Description
Describe the bug
Rule and collection CRUD commands (create, delete) on an Azure Firewall deployed in an extended location (edge zone) fail with InvalidExtendedLocation error.
PR #8892 (Azure/azure-cli-extensions#8892) added --edge-zone support for az network firewall create by updating the AAZ-generated commands to API version 2024-10-01 with extendedLocation in the request/response schemas.
However, the legacy SDK-based custom commands for rule and collection management were not updated. These commands use a vendored SDK (v2021_08_01) whose AzureFirewall model does not include extended_location in its _attribute_map. When these commands perform a GET → modify → PUT cycle, the extendedLocation property is dropped during deserialization, causing the subsequent PUT to fail because the API interprets it as an attempt to create a new resource in the parent location rather than updating the existing one in the edge zone.
Related command
az network firewall network-rule collection delete
az network firewall network-rule create
az network firewall network-rule delete
az network firewall nat-rule collection delete
az network firewall nat-rule create
az network firewall nat-rule delete
az network firewall application-rule collection delete
az network firewall application-rule create
az network firewall application-rule delete
az network firewall ip-config create
az network firewall ip-config delete
Errors
(InvalidExtendedLocation) The resource 'azfw-gagarab' already exists in extended location 'EdgeZone': 'microsoftrrezm1' of location 'eastus2euap'. A resource with the same name cannot be created in location 'eastus2euap'. Please select a new resource name.
Code: InvalidExtendedLocation
Message: The resource 'azfw-gagarab' already exists in extended location 'EdgeZone': 'microsoftrrezm1' of location 'eastus2euap'. Please select a new resource name.
Issue script & Debug output
1. Create prerequisites in edge zone
az network public-ip create -g myRG -n fw-pubip --allocation-method Static --sku Standard --edge-zone microsoftrrezm1
az network vnet create -g myRG -n fw-vnet --address-prefix 10.0.0.0/16 --subnet-name AzureFirewallSubnet --subnet-prefix 10.0.1.0/26 --edge-zone microsoftrrezm1
2. Create firewall in edge zone (works - uses AAZ path with API 2024-10-01)
az network firewall create -g myRG -n myFirewall --vnet-name fw-vnet --public-ip fw-pubip --edge-zone microsoftrrezm1
3. Add a network rule (fails - uses legacy SDK path with API 2021-08-01)
az network firewall network-rule create -g myRG -f myFirewall --collection-name TestCollection -n TestRule --protocols TCP --source-addresses '*' --destination-addresses '*' --destination-ports 80
4. Or attempt to delete a collection (fails with same error)
az network firewall network-rule collection delete -g myRG -f myFirewall --collection-name TestCollection
Root cause:
The legacy SDK commands use vendored_sdks/v2021_08_01 via _client_factory.py (hardcoded to api_version='2021-08-01').
The AzureFirewall model in that SDK does NOT have extended_location in _attribute_map.
During GET → modify → PUT, extendedLocation is dropped, causing the InvalidExtendedLocation error.
Expected behavior
Rule and collection CRUD operations should work correctly on firewalls deployed in extended locations (edge zones). The extendedLocation property should be preserved during the GET → modify → PUT cycle used by these commands.
Environment Summary
The issue affects azure-firewall extension version 1.3.0+.
Additional context
Root cause analysis:
The azure-firewall extension has two separate code paths:
- AAZ-generated commands (create, update, show, list, delete, wait) - use API 2024-10-01, handle extendedLocation correctly. Updated by PR #8892.
- Legacy SDK-based custom commands (rule/collection CRUD, ip-config) - use vendored SDK v2021_08_01 via _client_factory.py (hardcoded api_version='2021-08-01'). The AzureFirewall class in this SDK (line ~5244 of _models_py3.py) does NOT have extended_location in _attribute_map, even though other resources in the same SDK (VirtualNetworkGateway, PublicIPAddress, VirtualNetwork) do include it.
Affected code paths:
- _util.py: delete_network_resource_property_entry() - used by collection delete commands
- custom.py: _upsert_af_rule() - used by rule create commands
- custom.py: build_af_rule_delete() - used by rule delete commands
Suggested fix: Add extended_location to the AzureFirewall model in vendored_sdks/v2021_08_01, or migrate these commands to the AAZ framework.
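The mechanism behind the GET → modify → PUT failure described above, as an added illustration (this is not code from azure-cli or the azure-firewall extension): a minimal stand-in for the msrest Model machinery the vendored SDK relies on. Only keys listed in a model's `_attribute_map` survive deserialization, so an `AzureFirewall` map without an `extended_location` entry silently drops `extendedLocation` from the body that is later PUT back. The `MiniModel`, `AzureFirewall2021`, `AzureFirewallPatched`, `GET_RESPONSE` and the helper functions are simplified assumptions for this example, not the real SDK classes; the sample GET payload is constructed.

```python
"""Added example, not azure-cli code: why a GET -> modify -> PUT cycle drops
extendedLocation when the AzureFirewall model's _attribute_map has no
extended_location entry, and how adding that one entry fixes the round trip."""
import copy
import json


class MiniModel:
    """Tiny imitation of msrest.serialization.Model (assumption, simplified):
    only keys listed in _attribute_map survive deserialize() and are emitted
    by serialize(); everything else in the payload is lost."""
    _attribute_map = {}

    def __init__(self, **kwargs):
        for attr in self._attribute_map:
            setattr(self, attr, kwargs.get(attr))

    @classmethod
    def deserialize(cls, data):
        # Walk the map, not the payload: unmapped JSON keys are silently dropped.
        kwargs = {}
        for attr, spec in cls._attribute_map.items():
            value = data
            for part in spec["key"].split("."):
                value = value.get(part) if isinstance(value, dict) else None
            kwargs[attr] = value
        return cls(**kwargs)

    def serialize(self):
        body = {}
        for attr, spec in self._attribute_map.items():
            value = getattr(self, attr)
            if value is None:
                continue
            target = body
            parts = spec["key"].split(".")
            for part in parts[:-1]:
                target = target.setdefault(part, {})
            target[parts[-1]] = copy.deepcopy(value)
        return body


class AzureFirewall2021(MiniModel):
    """Shape of the vendored v2021_08_01 model as the issue describes it:
    no extended_location entry (assumption: trimmed to the fields used here)."""
    _attribute_map = {
        "id": {"key": "id", "type": "str"},
        "name": {"key": "name", "type": "str"},
        "location": {"key": "location", "type": "str"},
        "network_rule_collections": {
            "key": "properties.networkRuleCollections",
            "type": "[AzureFirewallNetworkRuleCollection]",
        },
    }


class AzureFirewallPatched(AzureFirewall2021):
    """Same model with the single entry the suggested fix adds."""
    _attribute_map = dict(AzureFirewall2021._attribute_map)
    _attribute_map["extended_location"] = {"key": "extendedLocation", "type": "ExtendedLocation"}


# Constructed GET response for a firewall in an edge zone (sample data only).
GET_RESPONSE = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG"
          "/providers/Microsoft.Network/azureFirewalls/myFirewall",
    "name": "myFirewall",
    "location": "eastus2euap",
    "extendedLocation": {"name": "microsoftrrezm1", "type": "EdgeZone"},
    "properties": {"networkRuleCollections": []},
}


def upsert_collection(model_cls, get_response, collection):
    """GET -> modify -> PUT as the legacy custom commands do it; returns the
    PUT body that would be sent to the API."""
    fw = model_cls.deserialize(get_response)
    fw.network_rule_collections = (fw.network_rule_collections or []) + [collection]
    return fw.serialize()


def put_body_keeps_edge_zone(model_cls):
    """Check for any model class: does the PUT body still carry the
    extendedLocation that the GET returned?"""
    body = upsert_collection(model_cls, GET_RESPONSE, {"name": "TestCollection"})
    return body.get("extendedLocation") == GET_RESPONSE["extendedLocation"]


if __name__ == "__main__":
    for cls in (AzureFirewall2021, AzureFirewallPatched):
        body = upsert_collection(cls, GET_RESPONSE, {"name": "TestCollection"})
        print(cls.__name__, "keeps extendedLocation:", put_body_keeps_edge_zone(cls))
        print(json.dumps(body, indent=2))
```

Run stand-alone it prints the two PUT bodies side by side: the 2021 model's body has `location` but no `extendedLocation`, which is exactly the payload the API rejects with InvalidExtendedLocation, while the patched model's body carries the edge zone through unchanged. The same check (diff the GET JSON against the body the command is about to PUT) is a quick way to confirm whether a given model or API version preserves the property.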
Use this subscription to test 6030fb9a-6ed7-4414-b379-afd558a954e6