Microsoft.Network FrontDoorWebApplicationFirewallPolicies 2018-08-01
Bicep resource definition
The FrontDoorWebApplicationFirewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2018-08-01' = {
etag: 'string'
location: 'string'
name: 'string'
properties: {
customRules: {
rules: [
{
action: 'string'
matchConditions: [
{
matchValue: [
'string'
]
matchVariable: 'string'
negateCondition: bool
operator: 'string'
selector: 'string'
}
]
name: 'string'
priority: int
rateLimitDurationInMinutes: int
rateLimitThreshold: int
ruleType: 'string'
transforms: [
'string'
]
}
]
}
managedRules: {
ruleSets: [
{
priority: int
version: int
ruleSetType: 'string'
// For remaining properties, see ManagedRuleSet objects
}
]
}
policySettings: {
enabledState: 'string'
mode: 'string'
}
}
tags: {
{customized property}: 'string'
}
}
ManagedRuleSet objects
Set the ruleSetType property to specify the type of object.
For AzureManagedRuleSet, use:
{
ruleGroupOverrides: [
{
action: 'string'
ruleGroupOverride: 'string'
}
]
ruleSetType: 'AzureManagedRuleSet'
}
Property values
AzureManagedOverrideRuleGroup
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| ruleGroupOverride | Describes override rule group | 'SqlInjection' 'XSS' (required) |
AzureManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleGroupOverrides | List of azure managed provider override configuration (optional) | AzureManagedOverrideRuleGroup[] |
| ruleSetType | RuleSetType - AzureManagedRuleSet or OWASP RuleSets. | 'AzureManagedRuleSet' (required) |
CustomRule
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| matchConditions | List of match conditions | MatchConditionAutoGenerated[] (required) |
| name | Gets name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value | int (required) |
| rateLimitDurationInMinutes | Defines rate limit duration. Default - 1 minute | int |
| rateLimitThreshold | Defines rate limit threshold | int |
| ruleType | Describes type of rule | 'MatchRule' 'RateLimitRule' (required) |
| transforms | List of transforms | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
CustomRules
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRule[] |
ManagedRuleSet
| Name | Description | Value |
|---|---|---|
| priority | Describes priority of the rule | int |
| ruleSetType | Set to 'AzureManagedRuleSet' for type AzureManagedRuleSet. | 'AzureManagedRuleSet' (required) |
| version | defines version of the rule set | int |
ManagedRuleSets
| Name | Description | Value |
|---|---|---|
| ruleSets | List of rules | ManagedRuleSet[] |
MatchConditionAutoGenerated
| Name | Description | Value |
|---|---|---|
| matchValue | Match value | string[] (required) |
| matchVariable | Match Variable | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestUri' (required) |
| negateCondition | Describes if this is negate condition or not | bool |
| operator | Describes operator to be matched | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' (required) |
| selector | Name of selector in RequestHeader or RequestBody to be matched | string |
Microsoft.Network/FrontDoorWebApplicationFirewallPolicies
| Name | Description | Value |
|---|---|---|
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| location | Resource location. | string |
| name | The resource name | string Constraints: Max length = (required) |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
PolicySettings
| Name | Description | Value |
|---|---|---|
| enabledState | describes if the policy is in enabled state or disabled state | 'Disabled' 'Enabled' |
| mode | Describes if it is in detection mode or prevention mode at policy level | 'Detection' 'Prevention' |
ResourceTags
| Name | Description | Value |
|---|
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy | CustomRules |
| managedRules | Describes managed rules inside the policy | ManagedRuleSets |
| policySettings | Describes policySettings for policy | PolicySettings |
Quickstart samples
The following quickstart samples deploy this resource type.
| Bicep File | Description |
|---|---|
| Configure WAF managed defaultRuleSet for Azure Front Door | This template configures WAF managed defaultRuleSet for Azure Front Door |
| Front Door Premium with blob origin and Private Link | This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Premium with WAF and Microsoft-managed rule sets | This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets. |
| Front Door Standard/Premium with geo-filtering | This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule. |
| Front Door Standard/Premium with rate limit | This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule. |
| Front Door Standard/Premium with WAF and custom rule | This template creates a Front Door Standard/Premium including a web application firewall with a custom rule. |
| Front Door with blob origins for blobs upload | This template creates a Front Door with origins, routes and ruleSets, and an Azure Storage accounts with blob containers. Front Door sends traffic to the storage accounts when uploading files. |
| FrontDoor CDN with WAF, Domains and Logs to EventHub | This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub. |
| Function App secured by Azure Frontdoor | This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link. |
ARM template resource definition
The FrontDoorWebApplicationFirewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
"apiVersion": "2018-08-01",
"name": "string",
"etag": "string",
"location": "string",
"properties": {
"customRules": {
"rules": [
{
"action": "string",
"matchConditions": [
{
"matchValue": [ "string" ],
"matchVariable": "string",
"negateCondition": "bool",
"operator": "string",
"selector": "string"
}
],
"name": "string",
"priority": "int",
"rateLimitDurationInMinutes": "int",
"rateLimitThreshold": "int",
"ruleType": "string",
"transforms": [ "string" ]
}
]
},
"managedRules": {
"ruleSets": [ {
"priority": "int",
"version": "int",
"ruleSetType": "string"
// For remaining properties, see ManagedRuleSet objects
} ]
},
"policySettings": {
"enabledState": "string",
"mode": "string"
}
},
"tags": {
"{customized property}": "string"
}
}
ManagedRuleSet objects
Set the ruleSetType property to specify the type of object.
For AzureManagedRuleSet, use:
{
"ruleGroupOverrides": [
{
"action": "string",
"ruleGroupOverride": "string"
}
],
"ruleSetType": "AzureManagedRuleSet"
}
Property values
AzureManagedOverrideRuleGroup
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| ruleGroupOverride | Describes override rule group | 'SqlInjection' 'XSS' (required) |
AzureManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleGroupOverrides | List of azure managed provider override configuration (optional) | AzureManagedOverrideRuleGroup[] |
| ruleSetType | RuleSetType - AzureManagedRuleSet or OWASP RuleSets. | 'AzureManagedRuleSet' (required) |
CustomRule
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| matchConditions | List of match conditions | MatchConditionAutoGenerated[] (required) |
| name | Gets name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value | int (required) |
| rateLimitDurationInMinutes | Defines rate limit duration. Default - 1 minute | int |
| rateLimitThreshold | Defines rate limit threshold | int |
| ruleType | Describes type of rule | 'MatchRule' 'RateLimitRule' (required) |
| transforms | List of transforms | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
CustomRules
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRule[] |
ManagedRuleSet
| Name | Description | Value |
|---|---|---|
| priority | Describes priority of the rule | int |
| ruleSetType | Set to 'AzureManagedRuleSet' for type AzureManagedRuleSet. | 'AzureManagedRuleSet' (required) |
| version | defines version of the rule set | int |
ManagedRuleSets
| Name | Description | Value |
|---|---|---|
| ruleSets | List of rules | ManagedRuleSet[] |
MatchConditionAutoGenerated
| Name | Description | Value |
|---|---|---|
| matchValue | Match value | string[] (required) |
| matchVariable | Match Variable | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestUri' (required) |
| negateCondition | Describes if this is negate condition or not | bool |
| operator | Describes operator to be matched | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' (required) |
| selector | Name of selector in RequestHeader or RequestBody to be matched | string |
Microsoft.Network/FrontDoorWebApplicationFirewallPolicies
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2018-08-01' |
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| location | Resource location. | string |
| name | The resource name | string Constraints: Max length = (required) |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies' |
PolicySettings
| Name | Description | Value |
|---|---|---|
| enabledState | describes if the policy is in enabled state or disabled state | 'Disabled' 'Enabled' |
| mode | Describes if it is in detection mode or prevention mode at policy level | 'Detection' 'Prevention' |
ResourceTags
| Name | Description | Value |
|---|
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy | CustomRules |
| managedRules | Describes managed rules inside the policy | ManagedRuleSets |
| policySettings | Describes policySettings for policy | PolicySettings |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Configure WAF client IP restriction for Azure Front Door |
This template configures WAF client IP restriction for Azure Front Door endpoint |
| Configure WAF managed defaultRuleSet for Azure Front Door |
This template configures WAF managed defaultRuleSet for Azure Front Door |
| Configure WAF rate liming rule for Azure Front Door endpoint |
This template configures a WAF rule for Azure Front Door to rate limit incoming traffic for a given frontend host. |
| Configure WAF rules with http parameters for Front Door |
This template configures WAF custom rules based on specific http parameters for Azure Front Door endpoint. |
| Create Azure Front Door in front of Azure API Management |
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management. |
| Create WAF Geo Filtering rule for Azure Front Door endpoint |
This template creates a WAF geo filtering rule for Azure Front Door that allows/blocks traffic from certain countries. |
| Front Door Premium with blob origin and Private Link |
This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Premium with WAF and Microsoft-managed rule sets |
This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets. |
| Front Door Standard/Premium with geo-filtering |
This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule. |
| Front Door Standard/Premium with rate limit |
This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule. |
| Front Door Standard/Premium with WAF and custom rule |
This template creates a Front Door Standard/Premium including a web application firewall with a custom rule. |
| Front Door with blob origins for blobs upload |
This template creates a Front Door with origins, routes and ruleSets, and an Azure Storage accounts with blob containers. Front Door sends traffic to the storage accounts when uploading files. |
| FrontDoor CDN with WAF, Domains and Logs to EventHub |
This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub. |
| Function App secured by Azure Frontdoor |
This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link. |
Terraform (AzAPI provider) resource definition
The FrontDoorWebApplicationFirewallPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2018-08-01"
name = "string"
etag = "string"
location = "string"
tags = {
{customized property} = "string"
}
body = jsonencode({
properties = {
customRules = {
rules = [
{
action = "string"
matchConditions = [
{
matchValue = [
"string"
]
matchVariable = "string"
negateCondition = bool
operator = "string"
selector = "string"
}
]
name = "string"
priority = int
rateLimitDurationInMinutes = int
rateLimitThreshold = int
ruleType = "string"
transforms = [
"string"
]
}
]
}
managedRules = {
ruleSets = [
{
priority = int
version = int
ruleSetType = "string"
// For remaining properties, see ManagedRuleSet objects
}
]
}
policySettings = {
enabledState = "string"
mode = "string"
}
}
})
}
ManagedRuleSet objects
Set the ruleSetType property to specify the type of object.
For AzureManagedRuleSet, use:
{
ruleGroupOverrides = [
{
action = "string"
ruleGroupOverride = "string"
}
]
ruleSetType = "AzureManagedRuleSet"
}
Property values
AzureManagedOverrideRuleGroup
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| ruleGroupOverride | Describes override rule group | 'SqlInjection' 'XSS' (required) |
AzureManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleGroupOverrides | List of azure managed provider override configuration (optional) | AzureManagedOverrideRuleGroup[] |
| ruleSetType | RuleSetType - AzureManagedRuleSet or OWASP RuleSets. | 'AzureManagedRuleSet' (required) |
CustomRule
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| matchConditions | List of match conditions | MatchConditionAutoGenerated[] (required) |
| name | Gets name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value | int (required) |
| rateLimitDurationInMinutes | Defines rate limit duration. Default - 1 minute | int |
| rateLimitThreshold | Defines rate limit threshold | int |
| ruleType | Describes type of rule | 'MatchRule' 'RateLimitRule' (required) |
| transforms | List of transforms | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
CustomRules
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRule[] |
ManagedRuleSet
| Name | Description | Value |
|---|---|---|
| priority | Describes priority of the rule | int |
| ruleSetType | Set to 'AzureManagedRuleSet' for type AzureManagedRuleSet. | 'AzureManagedRuleSet' (required) |
| version | defines version of the rule set | int |
ManagedRuleSets
| Name | Description | Value |
|---|---|---|
| ruleSets | List of rules | ManagedRuleSet[] |
MatchConditionAutoGenerated
| Name | Description | Value |
|---|---|---|
| matchValue | Match value | string[] (required) |
| matchVariable | Match Variable | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestUri' (required) |
| negateCondition | Describes if this is negate condition or not | bool |
| operator | Describes operator to be matched | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' (required) |
| selector | Name of selector in RequestHeader or RequestBody to be matched | string |
Microsoft.Network/FrontDoorWebApplicationFirewallPolicies
| Name | Description | Value |
|---|---|---|
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| location | Resource location. | string |
| name | The resource name | string Constraints: Max length = (required) |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2018-08-01" |
PolicySettings
| Name | Description | Value |
|---|---|---|
| enabledState | describes if the policy is in enabled state or disabled state | 'Disabled' 'Enabled' |
| mode | Describes if it is in detection mode or prevention mode at policy level | 'Detection' 'Prevention' |
ResourceTags
| Name | Description | Value |
|---|
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy | CustomRules |
| managedRules | Describes managed rules inside the policy | ManagedRuleSets |
| policySettings | Describes policySettings for policy | PolicySettings |