Merge pull request #10674 from Azure/ipgroup_azfw_branch

AzureFirewall with IpGroups (LATEST)
2019-12-09 14:47:47 +08:00 · 2019-12-09 14:47:47 +08:00 · d4b0a2caca
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallIpGroupTests.cs
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallIpGroupTests.cs
@ -0,0 +1,38 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Test.ScenarioTests;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Commands.Network.Test.ScenarioTests
+{
+    public class AzureFirewallIpGroupTests : NetworkTestRunner
+    {
+        public AzureFirewallIpGroupTests(ITestOutputHelper output)
+            : base(output)
+        {
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallIpGroup()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallIpGroup");
+        }
+    }
+}
--- a/src/Network/Network.Test/ScenarioTests/AzureFirewallIpGroupTests.ps1
+++ b/src/Network/Network.Test/ScenarioTests/AzureFirewallIpGroupTests.ps1
@ -0,0 +1,248 @@
+#----------------------------------------------------------------------------------
+
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+function Check-CmdletReturnType
+{
+    param($cmdletName, $cmdletReturn)
+
+    $cmdletData = Get-Command $cmdletName
+    Assert-NotNull $cmdletData
+    [array]$cmdletReturnTypes = $cmdletData.OutputType.Name | Foreach-Object { return ($_ -replace "Microsoft.Azure.Commands.Network.Models.","") }
+    [array]$cmdletReturnTypes = $cmdletReturnTypes | Foreach-Object { return ($_ -replace "System.","") }
+    $realReturnType = $cmdletReturn.GetType().Name -replace "Microsoft.Azure.Commands.Network.Models.",""
+    return $cmdletReturnTypes -contains $realReturnType
+}
+
+
+<#
+.SYNOPSIS
+Test creating new IpGroups
+#>
+function Test-AzureFirewallIpGroup
+{
+      # Setup
+      $rgname = Get-ResourceGroupName
+      $rglocation = Get-ProviderLocation ResourceManagement "southcentralus"
+      $location = Get-ProviderLocation ResourceManagement "southcentralus"
+      $ipGroupLocation = Get-ProviderLocation ResourceManagement "southcentralus"
+      $ipGroupName1 = Get-ResourceName
+      $ipGroupName2 = Get-ResourceName
+    
+      $azureFirewallName = Get-ResourceName 
+      #$resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+      #$location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+  
+      $vnetName = Get-ResourceName
+      $subnetName = "AzureFirewallSubnet"
+      $publicIpName = Get-ResourceName
+  
+      # AzureFirewallApplicationRuleCollection
+      $someAppRuleCollectionName = "someAppRuleCollection"
+      $someAppRuleCollectionPriority = 100
+      $someAppRuleCollectionActionType = "Allow"
+  
+      # AzureFirewallApplicationRule 1
+      $someAppRuleName = "someAppRule"
+      $someAppRuleFqdn1 = "*bing.com"
+      $someAppRuleProtocol1 = "http:8080"
+      $someAppRulePort1 = 8080
+      $someAppRuleProtocolType1 = "http"
+  
+      # AzureFirewallApplicationRule 2
+      $someOtherAppRuleName = "someOtherAppRule"
+      $someOtherAppRuleFqdn1 = "sql1.database.windows.net"
+      $someOtherAppRuleProtocol1 = "mssql:1433"
+      $someOtherAppRulePort1 = 1433
+      $someOtherAppRuleProtocolType1 = "mssql"
+  
+      # AzureFirewallNetworkRuleCollection
+      $networkRcName = "networkRc"
+      $networkRcPriority = 200
+      $networkRcActionType = "Deny"
+  
+
+      # AzureFirewallNetworkRule 1
+      $someNetworkRuleName = "networkRule"
+      $someNetworkRuleDesc = "desc1"
+      $someNetworkRuleSourceAddress1 = "10.0.0.0"
+      $someNetworkRuleSourceAddress2 = "111.1.0.0/24"
+      $someNetworkRuleDestinationAddress1 = "*"
+      $someNetworkRuleProtocol1 = "UDP"
+      $someNetworkRuleProtocol2 = "TCP"
+      $someNetworkRuleProtocol3 = "ICMP"
+      $someNetworkRuleDestinationPort1 = "90"
+  
+      # AzureFirewallNatRuleCollection
+      $someNatRuleCollectionName = "natRc"
+      $someNatRuleCollectionPriority = 200
+  
+      # AzureFirewallNatRule 2
+      $someNatRuleName = "natRule2"
+      $someNatRuleDesc = "desc2"
+      $someNatRuleSourceAddress1 = "10.0.0.0"
+      $someNatRuleSourceAddress2 = "111.1.0.0/24"
+      $someNatRuleProtocol1 = "UDP"
+      $someNatRuleProtocol2 = "TCP"
+      $someNatRuleDestinationPort1 = "95"
+      $someNatRuleTranslatedFqdn = "server1.internal.com"
+      $someNatRuleTranslatedPort = "96"
+
+    try
+    {
+      # Create the resource group
+      New-AzResourceGroup -Name $rgname -Location $rglocation -Tags @{ testtag = "testval" } 
+
+      # Create IpGroup
+      $ipGroup1 = New-AzIpGroup -ResourceGroupName $rgname -location $ipgroupLocation -Name $ipGroupName1 -IpAddress 10.0.0.0/24,11.9.0.0/24
+      $returnedIpGroup1 = Get-AzIpGroup -ResourceGroupName $rgname -Name $ipGroupName1
+      Assert-AreEqual $returnedIpGroup1.ResourceGroupName $ipGroup1.ResourceGroupName	
+      Assert-AreEqual $returnedIpGroup1.Name $ipGroup1.Name
+
+      $ipGroup2 = New-AzIpGroup -ResourceGroupName $rgname -location $ipgroupLocation -Name $ipGroupName2 -IpAddress 12.0.0.0/24,13.9.0.0/24
+      $returnedIpGroup2 = Get-AzIpGroup -ResourceGroupName $rgname -Name $ipGroupName2
+      Assert-AreEqual $returnedIpGroup2.ResourceGroupName $ipGroup2.ResourceGroupName	
+      Assert-AreEqual $returnedIpGroup2.Name $ipGroup2.Name
+      
+      # Create the Virtual Network
+      $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+      $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $ipGroupLocation -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+      # Get full subnet details
+      $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
+
+      # Create public ip
+      $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard
+
+      # Create AzureFirewall (with no rules, ThreatIntel is in Alert mode by default)
+      $azureFirewall = New-AzFirewall –Name $azureFirewallName -ResourceGroupName $rgname -Location $location -VirtualNetworkName $vnetName -PublicIpName $publicIpName
+   
+      #
+      #  Application Rule Section
+      #
+      
+      # Create Application Rules
+      $someAppRule = New-AzFirewallApplicationRule -Name $someAppRuleName -SourceIpGroup $ipGroup1.Id -Protocol $someAppRuleProtocol1 -TargetFqdn $someAppRuleFqdn1
+
+      $someOtherAppRule = New-AzFirewallApplicationRule -Name $someOtherAppRuleName -SourceIpGroup $ipGroup1.Id,$ipGroup2.Id -Protocol $someOtherAppRuleProtocol1 -TargetFqdn $someOtherAppRuleFqdn1
+
+      # Create Application Rule Collection with 1 rule
+      $someAppRuleCollection = New-AzFirewallApplicationRuleCollection -Name $someAppRuleCollectionName -Priority $someAppRuleCollectionPriority -Rule $someAppRule -ActionType $someAppRuleCollectionActionType
+           
+      # Add a rule to the rule collection using AddRule method
+      $someAppRuleCollection.AddRule($someOtherAppRule)
+
+      # Add ApplicationRuleCollections to the Firewall using method AddApplicationRuleCollection
+      $azureFirewall.AddApplicationRuleCollection($someAppRuleCollection)
+
+         
+      #
+      #  Network Rule Section
+      #
+
+      # Create Network Rule
+      
+      $someNetworkRule = New-AzFirewallNetworkRule -Name $someNetworkRuleName -Description $someNetworkRuleDesc -Protocol $someNetworkRuleProtocol1, $someNetworkRuleProtocol2 -SourceAddress $someNetworkRuleSourceAddress1, $someNetworkRuleSourceAddress2 -SourceIpGroup $ipGroup1.Id -DestinationIpGroup $ipGroup2.Id -DestinationPort $someNetworkRuleDestinationPort1
+      $someNetworkRule.AddProtocol($someNetworkRuleProtocol3)
+
+      # Create Network Rule Collection
+      $someNetworkRuleCollection = New-AzFirewallNetworkRuleCollection -Name $networkRcName -Priority $networkRcPriority -Rule $someNetworkRule -ActionType $networkRcActionType
+
+      # Add this Network Rule to the rule collection
+      #$someNetworkRuleCollection.AddRule($someNetworkRule)
+
+      # Add NetworkRuleCollections to the Firewall using method AddNetworkRuleCollection
+      $azureFirewall.AddNetworkRuleCollection($someNetworkRuleCollection)
+
+      #
+      #  NAT Rule Section
+      #
+
+      # Create  NAT rule
+      $someNatRule = New-AzFirewallNatRule -Name $someNatRuleName -Description $someNatRuleDesc -Protocol $someNatRuleProtocol1 -SourceIpGroup $ipGroup1.Id, $ipGroup2.Id -DestinationAddress $publicip.IpAddress -DestinationPort $someNatRuleDestinationPort1 -TranslatedFqdn $someNatRuleTranslatedFqdn -TranslatedPort $someNatRuleTranslatedPort
+      $someNatRule.AddProtocol($someNatRuleProtocol2)
+      
+      # Create a NAT Rule Collection
+      $someNatRuleCollection = New-AzFirewallNatRuleCollection -Name $someNatRuleCollectionName -Priority $someNatRuleCollectionPriority -Rule $someNatRule
+      
+      # Add  NAT Rule to rule Collection
+      #$someNatRuleCollection.AddRule($someNatRule)
+
+      # Add NatRuleCollections to the Firewall using method AddNatRuleCollection
+      $azureFirewall.AddNatRuleCollection($someNatRuleCollection)
+ 
+      # Set AzureFirewall
+      #Set-AzFirewall -AzureFirewall $azureFirewall
+
+      # Get AzureFirewall
+      #$getAzureFirewall = Get-AzFirewall -name $azureFirewallName -ResourceGroupName $rgName
+
+      $getAzureFirewall = $azureFirewall
+
+      #
+      # Verification - Application Rule 
+      #
+
+      # Verify application rule collection 2
+      $someAppRuleCollection2 = $getAzureFirewall.GetApplicationRuleCollectionByName($someAppRuleCollectionName)
+
+      # Verify application rule
+      $getSomeAppRule = $someAppRuleCollection2.GetRuleByName($someAppRule.Name)
+      Assert-AreEqual 1 $getSomeAppRule.SourceIpGroups.Count
+
+      $getSomeOtherAppRule = $someAppRuleCollection2.GetRuleByName($someOtherAppRule.Name)
+      Assert-AreEqual 2 $getSomeOtherAppRule.SourceIpGroups.Count
+            
+      #
+      # Verification - Network Rule 
+      #
+
+       # Verify Network rule collection 2
+      $someNetworkRuleCollection2 = $getAzureFirewall.GetNetworkRuleCollectionByName($someNetworkRuleCollection.Name)
+
+      # Verify Network rule
+      $getSomeNetworkRule = $someNetworkRuleCollection2.GetRuleByName($someNetworkRule.Name)
+      Assert-AreEqual 1 $getSomeNetworkRule.SourceIpGroups.Count
+      Assert-AreEqual 1 $getSomeNetworkRule.DestinationIpGroups.Count
+
+      #
+      # Verification - NAT Rule 
+      #
+      $someNatRuleCollection2 = $getAzureFirewall.GetNatRuleCollectionByName($someNatRuleCollection.Name)
+      $getSomeNatRule = $someNatRuleCollection2.GetRuleByName($someNatRule.Name)
+      Assert-AreEqual 2 $getSomeNatRule.SourceIpGroups.Count  
+
+	  # Delete IpGroup
+	  $deleteIpGroup = Remove-AzIpGroup -ResourceGroupName $rgname -Name $ipGroupName1 -PassThru -Force
+      Assert-AreEqual true $deleteIpGroup
+
+      $deleteIpGroup = Remove-AzIpGroup -ResourceGroupName $rgname -Name $ipGroupName2 -PassThru -Force
+      Assert-AreEqual true $deleteIpGroup
+
+      # Delete AzureFirewall
+      $delete = Remove-AzFirewall -ResourceGroupName $rgname -name $azureFirewallName -PassThru -Force
+      Assert-AreEqual true $delete
+
+      # Delete VirtualNetwork 
+      $delete = Remove-AzVirtualNetwork -ResourceGroupName $rgname -name $vnetName -PassThru -Force
+      Assert-AreEqual true $delete
+
+    }
+    finally
+    {
+      # Cleanup
+      Clean-ResourceGroup $rgname
+    }
+
+
+}
--- a/src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallIpGroupTests/TestAzureFirewallIpGroup.json
+++ b/src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallIpGroupTests/TestAzureFirewallIpGroup.json
--- a/src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallIpGroupTests/TestListAzureFirewallIpGroup.json
+++ b/src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallIpGroupTests/TestListAzureFirewallIpGroup.json
--- a/src/Network/Network/AzureFirewall/ApplicationRule/NewAzureFirewallApplicationRuleCommand.cs
+++ b/src/Network/Network/AzureFirewall/ApplicationRule/NewAzureFirewallApplicationRuleCommand.cs
@ -41,11 +41,15 @@ namespace Microsoft.Azure.Commands.Network
        public string Description { get; set; }

        [Parameter(
-            Mandatory = false,
-            HelpMessage = "The source addresses of the rule")]
-        [ValidateNotNullOrEmpty]
+           Mandatory = false,
+           HelpMessage = "The source addresses of the rule")]
        public string[] SourceAddress { get; set; }

+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The source ipgroup of the rule")]
+        public string[] SourceIpGroup { get; set; }
+
        [Parameter(
            Mandatory = true,
            ParameterSetName = AzureFirewallApplicationRuleParameterSets.TargetFqdn,
@ -84,6 +88,7 @@ namespace Microsoft.Azure.Commands.Network
                Name = this.Name,
                Description = this.Description,
                SourceAddresses = this.SourceAddress?.ToList(),
+                SourceIpGroups = this.SourceIpGroup?.ToList(),
                Protocols = protocolsAsWeExpectThem,
                TargetFqdns = this.TargetFqdn?.ToList(),
                FqdnTags = this.FqdnTag?.ToList()
--- a/src/Network/Network/AzureFirewall/NatRule/NewAzureFirewallNatRuleCommand.cs
+++ b/src/Network/Network/AzureFirewall/NatRule/NewAzureFirewallNatRuleCommand.cs
@ -23,7 +23,7 @@ using MNM = Microsoft.Azure.Management.Network.Models;
 namespace Microsoft.Azure.Commands.Network
 {
    [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallNatRule", SupportsShouldProcess = true), OutputType(typeof(PSAzureFirewallNatRule))]
-    public class NewAzureFirewallNatRuleCommand : NetworkBaseCmdlet
+    public class NewAzureFirewallNatRuleCommand : AzureFirewallBaseCmdlet
    {
        [Parameter(
            Mandatory = true,
@ -38,11 +38,15 @@ namespace Microsoft.Azure.Commands.Network
        public string Description { get; set; }

        [Parameter(
-            Mandatory = true,
+            Mandatory = false,
            HelpMessage = "The source addresses of the rule")]
-        [ValidateNotNullOrEmpty]
        public string[] SourceAddress { get; set; }

+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The source ipgroup of the rule")]
+        public string[] SourceIpGroup { get; set; }
+
        [Parameter(
            Mandatory = true,
            HelpMessage = "The destination addresses of the rule")]
@ -90,6 +94,12 @@ namespace Microsoft.Azure.Commands.Network
            // Add some validation based on the type of RuleCollection (SNAT will be supported later)
            // if (MNM.AzureFirewallNatRCActionType.Dnat.Equals(ActionType))
            {
+               // One of SourceAddress or SourceIpGroup must be present
+               if ((SourceAddress == null) && (SourceIpGroup == null))
+               {
+                  throw new ArgumentException("Either SourceAddress or SourceIpGroup is required.");
+               }
+
                if (DestinationAddress.Length != 1)
                {
                    throw new ArgumentException("Only one destination address is accepted.", nameof(DestinationAddress));
@ -126,19 +136,20 @@ namespace Microsoft.Azure.Commands.Network
                ValidateIsSinglePortNotRange(TranslatedPort);
            }

-            var networkRule = new PSAzureFirewallNatRule
+            var natRule = new PSAzureFirewallNatRule
            {
                Name = this.Name,
                Description = this.Description,
                Protocols = this.Protocol?.ToList(),
                SourceAddresses = this.SourceAddress?.ToList(),
+                SourceIpGroups = this.SourceIpGroup?.ToList(),
                DestinationAddresses = this.DestinationAddress?.ToList(),
                DestinationPorts = this.DestinationPort?.ToList(),
                TranslatedAddress = this.TranslatedAddress,
                TranslatedFqdn = this.TranslatedFqdn,
                TranslatedPort = this.TranslatedPort
            };
-            WriteObject(networkRule);
+            WriteObject(natRule);
        }

        private void ValidateIsSingleIpNotRange(string ipStr)
--- a/src/Network/Network/AzureFirewall/NetworkRule/NewAzureFirewallNetworkRuleCommand.cs
+++ b/src/Network/Network/AzureFirewall/NetworkRule/NewAzureFirewallNetworkRuleCommand.cs
@ -23,7 +23,7 @@ using MNM = Microsoft.Azure.Management.Network.Models;
 namespace Microsoft.Azure.Commands.Network
 {
    [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallNetworkRule", SupportsShouldProcess = true), OutputType(typeof(PSAzureFirewallNetworkRule))]
-    public class NewAzureFirewallNetworkRuleCommand : NetworkBaseCmdlet
+    public class NewAzureFirewallNetworkRuleCommand : AzureFirewallBaseCmdlet
    {
        [Parameter(
            Mandatory = true,
@ -38,17 +38,26 @@ namespace Microsoft.Azure.Commands.Network
        public string Description { get; set; }

        [Parameter(
-            Mandatory = true,
+            Mandatory = false,
            HelpMessage = "The source addresses of the rule")]
-        [ValidateNotNullOrEmpty]
        public string[] SourceAddress { get; set; }

+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The source ipgroup of the rule")]
+        public string[] SourceIpGroup { get; set; }
+
        [Parameter(
            Mandatory = false,
            HelpMessage = "The destination addresses of the rule")]
-        [ValidateNotNullOrEmpty]
        public string[] DestinationAddress { get; set; }

+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The destination ipgroup of the rule")]
+        public string[] DestinationIpGroup { get; set; }
+
        [Parameter(
            Mandatory = false,
            HelpMessage = "The destination FQDN of the rule")]
@ -76,6 +85,12 @@ namespace Microsoft.Azure.Commands.Network
        {
            base.Execute();

+            // One of SourceAddress or SourceIpGroup must be present
+            if ((SourceAddress == null) && (SourceIpGroup == null))
+            {
+                throw new ArgumentException("Either SourceAddress or SourceIpGroup is required.");
+            }
+
            if (DestinationFqdn != null)
            {
                foreach (string fqdn in DestinationFqdn)
@ -87,13 +102,13 @@ namespace Microsoft.Azure.Commands.Network
            // Only one of DestinationAddress or DestinationFqdns is allowed
            if ((DestinationAddress != null) && (DestinationFqdn != null))
            {
-                throw new ArgumentException("Both DestinationAddress and DestinationFqdns not allowed");
+                throw new ArgumentException("Both DestinationAddress and DestinationFqdns not allowed.");
            }

            // One of DestinationAddress or DestinationFqdns must be present
-            if ((DestinationAddress == null) && (DestinationFqdn == null))
+            if ((DestinationAddress == null) && (DestinationFqdn == null) && (DestinationIpGroup == null))
            {
-                throw new ArgumentException("Either DestinationAddress or DestinationFqdns is required");
+                throw new ArgumentException("DestinationAddress,DestinationIpGroup or DestinationFqdns is required.");
            }

            var networkRule = new PSAzureFirewallNetworkRule
@ -102,7 +117,9 @@ namespace Microsoft.Azure.Commands.Network
                Description = this.Description,
                Protocols = this.Protocol?.ToList(),
                SourceAddresses = this.SourceAddress?.ToList(),
+                SourceIpGroups = this.SourceIpGroup?.ToList(),
                DestinationAddresses = this.DestinationAddress?.ToList(),
+                DestinationIpGroups = this.DestinationIpGroup?.ToList(),
                DestinationFqdns = this.DestinationFqdn?.ToList(),
                DestinationPorts = this.DestinationPort?.ToList()
            };
--- a/src/Network/Network/ChangeLog.md
+++ b/src/Network/Network/ChangeLog.md
@ -20,6 +20,7 @@

 ## Upcoming Release
 * Update references in .psd1 to use relative path
+* Support for IpGroups in AzureFirewall Application,Nat & Network Rules.

 ## Version 2.1.0
 * Change `Start-AzVirtualNetworkGatewayConnectionPacketCapture.md` and `Start-AzVirtualnetworkGatewayPacketCapture.md` FilterData option examples.
--- a/src/Network/Network/IpGroup/GetIpGroupCommand.cs
+++ b/src/Network/Network/IpGroup/GetIpGroupCommand.cs
@ -29,7 +29,7 @@ namespace Microsoft.Azure.Commands.Network
    {
        [Parameter(
            ParameterSetName = IpGroupParameterSetNames.ByName,
-            Mandatory = true,
+            Mandatory = false,
            ValueFromPipelineByPropertyName = true,
            HelpMessage = "The resource group name.")]
        [ValidateNotNullOrEmpty]
@ -59,10 +59,6 @@ namespace Microsoft.Azure.Commands.Network

        public override void ExecuteCmdlet()
        {
-            if (!this.IsIpGroupsPresent(this.ResourceGroupName, this.Name))
-            {
-                throw new System.ArgumentException(string.Format(Microsoft.Azure.Commands.Network.Properties.Resources.ResourceNotFound, this.Name));
-            }

            base.ExecuteCmdlet();

@ -70,7 +66,7 @@ namespace Microsoft.Azure.Commands.Network
            {
                var resourceInfo = new ResourceIdentifier(ResourceId);
                ResourceGroupName = resourceInfo.ResourceGroupName;
-                Name = resourceInfo.ResourceName;
+                Name = resourceInfo.ResourceName; 
            }

            if (ShouldGetByName(ResourceGroupName, Name))
--- a/src/Network/Network/Models/AzureFirewall/PSAzureFirewallApplicationRule.cs
+++ b/src/Network/Network/Models/AzureFirewall/PSAzureFirewallApplicationRule.cs
@ -38,6 +38,9 @@ namespace Microsoft.Azure.Commands.Network.Models
        [JsonProperty(Order = 6)]
        public List<PSAzureFirewallApplicationRuleProtocol> Protocols { get; set; }

+        [JsonProperty(Order = 7)]
+        public List<string> SourceIpGroups { get; set; }
+
        [JsonIgnore]
        public string ProtocolsText
        {
@ -50,6 +53,12 @@ namespace Microsoft.Azure.Commands.Network.Models
            get { return JsonConvert.SerializeObject(SourceAddresses, Formatting.Indented); }
        }

+        [JsonIgnore]
+        public string SourceIpGroupsText
+        {
+            get { return JsonConvert.SerializeObject(SourceIpGroups, Formatting.Indented); }
+        }
+
        [JsonIgnore]
        public string TargetFqdnsText
        {
--- a/src/Network/Network/Models/AzureFirewall/PSAzureFirewallNatRule.cs
+++ b/src/Network/Network/Models/AzureFirewall/PSAzureFirewallNatRule.cs
@ -28,6 +28,8 @@ namespace Microsoft.Azure.Commands.Network.Models

        public List<string> SourceAddresses { get; set; }

+        public List<string> SourceIpGroups { get; set; }
+
        public List<string> DestinationAddresses { get; set; }

        public List<string> DestinationPorts { get; set; }
@ -50,6 +52,12 @@ namespace Microsoft.Azure.Commands.Network.Models
            get { return JsonConvert.SerializeObject(SourceAddresses, Formatting.Indented); }
        }

+        [JsonIgnore]
+        public string SourceIpGroupsText
+        {
+            get { return JsonConvert.SerializeObject(SourceIpGroups, Formatting.Indented); }
+        }
+
        [JsonIgnore]
        public string DestinationAddressesText
        {
--- a/src/Network/Network/Models/AzureFirewall/PSAzureFirewallNetworkRule.cs
+++ b/src/Network/Network/Models/AzureFirewall/PSAzureFirewallNetworkRule.cs
@ -30,6 +30,10 @@ namespace Microsoft.Azure.Commands.Network.Models

        public List<string> DestinationAddresses { get; set; }

+        public List<string> SourceIpGroups { get; set; }
+
+        public List<string> DestinationIpGroups { get; set; }
+
        public List<string> DestinationFqdns { get; set; }

        public List<string> DestinationPorts { get; set; }
@ -46,12 +50,24 @@ namespace Microsoft.Azure.Commands.Network.Models
            get { return JsonConvert.SerializeObject(SourceAddresses, Formatting.Indented); }
        }

+        [JsonIgnore]
+        public string SourceIpGroupsText
+        {
+            get { return JsonConvert.SerializeObject(SourceIpGroups, Formatting.Indented); }
+        }
+
        [JsonIgnore]
        public string DestinationAddressesText
        {
            get { return JsonConvert.SerializeObject(DestinationAddresses, Formatting.Indented); }
        }

+        [JsonIgnore]
+        public string DestinationIpGroupsText
+        {
+            get { return JsonConvert.SerializeObject(DestinationIpGroups, Formatting.Indented); }
+        }
+
        [JsonIgnore]
        public string DestinationFqdnsText
        {
--- a/src/Network/Network/Network.format.ps1xml
+++ b/src/Network/Network/Network.format.ps1xml
@ -3408,6 +3408,10 @@
                <Label>SourceAddresses</Label>
                <PropertyName>SourceAddressesText</PropertyName>
              </ListItem>
+              <ListItem>
+                <Label>SourceIpGroups</Label>
+                <PropertyName>SourceIpGroupsText</PropertyName>
+              </ListItem>
              <ListItem>
                <Label>TargetFqdns</Label>
                <PropertyName>TargetFqdnsText</PropertyName>
@ -3480,6 +3484,10 @@
                <Label>SourceAddresses</Label>
                <PropertyName>SourceAddressesText</PropertyName>
              </ListItem>
+              <ListItem>
+                <Label>SourceIpGroups</Label>
+                <PropertyName>SourceIpGroupsText</PropertyName>
+              </ListItem>
              <ListItem>
                <Label>DestinationAddresses</Label>
                <PropertyName>DestinationAddressesText</PropertyName>
@ -3552,10 +3560,18 @@
                <Label>SourceAddresses</Label>
                <PropertyName>SourceAddressesText</PropertyName>
              </ListItem>
+              <ListItem>
+                <Label>SourceIpGroups</Label>
+                <PropertyName>SourceIpGroupsText</PropertyName>
+              </ListItem>
              <ListItem>
                <Label>DestinationAddresses</Label>
                <PropertyName>DestinationAddressesText</PropertyName>
              </ListItem>
+              <ListItem>
+                <Label>DestinationIpGroups</Label>
+                <PropertyName>DestinationIpGroupsText</PropertyName>
+              </ListItem>
              <ListItem>
                <Label>DestinationPorts</Label>
                <PropertyName>DestinationPortsText</PropertyName>
--- a/src/Network/Network/help/New-AzFirewallApplicationRule.md
+++ b/src/Network/Network/help/New-AzFirewallApplicationRule.md
@ -16,14 +16,15 @@ Creates a Firewall Application Rule.
 ### TargetFqdn (Default)
 ```
 New-AzFirewallApplicationRule -Name <String> [-Description <String>] [-SourceAddress <String[]>]
- -TargetFqdn <String[]> -Protocol <String[]> [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-SourceIpGroup <String[]>] -TargetFqdn <String[]> -Protocol <String[]>
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```

 ### FqdnTag
 ```
 New-AzFirewallApplicationRule -Name <String> [-Description <String>] [-SourceAddress <String[]>]
- -FqdnTag <String[]> [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-SourceIpGroup <String[]>] -FqdnTag <String[]> [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
 ```

 ## DESCRIPTION
@ -139,6 +140,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```

+### -SourceIpGroup
+The source ipgroup of the rule
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -TargetFqdn
 Specifies a list of domain names filtered by this rule.
 The asterisk character, '*', is accepted only as the first character of an FQDN in the list. When used, the asterisk matches any number of characters. (e.g. '*msn.com' will match msn.com and all its subdomains)
--- a/src/Network/Network/help/New-AzFirewallNatRule.md
+++ b/src/Network/Network/help/New-AzFirewallNatRule.md
@ -14,9 +14,10 @@ Creates a Firewall NAT Rule.
 ## SYNTAX

 ```
-New-AzFirewallNatRule -Name <String> [-Description <String>] -SourceAddress <String[]>
- -DestinationAddress <String[]> -DestinationPort <String[]> -Protocol <String[]> -TranslatedAddress <String>
- -TranslatedPort <String> [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+New-AzFirewallNatRule -Name <String> [-Description <String>] [-SourceAddress <String[]>]
+ [-SourceIpGroup <String[]>] -DestinationAddress <String[]> -DestinationPort <String[]> -Protocol <String[]>
+ [-TranslatedAddress <String>] [-TranslatedFqdn <String>] -TranslatedPort <String>
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```

 ## DESCRIPTION
@ -64,7 +65,7 @@ Accept wildcard characters: False
 ```

 ### -DestinationAddress
-The destination addresses of the rule.
+The destination addresses of the rule

 ```yaml
 Type: System.String[]
@ -134,7 +135,22 @@ Type: System.String[]
 Parameter Sets: (All)
 Aliases:

-Required: True
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SourceIpGroup
+The source ipgroup of the rule
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
 Position: Named
 Default value: None
 Accept pipeline input: False
@ -149,7 +165,22 @@ Type: System.String
 Parameter Sets: (All)
 Aliases:

-Required: True
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TranslatedFqdn
+The translated FQDN for this NAT rule
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
 Position: Named
 Default value: None
 Accept pipeline input: False
--- a/src/Network/Network/help/New-AzFirewallNetworkRule.md
+++ b/src/Network/Network/help/New-AzFirewallNetworkRule.md
@ -15,7 +15,8 @@ Creates a Firewall Network Rule.

 ```
 New-AzFirewallNetworkRule -Name <String> [-Description <String>] -SourceAddress <String[]>
- -DestinationAddress <String[]> -DestinationPort <String[]> -Protocol <String[]>
+ [-SourceIpGroup <String[]>] [-DestinationAddress <String[]>] [-DestinationIpGroup <String[]>]
+ [-DestinationFqdn <String[]>] -DestinationPort <String[]> -Protocol <String[]>
 [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```

@ -85,7 +86,37 @@ Type: System.String[]
 Parameter Sets: (All)
 Aliases:

-Required: True
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DestinationFqdn
+The destination FQDN of the rule
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DestinationIpGroup
+The destination ipgroup of the rule
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
 Position: Named
 Default value: None
 Accept pipeline input: False
@ -153,6 +184,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```

+### -SourceIpGroup
+The source ipgroup of the rule
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Confirm
 Prompts you for confirmation before running the cmdlet.