Commit cf10a94

committed Aug 25, 2020
more updates from Gopi
1 parent 0475d89 commit cf10a94

3 files changed: +28 −35 lines changed

‎articles/firewall-manager/rule-hierarchy.md

Lines changed: 28 additions & 35 deletions
@@ -5,7 +5,7 @@ services: firewall-manager
55
author: vhorne
66
ms.service: firewall-manager
77
ms.topic: how-to
8-
ms.date: 08/24/2020
8+
ms.date: 08/25/2020
99
ms.author: victorh
1010
---
1111

@@ -20,46 +20,34 @@ Azure Firewall policy allows you to define a rule hierarchy and enforce complian
2020

2121
## Solution overview
2222

23-
For this example, resource groups are used to enforce access scope. Subscriptions are another way to scope access. Each application team has their own independent set of resources, including firewalls.
24-
2523
The high-level steps for this example are:
2624

27-
1. Create separate resource groups for each application team.
28-
2. Create a base firewall policy in the security team resource group.
25+
1. Create a base firewall policy in the security team resource group.
2926
3. Define IT security-specific rules in the base policy. This adds a common set of rules to allow/deny traffic.
3027
4. Create application team policies that inherit the base policy.
3128
5. Define application team-specific rules in the policy. You can also migrate rules from pre-existing firewalls.
32-
6. Create Azure Active Directory custom roles to provide fine grained access to rule collection group within a resource group.
33-
7. Associate the policy to the firewall. An Azure firewall can have only one assigned policy. This requires each application team to have their own firewall.
34-
35-
## Contoso example
36-
37-
Contoso is a fictional company that wants to create a rule hierarchy for their application teams and control who can manage the firewall rules for each team.
29+
6. Create Azure Active Directory custom roles to provide fine grained access to rule collection group and add roles at a Firewall Policy scope.In the following example, Sales team members will be able to edit rule collection group for Sales teams Firewall Policy. The same applies to the Database and Engineering teams.
30+
7. Associate the policy to the corresponding firewall. An Azure firewall can have only one assigned policy. This requires each application team to have their own firewall.
3831

39-
Contoso has the following teams and requirements:
4032

41-
:::image type="content" source="media/rule-hierarchy/contoso-teams.png" alt-text="Contoso teams and requirements" border="false":::
4233

43-
Contoso will use the following steps to achieve this.
44-
45-
### Create the resource groups
46-
47-
A resource group for each team is created: SecurityResourceGroup, SalesResourceGroup, DatabaseResourceGroup, and EngineeringResourceGroup.
34+
:::image type="content" source="media/rule-hierarchy/contoso-teams.png" alt-text="Teams and requirements" border="false":::
4835

4936
### Create the firewall policies
5037

51-
The applications teams are separated using resource groups, so firewall policies are created in each resource group:
52-
5338
- A base firewall policy in the SecurityResourceGroup.
39+
40+
Create policies for each of the application teams:
41+
5442
- A Sales firewall policy in the SalesResourceGroup. The Sales firewall policy inherits the base firewall policy.
5543
- A Database firewall policy in the DatabaseResourceGroup. The Database firewall policy inherits base firewall policy.
5644
- An Engineering firewall policy in the EngineeringResourceGroup. The Engineering firewall policy also inherits the base firewall policy.
5745

58-
:::image type="content" source="media/rule-hierarchy/policy-hierarchy.png" alt-text="Contoso policy hierarchy" border="false":::
46+
:::image type="content" source="media/rule-hierarchy/policy-hierarchy.png" alt-text="Policy hierarchy" border="false":::
5947

60-
### Define custom roles
48+
### Create custom roles to access the rulecollectiongroups
6149

62-
Custom roles are defined for each application team. The role defines operations and scope. At Contoso, the application teams are allowed to edit rule collection groups for their respective applications.
50+
Custom roles are defined for each application team. The role defines operations and scope. The application teams are allowed to edit rule collection groups for their respective applications.
6351

6452
Use the following high-level procedure to define custom roles:
6553

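Review bot: Removing step 1 ("Create separate resource groups") and turning step 2 into step 1 leaves the list numbered 1, 3, 4, 5, 6, 7; renumber the remaining steps 2 through 6 so the source matches what renders. In the same hunk, step 6 needs a space after "Firewall Policy scope." and "Sales teams Firewall Policy" should read "Sales team's firewall policy". With the sentence "For this example, resource groups are used to enforce access scope" and the "Create the resource groups" section deleted, SecurityResourceGroup, SalesResourceGroup, DatabaseResourceGroup and EngineeringResourceGroup now first appear under "Create the firewall policies" without being introduced; keep one sentence stating that each team owns a resource group and its own firewall, since step 7 still depends on that. The new heading "Create custom roles to access the rulecollectiongroups" should say "rule collection groups" as the rest of the article does.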
@@ -98,22 +86,22 @@ Use the following high-level procedure to define custom roles:
9886
`*/read", "Microsoft.Network/*/read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write`
9987

10088
operation to the **Actions** property. Be sure to include a comma after the read operation. This action allows the user to create and update rule collection groups.
101-
6. In **AssignableScopes**, add your subscription ID and resource groups with the following format: 
89+
6. In **AssignableScopes**, add your subscription ID with the following format: 
10290

103-
`/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx/resourceGroups/SalesResourceGroup`
91+
`/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx`
10492

10593
You must add explicit subscription IDs, otherwise you won't be allowed to import the role into your subscription.
10694
7. Delete the **Id** property line and change the **IsCustom** property to true.
107-
8. Change the **Name** and **Description** properties to *<Application team name> Rule Collection Group contributor* and *Lets you edit rule groups*
95+
8. Change the **Name** and **Description** properties to *AZFM Rule Collection Group Author* and *Users in this role can edit Firewall Policy rule collection groups*
10896

10997
Your JSON file should look similar to the following example:
11098

11199
```
112100
{
113101
114-
    "Name":  "<Application team name> Rule Collection Group contributor",
102+
    "Name":  "AZFM Rule Collection Group Author",
115103
    "IsCustom":  true,
116-
    "Description":  "Lets you edit rule groups",
104+
    "Description":  "Users in this role can edit Firewall Policy rule collection groups",
117105
    "Actions":  [
118106
                    "*/read",
119107
                    "Microsoft.Network/*/read",
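Review bot: Changing AssignableScopes from `/subscriptions/.../resourceGroups/SalesResourceGroup` to the bare subscription ID means this single role definition can be assigned at any scope in the subscription, including the subscription itself, where `Microsoft.Network/firewallPolicies/ruleCollectionGroups/write` would cover every team's firewall policy. The per-team isolation the article is about now rests entirely on the assignment being made at each Firewall Policy (step 6 of the overview), but step 6 here says nothing about that. Add a sentence after the scope format, for example: "AssignableScopes only limits where the role may be assigned; to keep teams isolated, assign the role on each team's firewall policy, not on the subscription or a resource group." The renamed role ("AZFM Rule Collection Group Author") and its description read fine.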
@@ -126,15 +114,13 @@ Your JSON file should look similar to the following example:
126114
    "NotDataActions":  [
127115
                       ],
128116
    "AssignableScopes":  [
129-
                             "/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx/resourceGroups/SalesResourceGroup"]
117+
                             "/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx"]
130118
}
131119
```
132120
9. To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.
133121

134122
`New-AzRoleDefinition -InputFile "C:\CustomRoles\RuleCollectionGroupRole.json`
135123

136-
Repeat the steps to create custom roles for all three application teams. Make sure to scope the resource group properly.
137-
138124
### List custom roles
139125

140126
To list all the custom roles, you can use the Get-AzRoleDefinition command:
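Review bot: The unchanged command in this hunk, `New-AzRoleDefinition -InputFile "C:\CustomRoles\RuleCollectionGroupRole.json`, is missing its closing quote and will not parse in PowerShell; since the JSON above it is being edited anyway, fix it to `New-AzRoleDefinition -InputFile "C:\CustomRoles\RuleCollectionGroupRole.json"`. Dropping "Repeat the steps to create custom roles for all three application teams" is right now that one subscription-scoped definition serves every team, but the caution it carried ("Make sure to scope ... properly") should not disappear: scoping now happens at role assignment, so state that here or in the "Add users to the custom role" section.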
@@ -143,15 +129,22 @@ To list all the custom roles, you can use the Get-AzRoleDefinition command:
143129

144130
You can also see the custom roles in the Azure portal. Go to your subscription, select **Access control (IAM)**, **Roles**.
145131

132+
:::image type="content" source="media/rule-hierarchy/sales-app-policy.png" alt-text="SalesAppPolicy":::
133+
134+
:::image type="content" source="media/rule-hierarchy/sales-app-policy-read.png" alt-text="SalesAppPolicy read permission":::
135+
146136
For more information, see [Tutorial: Create an Azure custom role using Azure PowerShell](../role-based-access-control/tutorial-custom-role-powershell.md).
147137

148138
### Add users to the custom role
149139

150-
On the portal in your subscription **Access control (IAM)**, **Roles**, you can add role assignments.
140+
On the portal you can add users to the AZFM Rule Collection Group Authors role.
141+
142+
1. From the portal, select the Application team firewall policy (for example, SalesAppPolicy).
143+
2. Select **Access Control**.
144+
3. Select **Add role assignment**.
145+
4. Add users/user groups (for example, the Sales team) to the role.
151146

152-
1. Add Sales Team members to the Sales Rule Collection Group contributor role.
153-
2. Add Database team members to the Database Rule Collection Group contributor role.
154-
3. Add Engineering team members to the Engineering Rule Collection Group contributor role.
147+
Repeat this procedure for the other firewall policies.
155148

156149
### Associate new policies with the firewall
157150

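Review bot: The role is named "AZFM Rule Collection Group Author" in the JSON, but the new lead sentence says "AZFM Rule Collection Group Authors role" and step 4 never names the role at all; use the exact name in both places, for example "4. Select the AZFM Rule Collection Group Author role and add the users or groups (for example, the Sales team)." Step 2 "Select **Access Control**" should match the blade name used two paragraphs up, **Access control (IAM)**. The two new screenshots need descriptive alt text ("SalesAppPolicy" and "SalesAppPolicy read permission" do not say what the images show), and "Repeat this procedure for the other firewall policies" should spell out that each team is assigned only on its own policy, which is what keeps the Sales team from editing the Database or Engineering rule collection groups.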