Quick tip: Runbook script to start and stop your Azure Firewall

If you are trying to save money on your Azure subscription, the best way is to stop the resources you are not using. In this blog post, we are going over a simple script that can be used as an Azure runbook to manage your Azure Firewall.

Unfortunately, the Azure Portal has no such option, and at this time there is no simple cmdlet such as Start-AzFirewall available: the process takes more steps than that.

This script to manage your Azure Firewall uses four parameters; the last two are used only during the start operation.

  • Operation: Has two possible values, on or off.
  • ResourceGroup: The script will look for the Firewall only in that resource group. If it is not specified, then all Azure Firewalls in your subscription will be used (be careful!).
  • FWPublicIPName: The public IP resource used by the firewall. If no value is provided, the default azureFirewalls-ip will be used.
  • VNETName: The virtual network where the Azure Firewall is attached.

I am placing the script in this blog, but I recommend you get the latest version in GitHub, which can be found here.

#
# Script: AzFwMaintenance.ps1
# Script by Anderson Patricio (AP6) https://github.com/andersonPatricio
#
param (
    # Only the two documented values are accepted (case-insensitive)
    [ValidateSet("On", "Off")]
    [string]$Operation = "Off",
    [string]$ResourceGroup = "",
    [string]$FWPublicIPName = "azureFirewalls-ip",
    # Replace the placeholder with your virtual network name
    [string]$VNETName = '<VNET-Name>'
)
# Validating parameters...
If (!$VNETName) {
    $VNETName = Read-Host -Prompt "Please provide the Virtual Network Name (VNET) or Ctrl+C to abort?"
}

# Importing Az modules...
Import-Module Az.Resources
Import-Module Az.Network

#
# Script body
#
If (!$ResourceGroup) {
    Write-Host -ForegroundColor Yellow "Resource Group was not specified, the script will run in the entire subscription!"
    $fws = Get-AzResource -ResourceType 'Microsoft.Network/azureFirewalls'
} Else {
    $fws = Get-AzResource -ResourceType 'Microsoft.Network/azureFirewalls' -ResourceGroupName $ResourceGroup
}
If (-not $fws) {
    Write-Output "The Runbook could not find any Azure Firewall on the $ResourceGroup specified."
    Exit
} Else {
    Write-Output "We have found Azure Firewalls. We are going to validate and if doable we will take them $Operation."
}

If ($Operation -eq "on") {
    Write-Output "Starting the Azure Firewall(s)..."
    ForEach ($fw in $fws) {
        Write-Output $fw.Name
        # Use each firewall's own resource group so the calls also work when
        # -ResourceGroup was not specified. The public IP and the VNET are
        # looked up in that same resource group.
        $azfw = Get-AzFirewall -Name $fw.Name -ResourceGroupName $fw.ResourceGroupName
        $vPublicIP = Get-AzPublicIpAddress -Name $FWPublicIPName -ResourceGroupName $fw.ResourceGroupName
        $vnet = Get-AzVirtualNetwork -ResourceGroupName $fw.ResourceGroupName -Name $VNETName
        # Re-attach the firewall to the VNET and public IP, then commit the change
        $azfw.Allocate($vnet, $vPublicIP)
        Set-AzFirewall -AzureFirewall $azfw
    }
} Else {
    Write-Output 'Stopping the Azure Firewall(s)...'
    ForEach ($fw in $fws) {
        Write-Output "Stopping $($fw.Name)"
        $azfw = Get-AzFirewall -Name $fw.Name -ResourceGroupName $fw.ResourceGroupName
        # Release the firewall's IP configuration, then commit the change
        $azfw.Deallocate()
        Set-AzFirewall -AzureFirewall $azfw
    }
}
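
A check a runbook could run after the script above, as an added example that is not part of AzFwMaintenance.ps1 or the author's GitHub version: it reports whether each firewall is allocated and returns any whose state does not match the requested operation. The function names and sample objects are hypothetical, and it assumes VNet-based firewalls, where Deallocate() leaves IpConfigurations empty.

```powershell
# Added example; function names are hypothetical, not part of AzFwMaintenance.ps1.
# Assumption: for a VNet-based Azure Firewall, Deallocate() leaves the
# IpConfigurations collection empty and Allocate() repopulates it.

function Get-FirewallAllocationState {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Firewall
    )
    process {
        # Filter out $null so a missing collection counts as zero, not one.
        $ipConfigs = @($Firewall.IpConfigurations | Where-Object { $null -ne $_ })
        [pscustomobject]@{
            Name              = $Firewall.Name
            ResourceGroupName = $Firewall.ResourceGroupName
            State             = if ($ipConfigs.Count -gt 0) { 'Allocated' } else { 'Deallocated' }
        }
    }
}

function Get-FirewallStateMismatch {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$Operation,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Firewall
    )
    $expected = if ($Operation -eq 'On') { 'Allocated' } else { 'Deallocated' }
    # Return only the firewalls that did not end up in the requested state.
    $Firewall | Get-FirewallAllocationState | Where-Object { $_.State -ne $expected }
}

# Constructed sample objects standing in for Get-AzFirewall output (offline run).
$sample = @(
    [pscustomobject]@{ Name = 'fw-hub-01'; ResourceGroupName = 'rg-network'
                       IpConfigurations = @([pscustomobject]@{ Name = 'ipconfig1' }) }
    [pscustomobject]@{ Name = 'fw-lab-01'; ResourceGroupName = 'rg-lab'
                       IpConfigurations = @() }
)

# Check the sample against a requested "Off" operation and warn on any mismatch.
$mismatch = Get-FirewallStateMismatch -Operation Off -Firewall $sample
$mismatch | ForEach-Object { Write-Warning "$($_.Name) is $($_.State) after operation 'Off'" }

# In a runbook, pass live objects instead:
#   Get-FirewallStateMismatch -Operation $Operation -Firewall (Get-AzFirewall -ResourceGroupName $ResourceGroup)
```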
