
Added default rules for Azure. Closes: https://github.com/gvlproject/cloudbridge/issues/106

Nuwan Goonasekera 8 years ago
parent
commit
a8120ef719

+ 10 - 10
cloudbridge/cloud/providers/azure/resources.py

@@ -150,13 +150,13 @@ class AzureVMFirewallRuleContainer(BaseVMFirewallRuleContainer):
         super(AzureVMFirewallRuleContainer, self).__init__(provider, firewall)
 
     def list(self, limit=None, marker=None):
+        # Filter out firewall rules with priority < 3500 because values
+        # between 3500 and 4096 are assumed to be owned by cloudbridge
+        # default rules.
         # pylint:disable=protected-access
-        rules = (
-            [AzureVMFirewallRule(self.firewall, rule) for rule
-             in self.firewall._vm_firewall.security_rules] +
-            [AzureVMFirewallRule(self.firewall, rule) for rule
-             in self.firewall._vm_firewall.default_security_rules
-             if rule.destination_address_prefix == "Internet"])
+        rules = [AzureVMFirewallRule(self.firewall, rule) for rule
+                 in self.firewall._vm_firewall.security_rules
+                 if rule.priority < 3500]
         return ClientPagedResultList(self._provider, rules,
                                      limit=limit, marker=marker)
 
@@ -185,18 +185,18 @@ class AzureVMFirewallRuleContainer(BaseVMFirewallRuleContainer):
 
         count = len(self.firewall._vm_firewall.security_rules) + 1
         rule_name = "Rule - " + str(count)
-        priority = count * 100
+        priority = 1000 + count
         destination_port_range = str(from_port) + "-" + str(to_port)
         source_port_range = '*'
         destination_address_prefix = "*"
         access = "Allow"
         direction = ("Inbound" if direction == TrafficDirection.INBOUND
                      else "Outbound")
-        parameters = {"protocol": protocol,
+        parameters = {"priority": priority,
+                      "protocol": protocol,
                       "source_port_range": source_port_range,
-                      "destination_port_range": destination_port_range,
-                      "priority": priority,
                       "source_address_prefix": cidr,
+                      "destination_port_range": destination_port_range,
                       "destination_address_prefix": destination_address_prefix,
                       "access": access,
                       "direction": direction}
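Review bot: `priority = 1000 + count` in the second hunk derives the priority (and the `"Rule - N"` name) from the current length of `security_rules`, so once any rule has been deleted the next create reuses a priority that an existing rule still holds, and the request will be rejected if Azure enforces unique priorities per direction as I believe it does; the old `count * 100` had the same flaw, but the new band makes it worth fixing now. I would pick the first free slot instead: `used = {r.priority for r in self.firewall._vm_firewall.security_rules}` and `priority = next(p for p in range(1000, 3500) if p not in used)`, which also guarantees the new rule stays below the 3500 cut-off that `list()` applies. On the first hunk, the `< 3500` filter hides every rule in the 3500–4096 band regardless of who created it, so an Allow rule added out-of-band (portal, CLI) in that range becomes invisible to cloudbridge's listing; the comment should state that, e.g. `# NOTE: any rule with priority >= 3500, even one not created by cloudbridge, is hidden from this listing.` The enclosing create method begins above the second hunk.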

+ 26 - 1
cloudbridge/cloud/providers/azure/services.py

@@ -74,8 +74,33 @@ class AzureVMFirewallService(BaseVMFirewallService):
             parameters['tags'].update(Description=description)
 
         fw = self.provider.azure_client.create_vm_firewall(name, parameters)
-        cb_fw = AzureVMFirewall(self.provider, fw)
 
+        # Add default rules to negate azure default rules.
+        # See: https://github.com/gvlproject/cloudbridge/issues/106
+        # pylint:disable=protected-access
+        for rule in fw.default_security_rules:
+            rule_name = "cb-override-" + rule.name
+            # Transpose rules to priority 4001 onwards, because
+            # only 0-4096 are allowed for custom rules
+            rule.priority = rule.priority - 61440
+            rule.access = "Deny"
+            self._provider.azure_client.create_vm_firewall_rule(
+                fw.name, rule_name, rule)
+
+        # Add a new custom rule allowing all outbound traffic to the internet
+        parameters = {"priority": 3000,
+                      "protocol": "*",
+                      "source_port_range": "*",
+                      "source_address_prefix": "*",
+                      "destination_port_range": "*",
+                      "destination_address_prefix": "Internet",
+                      "access": "Allow",
+                      "direction": "Outbound"}
+        result = self._provider.azure_client.create_vm_firewall_rule(
+            fw.name, "cb-default-internet-outbound", parameters)
+        fw.security_rules.append(result)
+
+        cb_fw = AzureVMFirewall(self.provider, fw)
         return cb_fw
 
     def find(self, name, limit=None, marker=None):
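Review bot: The override loop and the `cb-default-internet-outbound` rule are several separate API calls after `create_vm_firewall` has already returned, with no error handling, so a failure part-way leaves an NSG that exists but is only partially hardened — either the Azure defaults still permitting VNet/load-balancer inbound, or Deny overrides in place with no outbound Allow — while the caller gets an exception and no handle to clean it up. Wrap the post-creation block in `try/except`, and on failure delete the just-created firewall if `azure_client` exposes a delete, or at least re-raise with the firewall name so it can be reconciled. The transpose comment is also inaccurate: the Azure default rules sit at 65000–65500, so `rule.priority - 61440` yields 3560–4060, not "4001 onwards", and Azure's documented custom range starts at 100 rather than 0; I would write `# Azure default rules use priorities 65000-65500; shifting by 61440 places the overrides at 3560-4060, inside the 3500-4096 band that list() treats as cloudbridge-owned.` Mutating the server-returned `rule` objects in place additionally leaves `fw.default_security_rules` holding the transposed Deny copies on the object handed to `AzureVMFirewall`; building a fresh parameters dict per rule, as the outbound rule already does, avoids that.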