objectclass
Copper Contributor
Aug 16, 2024

Azure Firewall Application Rules - "MSSQL" not available in Rule Collection Groups

Hi,

Working on an IaC project for Azure Firewall.

Have created Azure Firewall, Azure Firewall Policy and working on implementing rules using Rule Collection Groups.

In the Portal, Application Groups support protocol type "http", "https" and "mssql".

However, when provisioning this using the Rule Collection Group module, that is just not an option at all, only HTTP and HTTPS are available:

However, in the Azure Firewall module, you have all three:

I am more of a fan of doing this modularly, so would like to avoid having to do the rules directly in the Azure Firewall module.

Is there any particular reason why Mssql is not available directly from the "Rule Collection Group" module?

Is there any GitHub issue page for Azure networking where I could report this?

Thanks!

  • kyazaferr
    Steel Contributor

    Reason for the Limitation:

    • The MSSQL protocol is indeed available in the Azure Portal when configuring Application Rules in Azure Firewall, but as you've noticed, it's not directly available when using the Rule Collection Group module in IaC.
    • The Rule Collection Group module is part of the Azure Firewall Policy and seems to only expose HTTP and HTTPS as available protocol options in the current version of the Azure Firewall Policy module. The MSSQL protocol may be intentionally excluded or not yet fully integrated into the Rule Collection Group module's schema for IaC deployments.

    Possible Solutions & Workarounds:

    1. Use Azure Firewall Module Directly:
      • As you mentioned, the Azure Firewall module itself supports MSSQL in application rules. This may be the simplest workaround if you're not strictly against using it. You can create your rules directly within the Azure Firewall resource while maintaining your preference for modular code in other areas.
    2. Feature Request or Issue Reporting:
      • If you'd like to continue using the Rule Collection Group module and see MSSQL support added, you can report the issue to Microsoft.
      • Azure Firewall GitHub Issues: You can submit an issue or feature request via the Azure Networking GitHub repository (though it's not specifically dedicated to Firewall itself, this is often where issues related to ARM templates and resource configurations are discussed).
      • Alternatively, you can use Azure Feedback to request additional support for the MSSQL protocol in the Rule Collection Group module via the official feedback channels in the Azure portal.
    3. Terraform Module:
      • If you're using Terraform, it's worth checking if there is an updated module or an open pull request that might have added MSSQL support in the Rule Collection Group resource.
      • You can also submit a feature request on the Terraform Azure Provider GitHub if it's not already available.
    4. Hybrid Approach:
      • You could keep using the Rule Collection Group module for HTTP and HTTPS, and when you need to define MSSQL application rules, you can create a separate rule directly within the Azure Firewall module, as you've mentioned. This might be a balanced approach until full support is available in the Rule Collection Group module.
