Blog Post

Azure Network Security Blog
4 MIN READ

Runbook to manage Azure Firewall Back ups

tobiotolorin's avatar
tobiotolorin
Icon for Microsoft rankMicrosoft
Jan 19, 2022
Azure Firewall is a managed stateful network security service that recently became generally available for premium features across most Azure regions, providing capabilities such as TLS inspection, U...
Updated Jan 28, 2022
Version 3.0
azure firewall
azure firewall manager
azure network security
Jmudhar90's avatar
Jmudhar90
Copper Contributor
Apr 04, 2024

Hello, 

 

I have managed to update the script and got it working. 

 

Azure Run As account has been retired so Managed Identities System Assigned is being used. I also added a Contributor Role Assignments in Identity within the Automation Account. 

 

Please use the following: 

 

<#

****************************************************************************************************************************
This Azure Automation runbook automates Azure Firewall backups. It takes snapshots at different instances or schedules and 
saves them to a Blob storage container. It also deletes old backups from blob storage.
****************************************************************************************************************************

.DESCRIPTION
    You should use this Runbook if you want to manage Azure Firewall backups in Blob storage or just want to export the current configuration. It
    works as a power runbook.
    
#>

param(
    [parameter(Mandatory=$true)]
    [String] $ResourceGroupName,
    [parameter(Mandatory=$true)]
    [String] $AzureFirewallName,
    [parameter(Mandatory=$true)]
    [String] $AzureFirewallPolicy,
    [parameter(Mandatory=$true)]
    [String]$StorageAccountName,
    [parameter(Mandatory=$true)]
    [String]$StorageKey,
    [parameter(Mandatory=$true)]
    [string]$BlobContainerName,
    [parameter(Mandatory=$true)]
    [Int32]$RetentionDays
)

$ErrorActionPreference = 'stop'

function Login() {
    $connectionName = "AzureRunAsConnection"
    try {
        # Connect using Managed Identity
        Write-Verbose "Connecting to Azure with Managed Identity..." -Verbose
        Connect-AzAccount -Identity

        # Example of using Service Principal
        # $servicePrincipalCredentials = Get-Credential
        # $null = Connect-AzAccount -ServicePrincipal -Credential $servicePrincipalCredentials
    }
    catch {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

function Create-newContainer([string]$blobContainerName$storageContext) {
    Write-Verbose "Creating '$blobContainerName' blob container space for storage..." -Verbose
    if (Get-AzureStorageContainer -ErrorAction "Stop" -Context $storageContext | Where-Object { $_.Name -eq $blobContainerName }) {
        Write-Verbose "Container '$blobContainerName' already exists" -Verbose
    } else {
        New-AzureStorageContainer -ErrorAction "Stop" -Name $blobContainerName -Permission Off -Context $storageContext
        Write-Verbose "Container '$blobContainerName' created" -Verbose
    }
}

function Export-To-Storageaccount([string]$resourceGroupName, [string]$AzureFirewallName, [string]$storageKey, [string]$blobContainerName,$storageContext) {
    Write-Verbose "Starting Azure Firewall current configuration export in json..." -Verbose
    try {
        $BackupFilename = $AzureFirewallName + (Get-Date).ToString("yyyyMMddHHmm") + ".json"
        $BackupFilePath = ($env:TEMP + "\" + $BackupFilename)
        $AzureFirewallId = (Get-AzFirewall -Name $AzureFirewallName -ResourceGroupName $resourceGroupName).id
        $FirewallPolicyID = (Get-AzFirewallPolicy -Name $AzureFirewallPolicy -ResourceGroupName $resourceGroupName).id
        Export-AzResourceGroup -ResourceGroupName $resourceGroupName -SkipAllParameterization -Resource @($AzureFirewallId$FirewallPolicyID) -Path $BackupFilePath
        #Export value and store with name created
        Write-Output "Submitting request to dump Azure Firewall configuration"
        $blobname = $BackupFilename
        $output = Set-AzureStorageBlobContent -File $BackupFilePath -Blob $blobname -Container $blobContainerName -Context $storageContext -Force -ErrorAction stop
    }
    #send out message if backup fails
    catch {
        $ErrorMessage = "BackUp not created. Please check the input values."
        throw $ErrorMessage
    }
}

function Remove-Older-Backups([int]$retentionDays, [string]$blobContainerName$storageContext) {
    Write-Output "Removing backups older than '$retentionDays' days from blob: '$blobContainerName'"
    $isOldDate = [DateTime]::UtcNow.AddDays(-$retentionDays)
    $blobs = Get-AzureStorageBlob -Container $blobContainerName -Context $storageContext
    foreach ($blob in ($blobs | Where-Object { $_.LastModified.UtcDateTime -lt $isOldDate -and $_.BlobType -eq "BlockBlob" })) {
        Write-Verbose ("Removing blob: " + $blob.Name) -Verbose
        Remove-AzureStorageBlob -Blob $blob.Name -Container $blobContainerName -Context $storageContext
    }
}

Write-Verbose "Starting database backup..." -Verbose

$StorageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageKey

#login to Azure
Login
Import-Module Az.Network
Import-Module Az.Resources

Create-newContainer `
    -blobContainerName $blobContainerName `
    -storageContext $storageContext
    
Export-To-Storageaccount `
    -resourceGroupName $ResourceGroupName `
    -AzureFirewallName $AzureFirewallName `
    -storageKey $StorageKey `
    -blobContainerName $BlobContainerName `
    -storageContext $storageContext
    
Remove-Older-Backups `
    -retentionDays $RetentionDays `
    -storageContext $StorageContext `
    -blobContainerName $BlobContainerName
    
Write-Verbose "Azure Firewall current configuration back up completed." -Verbose