Hi everyone,

In a previous post, I showed you how to deploy an Azure Firewall. Today I will show you how to create and manage IP Groups in your Azure Firewall using PowerShell and Azure CLI. This Azure resource can be used in network rules, application rules, and DNAT rules for multiple firewalls across regions and subscriptions, and it makes it easy for you to manage the rules on your Azure Firewall.

Important: The IP Group names must be unique.

Azure PowerShell Workaround

If you want to know how to install the PowerShell Azure module on your machine, check out this link.

The simplest way to get started is to sign in interactively at the command line.

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.

If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

Create an Azure IP Group

First, I will create an IP group, and in the same command, I already define some IPs and set the resource labels. For this, I will use the New-AzIpGroup cmdlet with the following syntax.

Update an Azure IP Group

Once the resource is created, it can be modified using the following commands. It is important not to forget to run the Set-AzIpGroup cmdlet to apply the changes to the IP Group configuration.

If you want to add a single IP or CIDR notation, you should use the following commands.

But if you want to add a range of IPs, you should use the following commands.

To remove an IP from the IP Group, you should use the following command.

If you want to delete all the IPs defined in the IP Group, you can use the following command.

Get the IP addresses of an Azure IP Group

To list all the IPs defined in the IP Group, you should use the Get-AzIpGroup cmdlet with the following syntax.

Delete an Azure IP Group

Finally, if you want to remove the resource, you should use the Remove-AzIpGroup cmdlet with the following syntax.

Important: To delete an IP Group, you must first dissociate it from the resource using it.
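
The PowerShell steps above, combined into one script. This is an added example, not the post's original commands: the resource group, IP Group name, region, tag, subscription placeholder, and addresses are constructed values, and the `/0` guard before `Set-AzIpGroup` is an extra check added here.

```powershell
# Added example: every name and address below is a constructed placeholder.
$rg       = 'rg-demo-firewall'       # hypothetical resource group
$name     = 'ipg-demo-allowlist'     # hypothetical IP Group name (must be unique)
$location = 'westeurope'             # assumed region

# Sign in interactively, then pick the default subscription.
Connect-AzAccount
Set-AzContext -Subscription '<subscription-id>'

# Create the IP Group with some initial addresses and a tag in one command.
New-AzIpGroup -Name $name -ResourceGroupName $rg -Location $location `
    -IpAddress '10.0.0.0/24', '192.168.1.10' -Tag @{ environment = 'demo' }

# Updates are made on a local copy of the object first.
$ipGroup = Get-AzIpGroup -Name $name -ResourceGroupName $rg
$ipGroup.IpAddresses.Add('10.1.0.0/24')               # single IP or CIDR
$ipGroup.IpAddresses.Add('10.2.0.10-10.2.0.20')       # IP range
[void]$ipGroup.IpAddresses.Remove('192.168.1.10')     # remove one entry

# Added guard: stop before applying an entry that covers every address,
# since the group may be referenced by rules on several firewalls.
$tooBroad = @($ipGroup.IpAddresses | Where-Object { $_ -match '/0$' })
if ($tooBroad.Count -gt 0) {
    throw "Refusing to apply over-broad entries: $($tooBroad -join ', ')"
}

# Nothing changes in Azure until Set-AzIpGroup is run.
Set-AzIpGroup -IpGroup $ipGroup

# List the addresses now stored in the IP Group.
(Get-AzIpGroup -Name $name -ResourceGroupName $rg).IpAddresses

# Delete all addresses from the IP Group, then apply the change.
$ipGroup.IpAddresses.Clear()
Set-AzIpGroup -IpGroup $ipGroup

# Remove the resource (fails while a firewall still references it).
Remove-AzIpGroup -Name $name -ResourceGroupName $rg
```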

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.

First, we define the characteristics of our environment and store the values in variables.

Create an Azure IP Group

First, I will create an IP group, and in the same command, I already define some IPs and set the resource labels. To do this, I will use the following command.

Update an Azure IP Group

Once the IpGroup is created, it can be modified using the following commands. To add a single IP or CIDR notation, you should use the following command.

Likewise, if you want to add an IP range, you should use the following command.

To remove an item from the IP address list, you should use the index number; keep in mind that the first item in the list corresponds to index 0.

If you want to delete all the IPs defined in the IpGroup, you can use the following command.

Get the IP addresses of an Azure IP Group

You should use the following command to get the list of all the IPs defined in the IpGroup.

Delete an Azure IP Group

Finally, if you want to remove the IP Group resource, you should use the following command.

Important: To delete an IP Group, you must first dissociate it from the resource using it.

Thanks for reading my post. I hope you find it helpful.

In the following posts, I will explain how to configure an application rule, network rule, and DNAT rule in Azure Firewall.

If you want to know more about Azure IP Groups, check out this link.