你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
New-AzFirewall
Creates a new Firewall in a resource group.
Syntax
New-AzFirewall
-Name <String>
-ResourceGroupName <String>
-Location <String>
[-PublicIpAddress <PSPublicIpAddress[]>]
[-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
[-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
[-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>]
[-PrivateRange <String[]>]
[-EnableDnsProxy]
[-DnsServer <String[]>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-Zone <String[]>]
[-SkuName <String>]
[-SkuTier <String>]
[-VirtualHubId <String>]
[-HubIPAddress <PSAzureFirewallHubIpAddresses>]
[-FirewallPolicyId <String>]
[-AllowActiveFTP]
[-EnableFatFlowLogging]
[-EnableUDPLogOptimization]
[-RouteServerId <String>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-AzFirewall
-Name <String>
-ResourceGroupName <String>
-Location <String>
-VirtualNetworkName <String>
[-PublicIpName <String>]
[-PublicIpAddress <PSPublicIpAddress[]>]
[-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
[-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
[-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>]
[-PrivateRange <String[]>]
[-EnableDnsProxy]
[-DnsServer <String[]>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-Zone <String[]>]
[-SkuName <String>]
[-SkuTier <String>]
[-VirtualHubId <String>]
[-HubIPAddress <PSAzureFirewallHubIpAddresses>]
[-FirewallPolicyId <String>]
[-AllowActiveFTP]
[-EnableFatFlowLogging]
[-EnableUDPLogOptimization]
[-RouteServerId <String>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-AzFirewall
-Name <String>
-ResourceGroupName <String>
-Location <String>
-VirtualNetwork <PSVirtualNetwork>
[-PublicIpAddress <PSPublicIpAddress[]>]
[-ManagementPublicIpAddress <PSPublicIpAddress>]
[-ApplicationRuleCollection <PSAzureFirewallApplicationRuleCollection[]>]
[-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
[-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>]
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>]
[-PrivateRange <String[]>]
[-EnableDnsProxy]
[-DnsServer <String[]>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-Zone <String[]>]
[-SkuName <String>]
[-SkuTier <String>]
[-VirtualHubId <String>]
[-HubIPAddress <PSAzureFirewallHubIpAddresses>]
[-FirewallPolicyId <String>]
[-AllowActiveFTP]
[-EnableFatFlowLogging]
[-EnableUDPLogOptimization]
[-RouteServerId <String>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The New-AzFirewall cmdlet creates an Azure Firewall.
Examples
Example 1: Create a Firewall attached to a virtual network
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. Since no rules were specified, the firewall will block all traffic (default behavior). Threat Intel will also run in default mode - Alert - which means malicious traffic will be logged, but not denied.
Example 2: Create a Firewall which allows all HTTPS traffic
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "https:443" -TargetFqdn "*"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection
This example creates a Firewall which allows all HTTPS traffic on port 443. Threat Intel will run in default mode - Alert - which means malicious traffic will be logged, but not denied.
Example 3: DNAT - redirect traffic destined to 10.1.2.3:80 to 10.2.3.4:8080
$rule = New-AzFirewallNatRule -Name "natRule" -Protocol "TCP" -SourceAddress "*" -DestinationAddress "10.1.2.3" -DestinationPort "80" -TranslatedAddress "10.2.3.4" -TranslatedPort "8080"
$ruleCollection = New-AzFirewallNatRuleCollection -Name "NatRuleCollection" -Priority 1000 -Rule $rule
New-AzFirewall -Name "azFw" -ResourceGroupName "rg" -Location centralus -NatRuleCollection $ruleCollection -ThreatIntelMode Off
This example created a Firewall which translated the destination IP and port of all packets destined to 10.1.2.3:80 to 10.2.3.4:8080 Threat Intel is turned off in this example.
Example 4: Create a Firewall with no rules and with Threat Intel in Alert mode
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ThreatIntelMode Alert
This example creates a Firewall which blocks all traffic (default behavior) and has Threat Intel running in Alert mode. This means alerting logs are emitted for malicious traffic before applying the other rules (in this case just the default rule - Deny All)
Example 5: Create a Firewall which allows all HTTP traffic on port 8080, but blocks malicious domains identified by Threat Intel
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "http:8080" -TargetFqdn "*"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection -ThreatIntelMode Deny
This example creates a Firewall which allows all HTTP traffic on port 8080 unless it is considered malicious by Threat Intel. When running in Deny mode, unlike Alert, traffic considered malicious by Threat Intel is not just logged, but also blocked.
Example 6: Create a Firewall with no rules and with availability zones
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetworkName $vnet.Name -PublicIpName $pip.Name -Zone 1,2,3
This example creates a Firewall with all available availability zones.
Example 7: Create a Firewall with two or more Public IP Addresses
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -Name "vnet" -ResourceGroupName $rgName
$pip1 = New-AzPublicIpAddress -Name "AzFwPublicIp1" -ResourceGroupName "rg" -Sku "Basic" -Tier "Regional" -Location "centralus" -AllocationMethod Static
$pip2 = New-AzPublicIpAddress -Name "AzFwPublicIp2" -ResourceGroupName "rg" -Sku "Basic" -Tier "Regional" -Location "centralus" -AllocationMethod Static
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress @($pip1, $pip2)
This example creates a Firewall attached to virtual network "vnet" with two public IP addresses.
Example 8: Create a Firewall which allows MSSQL traffic to specific SQL database
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "mssql:1433" -TargetFqdn "sql1.database.windows.net"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ApplicationRuleCollection $ruleCollection -ThreatIntelMode Deny
This example creates a Firewall which allows MSSQL traffic on standard port 1433 to SQL database sql1.database.windows.net.
Example 9: Create a Firewall attached to a virtual hub
$rgName = "resourceGroupName"
$fp = Get-AzFirewallPolicy -ResourceGroupName $rgName -Name "fp"
$fpId = $fp.Id
$vHub = Get-AzVirtualHub -Name "hub"
$vHubId = $vHub.Id
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -SkuName AZFW_Hub -VirtualHubId $vHubId -FirewallPolicyId -$fpId
This example creates a Firewall attached to virtual hub "vHub". A firewall policy $fp will be attached to the firewall. This firewall allows/denies the traffic based on the rules mentioned in the firewall policy $fp. The virtual hub and the firewall should be in the same regions.
Example 10: Create a Firewall with threat intelligence allowlist setup
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$tiWhitelist = New-AzFirewallThreatIntelWhitelist -FQDN @("www.microsoft.com") -IpAddress @("8.8.8.8")
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ThreatIntelWhitelist $tiWhitelist
This example creates a Firewall that allowlists "www.microsoft.com" and "8.8.8.8" from threat intelligence
Example 11: Create a Firewall with customized private range setup
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -PrivateRange @("99.99.99.0/24", "66.66.0.0/16")
This example creates a Firewall that treats "99.99.99.0/24" and "66.66.0.0/16" as private ip ranges and won't snat traffic to those addresses
Example 12: Create a Firewall with a management subnet and Public IP address
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$mgmtPip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "managementPublicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -ManagementPublicIpAddress $mgmtPip
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. Since no rules were specified, the firewall will block all traffic (default behavior). Threat Intel will also run in default mode - Alert - which means malicious traffic will be logged, but not denied.
To support "forced tunneling" scenarios, this firewall will use the subnet "AzureFirewallManagementSubnet" and the management public IP address for its management traffic
Example 13: Create a Firewall with Firewall Policy attached to a virtual network
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
$fp = Get-AzFirewallPolicy -ResourceGroupName $rgName -Name "fp"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $fp
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. The rules and threat intelligence that will be applied to the firewall will be taken from the firewall policy
Example 14: Create a Firewall with DNS Proxy and DNS Servers
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -DnsServer @("10.10.10.1", "20.20.20.2")
This example creates a Firewall attached to virtual network "vnet" in the same resource group as the firewall. DNS Proxy is enabled for this firewall and 2 DNS Servers are provided. Also Require DNS Proxy for Network rules is set so if there are any Network rules with FQDNs then DNS proxy will be used for them too.
Example 15: Create a Firewall with multiple IPs. The Firewall can be associated with the Virtual Hub
$rgName = "resourceGroupName"
$vHub = Get-AzVirtualHub -Name "hub"
$vHubId = $vHub.Id
$fwpips = New-AzFirewallHubPublicIpAddress -Count 2
$hubIpAddresses = New-AzFirewallHubIpAddress -PublicIP $fwpips
$fw=New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location westus -SkuName AZFW_Hub -HubIPAddress $hubIpAddresses -VirtualHubId $vHubId
This example creates a Firewall attached to virtual hub "hub" in the same resource group as the firewall. The Firewall will be assigned 2 public IPs that are created implicitly.
Example 16: Create a Firewall with Allow Active FTP.
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -AllowActiveFTP
This example creates a Firewall with allow active FTP flag.
Example 17: Create a Firewall with a management subnet and no data Public IP address
$rgName = "resourceGroupName"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
$mgmtPip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "managementPublicIpName"
New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -ManagementPublicIpAddress $mgmtPip
This example creates a "forced tunneling" Firewall that uses the subnet "AzureFirewallManagementSubnet" and the management public IP address for its management traffic. In this scenario, users do not have to specify a data Public IP if they are only using firewall for private traffic only.
Parameters
-AllowActiveFTP
Allows Active FTP on the Firewall. By default it is disabled.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ApplicationRuleCollection
Specifies the collections of application rules for the new Firewall.
Type: | PSAzureFirewallApplicationRuleCollection[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-AsJob
Run cmdlet in the background
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure.
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DnsServer
The list of DNS Servers to be used for DNS resolution,
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EnableDnsProxy
Enable DNS Proxy. By default it is disabled.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EnableFatFlowLogging
Enable Fat Flow Logging. By default it is false.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EnableUDPLogOptimization
Enable UDP Log Optimization. By default it is false.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-FirewallPolicyId
The firewall policy attached to the firewall
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HubIPAddress
The ip addresses for the firewall attached to a virtual hub
Type: | PSAzureFirewallHubIpAddresses |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Location
Specifies the region for the Firewall.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ManagementPublicIpAddress
One or more Public IP Addresses to use for management traffic. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall.
Type: | PSPublicIpAddress |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Name
Specifies the name of the Azure Firewall that this cmdlet creates.
Type: | String |
Aliases: | ResourceName |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-NatRuleCollection
The list of AzureFirewallNatRuleCollections
Type: | PSAzureFirewallNatRuleCollection[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-NetworkRuleCollection
The list of AzureFirewallNetworkRuleCollections
Type: | PSAzureFirewallNetworkRuleCollection[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-PrivateRange
The private IP ranges to which traffic won't be SNAT'ed
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PublicIpAddress
One or more Public IP Addresses. The Public IP addresses must use Standard SKU and must belong to the same resource group as the Firewall. No input needed for Forced Tunneling Firewalls.
Type: | PSPublicIpAddress[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-PublicIpName
Public Ip Name. The Public IP must use Standard SKU and must belong to the same resource group as the Firewall.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceGroupName
Specifies the name of a resource group to contain the Firewall.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-RouteServerId
The Route Server Id for the firewall
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SkuName
The sku name for firewall
Type: | String |
Aliases: | Sku |
Accepted values: | AZFW_Hub, AZFW_VNet |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-SkuTier
The sku tier for firewall
Type: | String |
Accepted values: | Standard, Premium, Basic |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Tag
Key-value pairs in the form of a hash table. For example:
@{key0="value0";key1=$null;key2="value2"}
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ThreatIntelMode
Specifies the operation mode for Threat Intelligence. Default mode is Alert, not Off.
Type: | String |
Accepted values: | Alert, Deny, Off |
Position: | Named |
Default value: | Alert |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ThreatIntelWhitelist
The allowlist for Threat Intelligence
Type: | PSAzureFirewallThreatIntelWhitelist |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-VirtualHubId
The virtual hub that a firewall is attached to
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-VirtualNetwork
Virtual Network
Type: | PSVirtualNetwork |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-VirtualNetworkName
Specifies the name of the virtual network for which the Firewall will be deployed. Virtual network and Firewall must belong to the same resource group.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Zone
A list of availability zones denoting where the firewall needs to come from.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
PSAzureFirewallApplicationRuleCollection[]
PSAzureFirewallNatRuleCollection[]
PSAzureFirewallNetworkRuleCollection[]