I have spent quite a few hours figuring out how to deploy Azure’s new Secured Virtual Hub, an extension of Azure Virtual WAN, deployed using ARM templates (JSON). A lot of the bits are either not documented or incorrectly documented. One of the frustrating bits to deploy was the Azure Firewall resource – and the online examples did not help.
The issue was that the two sources I could find did not include public IP addresses on the firewall:
- The quick start for Secured Virtual Hub on docs.microsoft.com
- The new Enterprise-Scale “well-architected” Framework, found in Cloud Adoption Framework
Digging to solve that uncovered:
- The examples used quite an old API version, 2019-08-01, to deploy the Microsoft.Network/azureFirewalls resource.
- There was no example of how to add a public IP address to the firewall in Secured Virtual Hub because it was not possible with that API – SVH is quite different from a VNet deployment because you do not have direct access to the underlying hub virtual network.
- Being an old API, we lose features such as SNAT for non-RFC1918 addresses (important in universities and public sector) and the newer custom & proxy DNS features.
In my digging, I found that the ARM reference for the Azure Firewall was incorrect, but I also uncovered a new, barely-documented property called hubIPAddresses; I knew this property was the key to solving the public IP address issue. So I thought about what was going on and how I was going to solve it.
I ended up doing what I would normally do if I did not have a quick start template to start with:
- Deploy the resource(s) by hand in the Azure Portal
- Observe the options – there was a slider control for the quantity of firewall public IP addresses
- Export the resulting template
And … there was the solution:
- There is a new, undocumented API version for the Azure Firewall resource: 2020-05-01
- There is a new object property called hubIPAddresses that contains an object sub-property called publicIps. You can set a string value called count to control how many public IP addresses Azure will assign (on your behalf) to the firewall – you do not need to create the public IP address resources.
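To show how those two findings fit together in a template, here is an added example of an Azure Firewall resource for a Secured Virtual Hub. This is not the author's exported template; the apiVersion and the hubIPAddresses / publicIps / count names are the ones described above, while the parameter names, the sku block (AZFW_Hub, Standard) and the virtualHub and firewallPolicy references come from my own familiarity with the resource and are assumptions on my part. The count is fed from an int parameter, which is also my assumption (the post describes count as a string value), and the metadata description in the template records that.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "firewallName": {
      "type": "string",
      "defaultValue": "hub-azfw",
      "metadata": { "description": "Placeholder firewall name (constructed for this example)." }
    },
    "virtualHubId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the existing Virtual WAN hub that the firewall is deployed into." }
    },
    "firewallPolicyId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the Azure Firewall Policy that holds the rules for this hub firewall." }
    },
    "publicIpCount": {
      "type": "int",
      "defaultValue": 2,
      "minValue": 1,
      "metadata": { "description": "Number of public IPs Azure allocates to the firewall on your behalf. Typed as int here as an assumption; the post describes count as a string value." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2020-05-01",
      "name": "[parameters('firewallName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "sku": {
          "name": "AZFW_Hub",
          "tier": "Standard"
        },
        "virtualHub": {
          "id": "[parameters('virtualHubId')]"
        },
        "firewallPolicy": {
          "id": "[parameters('firewallPolicyId')]"
        },
        "hubIPAddresses": {
          "publicIps": {
            "count": "[parameters('publicIpCount')]"
          }
        }
      }
    }
  ]
}
```

The point to notice is what is absent: there is no Microsoft.Network/publicIPAddresses resource and no ipConfigurations array, which is what a VNet-deployed firewall template would carry. With the hub SKU, the platform owns the public IPs, so the only lever you have is the count; if you need to know which addresses were allocated (for allow-listing at a partner, or for auditing outbound SNAT sources), read them back from the deployed resource after deployment rather than trying to declare them in the template.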