New-/Get-/Remove-DbaFirewallRule: New rule for database mirroring or Availability Groups (#9846)

andreasjordan · web-flow · commit f3b7fffebede · 2025-09-19T11:48:44.000+02:00
diff --git a/public/Get-DbaFirewallRule.ps1 b/public/Get-DbaFirewallRule.ps1
@@ -29,6 +29,7 @@ function Get-DbaFirewallRule {
         * Engine - Returns firewall rules for the SQL Server Database Engine service
         * Browser - Returns firewall rules for the SQL Server Browser service (UDP 1434)
         * DAC - Returns firewall rules for the Dedicated Admin Connection
+        * DatabaseMirroring - Returns firewall rules for database mirroring or Availability Groups
         * AllInstance - Returns all SQL Server-related firewall rules on the target computer
 
         When omitted, returns Engine and DAC rules for the specified instance, plus Browser rules if the instance uses a non-standard port.
@@ -79,7 +80,7 @@ function Get-DbaFirewallRule {
         [parameter(Mandatory, ValueFromPipeline)]
         [DbaInstanceParameter[]]$SqlInstance,
         [PSCredential]$Credential,
-        [ValidateSet('Engine', 'Browser', 'DAC', 'AllInstance')]
+        [ValidateSet('Engine', 'Browser', 'DAC', 'DatabaseMirroring', 'AllInstance')]
         [string[]]$Type,
         [switch]$EnableException
     )
@@ -183,6 +184,10 @@ function Get-DbaFirewallRule {
                     $typeName = 'DAC'
                     $instanceName = 'MSSQLSERVER'
                     $sqlInstanceName = $instance.ComputerName
+                } elseif ($rule.Name -eq 'SQL Server default instance (DatabaseMirroring)') {
+                    $typeName = 'DatabaseMirroring'
+                    $instanceName = 'MSSQLSERVER'
+                    $sqlInstanceName = $instance.ComputerName
                 } elseif ($rule.Name -eq 'SQL Server default instance') {
                     $typeName = 'Engine'
                     $instanceName = 'MSSQLSERVER'
@@ -191,6 +196,10 @@ function Get-DbaFirewallRule {
                     $typeName = 'DAC'
                     $instanceName = $rule.Name -replace '^SQL Server instance (.+) \(DAC\)$', '$1'
                     $sqlInstanceName = $instance.ComputerName + '\' + $instanceName
+                } elseif ($rule.Name -match 'SQL Server instance .+ \(DatabaseMirroring\)') {
+                    $typeName = 'DatabaseMirroring'
+                    $instanceName = $rule.Name -replace '^SQL Server instance (.+) \(DatabaseMirroring\)$', '$1'
+                    $sqlInstanceName = $instance.ComputerName + '\' + $instanceName
                 } elseif ($rule.Name -match 'SQL Server instance .+') {
                     $typeName = 'Engine'
                     $instanceName = $rule.Name -replace '^SQL Server instance (.+)$', '$1'
@@ -241,6 +250,10 @@ function Get-DbaFirewallRule {
                     Write-Message -Level Verbose -Message 'Returning rule for DAC'
                     $outputRules += $rules | Where-Object { $_.Type -eq 'DAC' -and $_.InstanceName -eq $instance.InstanceName }
                 }
+                if ('DatabaseMirroring' -in $Type) {
+                    Write-Message -Level Verbose -Message 'Returning rule for DatabaseMirroring'
+                    $outputRules += $rules | Where-Object { $_.Type -eq 'DatabaseMirroring' -and $_.InstanceName -eq $instance.InstanceName }
+                }
             }
             $outputRules | Select-DefaultView -Property ComputerName, InstanceName, SqlInstance, DisplayName, Type, Protocol, LocalPort, Program
         }
diff --git a/public/New-DbaFirewallRule.ps1 b/public/New-DbaFirewallRule.ps1
@@ -54,6 +54,16 @@ function New-DbaFirewallRule {
         The firewall rule for the DAC will only be created if the DAC is configured for listening remotely.
         Use `Set-DbaSpConfigure -SqlInstance SRV1 -Name RemoteDacConnectionsEnabled -Value 1` to enable remote DAC before running this command.
 
+        The firewall rule for database mirroring or Availability Groups will have the following configuration (parameters for New-NetFirewallRule):
+
+            DisplayName = 'SQL Server default instance (DatabaseMirroring)' or 'SQL Server instance <InstanceName> (DatabaseMirroring)'
+            Name        = 'SQL Server default instance (DatabaseMirroring)' or 'SQL Server instance <InstanceName> (DatabaseMirroring)'
+            Group       = 'SQL Server'
+            Enabled     = 'True'
+            Direction   = 'Inbound'
+            Protocol    = 'TCP'
+            LocalPort   = '5022' (can be overwritten by using the parameter Configuration)
+
     .PARAMETER SqlInstance
         The target SQL Server instance or instances.
 
@@ -63,7 +73,7 @@ function New-DbaFirewallRule {
     .PARAMETER Type
         Specifies which firewall rule types to create for SQL Server network access.
         Use this when you need to create specific rules instead of the automatic detection behavior.
-        Valid values are Engine (SQL Server instance), Browser (SQL Server Browser service), and DAC (Dedicated Admin Connection). When omitted, the function automatically creates Engine rules plus Browser rules for non-default ports and DAC rules when remote DAC is enabled.
+        Valid values are Engine (SQL Server instance), Browser (SQL Server Browser service), DAC (Dedicated Admin Connection) and DatabaseMirroring (database mirroring or Availability Groups). When omitted, the function automatically creates Engine rules plus Browser rules for non-default ports and DAC rules when remote DAC is enabled.
 
     .PARAMETER Configuration
         Provides custom settings to override the default firewall rule configuration when calling New-NetFirewallRule.
@@ -113,13 +123,23 @@ function New-DbaFirewallRule {
 
         Creates or recreates the firewall rule for the instance TEST on SRV1. Does not prompt for confirmation.
 
+    .EXAMPLE
+        PS C:\> New-DbaFirewallRule -SqlInstance SQL01 -Type DatabaseMirroring
+
+        Creates the firewall rule for database mirroring or Availability Groups on the default instance on SQL01 using the default port 5022.
+
+    .EXAMPLE
+        PS C:\> New-DbaFirewallRule -SqlInstance SQL02 -Type DatabaseMirroring -Configuration @{ LocalPort = '5023' }
+
+        Creates the firewall rule for database mirroring or Availability Groups on the default instance on SQL02 using the custom port 5023.
+
     #>
     [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "High")]
     param (
         [parameter(Mandatory, ValueFromPipeline)]
         [DbaInstanceParameter[]]$SqlInstance,
         [PSCredential]$Credential,
-        [ValidateSet('Engine', 'Browser', 'DAC')]
+        [ValidateSet('Engine', 'Browser', 'DAC', 'DatabaseMirroring')]
         [string[]]$Type,
         [hashtable]$Configuration,
         [switch]$Force,
@@ -328,6 +348,35 @@ function New-DbaFirewallRule {
                 }
             }
 
+            # Create rule for database mirroring or Availability Groups
+            if ('DatabaseMirroring' -in $PSBoundParameters.Type) {
+                # Apply the defaults
+                $rule = @{
+                    Type         = 'DatabaseMirroring'
+                    InstanceName = $instance.InstanceName
+                    Config       = @{
+                        Group     = 'SQL Server'
+                        Enabled   = 'True'
+                        Direction = 'Inbound'
+                        Protocol  = 'TCP'
+                        LocalPort = '5022'
+                    }
+                }
+
+                # Test for default or named instance
+                if ($instance.InstanceName -eq 'MSSQLSERVER') {
+                    $rule.Config.DisplayName = 'SQL Server default instance (DatabaseMirroring)'
+                    $rule.Config.Name = 'SQL Server default instance (DatabaseMirroring)'
+                    $rule.SqlInstance = $instance.ComputerName
+                } else {
+                    $rule.Config.DisplayName = "SQL Server instance $($instance.InstanceName) (DatabaseMirroring)"
+                    $rule.Config.Name = "SQL Server instance $($instance.InstanceName) (DatabaseMirroring)"
+                    $rule.SqlInstance = $instance.ComputerName + '\' + $instance.InstanceName
+                }
+
+                $rules += $rule
+            }
+
             foreach ($rule in $rules) {
                 # Apply the given configuration
                 if ($Configuration) {
diff --git a/public/Remove-DbaFirewallRule.ps1 b/public/Remove-DbaFirewallRule.ps1
@@ -21,7 +21,7 @@ function Remove-DbaFirewallRule {
     .PARAMETER Type
         Specifies which types of SQL Server firewall rules to remove from the target computer.
         Use this to control exactly which network access rules are cleaned up when decommissioning or reconfiguring SQL Server instances.
-        Engine removes rules for SQL Server database connections, Browser removes UDP port 1434 rules for SQL Server Browser service, DAC removes Dedicated Admin Connection rules, and AllInstance removes all SQL Server-related rules. Defaults to Engine and DAC since Browser rules are often shared between multiple instances.
+        Engine removes rules for SQL Server database connections, Browser removes UDP port 1434 rules for SQL Server Browser service, DAC removes Dedicated Admin Connection rules, DatabaseMirroring removes database mirroring or Availability Groups rules, and AllInstance removes all SQL Server-related rules. Defaults to Engine and DAC since Browser rules are often shared between multiple instances.
 
     .PARAMETER InputObject
         Accepts firewall rule objects from Get-DbaFirewallRule for pipeline-based removal operations.
@@ -77,7 +77,7 @@ function Remove-DbaFirewallRule {
         [Parameter(ParameterSetName = 'NonPipeline')]
         [PSCredential]$Credential,
         [Parameter(ParameterSetName = 'NonPipeline')]
-        [ValidateSet('Engine', 'Browser', 'DAC', 'AllInstance')]
+        [ValidateSet('Engine', 'Browser', 'DAC', 'DatabaseMirroring', 'AllInstance')]
         [string[]]$Type = @('Engine', 'DAC'),
         [parameter(ValueFromPipeline, ParameterSetName = 'Pipeline', Mandatory = $true)]
         [object[]]$InputObject,
