diff --git a/avm/res/network/azure-firewall/CHANGELOG.md b/avm/res/network/azure-firewall/CHANGELOG.md
index 2c9f6c08d41..bc4224baa53 100644
--- a/avm/res/network/azure-firewall/CHANGELOG.md
+++ b/avm/res/network/azure-firewall/CHANGELOG.md
@@ -2,6 +2,16 @@ The latest version of the changelog can be found [here](https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/network/azure-firewall/CHANGELOG.md).
+## 0.8.2
+
+### Changes
+
+- Added `enableDnsProxy` parameter to support DNS proxy functionality on Azure Firewall. When enabled, the firewall acts as a DNS proxy and forwards DNS requests to configured DNS servers, which is required for network rules using FQDN destinations.
+
+### Breaking Changes
+
+- None
+
 ## 0.8.1
 ### Changes
diff --git a/avm/res/network/azure-firewall/README.md b/avm/res/network/azure-firewall/README.md
index 28396f4a07e..032cd1eed04 100644
--- a/avm/res/network/azure-firewall/README.md
+++ b/avm/res/network/azure-firewall/README.md
@@ -1919,6 +1919,7 @@ param virtualNetworkResourceId = ''
 | [`availabilityZones`](#parameter-availabilityzones) | array | The list of Availability zones to use for the zone-redundant resources. |
 | [`azureSkuTier`](#parameter-azureskutier) | string | Tier of an Azure Firewall. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
+| [`enableDnsProxy`](#parameter-enablednsproxy) | bool | Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers. |
 | [`enableForcedTunneling`](#parameter-enableforcedtunneling) | bool | Enable/Disable forced tunneling. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. |
@@ -2393,6 +2394,14 @@ Resource ID of the diagnostic log analytics workspace. For security reasons, it
 - Required: No
 - Type: string
+### Parameter: `enableDnsProxy`
+
+Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
 ### Parameter: `enableForcedTunneling`
 Enable/Disable forced tunneling.
diff --git a/avm/res/network/azure-firewall/main.bicep b/avm/res/network/azure-firewall/main.bicep
index 53d18408e81..4a4f7049aee 100644
--- a/avm/res/network/azure-firewall/main.bicep
+++ b/avm/res/network/azure-firewall/main.bicep
@@ -75,6 +75,9 @@ param availabilityZones int[] = [1, 2, 3]
 @description('Optional. Enable/Disable forced tunneling.')
 param enableForcedTunneling bool = false
+@description('Optional. Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers.')
+param enableDnsProxy bool = false
+
 import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingFullType[]?
@@ -294,6 +297,13 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {
 applicationRuleCollections: applicationRuleCollections ?? []
 natRuleCollections: natRuleCollections ?? []
 networkRuleCollections: networkRuleCollections ?? []
+...(enableDnsProxy
+ ? {
+ additionalProperties: {
+ 'Network.DNS.EnableProxy': 'true'
+ }
+ }
+ : {})
 }
 : {
 autoscaleConfiguration: {
@@ -315,6 +325,13 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {
 id: virtualHubResourceId
 }
 : null
+...(enableDnsProxy
+ ? {
+ additionalProperties: {
+ 'Network.DNS.EnableProxy': 'true'
+ }
+ }
+ : {})
 }
 }
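Review bot: The `@description` added for `enableDnsProxy` in the -75 hunk says the firewall "forward[s] DNS requests to the configured DNS servers", but the module only ever sets `Network.DNS.EnableProxy` and offers no parameter that populates `Network.DNS.Servers`, so nothing in this module lets a caller configure those servers and the proxy presumably falls back to the platform default resolver. Since the same sentence is copied into README.md and CHANGELOG.md, the wording should match what the code does, e.g. `@description('Optional. Enable/Disable DNS proxy. When enabled, the firewall answers DNS queries from its clients itself, which is required for network rules that use FQDN destinations; custom upstream DNS servers are not configurable through this module.')`, or a companion `dnsServers` parameter that feeds `Network.DNS.Servers` should be added so the description becomes true.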
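Review bot: The `additionalProperties` spread added in the -294 hunk (and duplicated in the -315 hunk) is a per-firewall setting that, as far as I know, is honoured only for classic rule-collection deployments; when a Firewall Policy is attached via the module's existing `firewallPolicyId`, DNS proxy is governed by the policy's `dnsSettings` and `enableDnsProxy: true` would silently deploy with the proxy off while the caller's FQDN network rules assume it is on. The -315 branch is the virtual-hub deployment, which to my understanding is always policy-driven, so the spread there is the case most likely to never take effect — worth confirming against the resource provider and either documenting the restriction in the parameter description or surfacing the mismatch instead of ignoring it. The two identical seven-line blocks could also be hoisted to one `var dnsProxyProperties = enableDnsProxy ? { additionalProperties: { 'Network.DNS.EnableProxy': 'true' } } : {}` and spread as `...dnsProxyProperties` in both branches. The enclosing `azureFirewall` resource starts before the -294 hunk and its closing lines in the -315 hunk may extend past what is shown here.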
diff --git a/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep
index 3440dec8620..f8a91adba02 100644
--- a/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep
+++ b/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep
@@ -52,6 +52,7 @@ module testDeployment '../../../main.bicep' = [
 params: {
 name: '${namePrefix}${serviceShort}001'
 azureSkuTier: 'Basic'
+enableDnsProxy: true
 virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
 location: resourceLocation
 threatIntelMode: 'Deny'
diff --git a/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep
index 9fff8069493..d2661b50b2a 100644
--- a/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep
+++ b/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep
@@ -207,6 +207,7 @@ module testDeployment '../../../main.bicep' = [
 principalType: 'ServicePrincipal'
 }
 ]
+enableDnsProxy: true
 availabilityZones: [
 1
 2