nat rule collection command will have to change to:

```
az network firewall policy rule-collection-group collection add-nat-collection --collection-priority
    --name
    --policy-name
    --resource-group
    --rule-collection-group-name
    [--action {DNAT, SNAT}]
    [--rule-name]
```
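
An added example, not part of the comment above and not azure-cli code: a stand-alone `argparse` sketch of the proposed `collection rule add` flags that rejects flag combinations the comment says do not apply to a NAT rule, instead of silently ignoring them. The function names, the sample values, the space-separated list handling and the rule that the `--translated-*` flags are NAT-only are assumptions.

```python
import argparse

RULE_TYPES = ("ApplicationRule", "NetworkRule", "NatRule")
IP_PROTOCOLS = ("Any", "ICMP", "TCP", "UDP")
NOT_FOR_NAT = ("fqdn_tags", "target_fqdns")             # from the comment
NAT_ONLY = ("translated_address", "translated_port")    # assumption: NAT only

# Constructed values for the required flags of the proposed command.
BASE = ["--collection-name", "c1", "--name", "r1", "--policy-name", "p1",
        "--resource-group", "rg1", "--rule-collection-group-name", "g1"]


def build_parser():
    """Hypothetical stand-in for the proposed `collection rule add` flags."""
    p = argparse.ArgumentParser(prog="collection rule add")
    for flag in BASE[0::2]:
        p.add_argument(flag, required=True)
    p.add_argument("--rule-type", required=True, choices=RULE_TYPES)
    p.add_argument("--ip-protocols", nargs="+", choices=IP_PROTOCOLS)
    # Assumption: list-valued flags take space-separated values.
    for flag in ("--destination-addresses", "--destination-ports",
                 "--fqdn-tags", "--protocols", "--source-addresses",
                 "--target-fqdns"):
        p.add_argument(flag, nargs="+")
    for flag in ("--description", "--translated-address", "--translated-port"):
        p.add_argument(flag)
    return p


def check_rule_args(argv):
    """Return a list of flag/rule-type conflicts (empty when consistent)."""
    ns = build_parser().parse_args(argv)
    is_nat = ns.rule_type == "NatRule"
    problems = []
    for dest in NOT_FOR_NAT:
        if is_nat and getattr(ns, dest) is not None:
            problems.append(f"--{dest.replace('_', '-')} does not apply to NatRule")
    for dest in NAT_ONLY:
        if not is_nat and getattr(ns, dest) is not None:
            problems.append(f"--{dest.replace('_', '-')} applies only to NatRule")
    return problems


if __name__ == "__main__":
    nat = BASE + ["--rule-type", "NatRule", "--ip-protocols", "TCP",
                  "--translated-address", "10.0.0.4", "--translated-port", "8080",
                  "--target-fqdns", "example.com"]
    print(check_rule_args(nat))
```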
