articles/firewall-manager/rule-hierarchy.md
Lines changed: 28 additions & 35 deletions
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ services: firewall-manager
5
5
author: vhorne
6
6
ms.service: firewall-manager
7
7
ms.topic: how-to
8
-
ms.date: 08/24/2020
8
+
ms.date: 08/25/2020
9
9
ms.author: victorh
10
10
---
11
11
@@ -20,46 +20,34 @@ Azure Firewall policy allows you to define a rule hierarchy and enforce complian
20
20
21
21
## Solution overview
22
22
23
-
For this example, resource groups are used to enforce access scope. Subscriptions are another way to scope access. Each application team has their own independent set of resources, including firewalls.
24
-
25
23
The high-level steps for this example are:
26
24
27
-
1. Create separate resource groups for each application team.
28
-
2. Create a base firewall policy in the security team resource group.
25
+
1. Create a base firewall policy in the security team resource group.
29
26
3. Define IT security-specific rules in the base policy. This adds a common set of rules to allow/deny traffic.
30
27
4. Create application team policies that inherit the base policy.
31
28
5. Define application team-specific rules in the policy. You can also migrate rules from pre-existing firewalls.
32
-
6. Create Azure Active Directory custom roles to provide fine grained access to rule collection group within a resource group.
33
-
7. Associate the policy to the firewall. An Azure firewall can have only one assigned policy. This requires each application team to have their own firewall.
34
-
35
-
## Contoso example
36
-
37
-
Contoso is a fictional company that wants to create a rule hierarchy for their application teams and control who can manage the firewall rules for each team.
29
+
6. Create Azure Active Directory custom roles to provide fine grained access to rule collection group and add roles at a Firewall Policy scope.In the following example, Sales team members will be able to edit rule collection group for Sales teams Firewall Policy. The same applies to the Database and Engineering teams.
30
+
7. Associate the policy to the corresponding firewall. An Azure firewall can have only one assigned policy. This requires each application team to have their own firewall.
38
31
39
-
Contoso has the following teams and requirements:
40
32
41
-
:::image type="content" source="media/rule-hierarchy/contoso-teams.png" alt-text="Contoso teams and requirements" border="false":::
42
33
43
-
Contoso will use the following steps to achieve this.
44
-
45
-
### Create the resource groups
46
-
47
-
A resource group for each team is created: SecurityResourceGroup, SalesResourceGroup, DatabaseResourceGroup, and EngineeringResourceGroup.
34
+
:::image type="content" source="media/rule-hierarchy/contoso-teams.png" alt-text="Teams and requirements" border="false":::
48
35
49
36
### Create the firewall policies
50
37
51
-
The applications teams are separated using resource groups, so firewall policies are created in each resource group:
52
-
53
38
- A base firewall policy in the SecurityResourceGroup.
39
+
40
+
Create policies for each of the application teams:
41
+
54
42
- A Sales firewall policy in the SalesResourceGroup. The Sales firewall policy inherits the base firewall policy.
55
43
- A Database firewall policy in the DatabaseResourceGroup. The Database firewall policy inherits base firewall policy.
56
44
- An Engineering firewall policy in the EngineeringResourceGroup. The Engineering firewall policy also inherits the base firewall policy.
### Create custom roles to access the rulecollectiongroups
61
49
62
-
Custom roles are defined for each application team. The role defines operations and scope. At Contoso, the application teams are allowed to edit rule collection groups for their respective applications.
50
+
Custom roles are defined for each application team. The role defines operations and scope. The application teams are allowed to edit rule collection groups for their respective applications.
63
51
64
52
Use the following high-level procedure to define custom roles:
65
53
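Review bot: The numbered list in the Solution overview now runs 1, 3, 4, 5, 6, 7, because step 1 (create resource groups) was dropped and the old step 2 was renumbered to 1 while steps 3 to 7 were left untouched; renumber them 2 to 6 so the source matches what renders. In the new step 6, add a space after the period in `scope.In the following example`, and write `Sales team's Firewall Policy` and `rule collection groups`. Also, with the resource-group step and the `### Create the resource groups` section removed, the retained bullets under `### Create the firewall policies` still place policies in SecurityResourceGroup, SalesResourceGroup, DatabaseResourceGroup and EngineeringResourceGroup without ever telling the reader to create those groups; either restore a sentence that creates them or drop the group names from the bullets.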
@@ -98,22 +86,22 @@ Use the following high-level procedure to define custom roles:
operation to the **Actions** property. Be sure to include a comma after the read operation. This action allows the user to create and update rule collection groups.
101
-
6. In **AssignableScopes**, add your subscription ID and resource groups with the following format:
89
+
6. In **AssignableScopes**, add your subscription ID with the following format:
You must add explicit subscription IDs, otherwise you won't be allowed to import the role into your subscription.
106
94
7. Delete the **Id** property line and change the **IsCustom** property to true.
107
-
8. Change the **Name** and **Description** properties to *<Applicationteamname> Rule Collection Group contributor* and *Lets you edit rule groups*
95
+
8. Change the **Name** and **Description** properties to *AZFM Rule Collection Group Author* and *Users in this role can edit Firewall Policy rule collection groups*
108
96
109
97
Your JSON file should look similar to the following example:
110
98
111
99
```
112
100
{
113
101
114
-
"Name": "<Application team name> Rule Collection Group contributor",
102
+
"Name": "AZFM Rule Collection Group Author",
115
103
"IsCustom": true,
116
-
"Description": "Lets you edit rule groups",
104
+
"Description": "Users in this role can edit Firewall Policy rule collection groups",
117
105
"Actions": [
118
106
"*/read",
119
107
"Microsoft.Network/*/read",
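Review bot: Step 8 now fixes a single role name, `AZFM Rule Collection Group Author`, in place of the per-team `<Applicationteamname> Rule Collection Group contributor` template, which is consistent with setting scope at assignment time per Firewall Policy; the retained sentence in the previous hunk, `Custom roles are defined for each application team.`, contradicts this and should say that one custom role is defined and then assigned on each team's policy. The edited step 6 keeps the wording "with the following format" while removing resource groups from `AssignableScopes`; make sure the example that follows shows only a subscription scope, since a role whose assignable scope is the subscription is what allows the assignment at the policy scope that the next section's step 1 relies on.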
@@ -126,15 +114,13 @@ Your JSON file should look similar to the following example:
For more information, see [Tutorial: Create an Azure custom role using Azure PowerShell](../role-based-access-control/tutorial-custom-role-powershell.md).
147
137
148
138
### Add users to the custom role
149
139
150
-
On the portal in your subscription **Access control (IAM)**, **Roles**, you can add role assignments.
140
+
On the portal you can add users to the AZFM Rule Collection Group Authors role.
141
+
142
+
1. From the portal, select the Application team firewall policy (for example, SalesAppPolicy).
143
+
2. Select **Access Control**.
144
+
3. Select **Add role assignment**.
145
+
4. Add users/user groups (for example, the Sales team) to the role.
151
146
152
-
1. Add Sales Team members to the Sales Rule Collection Group contributor role.
153
-
2. Add Database team members to the Database Rule Collection Group contributor role.
154
-
3. Add Engineering team members to the Engineering Rule Collection Group contributor role.
147
+
Repeat this procedure for the other firewall policies.
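Review bot: The role is named `AZFM Rule Collection Group Author` in the JSON above but is called the `AZFM Rule Collection Group Authors role` here; make the two match. Step 1 uses the example policy name `SalesAppPolicy`, which the `### Create the firewall policies` section never introduces (it only says "A Sales firewall policy"); name the policies there or use the same wording here. Step 2's `**Access Control**` should use the portal's exact label, `**Access control (IAM)**`, as the removed line did. Finally, because the role's Actions include `*/read` and `Microsoft.Network/*/read`, assigning it on the Firewall Policy resource (step 1) is what keeps that read access limited to the policy; it is worth stating explicitly that the assignment should not be made at subscription scope, where the same role would grant read across the whole subscription.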