From 86711de873f9f9d4cea6a0a1a7fc349e5946fd90 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Mon, 15 Apr 2024 12:18:57 +0100
Subject: [PATCH 1/2] :sparkles: Add AllowExternalAzureAutomationOperations firewall network rule
---
 .../infrastructure/stacks/shm/firewall.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index 71543607ce..c060517f00 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -484,8 +484,8 @@ def __init__(
 destination_ports=["53"],
 name="AllowExternalDnsResolver",
 protocols=[
- network.AzureFirewallNetworkRuleProtocol.UDP,
 network.AzureFirewallNetworkRuleProtocol.TCP,
+ network.AzureFirewallNetworkRuleProtocol.UDP,
 ],
 source_addresses=[props.subnet_identity_servers_iprange],
 ),
@@ -496,6 +496,17 @@ def __init__(
 name=f"{stack_name}-all",
 priority=1010,
 rules=[
+ network.AzureFirewallNetworkRuleArgs(
+ description="Allow external Azure Automation requests",
+ destination_addresses=["GuestAndHybridManagement"],
+ destination_ports=["*"],
+ name="AllowExternalAzureAutomationOperations",
+ protocols=[
+ network.AzureFirewallNetworkRuleProtocol.TCP,
+ network.AzureFirewallNetworkRuleProtocol.UDP,
+ ],
+ source_addresses=["*"],
+ ),
 network.AzureFirewallNetworkRuleArgs(
 description="Allow external NTP requests",
 destination_addresses=ntp_ip_addresses,
From ff3e07e90175ecd02c0623bea84d70854ec9255c Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Mon, 15 Apr 2024 12:29:25 +0100
Subject: [PATCH 2/2] :bug: Restore AllowExternalAzureAutomationOperations application rule
---
 data_safe_haven/infrastructure/stacks/shm/firewall.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
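Review bot: The new AllowExternalAzureAutomationOperations network rule in the `@@ -496` hunk is far broader than its description needs: `source_addresses=["*"]` plus `destination_ports=["*"]` over both TCP and UDP lets every subnet behind the firewall reach every port of the GuestAndHybridManagement service tag, whereas the adjacent DNS rule scopes both source and port. Azure Automation agent and hybrid-worker traffic to that tag is outbound HTTPS, so `destination_ports=["443"],` and `protocols=[network.AzureFirewallNetworkRuleProtocol.TCP],` should suffice, and `source_addresses` should be narrowed to the subnet range(s) that actually host the automation agents, following the `props.subnet_identity_servers_iprange` pattern used two rules above. Because Azure Firewall evaluates network rules before application rules, a wildcard network rule to these addresses likely also means the `AllowExternalAzureAutomationOperations` application rule (the HTTPS/FQDN-restricted one touched by PATCH 2/2 near line 313) is never consulted for that traffic, so the FQDN allow-list would be bypassed. The enclosing `__init__` starts and ends outside this hunk, so the rule-collection header it belongs to is not visible here.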
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index c060517f00..2e003341e7 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -313,8 +313,10 @@ def __init__(
 description="Allow external Azure Automation requests",
 name="AllowExternalAzureAutomationOperations",
 protocols=[
- network.AzureFirewallNetworkRuleProtocol.TCP,
- network.AzureFirewallNetworkRuleProtocol.UDP,
+ network.AzureFirewallApplicationRuleProtocolArgs(
+ port=443,
+ protocol_type="Https",
+ )
 ],
 source_addresses=["*"],
 target_fqdns=[
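Review bot: The closing `)` of the added `AzureFirewallApplicationRuleProtocolArgs(...)` element has no trailing comma, unlike every other multi-line literal in the surrounding code (`source_addresses=["*"],`, the protocol entries this hunk removes) and unlike what black emits for an exploded list; it should read `),`. After PATCH 1/2 the name `AllowExternalAzureAutomationOperations` is now shared by this application rule and the new network rule in the `-all` network collection; Azure only requires uniqueness within a collection, but identical names across collections make firewall logs harder to attribute, so a distinguishing suffix on one of them would help. The `target_fqdns=[` list and the enclosing `__init__` continue past the end of this hunk.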