managementIpConfiguration.subnet.id is not present in the API call when deploying Azure Firewall using Azure CLI #32624
Description
Describe the bug
I cannot deploy Azure Firewall with Management NIC using Azure CLI command as the property managementIpConfiguration.subnet.id is not set.
Related command
az network firewall create
Errors
cli.azure.cli.core.azclierror: (AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp) AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
Code: AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp
Message: AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
az_command_data_logger: (AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp) AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
Code: AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp
Message: AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
Issue script & Debug output
PS C:\Users\sriramiyer> $rg = "testgrp"
PS C:\Users\sriramiyer> $region = "eastus"
PS C:\Users\sriramiyer> az group create --name "$rg" --location "$region"
{
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp",
"location": "eastus",
"managedBy": null,
"name": "testgrp",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null,
"type": "Microsoft.Resources/resourceGroups"
}
PS C:\Users\sriramiyer> az network vnet create --name "testfwvnet" --resource-group "$rg" --location "$region" --address-prefix "192.168.2.0/24"
{
"newVNet": {
"addressSpace": {
"addressPrefixes": [
"192.168.2.0/24"
]
},
"enableDdosProtection": false,
"etag": "W/\"1853f86e-e2fd-4024-b065-200e898e96ba\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/virtualNetworks/testfwvnet",
"location": "eastus",
"name": "testfwvnet",
"privateEndpointVNetPolicies": "Disabled",
"provisioningState": "Succeeded",
"resourceGroup": "testgrp",
"resourceGuid": "1e9f5e99-1d20-452d-acbf-d7b2ccb1ea49",
"subnets": [],
"type": "Microsoft.Network/virtualNetworks",
"virtualNetworkPeerings": []
}
}
PS C:\Users\sriramiyer> az network vnet subnet create --name "AzureFirewallSubnet" --vnet-name "testfwvnet" --resource-group "$rg" --address-prefixes "192.168.2.0/26"
{
"addressPrefix": "192.168.2.0/26",
"delegations": [],
"etag": "W/\"7ba7435f-2012-47c6-b302-beca8e5cf5a1\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/virtualNetworks/testfwvnet/subnets/AzureFirewallSubnet",
"name": "AzureFirewallSubnet",
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled",
"provisioningState": "Succeeded",
"resourceGroup": "testgrp",
"type": "Microsoft.Network/virtualNetworks/subnets"
}
PS C:\Users\sriramiyer> az network vnet subnet create --name "AzureFirewallManagementSubnet" --vnet-name "testfwvnet" --resource-group "$rg" --address-prefixes "192.168.2.64/26"
{
"addressPrefix": "192.168.2.64/26",
"delegations": [],
"etag": "W/\"33709c62-21a0-4cd6-9029-02bb8aa53ac6\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/virtualNetworks/testfwvnet/subnets/AzureFirewallManagementSubnet",
"name": "AzureFirewallManagementSubnet",
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled",
"provisioningState": "Succeeded",
"resourceGroup": "testgrp",
"type": "Microsoft.Network/virtualNetworks/subnets"
}
PS C:\Users\sriramiyer> az network public-ip create --name "testfwdataip" --resource-group "$rg" --location "$region" --allocation-method "Static" --sku "Standard" --zone 1 2 3
{
"publicIp": {
"ddosSettings": {
"protectionMode": "VirtualNetworkInherited"
},
"etag": "W/\"1864d106-21bd-416d-be27-d79fb9534822\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/publicIPAddresses/testfwdataip",
"idleTimeoutInMinutes": 4,
"ipAddress": "x.x.x.x",
"ipTags": [],
"location": "eastus",
"name": "testfwdataip",
"provisioningState": "Succeeded",
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Static",
"resourceGroup": "testgrp",
"resourceGuid": "09b0abe0-5f0b-42bf-86a0-85ccfc9c8e74",
"sku": {
"name": "Standard",
"tier": "Regional"
},
"type": "Microsoft.Network/publicIPAddresses",
"zones": [
"1",
"2",
"3"
]
}
}
PS C:\Users\sriramiyer> az network public-ip create --name "testfwmgmtip" --resource-group "$rg" --location "$region" --allocation-method "Static" --sku "Standard" --zone 1 2 3
{
"publicIp": {
"ddosSettings": {
"protectionMode": "VirtualNetworkInherited"
},
"etag": "W/\"2b3c51ff-83d3-4b46-9bf5-87a1ffb0a4d1\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/publicIPAddresses/testfwmgmtip",
"idleTimeoutInMinutes": 4,
"ipAddress": "y.y.y.y",
"ipTags": [],
"location": "eastus",
"name": "testfwmgmtip",
"provisioningState": "Succeeded",
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Static",
"resourceGroup": "testgrp",
"resourceGuid": "0059fe88-b815-4ee5-bffe-cbe4aeac33eb",
"sku": {
"name": "Standard",
"tier": "Regional"
},
"type": "Microsoft.Network/publicIPAddresses",
"zones": [
"1",
"2",
"3"
]
}
}
PS C:\Users\sriramiyer> az network firewall policy create --name "testfwpolicy" --resource-group "$rg" --location "$region" --sku "Standard"
C:\Users\sriramiyer\.azure\cliextensions\azure-firewall\azext_firewall\vendored_sdks\__init__.py:6: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
__import__('pkg_resources').declare_namespace(__name__)
{
"childPolicies": [],
"etag": "285acc7d-b959-433d-ad41-61924a309071",
"firewalls": [],
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/firewallPolicies/testfwpolicy",
"location": "eastus",
"name": "testfwpolicy",
"provisioningState": "Succeeded",
"resourceGroup": "testgrp",
"ruleCollectionGroups": [],
"sku": {
"tier": "Standard"
},
"threatIntelMode": "Alert",
"type": "Microsoft.Network/FirewallPolicies"
}
PS C:\Users\sriramiyer> az network vnet show --name "testfwvnet" --resource-group "$rg"
{
"addressSpace": {
"addressPrefixes": [
"192.168.2.0/24"
]
},
"enableDdosProtection": false,
"etag": "W/\"33709c62-21a0-4cd6-9029-02bb8aa53ac6\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/virtualNetworks/testfwvnet",
"location": "eastus",
"name": "testfwvnet",
"privateEndpointVNetPolicies": "Disabled",
"provisioningState": "Succeeded",
"resourceGroup": "testgrp",
"resourceGuid": "1e9f5e99-1d20-452d-acbf-d7b2ccb1ea49",
"subnets": [
{
"addressPrefix": "192.168.2.0/26",
"delegations": [],
"etag": "W/\"33709c62-21a0-4cd6-9029-02bb8aa53ac6\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/virtualNetworks/testfwvnet/subnets/AzureFirewallSubnet",
"name": "AzureFirewallSubnet",
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled",
"provisioningState": "Succeeded",
"resourceGroup": "testgrp",
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"addressPrefix": "192.168.2.64/26",
"delegations": [],
"etag": "W/\"33709c62-21a0-4cd6-9029-02bb8aa53ac6\"",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/virtualNetworks/testfwvnet/subnets/AzureFirewallManagementSubnet",
"name": "AzureFirewallManagementSubnet",
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled",
"provisioningState": "Succeeded",
"resourceGroup": "testgrp",
"type": "Microsoft.Network/virtualNetworks/subnets"
}
],
"type": "Microsoft.Network/virtualNetworks",
"virtualNetworkPeerings": []
}
PS C:\Users\sriramiyer> az network firewall create --name "testfw" --resource-group "$rg" --location "$region" --sku "AZFW_VNet" --tier "Standard" --vnet-name "testfwvnet" --firewall-policy "testfwpolicy" --conf-name "ipconfig1" --public-ip "testfwdataip" --m-conf-name "mgmtipconfig" --m-public-ip "testfwmgmtip" --debug
cli.knack.cli: Command arguments: ['network', 'firewall', 'create', '--name', 'testfw', '--resource-group', 'testgrp', '--location', 'eastus', '--sku', 'AZFW_VNet', '--tier', 'Standard', '--vnet-name', 'testfwvnet', '--firewall-policy', 'testfwpolicy', '--conf-name', 'ipconfig1', '--public-ip', 'testfwdataip', '--m-conf-name', 'mgmtipconfig', '--m-public-ip', 'testfwmgmtip', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000016F45F545E0>, <function OutputProducer.on_global_arguments at 0x0000016F464E5940>, <function CLIQuery.on_global_arguments at 0x0000016F4653F880>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_alb', 'azext_firewall', 'azext_bastion', 'azext_expressroutecrossconnection', 'azext_front_door', 'azext_ip_group', 'azext_network_manager', 'azext_vnettap', 'azext_vwan']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: network 1.305 120 480
cli.azure.cli.core: privatedns 0.062 14 60
cli.azure.cli.core: Total (2) 1.366 134 540
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: alb 0.063 4 5 C:\Users\sriramiyer\.azure\cliextensions\alb
cli.azure.cli.core: azure-firewall 0.103 21 67 C:\Users\sriramiyer\.azure\cliextensions\azure-firewall
cli.azure.cli.core: bastion 0.039 2 4 C:\Users\sriramiyer\.azure\cliextensions\bastion
cli.azure.cli.core: express-route-cross-connection 0.073 3 6 C:\Users\sriramiyer\.azure\cliextensions\express-route-cross-connection
cli.azure.cli.core: front-door 0.159 19 73 C:\Users\sriramiyer\.azure\cliextensions\front-door
cli.azure.cli.core: ip-group 0.038 2 1 C:\Users\sriramiyer\.azure\cliextensions\ip-group
cli.azure.cli.core: virtual-network-manager 0.201 14 13 C:\Users\sriramiyer\.azure\cliextensions\virtual-network-manager
cli.azure.cli.core: virtual-network-tap 0.213 5 2 C:\Users\sriramiyer\.azure\cliextensions\virtual-network-tap
cli.azure.cli.core: virtual-wan 0.243 21 77 C:\Users\sriramiyer\.azure\cliextensions\virtual-wan
cli.azure.cli.core: Total (9) 1.131 91 248
cli.azure.cli.core: Loaded 213 groups, 788 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : network firewall create
cli.azure.cli.core: Command table: network firewall create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000016F4846D1C0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\sriramiyer\.azure\commands\2026-01-10.11-57-30.network_firewall_create.21580.log'.
az_command_data_logger: command args: network firewall create --name {} --resource-group {} --location {} --sku {} --tier {} --vnet-name {} --firewall-policy {} --conf-name {} --public-ip {} --m-conf-name {} --m-public-ip {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0000016F484B2700>]
C:\Users\sriramiyer\.azure\cliextensions\azure-firewall\azext_firewall\vendored_sdks\__init__.py:6: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
__import__('pkg_resources').declare_namespace(__name__)
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x0000016F484FCA40>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x0000016F484FCC20>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x0000016F484FCCC0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000016F464E59E0>, <function CLIQuery.handle_query_parameter at 0x0000016F4653F920>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x0000016F484FCAE0>]
az_command_data_logger: extension name: azure-firewall
az_command_data_logger: extension version: 2.0.0
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\sriramiyer\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\sriramiyer\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
msal.authority: openid_config("https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 9a013f73-bd82-467b-954f-46850969725f
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/azureFirewalls/testfw?api-version=2024-10-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '917'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '6f224a27-eded-11f0-ae31-6ca1004e09e4'
cli.azure.cli.core.sdk.policies: 'CommandName': 'network firewall create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --resource-group --location --sku --tier --vnet-name --firewall-policy --conf-name --public-ip --m-conf-name --m-public-ip --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.81.0 (MSI) azsdk-python-core/1.35.0 Python/3.13.9 (Windows-11-10.0.26200-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "eastus", "properties": {"additionalProperties": {}, "firewallPolicy": {"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/firewallPolicies/testfwpolicy"}, "ipConfigurations": [{"name": "ipconfig1", "properties": {"publicIPAddress": {"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/publicIPAddresses/testfwdataip"}, "subnet": {"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/virtualNetworks/testfwvnet/subnets/AzureFirewallSubnet"}}}], "managementIpConfiguration": {"name": "mgmtipconfig", "properties": {"publicIPAddress": {"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/publicIPAddresses/testfwmgmtip"}}}, "sku": {"name": "AZFW_VNet", "tier": "Standard"}}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testgrp/providers/Microsoft.Network/azureFirewalls/testfw?api-version=2024-10-01 HTTP/1.1" 400 199
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '199'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '8c12beaf-787c-4b04-8ef8-e50cdac429b3'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '62842106-cdb0-48b8-86a7-626f413eb4a3'
cli.azure.cli.core.sdk.policies: 'x-ms-arm-service-request-id': '1cf0da5c-b4fc-4857-b24b-7ce3e5ad20f5'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-operation-identifier': 'tenantId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,objectId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/southcentralus/5e6b234b-cdd5-4e2e-ab91-c09fad531df3'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '199'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-writes': '2999'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHCENTRALUS:20260110T062734Z:62842106-cdb0-48b8-86a7-626f413eb4a3'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 05A41E7422FC44449CFE8DEC384C4729 Ref B: SN4AA2022301031 Ref C: 2026-01-10T06:27:31Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Sat, 10 Jan 2026 06:27:33 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp","message":"AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.","details":[]}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 714, in _run_job
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 1085, in __call__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 1072, in __call__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_poller.py", line 108, in result
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 119, in wrapper_use_tracer
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_poller.py", line 130, in wait
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_poller.py", line 83, in _start
File "C:\Users\sriramiyer\.azure\cliextensions\azure-firewall\azext_firewall\aaz\latest\network\firewall\_create.py", line 265, in _execute_operations
yield self.AzureFirewallsCreateOrUpdate(ctx=self.ctx)()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "C:\Users\sriramiyer\.azure\cliextensions\azure-firewall\azext_firewall\aaz\latest\network\firewall\_create.py", line 305, in __call__
return self.on_error(session.http_response)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_operation.py", line 327, in on_error
azure.core.exceptions.HttpResponseError: (AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp) AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
Code: AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp
Message: AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
cli.azure.cli.core.azclierror: (AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp) AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
Code: AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp
Message: AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
az_command_data_logger: (AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp) AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
Code: AzureFirewallManagementIpConfigRequiresSubnetAndPublicIp
Message: AzureFirewall testfw management IP configuration requires both a subnet and a public IP address.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000016F4846D440>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 8.307 seconds (init: 0.720, invoke: 7.587)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4409 in cache file under C:\Users\sriramiyer\.azure\telemetry\20260110115735385
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\sriramiyer\.azure C:\Users\sriramiyer\.azure\telemetry\20260110115735385"
telemetry.process: Return from creating process 24456
telemetry.main: Finish creating telemetry upload process.
PS C:\Users\sriramiyer>
Expected behavior
The Azure Firewall should be deployed successfully as the AzureFirewallManagementSubnet is present in the VNet.
Environment Summary
PS C:\Users\sriramiyer> az --version
azure-cli 2.81.0
core 2.81.0
telemetry 1.1.0
Extensions:
alb 2.0.1
application-insights 2.0.0b1
azure-devops 1.0.2
azure-firewall 2.0.0
bastion 1.4.2
cli-translator 0.3.0
containerapp 1.3.0b1
dns-resolver 1.2.0
express-route-cross-connection 1.0.0
front-door 1.4.0
functionapp 0.1.1
internet-analyzer 1.0.0b2
ip-group 1.0.1
network-analytics 1.0.0b1
peering 1.0.0
resource-graph 2.1.1
ssh 2.0.6
staticwebapp 1.0.0
subscription 1.0.0b2
terraform 1.0.0b1
traffic-collector 1.0.0
virtual-network-manager 3.0.1
virtual-network-tap 1.0.0b2
virtual-wan 1.0.1
webapp 0.4.0
Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\sriramiyer\.azure'
Extensions directory 'C:\Users\sriramiyer\.azure\cliextensions'
Python (Windows) 3.13.9 (tags/v3.13.9:8183fa5, Oct 14 2025, 14:09:13) [MSC v.1944 64 bit (AMD64)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
PS C:\Users\sriramiyer>
Additional context
No response