In this post, I will outline how you can back up your Azure Firewall, enabling you to rebuild it in case it is accidentally/maliciously deleted or re-configured by an authorized person.
With the Azure Firewall adding new features, we should expect more customers to start using it. And if you are using it like I do with my customers, it’s the centre of everything and it can quickly contain a lot of collections/rules which took a long time to write.
Wait – what new features? Obviously, Threat Detection (using the MS security graph) is killer, but support for up to 100 public IP addresses was announced and is imminent, availability zones are there now for this mission critical service, application rule FQDN support was added for SQL databases, and HD Insight tags are in preview.
So back on topic: how do I backup Azure Firewall? It’s actually pretty simple. You will need to retrieve your firewall’s resource ID:
$AzureFirewallId = (Get-AzFirewall -Name "MyFirewall" -ResourceGroupName "MyVnetRg").id
Then you will export a JSON copy of the firewall:
$BackupFileName = ".\MyFirewallBackup.json" Export-AzResourceGroup -ResourceGroupName "MyVnetRg" -Resource $AzureFirewallId -SkipAllParameterization -Path $BackupFileName
And that’s the guts of it! To do a restore you simply redeploy the JSON file to the resource group:
New-AzResourceGroupDeployment -name "FirewallRestoreJob" -ResourceGroupName "MyVnetRg" -TemplateFile ".\MyFirewallBackup.json"
I’ve tested a delete and restore and it works. The magic here is using -SkipAllParameterization in the resource export to make the JSON file recreate exactly what was lost at the time of the backup/export.
If you wanted to get clever you could wrap up the backup cmdlets in an Azure Automation script. Add some lines to copy the alter the backup file name (date/time), and copy the backup to blob storage in a GPv2 storage account (with Lifecycle Management for automatic blob tiering and a protection policy to prevent deletion). And then you would schedule to the automation to run every day.
I apologize in advance for my lack of knowledge, but if you want to put the backup file in azure file storage, how do you specify that? Or did I miss it?
I’m running this inside of Cloud Shell and I had to add a step of
Set-AzContext -SubscriptionId “my subscription id” otherwise it won’t find my resource group. Even doing that now, once I run the Exort-AzResourceGroup, it comes back with
Export-AzResourceGroup: Path cannot be the empty string or all whitespace. (Parameter ‘path’)
I even tried removing the variable for the actual path that I put into the variable and still the same error. I’m trying to solve this but I thought that at least the first thing might be helpful to others.
I had the same problem however changing the relative path to the absolute path (Ex.: C:\Users\\Desktop\filename.json”) it worked.
I was able to avoid this error by using ‘./’ instead of ‘.\’ within cloud shell.