title | description | services | author | ms.service | ms.topic | ms.date | ms.author |
---|---|---|---|---|---|---|---|
IP Groups in Azure Firewall | IP groups allow you to group and manage IP addresses for Azure Firewall rules. | firewall | vhorne | firewall | conceptual | 04/06/2020 | victorh |
Important
This public preview is provided without a service level agreement and should not be used for production workloads. Certain features may not be supported, may have constrained capabilities, or may not be available in all Azure locations. See the Supplemental Terms of Use for Microsoft Azure Previews for details.
IP Groups allow you to group and manage IP addresses for Azure Firewall rules in the following ways:
- As a source address in DNAT rules
- As a source or destination address in network rules
- As a source address in application rules
An IP Group can have a single IP address, multiple IP addresses, or one or more IP address ranges.
IP Groups can be reused in Azure Firewall DNAT, network, and application rules for multiple firewalls across regions and subscriptions in Azure. Group names must be unique. You can configure an IP Group in the Azure portal, Azure CLI, or REST API. A sample template is provided to help you get started.
The following IPv4 address format examples are valid to use in IP Groups:
- Single address: 10.0.0.0
- CIDR notation: 10.1.0.0/32
- Address range: 10.2.0.0-10.2.0.31
An IP Group can be created using the Azure portal, Azure CLI, or REST API. For more information, see Create an IP Group (preview).
- In the Azure portal search bar, type IP Groups and select it. You can see the list of the IP Groups, or you can select Add to create a new IP Group.
- Select an IP Group to open the overview page. You can edit, add, or delete IP addresses or IP Groups.
You can see all the IP addresses in the IP Group and the rules or resources that are associated with it. To delete an IP Group, you must first dissociate the IP Group from the resource that is using it.
- To view or edit the IP addresses, select IP Addresses under Settings on the left pane.
- To add a single or multiple IP address(es), select Add IP Addresses. This opens the Drag or Browse page for an upload, or you can enter the address manually.
- Select the ellipses (…) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select Edit or Delete at the top.
- Finally, you can export the file in the CSV file format.
Note
If you delete all the IP addresses in an IP Group while it is still in use in a rule, that rule is skipped.
You can now select IP Group as a Source type or Destination type for the IP address(es) when you create Azure Firewall DNAT, application, or network rules.
Note
IP Groups are not supported in Firewall Policy. They are currently supported only with traditional firewall rules.
IP Groups are available in all public cloud regions.
For 50 IP Groups or fewer, you can have a maximum of 5000 individual IP addresses each per firewall instance. For 51 to 100 IP Groups, you can have 500 individual IP addresses each per firewall instance.
IP Groups | # IP addresses | Notation | Rule |
---|---|---|---|
IPGroup1 | 4096 | 10.0.0.0/20 | Rule1 |
IPGroup2 | 3 | 196.0.0.0 - 196.0.0.2 | Rule1 |
IPGroup3 | 1 | 1.2.3.4 | Rule1 |
Total 4100 |
IP Groups | # IP addresses | Notation | Rule |
---|---|---|---|
IPGroup1 | 4096 | 10.0.0.0/20 | Rule1 |
IPGroup2 | 4096 | 11.0.0.0/20 | Rule1 |
Total 8192 |
IP Groups | # IP addresses | Notation | Rule |
---|---|---|---|
IPGroup1 | 8192 | 10.0.0.0/20, 11.0.0.0/20 | Rule1 |
Total 8192 |
IP Groups | # IP addresses | Notation | Rule |
---|---|---|---|
IPGroup1 | 4096 | 10.0.0.0/20 | Rule1 |
IPGroup2 | 4096 | 11.0.0.0/20 | Rule2 |
Total 8192 |
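A pre-deployment check for the address formats and limits described above, as an added example that is not part of the original article or of Microsoft's tooling. It assumes the limits are per-group caps (5000 addresses per group with 50 or fewer IP Groups, 500 with 51 to 100); the function names and the `SAMPLE` input are constructed for illustration.

```python
import ipaddress

# Assumption: the limits above are per-group caps that depend on how many
# IP Groups the firewall references (<=50 groups: 5000 each; 51-100: 500 each).
def per_group_cap(group_count):
    if group_count <= 50:
        return 5000
    if group_count <= 100:
        return 500
    raise ValueError("more than 100 IP Groups is outside the documented limits")

def count_entry(entry):
    """Count the IPv4 addresses covered by one IP Group entry."""
    entry = entry.strip()
    if "/" in entry:  # CIDR notation; strict mode rejects stray host bits
        return ipaddress.IPv4Network(entry, strict=True).num_addresses
    if "-" in entry:  # address range, inclusive on both ends
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {entry}")
        return int(last) - int(first) + 1
    ipaddress.IPv4Address(entry)  # single address; raises if malformed
    return 1

def check_groups(groups):
    """Return {group name: (address count, within cap?)} for one firewall.

    Overlapping entries inside a group are counted twice, which errs on the
    side of flagging a group rather than passing it.
    """
    cap = per_group_cap(len(groups))
    report = {}
    for name, entries in groups.items():
        total = sum(count_entry(e) for e in entries)
        report[name] = (total, total <= cap)
    return report

# Constructed input mirroring the notations used in the tables above.
SAMPLE = {
    "IPGroup1": ["10.0.0.0/20"],
    "IPGroup2": ["196.0.0.0 - 196.0.0.2"],
    "IPGroup3": ["1.2.3.4"],
    "Combined": ["10.0.0.0/20", "11.0.0.0/20"],
}

if __name__ == "__main__":
    for name, (total, ok) in check_groups(SAMPLE).items():
        print(f"{name}: {total} addresses, {'ok' if ok else 'over cap'}")
```

Running the same check over a CSV exported from the portal before widening a group shows how many addresses a rule will actually match.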
The following Azure PowerShell cmdlets can be used to create and manage IP Groups:
- New-AzIpGroup
- Remove-AzIPGroup
- Get-AzIpGroup
- Set-AzIpGroup
- New-AzFirewallNetworkRule
- New-AzFirewallApplicationRule
- New-AzFirewallNatRule
- Learn how to deploy and configure an Azure Firewall.