@drunk-pulumi/azure 0.0.19

package/VNet/FirewallPolicies/CloudPCFirewallPolicy.js

@@ -0,0 +1,303 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const Location_1 = require("../../Common/Location");
+exports.default = ({ name, location, vnetAddressSpace, enableCloudPcRules = true, enableDeveloperResources = true, enableAzureResources = true, allowIpCheckApi = true, allowFullOutboundAddress, }) => {
+    location = (0, Location_1.getLocation)(location);
+    const networkRules = new Array();
+    const applicationRules = new Array();
+    if (allowFullOutboundAddress) {
+        networkRules.push({
+            ruleType: 'NetworkRule',
+            name: 'allow-out-all',
+            description: 'Allow out all',
+            ipProtocols: ['TCP'],
+            sourceAddresses: allowFullOutboundAddress,
+            destinationAddresses: ['*'],
+            destinationPorts: ['443'],
+        });
+    }
+    if (enableCloudPcRules) {
+        networkRules.push({
+            ruleType: 'NetworkRule',
+            name: 'allow-AVD-traffic',
+            description: 'AVD traffic',
+            ipProtocols: ['TCP'],
+            sourceAddresses: vnetAddressSpace,
+            destinationAddresses: ['169.254.169.254', '168.63.129.16'],
+            destinationPorts: ['80'],
+        }, {
+            ruleType: 'NetworkRule',
+            name: 'allow-AVD-WA',
+            description: 'AVD WA',
+            ipProtocols: ['TCP'],
+            sourceAddresses: vnetAddressSpace,
+            destinationAddresses: ['23.102.135.246'],
+            destinationPorts: ['1688'],
+        }, {
+            ruleType: 'NetworkRule',
+            name: 'allow-time-sync',
+            description: 'Win time sync',
+            ipProtocols: ['UDP'],
+            sourceAddresses: vnetAddressSpace,
+            destinationFqdns: ['time.windows.com'],
+            destinationPorts: ['123'],
+        }, {
+            ruleType: 'NetworkRule',
+            name: 'allow-AzureDevOps',
+            description: 'AzureDevOps',
+            ipProtocols: ['TCP'],
+            sourceAddresses: vnetAddressSpace,
+            destinationAddresses: [
+                '13.107.6.0/24',
+                '13.107.9.0/24',
+                '13.107.42.0/24',
+                '13.107.43.0/24',
+            ],
+            destinationPorts: ['443'],
+        }, {
+            ruleType: 'NetworkRule',
+            name: 'allow-ServiceBus',
+            description: 'ServiceBus',
+            ipProtocols: ['TCP'],
+            sourceAddresses: vnetAddressSpace,
+            destinationFqdns: ['servicebus.windows.net'],
+            destinationPorts: [
+                '5671',
+                '5672',
+                '9350',
+                '9351',
+                '9352',
+                '9353',
+                '9354',
+            ],
+        }, {
+            ruleType: 'NetworkRule',
+            name: 'allow-Azure',
+            description: 'Allows Azure',
+            ipProtocols: ['TCP'],
+            sourceAddresses: vnetAddressSpace,
+            destinationAddresses: [
+                `ApiManagement.SoutheastAsia`,
+                `AzureCloud.SoutheastAsia`,
+                `AzureContainerRegistry.SoutheastAsia`,
+                `AzureCosmosDB.SoutheastAsia`,
+                `AzureKeyVault.SoutheastAsia`,
+                `EventHub.SoutheastAsia`,
+                `MicrosoftContainerRegistry.SoutheastAsia`,
+                `ServiceBus.SoutheastAsia`,
+                `Storage.SoutheastAsia`,
+            ],
+            destinationPorts: ['443'],
+        }, {
+            ruleType: 'NetworkRule',
+            name: 'allow-Azure-Db',
+            description: 'Allows Azure Sql',
+            ipProtocols: ['TCP'],
+            sourceAddresses: vnetAddressSpace,
+            destinationAddresses: [`Sql.SoutheastAsia`],
+            destinationPorts: ['1433', '1434', '11000-11999', '14000-14999'],
+        });
+        applicationRules.push({
+            ruleType: 'ApplicationRule',
+            name: 'allow-AVD-vvd',
+            description: 'WindowsVirtualDesktop traffic',
+            sourceAddresses: allowFullOutboundAddress,
+            fqdnTags: ['WindowsVirtualDesktop'],
+        }, {
+            ruleType: 'ApplicationRule',
+            name: 'allow-AVD-Diagnostics',
+            description: 'WindowsVirtualDesktop Diagnostics',
+            sourceAddresses: allowFullOutboundAddress,
+            //protocols: [{ protocolType: 'Https', port: 443 }],
+            fqdnTags: ['WindowsDiagnostics'],
+        }, {
+            ruleType: 'ApplicationRule',
+            name: 'allow-AVD-Update',
+            description: 'WindowsVirtualDesktop Update',
+            sourceAddresses: allowFullOutboundAddress,
+            //protocols: [{ protocolType: 'Https', port: 443 }],
+            fqdnTags: ['WindowsUpdate'],
+        }, {
+            ruleType: 'ApplicationRule',
+            name: 'allow-AVD-times',
+            description: 'Allow ADV Times',
+            protocols: [{ protocolType: 'Https', port: 443 }],
+            sourceAddresses: allowFullOutboundAddress,
+            targetFqdns: ['*.core.windows.net', '*.servicebus.windows.net'],
+        });
+    }
+    if (enableDeveloperResources) {
+        applicationRules.push({
+            ruleType: 'ApplicationRule',
+            name: 'allow-others-https',
+            description: 'Allow others HTTPs',
+            protocols: [{ protocolType: 'Https', port: 443 }],
+            sourceAddresses: allowFullOutboundAddress,
+            targetFqdns: [
+                '*.digicert.com',
+                //Draw.io
+                'draw.io',
+                'draw.net',
+                '*.draw.io',
+                '*.draw.net',
+                '*.diagrams.net',
+                'python.org',
+                '*.pulumi.com',
+            ],
+        }, {
+            ruleType: 'ApplicationRule',
+            name: 'allow-others-http',
+            description: 'Allow others HTTP',
+            protocols: [{ protocolType: 'Http', port: 80 }],
+            sourceAddresses: allowFullOutboundAddress,
+            targetFqdns: ['*.digicert.com'],
+        }, {
+            ruleType: 'ApplicationRule',
+            name: 'allow-choco',
+            description: 'Allow choco',
+            protocols: [
+                { protocolType: 'Http', port: 80 },
+                { protocolType: 'Https', port: 443 },
+            ],
+            sourceAddresses: allowFullOutboundAddress,
+            targetFqdns: ['*.chocolatey.org', 'chocolatey.org'],
+        });
+    }
+    if (enableAzureResources) {
+        applicationRules.push({
+            ruleType: 'ApplicationRule',
+            name: 'allow-azure-resources',
+            description: 'Allows Azure Resources',
+            protocols: [{ protocolType: 'Https', port: 443 }],
+            sourceAddresses: allowFullOutboundAddress,
+            targetFqdns: [
+                //AKS
+                '*.hcp.southeastasia.azmk8s.io',
+                'dl.k8s.io',
+                '*.googleapis.com',
+                //Azure DevOps
+                '*.dev.azure.com',
+                '*.vsassets.io',
+                '*gallerycdn.vsassets.io',
+                '*vstmrblob.vsassets.io',
+                'aadcdn.msauth.net',
+                'aadcdn.msftauth.net',
+                'aex.dev.azure.com',
+                'aexprodea1.vsaex.visualstudio.com',
+                'amcdn.msftauth.net',
+                'amp.azure.net',
+                'app.vssps.dev.azure.com',
+                'app.vssps.visualstudio.com',
+                '*.vssps.visualstudio.com',
+                'azure.microsoft.com',
+                'azurecomcdn.azureedge.net',
+                'cdn.vsassets.io',
+                'dev.azure.com',
+                'go.microsoft.com',
+                'graph.microsoft.com',
+                'live.com',
+                'login.live.com',
+                'login.microsoftonline.com',
+                'management.azure.com',
+                'management.core.windows.net',
+                'microsoft.com',
+                'microsoftonline.com',
+                'static2.sharepointonline.com',
+                'visualstudio.com',
+                'vsrm.dev.azure.com',
+                'vstsagentpackage.azureedge.net',
+                'windows.net',
+                'login.microsoftonline.com',
+                'app.vssps.visualstudio.com',
+                'transwap.visualstudio.com',
+                '*.blob.core.windows.net',
+                'transwap.vsrm.visualstudio.com',
+                'transwap.vstmr.visualstudio.com',
+                'transwap.pkgs.visualstudio.com',
+                'transwap.vssps.visualstudio.com',
+                //Office 365
+                'transwapo365-my.sharepoint.com',
+                'admin.microsoft.com',
+                '*.office365.com',
+                '*.outlook.com',
+                '*.office.com',
+                '*.outlook.office.com',
+                'attachments.office.net',
+                '*.protection.outlook.com',
+                '*.mail.protection.outlook.com',
+                '*.officeapps.live.com',
+                '*.online.office.com',
+                'office.live.com',
+                '*.aria.microsoft.com',
+                '*.events.data.microsoft.com',
+                '*.o365weve.com',
+                'amp.azure.net',
+                'appsforoffice.microsoft.com',
+                'assets.onestore.ms',
+                'auth.gfx.ms',
+                'c1.microsoft.com',
+                'contentstorage.osi.office.net',
+                'dgps.support.microsoft.com',
+                'docs.microsoft.com',
+                'msdn.microsoft.com',
+                'platform.linkedin.com',
+                'prod.msocdn.com',
+                'shellprod.msocdn.com',
+                '*.cdn.office.net',
+                'support.content.office.net',
+                'support.microsoft.com',
+                'technet.microsoft.com',
+                'videocontent.osi.office.net',
+                'videoplayercdn.osi.office.net',
+                'identity.nel.measure.office.net',
+                //Azure
+                '*.login.microsoftonline.com',
+                '*.aadcdn.microsoftonline-p.com',
+                '*.aka.ms',
+                '*.applicationinsights.io',
+                '*.azure.com',
+                '*.azure.net',
+                '*.azure-api.net',
+                '*.azuredatalakestore.net',
+                '*.azureedge.net',
+                '*.loganalytics.io',
+                '*.microsoft.com',
+                '*.microsoftonline.com',
+                '*.microsoftonline-p.com',
+                '*.msauth.net',
+                '*.msftauth.net',
+                '*.trafficmanager.net',
+                '*.visualstudio.com',
+                '*.windows.net',
+                '*.windows-int.net',
+                '*.wns.windows.com',
+                '*.activity.windows.com',
+                '*.mp.microsoft.com',
+                //PowerBI
+                '*.powerbi.com',
+                '*.analysis.windows.net',
+                '*.frontend.clouddatahub.net',
+                '*.msftncsi.com',
+                '*.dc.services.visualstudio.com',
+            ],
+        });
+    }
+    if (allowIpCheckApi) {
+        applicationRules.push({
+            ruleType: 'ApplicationRule',
+            name: 'allow-ip-checks',
+            description: 'Allows Ip Checks',
+            protocols: [{ protocolType: 'Https', port: 443 }],
+            sourceAddresses: allowFullOutboundAddress,
+            targetFqdns: ['*.ipify.org', '*.myip.com', 'ip.me'],
+        });
+    }
+    return [
+        {
+            name,
+            networkRules,
+            applicationRules,
+        },
+    ];
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ2xvdWRQQ0ZpcmV3YWxsUG9saWN5LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL1ZOZXQvRmlyZXdhbGxQb2xpY2llcy9DbG91ZFBDRmlyZXdhbGxQb2xpY3kudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFHQSxvREFBb0Q7QUFhcEQsa0JBQWUsQ0FBQyxFQUNkLElBQUksRUFDSixRQUFRLEVBQ1IsZ0JBQWdCLEVBQ2hCLGtCQUFrQixHQUFHLElBQUksRUFDekIsd0JBQXdCLEdBQUcsSUFBSSxFQUMvQixvQkFBb0IsR0FBRyxJQUFJLEVBQzNCLGVBQWUsR0FBRyxJQUFJLEVBQ3RCLHdCQUF3QixHQUNsQixFQUE0QixFQUFFO0lBQ3BDLFFBQVEsR0FBRyxJQUFBLHNCQUFXLEVBQUMsUUFBUSxDQUFDLENBQUM7SUFFakMsTUFBTSxZQUFZLEdBQUcsSUFBSSxLQUFLLEVBQXlDLENBQUM7SUFDeEUsTUFBTSxnQkFBZ0IsR0FBRyxJQUFJLEtBQUssRUFFL0IsQ0FBQztJQUVKLElBQUksd0JBQXdCLEVBQUUsQ0FBQztRQUM3QixZQUFZLENBQUMsSUFBSSxDQUFDO1lBQ2hCLFFBQVEsRUFBRSxhQUFhO1lBQ3ZCLElBQUksRUFBRSxlQUFlO1lBQ3JCLFdBQVcsRUFBRSxlQUFlO1lBQzVCLFdBQVcsRUFBRSxDQUFDLEtBQUssQ0FBQztZQUNwQixlQUFlLEVBQUUsd0JBQXdCO1lBQ3pDLG9CQUFvQixFQUFFLENBQUMsR0FBRyxDQUFDO1lBQzNCLGdCQUFnQixFQUFFLENBQUMsS0FBSyxDQUFDO1NBQzFCLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxJQUFJLGtCQUFrQixFQUFFLENBQUM7UUFDdkIsWUFBWSxDQUFDLElBQUksQ0FDZjtZQUNFLFFBQVEsRUFBRSxhQUFhO1lBQ3ZCLElBQUksRUFBRSxtQkFBbUI7WUFDekIsV0FBVyxFQUFFLGFBQWE7WUFDMUIsV0FBVyxFQUFFLENBQUMsS0FBSyxDQUFDO1lBQ3BCLGVBQWUsRUFBRSxnQkFBZ0I7WUFDakMsb0JBQW9CLEVBQUUsQ0FBQyxpQkFBaUIsRUFBRSxlQUFlLENBQUM7WUFDMUQsZ0JBQWdCLEVBQUUsQ0FBQyxJQUFJLENBQUM7U0FDekIsRUFDRDtZQUNFLFFBQVEsRUFBRSxhQUFhO1lBQ3ZCLElBQUksRUFBRSxjQUFjO1lBQ3BCLFdBQVcsRUFBRSxRQUFRO1lBQ3JCLFdBQVcsRUFBRSxDQUFDLEtBQUssQ0FBQztZQUNwQixlQUFlLEVBQUUsZ0JBQWdCO1lBQ2pDLG9CQUFvQixFQUFFLENBQUMsZ0JBQWdCLENBQUM7WUFDeEMsZ0JBQWdCLEVBQUUsQ0FBQyxNQUFNLENBQUM7U0FDM0IsRUFDRDtZQUNFLFFBQVEsRUFBRSxhQUFhO1lBQ3ZCLElBQUksRUFBRSxpQkFBaUI7WUFDdkIsV0FBVyxFQUFFLGVBQWU7WUFDNUIsV0FBVyxFQUFFLENBQUMsS0FBSyxDQUFDO1lBQ3BCLGVBQWUsRUFBRSxnQkFBZ0I7WUFDakMsZ0JBQWdCLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQztZQUN0QyxnQkFBZ0IsRUFBRSxDQUFDLEtBQUssQ0FBQztTQUMxQixFQUNEO1lBQ0UsUUFBUSxFQUFFLGFBQWE7WUFDdkIsSUFBSSxFQUFFLG1CQUFtQjtZQUN6QixXQUFXLEVBQUUsYUFBYTtZQUMxQixXQUFXLEVBQUUsQ0FBQyxLQUFLLENBQUM7WUFDcEIsZUFBZSxFQUFFLGdCQUFnQjtZQUNqQyxvQkFBb0IsRUFBRTtnQkFDcEIsZUFBZTtnQkFDZixlQUFlO2dCQUNmLGdCQUFnQjtnQkFDaEIsZ0JBQWdCO2FBQ2pCO1lBQ0QsZ0JBQWdCLEVBQUUsQ0FBQyxLQUFLLENBQUM7U0FDMUIsRUFDRDtZQUNFLFFBQVEsRUFBRSxhQUFhO1lBQ3ZCLElBQUksRUFBRSxrQkFBa0I7WUFDeEIsV0FBVyxFQUFFLFlBQVk7WUFDekIsV0FBVyxFQUFFLENBQUMsS0FBSyxDQUFDO1lBQ3BCLGVBQWUsRUFBRSxnQkFBZ0I7WUFDakMsZ0JBQWdCLEVBQUUsQ0FBQyx3QkFBd0IsQ0FBQztZQUM1QyxnQkFBZ0IsRUFBRTtnQkFDaEIsTUFBTTtnQkFDTixNQUFNO2dCQUNOLE1BQU07Z0JBQ04sTUFBTTtnQkFDTixNQUFNO2dCQUNOLE1BQU07Z0JBQ04sTUFBTTthQUNQO1NBQ0YsRUFDRDtZQUNFLFFBQVEsRUFBRSxhQUFhO1lBQ3ZCLElBQUksRUFBRSxhQUFhO1lBQ25CLFdBQVcsRUFBRSxjQUFjO1lBQzNCLFdBQVcsRUFBRSxDQUFDLEtBQUssQ0FBQztZQUNwQixlQUFlLEVBQUUsZ0JBQWdCO1lBRWpDLG9CQUFvQixFQUFFO2dCQUNwQiw2QkFBNkI7Z0JBQzdCLDBCQUEwQjtnQkFDMUIsc0NBQXNDO2dCQUN0Qyw2QkFBNkI7Z0JBQzdCLDZCQUE2QjtnQkFDN0Isd0JBQXdCO2dCQUN4QiwwQ0FBMEM7Z0JBQzFDLDBCQUEwQjtnQkFDMUIsdUJBQXVCO2FBQ3hCO1lBQ0QsZ0JBQWdCLEVBQUUsQ0FBQyxLQUFLLENBQUM7U0FDMUIsRUFDRDtZQUNFLFFBQVEsRUFBRSxhQUFhO1lBQ3ZCLElBQUksRUFBRSxnQkFBZ0I7WUFDdEIsV0FBVyxFQUFFLGtCQUFrQjtZQUMvQixXQUFXLEVBQUUsQ0FBQyxLQUFLLENBQUM7WUFDcEIsZUFBZSxFQUFFLGdCQUFnQjtZQUNqQyxvQkFBb0IsRUFBRSxDQUFDLG1CQUFtQixDQUFDO1lBQzNDLGdCQUFnQixFQUFFLENBQUMsTUFBTSxFQUFFLE1BQU0sRUFBRSxhQUFhLEVBQUUsYUFBYSxDQUFDO1NBQ2pFLENBQ0YsQ0FBQztRQUVGLGdCQUFnQixDQUFDLElBQUksQ0FDbkI7WUFDRSxRQUFRLEVBQUUsaUJBQWlCO1lBQzNCLElBQUksRUFBRSxlQUFlO1lBQ3JCLFdBQVcsRUFBRSwrQkFBK0I7WUFDNUMsZUFBZSxFQUFFLHdCQUF3QjtZQUN6QyxRQUFRLEVBQUUsQ0FBQyx1QkFBdUIsQ0FBQztTQUNwQyxFQUNEO1lBQ0UsUUFBUSxFQUFFLGlCQUFpQjtZQUMzQixJQUFJLEVBQUUsdUJBQXVCO1lBQzdCLFdBQVcsRUFBRSxtQ0FBbUM7WUFDaEQsZUFBZSxFQUFFLHdCQUF3QjtZQUN6QyxvREFBb0Q7WUFDcEQsUUFBUSxFQUFFLENBQUMsb0JBQW9CLENBQUM7U0FDakMsRUFDRDtZQUNFLFFBQVEsRUFBRSxpQkFBaUI7WUFDM0IsSUFBSSxFQUFFLGtCQUFrQjtZQUN4QixXQUFXLEVBQUUsOEJBQThCO1lBQzNDLGVBQWUsRUFBRSx3QkFBd0I7WUFDekMsb0RBQW9EO1lBQ3BELFFBQVEsRUFBRSxDQUFDLGVBQWUsQ0FBQztTQUM1QixFQUNEO1lBQ0UsUUFBUSxFQUFFLGlCQUFpQjtZQUMzQixJQUFJLEVBQUUsaUJBQWlCO1lBQ3ZCLFdBQVcsRUFBRSxpQkFBaUI7WUFDOUIsU0FBUyxFQUFFLENBQUMsRUFBRSxZQUFZLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUUsQ0FBQztZQUNqRCxlQUFlLEVBQUUsd0JBQXdCO1lBQ3pDLFdBQVcsRUFBRSxDQUFDLG9CQUFvQixFQUFFLDBCQUEwQixDQUFDO1NBQ2hFLENBQ0YsQ0FBQztJQUNKLENBQUM7SUFFRCxJQUFJLHdCQUF3QixFQUFFLENBQUM7UUFDN0IsZ0JBQWdCLENBQUMsSUFBSSxDQUNuQjtZQUNFLFFBQVEsRUFBRSxpQkFBaUI7WUFDM0IsSUFBSSxFQUFFLG9CQUFvQjtZQUMxQixXQUFXLEVBQUUsb0JBQW9CO1lBQ2pDLFNBQVMsRUFBRSxDQUFDLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsR0FBRyxFQUFFLENBQUM7WUFDakQsZUFBZSxFQUFFLHdCQUF3QjtZQUN6QyxXQUFXLEVBQUU7Z0JBQ1gsZ0JBQWdCO2dCQUVoQixTQUFTO2dCQUNULFNBQVM7Z0JBQ1QsVUFBVTtnQkFDVixXQUFXO2dCQUNYLFlBQVk7Z0JBQ1osZ0JBQWdCO2dCQUVoQixZQUFZO2dCQUNaLGNBQWM7YUFDZjtTQUNGLEVBQ0Q7WUFDRSxRQUFRLEVBQUUsaUJBQWlCO1lBQzNCLElBQUksRUFBRSxtQkFBbUI7WUFDekIsV0FBVyxFQUFFLG1CQUFtQjtZQUNoQyxTQUFTLEVBQUUsQ0FBQyxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLEVBQUUsRUFBRSxDQUFDO1lBQy9DLGVBQWUsRUFBRSx3QkFBd0I7WUFDekMsV0FBVyxFQUFFLENBQUMsZ0JBQWdCLENBQUM7U0FDaEMsRUFDRDtZQUNFLFFBQVEsRUFBRSxpQkFBaUI7WUFDM0IsSUFBSSxFQUFFLGFBQWE7WUFDbkIsV0FBVyxFQUFFLGFBQWE7WUFDMUIsU0FBUyxFQUFFO2dCQUNULEVBQUUsWUFBWSxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsRUFBRSxFQUFFO2dCQUNsQyxFQUFFLFlBQVksRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLEdBQUcsRUFBRTthQUNyQztZQUNELGVBQWUsRUFBRSx3QkFBd0I7WUFDekMsV0FBVyxFQUFFLENBQUMsa0JBQWtCLEVBQUUsZ0JBQWdCLENBQUM7U0FDcEQsQ0FDRixDQUFDO0lBQ0osQ0FBQztJQUVELElBQUksb0JBQW9CLEVBQUUsQ0FBQztRQUN6QixnQkFBZ0IsQ0FBQyxJQUFJLENBQUM7WUFDcEIsUUFBUSxFQUFFLGlCQUFpQjtZQUMzQixJQUFJLEVBQUUsdUJBQXVCO1lBQzdCLFdBQVcsRUFBRSx3QkFBd0I7WUFDckMsU0FBUyxFQUFFLENBQUMsRUFBRSxZQUFZLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUUsQ0FBQztZQUNqRCxlQUFlLEVBQUUsd0JBQXdCO1lBQ3pDLFdBQVcsRUFBRTtnQkFDWCxLQUFLO2dCQUNMLCtCQUErQjtnQkFDL0IsV0FBVztnQkFDWCxrQkFBa0I7Z0JBRWxCLGNBQWM7Z0JBQ2QsaUJBQWlCO2dCQUNqQixlQUFlO2dCQUNmLHlCQUF5QjtnQkFDekIsd0JBQXdCO2dCQUN4QixtQkFBbUI7Z0JBQ25CLHFCQUFxQjtnQkFDckIsbUJBQW1CO2dCQUNuQixtQ0FBbUM7Z0JBQ25DLG9CQUFvQjtnQkFDcEIsZUFBZTtnQkFDZix5QkFBeUI7Z0JBQ3pCLDRCQUE0QjtnQkFDNUIsMEJBQTBCO2dCQUMxQixxQkFBcUI7Z0JBQ3JCLDJCQUEyQjtnQkFDM0IsaUJBQWlCO2dCQUNqQixlQUFlO2dCQUNmLGtCQUFrQjtnQkFDbEIscUJBQXFCO2dCQUNyQixVQUFVO2dCQUNWLGdCQUFnQjtnQkFDaEIsMkJBQTJCO2dCQUMzQixzQkFBc0I7Z0JBQ3RCLDZCQUE2QjtnQkFDN0IsZUFBZTtnQkFDZixxQkFBcUI7Z0JBQ3JCLDhCQUE4QjtnQkFDOUIsa0JBQWtCO2dCQUNsQixvQkFBb0I7Z0JBQ3BCLGdDQUFnQztnQkFDaEMsYUFBYTtnQkFDYiwyQkFBMkI7Z0JBQzNCLDRCQUE0QjtnQkFDNUIsMkJBQTJCO2dCQUMzQix5QkFBeUI7Z0JBQ3pCLGdDQUFnQztnQkFDaEMsaUNBQWlDO2dCQUNqQyxnQ0FBZ0M7Z0JBQ2hDLGlDQUFpQztnQkFFakMsWUFBWTtnQkFDWixnQ0FBZ0M7Z0JBQ2hDLHFCQUFxQjtnQkFDckIsaUJBQWlCO2dCQUNqQixlQUFlO2dCQUNmLGNBQWM7Z0JBQ2Qsc0JBQXNCO2dCQUN0Qix3QkFBd0I7Z0JBQ3hCLDBCQUEwQjtnQkFDMUIsK0JBQStCO2dCQUMvQix1QkFBdUI7Z0JBQ3ZCLHFCQUFxQjtnQkFDckIsaUJBQWlCO2dCQUNqQixzQkFBc0I7Z0JBQ3RCLDZCQUE2QjtnQkFDN0IsZ0JBQWdCO2dCQUNoQixlQUFlO2dCQUNmLDZCQUE2QjtnQkFDN0Isb0JBQW9CO2dCQUNwQixhQUFhO2dCQUNiLGtCQUFrQjtnQkFDbEIsK0JBQStCO2dCQUMvQiw0QkFBNEI7Z0JBQzVCLG9CQUFvQjtnQkFDcEIsb0JBQW9CO2dCQUNwQix1QkFBdUI7Z0JBQ3ZCLGlCQUFpQjtnQkFDakIsc0JBQXNCO2dCQUN0QixrQkFBa0I7Z0JBQ2xCLDRCQUE0QjtnQkFDNUIsdUJBQXVCO2dCQUN2Qix1QkFBdUI7Z0JBQ3ZCLDZCQUE2QjtnQkFDN0IsK0JBQStCO2dCQUMvQixpQ0FBaUM7Z0JBRWpDLE9BQU87Z0JBQ1AsNkJBQTZCO2dCQUM3QixnQ0FBZ0M7Z0JBQ2hDLFVBQVU7Z0JBQ1YsMEJBQTBCO2dCQUMxQixhQUFhO2dCQUNiLGFBQWE7Z0JBQ2IsaUJBQWlCO2dCQUNqQiwwQkFBMEI7Z0JBQzFCLGlCQUFpQjtnQkFDakIsbUJBQW1CO2dCQUNuQixpQkFBaUI7Z0JBQ2pCLHVCQUF1QjtnQkFDdkIseUJBQXlCO2dCQUN6QixjQUFjO2dCQUNkLGdCQUFnQjtnQkFDaEIsc0JBQXNCO2dCQUN0QixvQkFBb0I7Z0JBQ3BCLGVBQWU7Z0JBQ2YsbUJBQW1CO2dCQUNuQixtQkFBbUI7Z0JBQ25CLHdCQUF3QjtnQkFDeEIsb0JBQW9CO2dCQUVwQixTQUFTO2dCQUNULGVBQWU7Z0JBQ2Ysd0JBQXdCO2dCQUN4Qiw2QkFBNkI7Z0JBQzdCLGdCQUFnQjtnQkFDaEIsZ0NBQWdDO2FBQ2pDO1NBQ0YsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELElBQUksZUFBZSxFQUFFLENBQUM7UUFDcEIsZ0JBQWdCLENBQUMsSUFBSSxDQUFDO1lBQ3BCLFFBQVEsRUFBRSxpQkFBaUI7WUFDM0IsSUFBSSxFQUFFLGlCQUFpQjtZQUN2QixXQUFXLEVBQUUsa0JBQWtCO1lBQy9CLFNBQVMsRUFBRSxDQUFDLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsR0FBRyxFQUFFLENBQUM7WUFDakQsZUFBZSxFQUFFLHdCQUF3QjtZQUN6QyxXQUFXLEVBQUUsQ0FBQyxhQUFhLEVBQUUsWUFBWSxFQUFFLE9BQU8sQ0FBQztTQUNwRCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsT0FBTztRQUNMO1lBQ0UsSUFBSTtZQUNKLFlBQVk7WUFDWixnQkFBZ0I7U0FDakI7S0FDRixDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/VNet/FirewallPolicy.d.ts

@@ -0,0 +1,28 @@
+import { input as inputs, enums } from '@pulumi/azure-native/types';
+import { Input, Resource } from '@pulumi/pulumi';
+import { BasicResourceArgs, DefaultResourceArgs } from '../types';
+import { FirewallRuleProps } from './FirewallRules/types';
+export declare const denyOtherAppRule: inputs.network.ApplicationRuleArgs;
+interface PolicyRulesProps extends BasicResourceArgs {
+    firewallPolicyName: Input<string>;
+    priority?: number;
+    rules: Array<FirewallRuleProps>;
+    enableDenyOtherAppRule?: boolean;
+    dependsOn?: Input<Input<Resource>[]> | Input<Resource>;
+}
+export declare const linkRulesToPolicy: ({ firewallPolicyName, priority, group, name, rules, enableDenyOtherAppRule, dependsOn, }: PolicyRulesProps) => import("@pulumi/azure-native/network/firewallPolicyRuleCollectionGroup").FirewallPolicyRuleCollectionGroup;
+interface Props extends BasicResourceArgs, Omit<DefaultResourceArgs, 'monitoring'>, Omit<PolicyRulesProps, 'firewallPolicyName' | 'rules'> {
+    basePolicyId?: Input<string>;
+    dnsSettings?: Input<inputs.network.DnsSettingsArgs>;
+    transportSecurityCA?: inputs.network.FirewallPolicyCertificateAuthorityArgs;
+    sku?: enums.network.FirewallPolicySkuTier;
+    insights?: {
+        defaultWorkspaceId?: Input<string>;
+        workspaces: Array<{
+            regions: Input<string>;
+            workspaceId?: Input<string>;
+        }>;
+    };
+}
+declare const _default: ({ name, group, basePolicyId, dnsSettings, transportSecurityCA, insights, sku, dependsOn, }: Props) => import("@pulumi/azure-native/network/firewallPolicy").FirewallPolicy;
+export default _default;

package/VNet/FirewallPolicy.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.linkRulesToPolicy = exports.denyOtherAppRule = void 0;
+const network = require("@pulumi/azure-native/network");
+const types_1 = require("@pulumi/azure-native/types");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const Naming_1 = require("../Common/Naming");
+exports.denyOtherAppRule = {
+    name: 'deny-others-websites',
+    ruleType: 'ApplicationRule',
+    description: 'Deny All Others websites',
+    sourceAddresses: ['*'],
+    targetFqdns: ['*'],
+    protocols: [
+        { protocolType: 'Http', port: 80 },
+        { protocolType: 'Https', port: 443 },
+        { protocolType: 'Mssql', port: 1433 },
+    ],
+};
+const linkRulesToPolicy = ({ firewallPolicyName, priority = 200, group, name, rules, enableDenyOtherAppRule, dependsOn, }) => {
+    const ruleCollections = new Array();
+    let p = 200;
+    rules.forEach((r, i) => {
+        if (r.dnatRules && r.dnatRules.length > 0) {
+            ruleCollections.push({
+                name: `${r.name}-dnat`,
+                priority: i + p++,
+                action: {
+                    type: types_1.enums.network.FirewallPolicyNatRuleCollectionActionType.DNAT,
+                },
+                ruleCollectionType: 'FirewallPolicyNatRuleCollection',
+                rules: r.dnatRules,
+            });
+        }
+        if (r.networkRules && r.networkRules.length > 0) {
+            ruleCollections.push({
+                name: `${r.name}-net`,
+                priority: i + p++,
+                action: {
+                    type: types_1.enums.network.FirewallPolicyFilterRuleCollectionActionType
+                        .Allow,
+                },
+                ruleCollectionType: 'FirewallPolicyFilterRuleCollection',
+                rules: r.networkRules,
+            });
+        }
+        if (r.applicationRules && r.applicationRules.length > 0) {
+            ruleCollections.push({
+                name: `${r.name}-app`,
+                priority: i + 200 + p++,
+                action: {
+                    type: types_1.enums.network.FirewallPolicyFilterRuleCollectionActionType
+                        .Allow,
+                },
+                ruleCollectionType: 'FirewallPolicyFilterRuleCollection',
+                rules: r.applicationRules,
+            });
+        }
+    });
+    if (enableDenyOtherAppRule) {
+        //Denied others
+        ruleCollections.push({
+            name: `${name}-deny-others`,
+            priority: 6001,
+            action: {
+                type: types_1.enums.network.FirewallPolicyFilterRuleCollectionActionType.Allow,
+            },
+            ruleCollectionType: 'FirewallPolicyFilterRuleCollection',
+            rules: [exports.denyOtherAppRule],
+        });
+    }
+    const groupName = (0, Naming_1.getFirewallPolicyGroupName)(name);
+    return new network.FirewallPolicyRuleCollectionGroup(groupName, {
+        name: groupName,
+        ...group,
+        firewallPolicyName,
+        priority,
+        ruleCollections,
+    }, { dependsOn });
+};
+exports.linkRulesToPolicy = linkRulesToPolicy;
+exports.default = ({ name, group, basePolicyId, dnsSettings, transportSecurityCA, insights, sku = types_1.enums.network.FirewallPolicySkuTier.Basic, dependsOn, }) => {
+    name = (0, Naming_1.getFirewallPolicyName)(name);
+    const policy = new network.FirewallPolicy(name, {
+        firewallPolicyName: name,
+        ...group,
+        sku: { tier: sku },
+        basePolicy: basePolicyId ? { id: basePolicyId } : undefined,
+        dnsSettings,
+        threatIntelMode: types_1.enums.network.AzureFirewallThreatIntelMode.Deny,
+        transportSecurity: transportSecurityCA
+            ? { certificateAuthority: transportSecurityCA }
+            : undefined,
+        insights: insights
+            ? {
+                isEnabled: true,
+                logAnalyticsResources: {
+                    defaultWorkspaceId: { id: insights.defaultWorkspaceId },
+                    workspaces: insights.workspaces.map((i) => ({
+                        region: i.regions,
+                        workspaceId: { id: i.workspaceId },
+                    })),
+                },
+            }
+            : undefined,
+        tags: AzureEnv_1.defaultTags,
+    }, { dependsOn });
+    return policy;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiRmlyZXdhbGxQb2xpY3kuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvVk5ldC9GaXJld2FsbFBvbGljeS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSx3REFBd0Q7QUFDeEQsc0RBQW9FO0FBR3BFLGlEQUFpRDtBQUNqRCw2Q0FHMEI7QUFHYixRQUFBLGdCQUFnQixHQUF1QztJQUNsRSxJQUFJLEVBQUUsc0JBQXNCO0lBQzVCLFFBQVEsRUFBRSxpQkFBaUI7SUFDM0IsV0FBVyxFQUFFLDBCQUEwQjtJQUN2QyxlQUFlLEVBQUUsQ0FBQyxHQUFHLENBQUM7SUFDdEIsV0FBVyxFQUFFLENBQUMsR0FBRyxDQUFDO0lBQ2xCLFNBQVMsRUFBRTtRQUNULEVBQUUsWUFBWSxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsRUFBRSxFQUFFO1FBQ2xDLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsR0FBRyxFQUFFO1FBQ3BDLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsSUFBSSxFQUFFO0tBQ3RDO0NBQ0YsQ0FBQztBQVVLLE1BQU0saUJBQWlCLEdBQUcsQ0FBQyxFQUNoQyxrQkFBa0IsRUFDbEIsUUFBUSxHQUFHLEdBQUcsRUFDZCxLQUFLLEVBQ0wsSUFBSSxFQUNKLEtBQUssRUFDTCxzQkFBc0IsRUFDdEIsU0FBUyxHQUNRLEVBQUUsRUFBRTtJQUNyQixNQUFNLGVBQWUsR0FBRyxJQUFJLEtBQUssRUFLOUIsQ0FBQztJQUVKLElBQUksQ0FBQyxHQUFHLEdBQUcsQ0FBQztJQUNaLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxFQUFFLEVBQUU7UUFDckIsSUFBSSxDQUFDLENBQUMsU0FBUyxJQUFJLENBQUMsQ0FBQyxTQUFTLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzFDLGVBQWUsQ0FBQyxJQUFJLENBQUM7Z0JBQ25CLElBQUksRUFBRSxHQUFHLENBQUMsQ0FBQyxJQUFJLE9BQU87Z0JBQ3RCLFFBQVEsRUFBRSxDQUFDLEdBQUcsQ0FBQyxFQUFFO2dCQUNqQixNQUFNLEVBQUU7b0JBQ04sSUFBSSxFQUFFLGFBQUssQ0FBQyxPQUFPLENBQUMseUNBQXlDLENBQUMsSUFBSTtpQkFDbkU7Z0JBQ0Qsa0JBQWtCLEVBQUUsaUNBQWlDO2dCQUNyRCxLQUFLLEVBQUUsQ0FBQyxDQUFDLFNBQVM7YUFDbkIsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUVELElBQUksQ0FBQyxDQUFDLFlBQVksSUFBSSxDQUFDLENBQUMsWUFBWSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUNoRCxlQUFlLENBQUMsSUFBSSxDQUFDO2dCQUNuQixJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUMsSUFBSSxNQUFNO2dCQUNyQixRQUFRLEVBQUUsQ0FBQyxHQUFHLENBQUMsRUFBRTtnQkFDakIsTUFBTSxFQUFFO29CQUNOLElBQUksRUFBRSxhQUFLLENBQUMsT0FBTyxDQUFDLDRDQUE0Qzt5QkFDN0QsS0FBSztpQkFDVDtnQkFDRCxrQkFBa0IsRUFBRSxvQ0FBb0M7Z0JBQ3hELEtBQUssRUFBRSxDQUFDLENBQUMsWUFBWTthQUN0QixDQUFDLENBQUM7UUFDTCxDQUFDO1FBRUQsSUFBSSxDQUFDLENBQUMsZ0JBQWdCLElBQUksQ0FBQyxDQUFDLGdCQUFnQixDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUN4RCxlQUFlLENBQUMsSUFBSSxDQUFDO2dCQUNuQixJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUMsSUFBSSxNQUFNO2dCQUNyQixRQUFRLEVBQUUsQ0FBQyxHQUFHLEdBQUcsR0FBRyxDQUFDLEVBQUU7Z0JBQ3ZCLE1BQU0sRUFBRTtvQkFDTixJQUFJLEVBQUUsYUFBSyxDQUFDLE9BQU8sQ0FBQyw0Q0FBNEM7eUJBQzdELEtBQUs7aUJBQ1Q7Z0JBQ0Qsa0JBQWtCLEVBQUUsb0NBQW9DO2dCQUN4RCxLQUFLLEVBQUUsQ0FBQyxDQUFDLGdCQUFnQjthQUMxQixDQUFDLENBQUM7UUFDTCxDQUFDO0lBQ0gsQ0FBQyxDQUFDLENBQUM7SUFFSCxJQUFJLHNCQUFzQixFQUFFLENBQUM7UUFDM0IsZUFBZTtRQUNmLGVBQWUsQ0FBQyxJQUFJLENBQUM7WUFDbkIsSUFBSSxFQUFFLEdBQUcsSUFBSSxjQUFjO1lBQzNCLFFBQVEsRUFBRSxJQUFJO1lBQ2QsTUFBTSxFQUFFO2dCQUNOLElBQUksRUFBRSxhQUFLLENBQUMsT0FBTyxDQUFDLDRDQUE0QyxDQUFDLEtBQUs7YUFDdkU7WUFDRCxrQkFBa0IsRUFBRSxvQ0FBb0M7WUFDeEQsS0FBSyxFQUFFLENBQUMsd0JBQWdCLENBQUM7U0FDMUIsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELE1BQU0sU0FBUyxHQUFHLElBQUEsbUNBQTBCLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFDbkQsT0FBTyxJQUFJLE9BQU8sQ0FBQyxpQ0FBaUMsQ0FDbEQsU0FBUyxFQUNUO1FBQ0UsSUFBSSxFQUFFLFNBQVM7UUFDZixHQUFHLEtBQUs7UUFDUixrQkFBa0I7UUFDbEIsUUFBUTtRQUNSLGVBQWU7S0FDaEIsRUFDRCxFQUFFLFNBQVMsRUFBRSxDQUNkLENBQUM7QUFDSixDQUFDLENBQUM7QUFsRlcsUUFBQSxpQkFBaUIscUJBa0Y1QjtBQXFCRixrQkFBZSxDQUFDLEVBQ2QsSUFBSSxFQUNKLEtBQUssRUFFTCxZQUFZLEVBQ1osV0FBVyxFQUVYLG1CQUFtQixFQUNuQixRQUFRLEVBQ1IsR0FBRyxHQUFHLGFBQUssQ0FBQyxPQUFPLENBQUMscUJBQXFCLENBQUMsS0FBSyxFQUMvQyxTQUFTLEdBQ0gsRUFBRSxFQUFFO0lBQ1YsSUFBSSxHQUFHLElBQUEsOEJBQXFCLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFFbkMsTUFBTSxNQUFNLEdBQUcsSUFBSSxPQUFPLENBQUMsY0FBYyxDQUN2QyxJQUFJLEVBQ0o7UUFDRSxrQkFBa0IsRUFBRSxJQUFJO1FBQ3hCLEdBQUcsS0FBSztRQUNSLEdBQUcsRUFBRSxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUU7UUFFbEIsVUFBVSxFQUFFLFlBQVksQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUUsWUFBWSxFQUFFLENBQUMsQ0FBQyxDQUFDLFNBQVM7UUFDM0QsV0FBVztRQUVYLGVBQWUsRUFBRSxhQUFLLENBQUMsT0FBTyxDQUFDLDRCQUE0QixDQUFDLElBQUk7UUFDaEUsaUJBQWlCLEVBQUUsbUJBQW1CO1lBQ3BDLENBQUMsQ0FBQyxFQUFFLG9CQUFvQixFQUFFLG1CQUFtQixFQUFFO1lBQy9DLENBQUMsQ0FBQyxTQUFTO1FBRWIsUUFBUSxFQUFFLFFBQVE7WUFDaEIsQ0FBQyxDQUFDO2dCQUNFLFNBQVMsRUFBRSxJQUFJO2dCQUNmLHFCQUFxQixFQUFFO29CQUNyQixrQkFBa0IsRUFBRSxFQUFFLEVBQUUsRUFBRSxRQUFRLENBQUMsa0JBQWtCLEVBQUU7b0JBQ3ZELFVBQVUsRUFBRSxRQUFRLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQzt3QkFDMUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPO3dCQUNqQixXQUFXLEVBQUUsRUFBRSxFQUFFLEVBQUUsQ0FBQyxDQUFDLFdBQVcsRUFBRTtxQkFDbkMsQ0FBQyxDQUFDO2lCQUNKO2FBQ0Y7WUFDSCxDQUFDLENBQUMsU0FBUztRQUNiLElBQUksRUFBRSxzQkFBVztLQUNsQixFQUNELEVBQUUsU0FBUyxFQUFFLENBQ2QsQ0FBQztJQUVGLE9BQU8sTUFBTSxDQUFDO0FBQ2hCLENBQUMsQ0FBQyJ9

package/VNet/FirewallRules/AksFirewallRules.d.ts

@@ -0,0 +1,24 @@
+import { Input } from '@pulumi/pulumi';
+import { FirewallRuleResults } from './types';
+interface BasicRuleProps {
+    startPriority: number;
+}
+interface NatRuleProps extends BasicRuleProps {
+    publicIpAddresses: Input<string>[];
+    dNATs: [
+        {
+            name: string;
+            allowHttp?: boolean;
+            externalIpAddress: Input<string>;
+            internalIpAddress: Input<string>;
+        }
+    ];
+}
+interface AksNetProps extends BasicRuleProps {
+    location?: string;
+    vnetAddressSpace: Array<Input<string>>;
+}
+export interface AksFirewallProps extends BasicRuleProps, NatRuleProps, AksNetProps {
+}
+declare const _default: ({ startPriority, vnetAddressSpace, ...others }: AksFirewallProps) => FirewallRuleResults;
+export default _default;