
Get-AzFirewall not including privateIpAddress

Open emil-hedemalm-sj opened this issue 3 years ago • 9 comments

Description

We noted that the az network firewall show command will display privateIpAddress of the Firewall instance, while the Get-AzFirewall command will not.

Example outputs:

az CLI> az network firewall show --name myfw --resource-group myrg
...
  "hubIpAddresses": {
    "privateIpAddress": "<privateIp>",
    "publicIPs": {
      "addresses": [
        {
          "address": "<publicIp>"
        }
      ],
      "count": 1
    }
  },
...
Azure Powershell > $fw = Get-AzFirewall
Azure Powershell > ConvertTo-Json $fw.HubIPAddresses -Depth 4
{
  "publicIPAddresses": null,
  "PublicIPs": {
    "Count": 1,
    "Addresses": [
      {
        "Address": "<publicIp>"
      }
    ]
  }
}

Based on the debug output below it would seem that the Microsoft.Azure.Commands.Network.Models.PSAzureFirewallHubIpAddresses object perhaps is outdated...? or anyway fails to parse the privateIpAddress from the http response?

Issue script & Debug output

> $fw = Get-AzFirewall
DEBUG: <time> - GetAzureFirewallCommand begin processing with ParameterSet '__AllParameterSets'.
DEBUG: <time> - using account id '[email protected]'...
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '<tenantid>'
DEBUG: <time> - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'<tenantid>', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] Azure region was not configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time>] Found 2 cache accounts and 0 broker accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time>] Returning 2 accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] MSAL MSAL.NetCore with assembly version '4.30.1.0'. CorrelationId(<correlationId>)
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] === AcquireTokenSilent Parameters ===
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] LoginHint provided: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] Account provided: True
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] ForceRefresh: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - <correlationId>

DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] === Token Acquisition (SilentRequest) started:

        Authority Host: login.microsoftonline.com
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] Azure region was not configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] Access token is not expired. Returning the found cache entry. [Current time (08/01/2022 <time>) - Expiration Time (08/01/2022 10:29:59 +00:00) - Extended Expiration Time (08/01/2022 10:29:59 +00:00)]
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] Returning access token found in cache. RefreshOn exists ? False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] Fetched access token from host login.microsoftonline.com.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Microsoft Windows 10.0.22000 [08/01/2022 <time> - ] === Token Acquisition finished successfully. An access token was returned with Expiration Time: 08/01/2022 <time> +00:00 and Scopes https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2022-08-01T<time>+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '<tenantid>', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Network/azureFirewalls?api-version=2021-05-01

Headers:
x-ms-client-request-id        : <guid>
Accept-Language               : en-US

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-id               : <guid>
x-ms-correlation-request-id   : <guid>
x-ms-arm-service-request-id   : <guid>
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Server                        : Microsoft-HTTPAPI/2.0,Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-reads: <remainingReads>
x-ms-routing-request-id       : SWEDENCENTRAL:20220801T<time>Z:<guid>
X-Content-Type-Options        : nosniff
Date                          : Mon, 01 Aug 2022 <time> GMT

Body:
{
  "value": [
    {
      "name": "<my-firewall-name>",
      "id": "/subscriptions/<subscriptionId>/resourceGroups/<my-resource-group>/providers/Microsoft.Network/azureFirewalls/<my-firewall-name>",
      "etag": "W/\"<guid>\"",
      "type": "Microsoft.Network/azureFirewalls",
      "location": "westeurope",
      "tags": {
        <tags>
      },
      "properties": {
        "provisioningState": "Succeeded",
        "sku": {
          "name": "AZFW_Hub",
          "tier": "Standard"
        },
        "additionalProperties": {},
        "virtualHub": {
          "id": "/subscriptions/<subscriptionId>/resourceGroups/<my-resource-group>/providers/Microsoft.Network/virtualHubs/<virtual-hub-name>"
        },
        "hubIPAddresses": {
          "privateIPAddress": "<privateIp>",
          "publicIPs": {
            "addresses": [
              {
                "address": "<publicIp>"
              }
            ],
            "count": 1
          }
        },
        "firewallPolicy": {
          "id": "/subscriptions/<subscriptionId>/resourcegroups/<my-resource-group>/providers/Microsoft.Network/firewallPolicies/<firewall-policy-id>"
        }
      }
    }
  ]
}


DEBUG: AzureQoSEvent: Module: Az.Network:4.16.1; CommandName: Get-AzFirewall; PSVersion: 7.2.5; IsSuccess: True; Duration: 00:00:00.2316562
DEBUG: Finish sending metric.
DEBUG: <time> - GetAzureFirewallCommand end processing.
> ConvertTo-Json $fw.HubIPAddresses -Depth 4
{
  "publicIPAddresses": null,
  "PublicIPs": {
    "Count": 1,
    "Addresses": [
      {
        "Address": "<publicIp>"
      }
    ]
  }
}

Environment data

> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.2.5
PSEdition                      Core
GitCommitId                    7.2.5
OS                             Microsoft Windows 10.0.22000
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

> Get-Module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.7.6                 Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefa…
Script     4.16.1                Az.Network                          {Add-AzApplicationGatewayAuthenticationCertificat…

Error output

> Resolve-AzError
DEBUG: 12:02:59 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 12:02:59 - using account id '[email protected]'...
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.

DEBUG: AzureQoSEvent: Module: Az.Accounts:2.7.6; CommandName: Resolve-AzError; PSVersion: 7.2.5; IsSuccess: True; Duration: 00:00:00.0034960
DEBUG: Finish sending metric.
DEBUG: 12:02:59 - ResolveError end processing.

emil-hedemalm-sj avatar Aug 01 '22 10:08 emil-hedemalm-sj

I saw there is a 4.18.0 version of Az.Network as well. I tried updating and can still reproduce the same issue.

emil-hedemalm-sj avatar Aug 01 '22 10:08 emil-hedemalm-sj

Thank you for your feedback. This has been routed to the support team for assistance.

msftbot[bot] avatar Aug 02 '22 09:08 msftbot[bot]

@emil-hedemalm-sj Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

navba-MSFT avatar Aug 03 '22 04:08 navba-MSFT

@emil-hedemalm-sj Could you please try to use the below workaround and check if that helps?

# Acquire an ARM access token for the current Az context
$auth=Get-AzAccessToken
$authHeader= $auth.token
$subscriptionId='XXXXXXXXXXXXX'
$resourceGroupName='RGName'
$firewallName='FirewallName'

# Query the firewall resource directly from the ARM REST API
$uri= "https://management.azure.com/subscriptions/" + $subscriptionId + "/resourceGroups/" + $resourceGroupName + "/providers/Microsoft.Network/azureFirewalls/" + $firewallName + "?api-version=2021-08-01"
$output=Invoke-WebRequest -Uri $uri -Method GET -Headers @{"Authorization"="Bearer $authHeader"}
# Show the hubIPAddresses block, which includes privateIPAddress
$output | ConvertFrom-Json | select -ExpandProperty properties  | select -ExpandProperty hubIPAddresses | Format-List

navba-MSFT avatar Aug 03 '22 08:08 navba-MSFT
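
A variant of the workaround above for use in functions and pipelines, added here as an example and not part of the original thread or the Az module: it reads the same ARM resource through `Invoke-AzRestMethod` (Az.Accounts), which authenticates with the current Az context, so the script never holds the bearer token in a variable or header table. The function name `Get-AzFirewallHubPrivateIp` and its parameters are hypothetical.

```powershell
# Added example; Get-AzFirewallHubPrivateIp is a hypothetical helper, not an Az cmdlet.
function Get-AzFirewallHubPrivateIp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $FirewallName,
        [string] $ApiVersion = '2021-08-01'   # api-version used in the workaround above
    )

    # ${FirewallName} is braced because '?' is a legal variable-name character in PowerShell.
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.Network/azureFirewalls/${FirewallName}?api-version=$ApiVersion"

    # Invoke-AzRestMethod attaches the credential of the current Az context itself,
    # so no access token appears in script variables, transcripts or debug output.
    $response = Invoke-AzRestMethod -Method GET -Path $path

    # The cmdlet returns the HTTP response instead of throwing on 4xx/5xx, so check it.
    if ($response.StatusCode -ne 200) {
        throw "ARM returned HTTP $($response.StatusCode) for firewall '$FirewallName': $($response.Content)"
    }

    $hub = ($response.Content | ConvertFrom-Json).properties.hubIPAddresses
    if ($null -eq $hub) {
        # The firewall in this thread is SKU AZFW_Hub; other deployments may not return this block.
        Write-Warning "Firewall '$FirewallName' returned no hubIPAddresses property."
        return
    }

    [pscustomobject]@{
        Name              = $FirewallName
        PrivateIPAddress  = $hub.privateIPAddress
        PublicIPAddresses = @($hub.publicIPs.addresses.address)
    }
}

# Usage (placeholder values):
# Get-AzFirewallHubPrivateIp -SubscriptionId '<subscriptionId>' -ResourceGroupName 'RGName' -FirewallName 'FirewallName'
```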

@emil-hedemalm-sj Could you please let me know if you had a chance to follow the above workaround? Awaiting your reply.

navba-MSFT avatar Aug 05 '22 05:08 navba-MSFT

That works locally, yes! Will try using it in the function/pipeline as well.

emil-hedemalm-sj avatar Aug 05 '22 07:08 emil-hedemalm-sj

@emil-hedemalm-sj Thanks for the update. Let me know once that works in the function / pipeline. Awaiting your reply.

navba-MSFT avatar Aug 05 '22 07:08 navba-MSFT

The work-around works fine in our functions and running them in Azure Pipelines. Do we know when the Cmdlet would be updated with a fix?

emil-hedemalm-sj avatar Aug 05 '22 08:08 emil-hedemalm-sj

@emil-hedemalm-sj I am checking this with the Azure Firewall Product owners. Awaiting their reply now.

navba-MSFT avatar Aug 10 '22 03:08 navba-MSFT

@emil-hedemalm-sj We have created an internal work item for the fix for tracking purposes. There is no ETA on when the fix would be released. We will archive this thread for now. I will update this thread once I have an update to share.

navba-MSFT avatar Aug 19 '22 04:08 navba-MSFT

Hi! Is there any update on this issue?

emil-hedemalm-sj avatar Nov 08 '22 15:11 emil-hedemalm-sj