Set-AzFirewallPolicyRuleCollectionGroup: saving multiple Rule Collections

Published: 2024-01-03

To configure a Rule Collection Group with Azure PowerShell, you first need to create a Firewall Policy.

After the firewall policy has been created, add a Rule Collection Group to it through the Azure Portal.

You can then use the Set-AzFirewallPolicyRuleCollectionGroup command to set the Rule Collection Group in the Firewall Policy.

The following is a simple example that uses Azure PowerShell to add Rule Collections and Rules to a Rule Collection Group.

$resourceGroup = "test_rg"
$fprg = $resourceGroup

# Get the Firewall Policy object
$targetfp = Get-AzFirewallPolicy -Name "testFWpolicy" -ResourceGroupName $fprg

# Get the Rule Collection Group object (the policy name is taken from the object fetched above)
$targetrcg = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName $targetfp.Name -Name "network-segmentation-local" -ResourceGroupName $resourceGroup

# First rule
$RuleParameter = @{
    Name               = "net-pde-to-external-prod-allowasdfajsdlflklkajlkfd"
    Protocol           = "Any"
    SourceAddress      = "*"
    DestinationAddress = "*"
    DestinationPort    = "*"
}
$rule = New-AzFirewallPolicyNetworkRule @RuleParameter

# Add the rule to the first Rule Collection (-Rule takes an array of rules)
$NetworkRuleCollection = @{
    Name       = "src-azure-network-rules-segmentation-allow"
    Priority   = 666
    ActionType = "Allow"
    Rule       = @($rule)
}
$NetworkRuleCategoryCollection = New-AzFirewallPolicyFilterRuleCollection @NetworkRuleCollection

# Second rule
$RuleParameter2 = @{
    Name               = "net-pde-to-external-prod-allow-all2"
    Protocol           = "Any"
    SourceAddress      = "*"
    DestinationAddress = "*"
    DestinationPort    = "*"
}
$rule2 = New-AzFirewallPolicyNetworkRule @RuleParameter2

# Add the rule to the second Rule Collection
$NetworkRuleCollection2 = @{
    Name       = "src-azure-network-rules-segmentation-allowasdfasdf2"
    Priority   = 888
    ActionType = "Allow"
    Rule       = @($rule2)
}
$NetworkRuleCategoryCollection2 = New-AzFirewallPolicyFilterRuleCollection @NetworkRuleCollection2

# Add the two Rule Collections created above to the Rule Collection Group object
$targetrcg.Properties.RuleCollection.Add($NetworkRuleCategoryCollection)
$targetrcg.Properties.RuleCollection.Add($NetworkRuleCategoryCollection2)

# Save the Rule Collection Group so that the change takes effect
Set-AzFirewallPolicyRuleCollectionGroup -FirewallPolicyName $targetfp.Name -Name $targetrcg.Name -Priority 112 -ResourceGroupName $resourceGroup -RuleCollection $targetrcg.Properties.RuleCollection

Things to note:

Set-AzFirewallPolicyRuleCollectionGroup performs an overwrite. It saves all the Rule Collections passed in the command, but it also replaces the previous configuration: if the Rule Collection Group already contained other Rule Collections before the save, every Rule Collection that is not included in the command is erased. So if you want to set several Rule Collections in a Rule Collection Group at once, pass an array containing all of them in the parameter.
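Because of this overwrite behaviour, the safe way to add one more Rule Collection is to read the group first, append to what is already there, and push the full list back. The script below is an added example, not code from the original post; the resource group, policy, group and collection names are placeholders, and it assumes the Az.Network module is loaded and Connect-AzAccount has already run.

```powershell
# Added example: append a Rule Collection to an existing Rule Collection Group
# without erasing the collections it already holds. Names are placeholders.
$resourceGroup = "test_rg"
$policyName    = "testFWpolicy"
$groupName     = "network-segmentation-local"

# Read the current group so its existing collections are part of the overwrite.
$rcg = Get-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName $resourceGroup `
          -AzureFirewallPolicyName $policyName -Name $groupName
$existing = @($rcg.Properties.RuleCollection | Where-Object { $_ })

# Build the new collection. The rule is scoped to one source subnet, one
# destination host and one port instead of "*" everywhere.
$newRule = New-AzFirewallPolicyNetworkRule -Name "allow-app-to-db-1433" `
              -Protocol "TCP" -SourceAddress "10.10.1.0/24" `
              -DestinationAddress "10.10.2.10" -DestinationPort "1433"
$newCollection = New-AzFirewallPolicyFilterRuleCollection -Name "app-to-db-allow" `
              -Priority 200 -ActionType "Allow" -Rule @($newRule)

# Stop before pushing if the new collection would clash with an existing one:
# a duplicate name would silently replace that collection, and collection
# priorities must be unique within a group.
$nameClash = $existing | Where-Object { $_.Name -eq $newCollection.Name }
$prioClash = $existing | Where-Object { $_.Priority -eq $newCollection.Priority }
if ($nameClash -or $prioClash) {
    throw "Collection name or priority is already used in '$groupName'; choose different values."
}

# Pass existing + new, so nothing already in the group is lost to the overwrite.
$allCollections = $existing + $newCollection
Set-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName $resourceGroup `
    -FirewallPolicyName $policyName -Name $groupName `
    -Priority $rcg.Properties.Priority -RuleCollection $allCollections

# Read the group back and list what it now contains, to confirm nothing was dropped.
(Get-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName $resourceGroup `
    -AzureFirewallPolicyName $policyName -Name $groupName).Properties.RuleCollection |
    Select-Object Name, Priority
```

The read-back at the end is the check worth keeping in any change script for this cmdlet: the number of collections after the save should be the number before plus one.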

Reference:

Set-AzFirewallPolicyRuleCollectionGroup (Az.Network) | Microsoft Learn

Source: https://blog.csdn.net/qq_17130945/article/details/135314615