Basic SKU management NIC changes (#18916)
* Made Management NIC required for basic sku * Added unit tests for basic sku management NIC * Updated changelog Co-authored-by: Gizachew Eshetie <v-geshetie@microsoft.com>
Родитель
36af7d13e2
Коммит
2db9b49a3c
|
@ -136,6 +136,7 @@ namespace Commands.Network.Test.ScenarioTests
|
|||
{
|
||||
TestRunner.RunTestScript("Test-AzureFirewallVirtualHubAllocateDeallocated");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
[Trait(Category.AcceptanceType, Category.CheckIn)]
|
||||
[Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
|
||||
|
@ -143,5 +144,13 @@ namespace Commands.Network.Test.ScenarioTests
|
|||
{
|
||||
TestRunner.RunTestScript("Test-AzureFirewallBasicSku");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
[Trait(Category.AcceptanceType, Category.CheckIn)]
|
||||
[Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
|
||||
public void TestAzureFirewallManagementNICBasicSku()
|
||||
{
|
||||
TestRunner.RunTestScript("Test-AzureFirewallManagementNICBasicSku");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1773,3 +1773,100 @@ function Test-AzureFirewallBasicSku {
|
|||
Clean-ResourceGroup $rgname
|
||||
}
|
||||
}
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Tests AzureFirewall Management NIC Basic Sku
|
||||
#>
|
||||
function Test-AzureFirewallManagementNICBasicSku {
|
||||
# Setup
|
||||
$rgname = Get-ResourceGroupName
|
||||
$azureFirewallName = Get-ResourceName
|
||||
$resourceTypeParent = "Microsoft.Network/AzureFirewalls"
|
||||
$location = Get-ProviderLocation $resourceTypeParent "eastus"
|
||||
|
||||
$vnetName = Get-ResourceName
|
||||
$subnetName = "AzureFirewallSubnet"
|
||||
$mgmtSubnetName = "AzureFirewallManagementSubnet"
|
||||
$publicIp1Name = Get-ResourceName
|
||||
$mgmtPublicIpName = Get-ResourceName
|
||||
$skuTier = "Basic"
|
||||
|
||||
try {
|
||||
# Create the resource group
|
||||
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
|
||||
|
||||
# Create the Virtual Network
|
||||
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
|
||||
$mgmtSubnet = New-AzVirtualNetworkSubnetConfig -Name $mgmtSubnetName -AddressPrefix 10.0.100.0/24
|
||||
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet,$mgmtSubnet
|
||||
|
||||
# Get full subnet details
|
||||
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
|
||||
$mgmtSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $mgmtSubnetName
|
||||
|
||||
# Create public ips
|
||||
$publicip1 = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIp1Name -location $location -AllocationMethod Static -Sku Standard
|
||||
$mgmtPublicIp = New-AzPublicIpAddress -ResourceGroupName $rgname -name $mgmtPublicIpName -location $location -AllocationMethod Static -Sku Standard
|
||||
|
||||
# Try to create basic sku Firewall without ManagementPublicIpAddress and Verify
|
||||
Assert-ThrowsContains { New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -PublicIpAddress $publicip1 -SkuTier $skuTier } "ManagementPublicIpAddress is required for Azure Firewalls with Basic SKU"
|
||||
|
||||
# Create AzureFirewall with a Management PIP
|
||||
$azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetwork $vnet -ManagementPublicIpAddress $mgmtPublicIp -SkuTier $skuTier
|
||||
|
||||
# Get AzureFirewall
|
||||
$getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgname
|
||||
|
||||
#verification
|
||||
Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
|
||||
Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
|
||||
Assert-NotNull $getAzureFirewall.Location
|
||||
Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location
|
||||
Assert-NotNull $getAzureFirewall.Etag
|
||||
|
||||
Assert-Null $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
|
||||
Assert-NotNull $getAzureFirewall.ManagementIpConfiguration
|
||||
Assert-NotNull $getAzureFirewall.ManagementIpConfiguration.Subnet.Id
|
||||
Assert-NotNull $getAzureFirewall.ManagementIpConfiguration.PublicIpAddress.Id
|
||||
Assert-AreEqual $mgmtSubnet.Id $getAzureFirewall.ManagementIpConfiguration.Subnet.Id
|
||||
Assert-AreEqual $mgmtPublicIp.Id $getAzureFirewall.ManagementIpConfiguration.PublicIpAddress.Id
|
||||
|
||||
# Add PIP
|
||||
$getAzureFirewall.AddPublicIpAddress($publicip1)
|
||||
|
||||
# Set AzureFirewall
|
||||
Set-AzFirewall -AzureFirewall $getAzureFirewall
|
||||
|
||||
# Get AzureFirewall
|
||||
$getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName
|
||||
|
||||
#verification
|
||||
Assert-AreEqual $rgName $getAzureFirewall.ResourceGroupName
|
||||
Assert-AreEqual $azureFirewallName $getAzureFirewall.Name
|
||||
Assert-NotNull $getAzureFirewall.Location
|
||||
Assert-AreEqual $location $getAzureFirewall.Location
|
||||
Assert-NotNull $getAzureFirewall.Etag
|
||||
|
||||
Assert-AreEqual 1 @($getAzureFirewall.IpConfigurations).Count
|
||||
Assert-NotNull $getAzureFirewall.IpConfigurations[0].Subnet.Id
|
||||
Assert-NotNull $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
|
||||
Assert-NotNull $getAzureFirewall.IpConfigurations[0].PrivateIpAddress
|
||||
Assert-AreEqual $subnet.Id $getAzureFirewall.IpConfigurations[0].Subnet.Id
|
||||
Assert-AreEqual $publicip1.Id $getAzureFirewall.IpConfigurations[0].PublicIpAddress.Id
|
||||
|
||||
# Delete AzureFirewall
|
||||
$delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
|
||||
Assert-AreEqual true $delete
|
||||
|
||||
# Delete VirtualNetwork
|
||||
$delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force
|
||||
Assert-AreEqual true $delete
|
||||
|
||||
$list = Get-AzFirewall -ResourceGroupName $rgname
|
||||
Assert-AreEqual 0 @($list).Count
|
||||
}
|
||||
finally {
|
||||
# Cleanup
|
||||
Clean-ResourceGroup $rgname
|
||||
}
|
||||
}
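Review bot: The negative coverage stops at the missing ManagementPublicIpAddress case in the `Assert-ThrowsContains` line. The other precondition this commit introduces, a virtual network with no `AzureFirewallManagementSubnet`, has no assertion of its own, so a regression in that guard would pass unnoticed. A second `Assert-ThrowsContains` against a vnet built from `$subnet` alone, matching on "should contain a Subnet named", would cover it. Separately, the second verification block uses `Assert-AreEqual $location $getAzureFirewall.Location` while the first normalises the value; using `Assert-AreEqual (Normalize-Location $location) $getAzureFirewall.Location` in both keeps them consistent if Get-ProviderLocation ever returns a display-form name.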
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -330,9 +330,15 @@ namespace Microsoft.Azure.Commands.Network
|
|||
|
||||
if (this.virtualNetwork != null)
|
||||
{
|
||||
firewall.Allocate(this.virtualNetwork, this.publicIpAddresses, this.ManagementPublicIpAddress);
|
||||
if (firewall.Sku != null && firewall.Sku.Tier.Equals(MNM.AzureFirewallSkuTier.Basic))
|
||||
{
|
||||
firewall.AllocateBasicSku(this.virtualNetwork, this.publicIpAddresses, this.ManagementPublicIpAddress);
|
||||
}
|
||||
else
|
||||
{
|
||||
firewall.Allocate(this.virtualNetwork, this.publicIpAddresses, this.ManagementPublicIpAddress);
|
||||
}
|
||||
}
|
||||
|
||||
firewall.ValidateDNSProxyRequirements();
|
||||
}
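Review bot: The SKU test `firewall.Sku.Tier.Equals(MNM.AzureFirewallSkuTier.Basic)` is case-sensitive and guards only `Sku` against null. A tier supplied as `basic` would fall through to the `else` branch and skip the client-side ManagementPublicIpAddress requirement, and a null `Tier` would throw NullReferenceException. How the SkuTier parameter is validated is not visible in this hunk, so confirm whether a differently cased value can reach this line. Assuming `Tier` is a string, `if (string.Equals(firewall.Sku?.Tier, MNM.AzureFirewallSkuTier.Basic, StringComparison.OrdinalIgnoreCase))` handles both cases. The enclosing method starts and ends outside the hunk.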
|
||||
|
||||
|
|
|
@ -19,6 +19,8 @@
|
|||
--->
|
||||
|
||||
## Upcoming Release
|
||||
* Enabled Azure Firewall forced tunneling by default (AzureFirewallManagementSubnet and ManagementPublicIpAddress are required) whenever basic sku firewall is created.
|
||||
- `New-AzFirewall`
|
||||
* Fixed bug that causes an overflow due to incorrect SNAT private ranges IP validation.
|
||||
* Added new cmdlets to create/manage L4(TCP/TLS) objects for ApplicationGateway:
|
||||
- `Get-AzApplicationGatewayListener`
|
||||
|
|
|
@ -207,7 +207,66 @@ namespace Microsoft.Azure.Commands.Network.Models
|
|||
|
||||
this.IpConfigurations[0].Subnet = new PSResourceId { Id = firewallSubnet.Id };
|
||||
}
|
||||
public void AllocateBasicSku(PSVirtualNetwork virtualNetwork, PSPublicIpAddress[] publicIpAddresses, PSPublicIpAddress ManagementPublicIpAddress)
|
||||
{
|
||||
if (virtualNetwork == null)
|
||||
{
|
||||
throw new ArgumentNullException(nameof(virtualNetwork), "Virtual Network cannot be null!");
|
||||
}
|
||||
|
||||
if (ManagementPublicIpAddress == null)
|
||||
{
|
||||
throw new ArgumentNullException(nameof(ManagementPublicIpAddress), "ManagementPublicIpAddress is required for Azure Firewalls with Basic SKU!");
|
||||
}
|
||||
|
||||
PSSubnet firewallMgmtSubnet = null;
|
||||
try
|
||||
{
|
||||
firewallMgmtSubnet = virtualNetwork.Subnets.Single(subnet => AzureFirewallMgmtSubnetName.Equals(subnet.Name));
|
||||
}
|
||||
catch (InvalidOperationException)
|
||||
{
|
||||
throw new ArgumentException($"Virtual Network {virtualNetwork.Name} should contain a Subnet named {AzureFirewallMgmtSubnetName}");
|
||||
}
|
||||
|
||||
PSSubnet firewallSubnet = null;
|
||||
try
|
||||
{
|
||||
firewallSubnet = virtualNetwork.Subnets.Single(subnet => AzureFirewallSubnetName.Equals(subnet.Name));
|
||||
}
|
||||
catch (InvalidOperationException)
|
||||
{
|
||||
throw new ArgumentException($"Virtual Network {virtualNetwork.Name} should contain a Subnet named {AzureFirewallSubnetName}");
|
||||
}
|
||||
|
||||
this.ManagementIpConfiguration = new PSAzureFirewallIpConfiguration
|
||||
{
|
||||
Name = AzureFirewallMgmtIpConfigurationName,
|
||||
PublicIpAddress = new PSResourceId { Id = ManagementPublicIpAddress.Id },
|
||||
Subnet = new PSResourceId { Id = firewallMgmtSubnet.Id }
|
||||
};
|
||||
|
||||
this.IpConfigurations = new List<PSAzureFirewallIpConfiguration>();
|
||||
|
||||
if (publicIpAddresses != null && publicIpAddresses.Count() > 0)
|
||||
{
|
||||
for (var i = 0; i < publicIpAddresses.Count(); i++)
|
||||
{
|
||||
this.IpConfigurations.Add(
|
||||
new PSAzureFirewallIpConfiguration
|
||||
{
|
||||
Name = $"{AzureFirewallIpConfigurationName}{i}",
|
||||
PublicIpAddress = new PSResourceId { Id = publicIpAddresses[i].Id }
|
||||
});
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
this.IpConfigurations.Add(new PSAzureFirewallIpConfiguration { Name = $"{AzureFirewallIpConfigurationName}{0}" });
|
||||
}
|
||||
|
||||
this.IpConfigurations[0].Subnet = new PSResourceId { Id = firewallSubnet.Id };
|
||||
}
|
||||
public void Deallocate()
|
||||
{
|
||||
if (this.Sku.Name.Equals("AZFW_Hub", StringComparison.OrdinalIgnoreCase))
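Review bot: AllocateBasicSku appears to repeat the allocation logic of Allocate, whose closing line just above the new method is the same `this.IpConfigurations[0].Subnet = new PSResourceId { Id = firewallSubnet.Id };` assignment. The only Basic-specific step visible is the null check on ManagementPublicIpAddress. Two copies of this logic can drift, and the management-NIC requirement would then hold on one path only. If Allocate already builds ManagementIpConfiguration when a management IP is passed (its body starts outside this hunk, so confirm), the new method could keep its two argument guards and end with `this.Allocate(virtualNetwork, publicIpAddresses, ManagementPublicIpAddress);`. A `/// <summary>` stating that Basic SKU requires both AzureFirewallManagementSubnet and a management public IP would document the contract the test relies on.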
|
||||
|
|