
[BUG] FirewallPolicyRuleGroup data returned is incomplete for IPGroup based DNAT rules. #1295

Open
krsanty opened this issue Feb 8, 2022 · 5 comments


krsanty commented Feb 8, 2022

Bug Description
On our test environment, we have Firewall Manager set up and have added DNAT rules to it. Getting the FirewallPolicyRuleGroup using GetAsync returns the correct FirewallPolicyRuleGroup. However, the Rules it returns do not contain SourceAddresses if the rule has IP Group as the source type. For IP Address as the source type, the rule returned has the correct SourceAddresses.

client.FirewallPolicyRuleGroups.GetAsync(fwPolicyResourceGroupName, fwPolicyName, fwPolicyCollGroupName);

Here's the RuleCondition when Rule is IP Group as source (note the SourceAddresses):

{Microsoft.Azure.Management.Network.Fluent.Models.NetworkRuleCondition}
    Description: null
    DestinationAddresses: Count = 1
    DestinationPorts: Count = 1
    IpProtocols: Count = 1
    Name: "p4-2604"
    **SourceAddresses: Count = 0**

In addition, when we try to create a new DNAT rule based on an IP Group, it throws an exception: Microsoft.Rest.Azure.CloudException: 'The request is invalid.'.
The SourceAddresses being passed is a List of IPGroup ResourceIDs. The code snippet used to test is below.

To Reproduce
Steps to reproduce the behavior:

  1. On Azure Portal, add DNAT rule with IP Group as source type to Firewall Policy using Firewall Manager.
  2. Fetch the FirewallPolicyRuleGroup using SDK
  3. Examine the Rules returned. SourceAddresses will be empty for IP Group based rules only.
  4. Through the CreateOrUpdateAsync method, try adding a DNAT rule having an IP Group resource as source

Code Snippet

using System.Collections.Generic;
using Microsoft.Azure.Management.Network.Fluent.Models;

// client, grp (the FirewallPolicyRuleGroup fetched via GetAsync) and the
// string variables below come from the surrounding test code.

// Rule condition: the IP Group resource ID is passed where the SDK expects addresses.
var natRuleCondition = new NetworkRuleCondition(
    name: newRuleName,
    ipProtocols: new List<FirewallPolicyRuleConditionNetworkProtocol> { FirewallPolicyRuleConditionNetworkProtocol.TCP },
    sourceAddresses: new List<string> { ipGroupResourceId },
    destinationAddresses: new List<string> { destPublicIpAddress },
    destinationPorts: new List<string> { destPort });

// DNAT rule wrapping the condition.
var firewallPolicyRule = new FirewallPolicyNatRule(
    name: newRuleName,
    priority: 300,
    action: new FirewallPolicyNatRuleAction(FirewallPolicyNatRuleActionType.DNAT),
    translatedAddress: translatedIpAddress,
    translatedPort: translatedPort,
    ruleCondition: natRuleCondition);

grp.Rules.Add(firewallPolicyRule);

// Push the updated rule group back; this call fails with "The request is invalid."
var result = await client.FirewallPolicyRuleGroups.CreateOrUpdateWithHttpMessagesAsync(
    fwPolicyResourceGroupName, fwPolicyName, fwPolicyCollGroupName, grp);

Expected behavior

  1. FirewallPolicyRuleGroups.GetAsync should return Rules with SourceAddresses populated for IPGroup based rules.
  2. Should be able to add IPGroup source type DNAT rule to Firewall policy group.

krsanty commented Feb 9, 2022

Adding more troubleshooting details based on the network traffic capture done:

Here's the REST API request being sent out when using the above SDK:

{
  "properties": {
    "priority": 300,
    "rules": [
      {
        "ruleType": "FirewallPolicyNatRule",
        "action": {
          "type": "DNAT"
        },
        "translatedAddress": "x.x.65.132",
        "translatedPort": "166",
        "ruleCondition": {
          "ruleConditionType": "NetworkRuleCondition",
          "ipProtocols": [
            "TCP"
          ],
          "sourceAddresses": [
            "/subscriptions/xxxxxxxxxx/resourcegroups/p4devorch-eastus-rg/providers/Microsoft.Network/ipGroups/p4devorch-eastus-ip-group"
          ],
          "destinationAddresses": [
            "x.x.210.188"
          ],
          "destinationPorts": [
            "1666"
          ],
          "name": "test",
          "description": ""
        },
        "name": "santy-rule",
        "priority": 300
      }
    ]
  },
  "name": "DefaultDnatRuleCollectionGroup",
  "id": "/subscriptions/xxxxxx/resourceGroups/xxxx/providers/Microsoft.Network/firewallpolicies/FirewallPolicy_p1dev-useast-fw/ruleGroups/DefaultDnatRuleCollectionGroup"
}

and the Response is:

{
  "Message": "The request is invalid.",
  "ModelState": {
    "resource": [
      "{\"Status\":\"Failed\",\"Error\":{\"Code\":\"FirewallPolicyRuleConditionInvalidIpAddressOrRangeFormat\",\"Message\":\"Firewall Policy Rule Condition test: Invalid IP address value or range /subscriptions/77c23643-4427-4fdb-88f5-d40e12804425/resourcegroups/p4devorch-eastus-rg/providers/Microsoft.Network/ipGroups/p4devorch-eastus-ip-group.\",\"Target\":null}}"
    ]
  }
}

Not sure how to send the IPGroup as part of Policy rule creation... The earlier shared code works if the IPGroup Resource Id is replaced by an IP address.
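The request and response above show the failure mode: the service parses every sourceAddresses entry as an IP address or range, and an IP Group resource ID in that array is what yields FirewallPolicyRuleConditionInvalidIpAddressOrRangeFormat. The following pre-flight check is an added example, not code from the issue or the SDK; it walks a request body of the same shape (a constructed one with placeholder values) and reports the entries the service would reject before the request is sent.

```python
import ipaddress
import json
import re

# Constructed request body in the shape the SDK sent (placeholders, not the reporter's values).
REQUEST_BODY = json.dumps({"properties": {"priority": 300, "rules": [{
    "ruleType": "FirewallPolicyNatRule", "name": "example-dnat-rule",
    "ruleCondition": {"ruleConditionType": "NetworkRuleCondition", "name": "example-condition",
        "sourceAddresses": [
            "/subscriptions/<sub-id>/resourcegroups/example-rg/providers/Microsoft.Network/ipGroups/example-ip-group",
            "10.1.2.3", "192.0.2.0/24", "198.51.100.1-198.51.100.20", "*"]}}]}})

# IP Group ARM resource id: sourceAddresses is parsed as addresses/ranges, so an id here triggers the error.
IP_GROUP_ID = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.network/ipgroups/[^/]+$",
    re.IGNORECASE)

def classify(entry):
    """Say how the firewall policy API will read one sourceAddresses entry."""
    if entry == "*":
        return "wildcard"
    if IP_GROUP_ID.match(entry):
        return "ip-group-id"
    try:
        ipaddress.ip_address(entry)
        return "address"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "cidr"
    except ValueError:
        pass
    lo, sep, hi = entry.partition("-")  # Azure also accepts "first-last" ranges
    try:
        if sep and ipaddress.ip_address(lo) <= ipaddress.ip_address(hi):
            return "range"
    except (ValueError, TypeError):  # TypeError: mixed IPv4/IPv6 endpoints
        pass
    return "invalid"

def find_rejected_sources(body):
    """Return (condition name, entry, kind) for each entry the service would reject."""
    rejected = []
    for rule in json.loads(body)["properties"]["rules"]:
        cond = rule.get("ruleCondition", {})
        for entry in cond.get("sourceAddresses", []):
            kind = classify(entry)
            if kind in ("ip-group-id", "invalid"):
                rejected.append((cond.get("name", rule["name"]), entry, kind))
    return rejected
```

Running find_rejected_sources over the constructed body flags only the resource ID entry; the plain address, CIDR, range and wildcard entries pass, matching the reporter's observation that the same code works once the ID is replaced by an IP address.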

@weidongxu-microsoft
Member

@krsanty
This SDK is in maintenance mode. It is recommended to switch to https://aka.ms/azsdk/dotnet/mgmt


krsanty commented Feb 9, 2022

That is still in pre-release, any timelines for the release?

@weidongxu-microsoft
Member

> That is still in pre-release, any timelines for the release?

Should be within a month or so (however it already got delayed multiple times).


krsanty commented Feb 21, 2022

Decided to go ahead with Azure REST API. Will switch to new SDK once it is released.
