Regional Azure Firewall Policies #750
Labels
Area: Networking 🌐
Issues / PR's related to Networking
Status: Long Term ⌛
We will do it, but will take a longer amount of time due to complexity/priorities
Type: Enhancement ✨
New feature or request
Describe the feature end to end, including deployment scenario details under which the feature would occur.
When using the vwanConnectivity module to deploy multiple regional Virtual Hubs with Azure Firewall, only a single Azure Firewall Policy is deployed. This single policy is applied to all of the vHubs that are deployed. This means the firewall configurations will be the same in all regions.
In order to account for potential regional-specific configurations, support for multiple Azure Firewall Policies may be required.
Why is this feature important? Describe why this would be important for your organization and others. Would this impact similar orgs in the same way?
If we are properly designing for regional failover of resources with Private Endpoints, then we will also implement regional Azure Private DNS Resolvers. Refer here for further details: https://github.com/adstuart/azure-privatelink-multiregion
Considering this, the need will arise for providing unique DNS Proxy configurations on the Azure Firewall in each region where an Azure Private DNS Resolver is deployed.
Potentially related to #375 & #387
Feature Implementation
An Azure Firewall Policy resource should be created and applied to each Azure Firewall that is deployed in a region.
The parAzFirewallDnsServers parameter could be moved to part of the parVirtualWanHubs parameter, such that each hub may be associated with specific regional DNS resolvers.
Potentially deploy an additional firewall policy that could act as the Parent Policy to all other policies deployed in the vWAN.
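A sketch of the first two items under Feature Implementation, added here as an illustration in Bicep; it is not code from the issue or from the vwanConnectivity module. The per-hub property names (`parHubLocation`, `parHubResourceId`, a per-hub `parAzFirewallDnsServers`), the resource names, and the IP addresses are assumptions, and the hub resource IDs are placeholders.

```bicep
// Added illustration. The per-hub property names are assumptions,
// not the vwanConnectivity module's current schema.
@description('One entry per regional Virtual Hub, each carrying its own DNS servers.')
param parVirtualWanHubs array = [
  {
    parHubLocation: 'eastus'
    parHubResourceId: '<resource ID of the East US virtual hub>'
    // Constructed address standing in for the regional Private DNS Resolver
    parAzFirewallDnsServers: [ '10.10.0.4' ]
  }
  {
    parHubLocation: 'westus'
    parHubResourceId: '<resource ID of the West US virtual hub>'
    parAzFirewallDnsServers: [ '10.20.0.4' ]
  }
]

param parAzFirewallTier string = 'Standard'

// One policy per hub, so DNS proxy settings can differ by region.
resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-04-01' = [for hub in parVirtualWanHubs: {
  name: 'azfwpolicy-${hub.parHubLocation}'
  location: hub.parHubLocation
  properties: {
    sku: { tier: parAzFirewallTier }
    dnsSettings: {
      enableProxy: true
      servers: hub.parAzFirewallDnsServers
    }
  }
}]

// Each regional firewall references the policy at the same index,
// instead of every hub sharing a single policy.
resource resAzureFirewalls 'Microsoft.Network/azureFirewalls@2023-04-01' = [for (hub, i) in parVirtualWanHubs: {
  name: 'azfw-${hub.parHubLocation}'
  location: hub.parHubLocation
  properties: {
    sku: { name: 'AZFW_Hub', tier: parAzFirewallTier }
    hubIPAddresses: { publicIPs: { count: 1 } }
    virtualHub: { id: hub.parHubResourceId }
    firewallPolicy: { id: resFirewallPolicies[i].id }
  }
}]
```

The optional parent policy from the third item is left out of this sketch.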