Jorge Bernhardt

How to create IP Groups for Azure Firewall rules

Hi everyone, in a previous post, I showed you how to deploy an Azure Firewall. Today I will show you how to create and manage IP Groups for your Azure Firewall using PowerShell and Azure CLI. An IP Group is an Azure resource that can be used in network rules, application rules, and DNAT rules for multiple firewalls across regions and subscriptions, which makes it easier to manage the rules on your Azure Firewall.

Important: The IP Group names must be unique.

Azure PowerShell Workaround

If you want to know how to install the PowerShell Azure module on your machine, check out this link. The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account. If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

$resourceGroupName="RG-DEMO-NE"
$location="North Europe"

Create an Azure IP Group

First, I will create an IP group, and in the same command, I already define some IPs and set the resource labels. For this, I will use the New-AzIpGroup cmdlet with the following syntax.

New-AzIpGroup `
    -Name "IPG-DEMO-NE" `
    -ResourceGroupName $resourceGroupName `
    -Location $location `
    -IpAddress @('10.0.0.0/24', '192.168.1.10') `
    -Tag @{Environment="www.jorgebernhardt.com"}

Update an Azure IP Group

Once the resource is created, it can be modified using the following commands. It is important not to forget to run the Set-AzIpGroup cmdlet to apply the changes to the IP Group configuration. If you want to add a single IP or CIDR notation, you should use the following commands.

# Fetch the current IP Group object
$ipGroup = Get-AzIpGroup `
    -Name "IPG-DEMO-NE" `
    -ResourceGroupName $resourceGroupName
# Change the local copy, then push the change to Azure
$ipGroup.IpAddresses.Add("192.168.11.0/24")
Set-AzIpGroup -IpGroup $ipGroup

But if you want to add a range of IPs, you should use the following commands.

$iprange=("10.3.0.1-10.3.0.31")
$ipGroup.IpAddresses.Add($iprange)
Set-AzIpGroup -IpGroup $ipGroup

To remove an IP from the IP Group, you should use the following command.

$ipGroup.IpAddresses.Remove("192.168.1.10")
Set-AzIpGroup -IpGroup $ipGroup

If you want to delete all the IPs defined in the IP Group, you can use the following command.

$ipGroup.IpAddresses.Clear()
Set-AzIpGroup -IpGroup $ipGroup

Get the IP addresses of an Azure IP Group

To list all the IPs defined in the IP Group, you should use the Get-AzIpGroup cmdlet with the following syntax.

Get-AzIpGroup `
    -Name "IPG-DEMO-NE" `
    -ResourceGroupName $resourceGroupName `
    | Select-Object Name, IpAddresses

Delete an Azure IP Group

Finally, if you want to remove the resource, you should use the Remove-AzIpGroup cmdlet with the following syntax.

Remove-AzIpGroup `
    -ResourceGroupName $resourceGroupName `
    -Name $ipGroup.Name `
    -Force

Important: To delete an IP Group, you must first dissociate it from the resource using it.

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.

resourceGroupName="RG-DEMO-NE"
location="NorthEurope"

Create an Azure IP Group

First, I will create an IP group, and in the same command, I already define some IPs and set the resource labels. To do this, I will use the following command.

az network ip-group create \
--name IPG-DEMO-NE \
--resource-group $resourceGroupName \
--location $location \
--ip-addresses '10.0.0.0/24' '192.168.1.10' \
--tags Environment="www.JorgeBernhardt.com"

Update an Azure IP Group

Once the IpGroup is created, it can be modified using the following commands. To add a single IP or CIDR notation, you should use the following command.

az network ip-group update \
--name IPG-DEMO-NE \
--add ipAddresses '192.168.11.0/24' \
-g $resourceGroupName

Likewise, if you want to add an IP range, you should use the following command.

az network ip-group update \
--name IPG-DEMO-NE \
--add ipAddresses '10.3.0.1-10.3.0.31' \
-g $resourceGroupName
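
The three entry formats used above (single address, CIDR block, address range) can be checked before they reach the IP Group, since a typo here ends up in every firewall rule that references the group. The following is an added example, not part of the original post: the function names and the MIN_PREFIX limit are assumptions, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: pre-flight check for IP Group entries (IPv4 only).
# MIN_PREFIX is an assumed local policy: CIDR blocks broader than this are rejected.
MIN_PREFIX=${MIN_PREFIX:-8}

# ipv4_to_int A.B.C.D -> prints the address as an integer; fails if malformed.
ipv4_to_int() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    n=0
    for octet in "$@"; do
        case "$octet" in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || exit 1
        n=$(( n * 256 + octet ))
    done
    echo "$n"
)

# classify_entry ENTRY -> prints "ip", "cidr" or "range"; non-zero exit if invalid.
classify_entry() (
    entry=$1
    case "$entry" in
        */*)
            addr=${entry%%/*}; prefix=${entry#*/}
            case "$prefix" in ''|*[!0-9]*|???*) exit 1 ;; esac
            [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || exit 1
            ipv4_to_int "$addr" >/dev/null || exit 1
            echo cidr ;;
        *-*)
            start=$(ipv4_to_int "${entry%%-*}") || exit 1
            end=$(ipv4_to_int "${entry#*-}") || exit 1
            [ "$start" -le "$end" ] || exit 1   # a reversed range is treated as a typo
            echo range ;;
        *)
            ipv4_to_int "$entry" >/dev/null || exit 1
            echo ip ;;
    esac
)

# Constructed sample entries; the last three are deliberately invalid.
for e in 192.168.1.10 10.0.0.0/24 10.3.0.1-10.3.0.31 10.3.0.31-10.3.0.1 10.0.0.0/33 0.0.0.0/0; do
    if kind=$(classify_entry "$e"); then echo "$e: $kind"; else echo "$e: rejected"; fi
done
```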

To remove an item from the IP address list, you should use its index number; keep in mind that the first item in the list corresponds to index 0.

az network ip-group update \
--name IPG-DEMO-NE \
--remove ipAddresses 1 \
-g $resourceGroupName
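
Index-based removal deletes whatever currently sits at that position, so resolving the index from the value first avoids dropping the wrong entry from the group. This is an added example, not part of the original post: the function names are assumptions, and it assumes `-o tsv` prints one list entry per line.

```shell
#!/bin/sh
# Added example: remove an IP Group entry by value instead of by a remembered index.

# index_of VALUE: reads one entry per line on stdin, prints the zero-based index
# of the exact match, and exits non-zero when the value is absent.
index_of() {
    awk -v want="$1" '($0 "") == (want "") { print NR - 1; found = 1; exit }
                      END { exit !found }'
}

# remove_ip_by_value GROUP RESOURCE_GROUP VALUE
# Looks up the current index of VALUE, then runs the index-based removal.
# The list can change between the two calls, so run it from one place at a time.
remove_ip_by_value() {
    idx=$(az network ip-group show --name "$1" --resource-group "$2" \
            --query ipAddresses -o tsv | index_of "$3") || {
        echo "not removing anything: $3 is not in $1" >&2
        return 1
    }
    az network ip-group update --name "$1" -g "$2" --remove ipAddresses "$idx"
}

# Constructed sample list, in the order the post's commands would leave it.
sample_entries() {
    printf '%s\n' 10.0.0.0/24 192.168.1.10 192.168.11.0/24 10.3.0.1-10.3.0.31
}

sample_entries | index_of 192.168.1.10      # prints 1
```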

If you want to delete all the IPs defined in the IpGroup, you can use the following command.

az network ip-group update \
--name IPG-DEMO-NE \
--remove ipAddresses \
-g $resourceGroupName

Get the IP addresses of an Azure IP Group

You should use the following command to get the list of all the IPs defined in the IpGroup.

az network ip-group list \
--resource-group $resourceGroupName \
--query "[].{Name:name,IPs:ipAddresses}" -o yaml

Delete an Azure IP Group

Finally, if you want to remove the IP Group resource, you should use the following command.

az network ip-group delete \
--name IPG-DEMO-NE \
--resource-group $resourceGroupName

Important: To delete an IP Group, you must first dissociate it from the resource using it.

Thanks for reading my post. I hope you find it helpful. In the following posts, I will explain how to configure an application rule, network rule, and DNAT rule in Azure Firewall. If you want to know more about Azure IP Groups, check out this link.