Using New-AzFirewallNetworkRule with multiple ports or IP ranges
When creating an Azure Firewall network rule with multiple ports or IP ranges using the PowerShell New-AzFirewallNetworkRule
cmdlet (Az module), you may get an error like this:
Invalid IP address value or range or Service Tag 192.168.64.0/18,10.1.0.0/16.
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallRuleInvalidIpAddressOrRangeFormat
or
Invalid port value or range. User ports must be in [1, 65535]
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallRuleInvalidPortOrRangeFormat
Both messages come from passing the Source Address or Destination Port as a single comma-delimited string, the way you would type it in the Azure Portal. The service then tries to parse "192.168.64.0/18,10.1.0.0/16" as one prefix and "139,445,80" as one port, and rejects the request with HTTP 400. The incorrect code looks like this:
#Incorrect Code
$netRule = New-AzFirewallNetworkRule `
-Name "FirewallRule1" -Description "Rule for HTTP,SMB traffic" `
-Protocol "TCP" `
-SourceAddress "192.168.64.0/18,10.1.0.0/16" `
-DestinationAddress "172.20.1.1/28" `
-DestinationPort "139,445,80"
However, the -SourceAddress, -DestinationAddress and -DestinationPort parameters are typed as string arrays, so the cmdlet wants an array of strings rather than one comma-delimited string: ("192.168.64.0/18","10.1.0.0/16") rather than "192.168.64.0/18,10.1.0.0/16". In PowerShell it is the comma between the quoted values that builds the array; the parentheses only group it so the parser does not treat the second value as the next parameter. Ports work the same way: pass ("139","445","80"), one element per port, and write a contiguous range as a single element such as "8000-8999". The corrected version of the above code snippet is as follows:
#Corrected Code
$netRule = New-AzFirewallNetworkRule `
-Name "FirewallRule1" -Description "Rule for HTTP,SMB traffic" `
-Protocol "TCP" `
-SourceAddress ("192.168.64.0/18","10.1.0.0/16") `
-DestinationAddress "172.20.1.1/28" `
-DestinationPort ("139","445","80")
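The following is an added example, not code from the original post. It converts portal-style comma-delimited strings into the arrays the cmdlets expect, checks that the rule object really holds one entry per value before anything is sent to Azure, and then deploys the rule the way Azure Firewall requires: inside a network rule collection attached to an existing firewall. The helper name ConvertTo-FirewallValueArray, the collection name, and the firewall and resource group names are placeholders chosen for this example.

```powershell
# Added example (not from the original post): build the rule from portal-style
# comma-delimited strings, verify it, and attach it to an existing Azure Firewall.
# The helper below and the resource names are assumptions for illustration.

# Convert "a,b,c" into the string[] the Az cmdlets expect. Whitespace around each
# entry is trimmed and empty entries are dropped, so "192.168.64.0/18, 10.1.0.0/16"
# and "80,443," both yield clean arrays instead of a single string with commas.
function ConvertTo-FirewallValueArray {
    param([Parameter(Mandatory)][string]$Value)
    [string[]]($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$sources = ConvertTo-FirewallValueArray "192.168.64.0/18,10.1.0.0/16"
$ports   = ConvertTo-FirewallValueArray "139,445,80"

# Splatting keeps the array parameters readable and avoids back-tick continuations.
$ruleParams = @{
    Name               = "FirewallRule1"
    Description        = "Rule for HTTP,SMB traffic"
    Protocol           = "TCP"
    SourceAddress      = $sources
    DestinationAddress = "172.20.1.1/28"
    DestinationPort    = $ports
}
$netRule = New-AzFirewallNetworkRule @ruleParams

# Sanity check before touching the firewall: the rule object must carry one array
# element per value. A single comma-joined string would show a Count of 1 here and
# would be rejected by the service with the 400 errors quoted above.
if ($netRule.SourceAddresses.Count -ne 2 -or $netRule.DestinationPorts.Count -ne 3) {
    throw "Rule values were not split into arrays: sources=$($netRule.SourceAddresses.Count) ports=$($netRule.DestinationPorts.Count)"
}

# Network rules are deployed inside a rule collection, which carries the action and priority.
$collection = New-AzFirewallNetworkRuleCollection -Name "NetRuleCollection1" -Priority 200 `
    -Rule $netRule -ActionType "Allow"

# Placeholder names for an existing (classic-rules) firewall; substitute your own.
$azFw = Get-AzFirewall -Name "MyFirewall" -ResourceGroupName "MyResourceGroup"
$azFw.NetworkRuleCollections.Add($collection)
Set-AzFirewall -AzureFirewall $azFw
```

The Count check is worth keeping in any script that takes addresses or ports from a file, pipeline variable or user input: the failure surfaces locally with a clear message instead of as an opaque Bad Request from the service. Note that this flow applies to firewalls using classic rules; a firewall governed by an Azure Firewall Policy takes its rules through the policy cmdlets instead, and the array-vs-string requirement for addresses and ports is the same there.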