Using IP Groups for Azure Firewall Policies

Hasan Gural

Hello friends, we will take a look at how to use IP Groups for Azure Firewall Policies. We will create an IP Group, add some IP addresses to it and then use it in a Firewall Policy. Before we start, ensure that you have the latest version of the Azure PowerShell module installed.

An IP Group lets you group IP addresses and then use them in Firewall Policies. You can create an IP Group in the Azure Portal or with PowerShell. Let's start with PowerShell.

Create an IP Group

First, we define the settings for the IP Group in a variable, including the IP addresses used in this example. The cmdlet we will use is New-AzIpGroup, which creates an IP Group in the specified Resource Group. We will use the following parameters:

  • Name: The name of the IP Group
  • Tag: The tags applied to the IP Group (the example stores a description in a "Desc" tag)
  • ResourceGroupName: The name of the Resource Group
  • Location: The location of the IP Group
  • IpAddress: The IP addresses that will be added to the IP Group

$IPGroups = @{
    Name              = "FirstIPGroup"
    Tag               = @{"Desc" = "My First IP Group"}
    ResourceGroupName = "rg-ipgroups-uks"
    Location          = "UK South"
    IpAddress         = @(
        "192.168.10.0/24",
        "10.10.10.0/24"
    )
}

As you can see, we have created an IP Group variable. We will use that variable to create the IP Group. Let's create the IP Group.


# The following cmdlet will create an IP Group in the specified Resource Group
# It will use the parameters we have defined in the $IPGroups variable

New-AzIpGroup @IPGroups

After the IP Group is created, we can see it in the Azure Portal. PowerShell will return the following output:

What if you want to create multiple IP Groups?

If you want to create multiple IP Groups, you can use a loop. Imagine that you have a list of IP Group definitions in a PowerShell variable:

$multipleIPGroups = @(
    @{
        Name              = "FirstIPGroup"
        Tag               = @{"Desc" = "My First IP Group"}
        ResourceGroupName = "rg-ipgroups-uks"
        Location          = "UK South"
        IpAddress         = @(
            "192.168.10.0/24",
            "10.10.10.0/24"
        )
    },
    @{
        Name              = "SecondIPGroup"
        Tag               = @{"Desc" = "My Second IP Group"}
        ResourceGroupName = "rg-ipgroups-uks"
        Location          = "UK South"
        IpAddress         = @(
            "192.168.20.0/24",
            "172.168.20.0/24"
        )
    }
)

As you can see, we have created a variable that contains multiple IP Groups. We will use that variable to create multiple IP Groups. Let's create multiple IP Groups.


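ForEach ($IPGroup in $multipleIPGroups) {

    try {
        Write-Output "Creating IP Group $($IPGroup.Name)"

        # -ErrorAction Stop turns non-terminating errors into terminating ones,
        # so a failed creation reaches the catch block instead of being silently ignored
        New-AzIpGroup @IPGroup -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Error "Error creating IP Group $($IPGroup.Name)"
        throw $_.Exception
    }

}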

Result of successful execution:

There are many ways to create multiple IP Groups; I just wanted to show you how to do it with a loop. You can also use ARM templates, Azure CLI, or any other method. You can extend the code to read the IP Group definitions from any source you want: a CSV file, a JSON file, or any other file format that contains IP Groups. This is very useful if you want to manage IP Groups in a centralized way.
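One way to drive the loop from a JSON file, as suggested above, with every entry checked before it reaches New-AzIpGroup, since whatever lands in an IP Group is later matched by firewall rules. This is an added example, not the author's code: Test-IpGroupEntry, $DryRun, the /8 minimum prefix and the sample JSON are assumptions, and it accepts only single IPv4 addresses and CIDR blocks like those used on this page.

```powershell
# Constructed sample definitions; in practice: $json = Get-Content .\ipgroups.json -Raw
$json = @'
[
  { "Name": "FirstIPGroup", "ResourceGroupName": "rg-ipgroups-uks", "Location": "UK South",
    "IpAddress": ["192.168.10.0/24", "10.10.10.0/24"] },
  { "Name": "SecondIPGroup", "ResourceGroupName": "rg-ipgroups-uks", "Location": "UK South",
    "IpAddress": ["192.168.20.0/24", "172.168.20.0/33", "0.0.0.0/0"] }
]
'@
$DryRun = $true   # assumption: set to $false to actually call New-AzIpGroup

# Hypothetical helper: returns $null for an acceptable entry, otherwise the reason it is rejected.
# MinPrefix is an assumed policy threshold, not an Azure limit.
function Test-IpGroupEntry {
    param([string]$Entry, [int]$MinPrefix = 8)
    $address, $prefix = $Entry -split '/', 2
    $ip = $null
    if ($address -notmatch '^(\d{1,3}\.){3}\d{1,3}$' -or
        -not [System.Net.IPAddress]::TryParse($address, [ref]$ip)) {
        return 'not a dotted-quad IPv4 address'
    }
    if ($null -eq $prefix) { return $null }   # single address without a prefix
    if ($prefix -notmatch '^\d{1,2}$' -or [int]$prefix -gt 32) { return 'invalid prefix length' }
    if ([int]$prefix -lt $MinPrefix) { return "prefix broader than /$MinPrefix" }
    return $null
}

foreach ($group in ($json | ConvertFrom-Json)) {
    # Collect every rejected entry so the whole group is reported at once
    $problems = foreach ($entry in $group.IpAddress) {
        $reason = Test-IpGroupEntry -Entry $entry
        if ($reason) { "$entry ($reason)" }
    }
    if ($problems) {
        Write-Warning "Skipping $($group.Name): $($problems -join '; ')"
        continue
    }
    $params = @{
        Name              = $group.Name
        ResourceGroupName = $group.ResourceGroupName
        Location          = $group.Location
        IpAddress         = @($group.IpAddress | Sort-Object -Unique)
    }
    if ($DryRun) {
        Write-Output "Would create $($params.Name): $($params.IpAddress -join ', ')"
    } else {
        New-AzIpGroup @params -ErrorAction Stop | Out-Null
    }
}
```

With the sample input, FirstIPGroup passes and SecondIPGroup is skipped with a warning naming the /33 and 0.0.0.0/0 entries.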

I have just attached a screenshot of the Azure Portal. You can see that we have created multiple IP Groups.

Thanks for reading this through. I hope you found this helpful. If you have any questions, please feel free to reach out to me.