IP Groups in Azure Firewall
If you are planning on using Azure Firewall, you will definitely want to start using IP Groups. They make your life much easier and save a lot of time on future changes, because they let you group and manage the IP addresses used in Azure Firewall rules in one place.
IP groups can be used in the following places:
- Source address in network rules
- Source address in DNAT rules
- Source address in application rules
- Destination address in network rules
An IP Group can contain the following:
- Single IP address (example: 192.168.1.1)
- Multiple IP addresses
- IP Address ranges (example: 10.1.0.0-10.1.255.255 or 10.2.0.0/24)
- Multiple IP ranges
- Combinations of the above
IP Groups can be reused in Azure Firewall DNAT, network, and application rules for multiple firewalls across regions and subscriptions in Azure. Group names must be unique. You can configure an IP Group in the Azure portal, Azure CLI, or REST API.
Create IP Group (Azure Portal)
In the Azure Portal, go to IP Groups (use the search bar if it is not listed among your recently used services).
On the IP Groups page, click Create.
Fill in the name of your desired IP Group
Now fill in the IP Addresses that you want to assign to this group
Review the ranges that you’ve entered
Once the deployment has finished, you can go to your Azure Firewall and select the newly created IP Group.
Create IP Group (PowerShell)
If you want to automate the creation of IP Groups, you can use the following command to create an IP Group:
# Collect the parameters for New-AzIpGroup in a hashtable and splat them into the cmdlet.
# Requires the Az.Network module and a signed-in session (Connect-AzAccount).
$ipGroup = @{
    Name              = '2Azure-Demo-IP-Group'   # IP Group names allow letters, digits, underscores, periods and hyphens only (no spaces)
    ResourceGroupName = 'Firewall'
    Location          = 'West Europe'
    IpAddress         = @('10.2.0.0/24', '192.168.1.1')   # CIDR prefixes and single addresses can be mixed
}
New-AzIpGroup @ipGroup
IP address limits
You can have a maximum of 200 IP Groups per firewall, with a maximum of 5000 individual IP addresses or IP prefixes in each IP Group.
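To tie the pieces above together (an IP Group as the source of a rule, creating the group from PowerShell, and staying under the per-group limit), here is an added example that is not part of the original post. It validates a constructed list of entries locally, creates the group with New-AzIpGroup, and then references it by resource ID as the source of a network rule in an Azure Firewall Policy. The resource group, location, policy name, destination address, priorities and rule names are assumptions; run it in a session that is already signed in with Connect-AzAccount.

```powershell
# Added example, not from the original post. Assumed names are marked as such.
$resourceGroup = 'Firewall'          # assumed resource group
$location      = 'West Europe'
$groupName     = 'onprem-clients'    # assumed; must be unique, no spaces
$policyName    = 'Demo-Policy'       # assumed existing Azure Firewall Policy
$maxEntries    = 5000                # per-IP-Group limit stated in the post

# Constructed sample input: a CIDR prefix, a single host and an address range.
$addresses = @('10.2.0.0/24', '192.168.1.1', '10.1.0.0-10.1.255.255')

# Check each entry locally before calling Azure: an IPv4 address with an
# optional /prefix or -end-address. This catches typos before deployment.
$octet   = '(?:25[0-5]|2[0-4]\d|1?\d?\d)'
$ipv4    = "${octet}(?:\.${octet}){3}"
$pattern = "^${ipv4}(?:/(?:3[0-2]|[12]?\d)|-${ipv4})?$"
$invalid = @($addresses | Where-Object { $_ -notmatch $pattern })
if ($invalid.Count -gt 0) {
    throw "Invalid IP Group entries: $($invalid -join ', ')"
}
if ($addresses.Count -gt $maxEntries) {
    throw "IP Group would hold $($addresses.Count) entries; the limit is $maxEntries per group"
}

# Create the IP Group (same cmdlet the post uses).
$ipGroup = New-AzIpGroup -Name $groupName -ResourceGroupName $resourceGroup `
    -Location $location -IpAddress $addresses

# Reference the group's resource ID as the source of a network rule. The rule
# only allows DNS from those clients to one assumed resolver address.
$rule = New-AzFirewallPolicyNetworkRule -Name 'Allow-OnPrem-DNS' `
    -SourceIpGroup $ipGroup.Id `
    -DestinationAddress '10.0.0.4' `
    -DestinationPort 53 `
    -Protocol 'UDP', 'TCP'

$collection = New-AzFirewallPolicyFilterRuleCollection -Name 'OnPrem-Allow' `
    -Priority 200 -ActionType 'Allow' -Rule $rule

# Attach the collection to the policy as a new rule collection group.
$policy = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $resourceGroup
New-AzFirewallPolicyRuleCollectionGroup -Name 'OnPrem-RCG' -Priority 300 `
    -RuleCollection $collection -FirewallPolicyObject $policy
```

The regular-expression check is only a local pre-flight; Azure still validates every entry on the service side when the group is created. Because the rule refers to the group by ID rather than by copying its addresses, later changes to the IP Group apply to every rule and firewall that references it.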