Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies 2019-06-01

Bicep resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2019-06-01' = {
  etag: 'string'
  location: 'string'
  name: 'string'
  properties: {
    customRules: [
      {
        action: 'string'
        matchConditions: [
          {
            matchValues: [
              'string'
            ]
            matchVariables: [
              {
                selector: 'string'
                variableName: 'string'
              }
            ]
            negationConditon: bool
            operator: 'string'
            transforms: [
              'string'
            ]
          }
        ]
        name: 'string'
        priority: int
        ruleType: 'string'
      }
    ]
    policySettings: {
      enabledState: 'string'
      mode: 'string'
    }
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Describes if this is negate condition or not. bool
operator Describes operator to be matched. 'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'Regex' (required)
transforms List of transforms. String array containing any of:
'HtmlEntityDecode'
'Lowercase'
'RemoveNulls'
'Trim'
'UrlDecode'
'UrlEncode'

MatchVariable

Name Description Value
selector Describes field of the matchVariable collection. string
variableName Match Variable. 'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestCookies'
'RequestHeaders'
'RequestMethod'
'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
etag Gets a unique read-only string that changes whenever the resource is updated. string
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates

PolicySettings

Name Description Value
enabledState Describes if the policy is in enabled state or disabled state. 'Disabled'
'Enabled'
mode Describes if it is in detection mode or prevention mode at policy level. 'Detection'
'Prevention'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow'
'Block'
'Log' (required)
matchConditions List of match conditions. MatchCondition[] (required)
name Gets name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
ruleType Describes type of rule. 'Invalid'
'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules Describes custom rules inside the policy. WebApplicationFirewallCustomRule[]
policySettings Describes policySettings for policy. PolicySettings

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway This template creates a Front Door Standard/Premium with a container group and Application Gateway.

ARM template resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2019-06-01",
  "name": "string",
  "etag": "string",
  "location": "string",
  "properties": {
    "customRules": [
      {
        "action": "string",
        "matchConditions": [
          {
            "matchValues": [ "string" ],
            "matchVariables": [
              {
                "selector": "string",
                "variableName": "string"
              }
            ],
            "negationConditon": "bool",
            "operator": "string",
            "transforms": [ "string" ]
          }
        ],
        "name": "string",
        "priority": "int",
        "ruleType": "string"
      }
    ],
    "policySettings": {
      "enabledState": "string",
      "mode": "string"
    }
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Describes if this is negate condition or not. bool
operator Describes operator to be matched. 'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'Regex' (required)
transforms List of transforms. String array containing any of:
'HtmlEntityDecode'
'Lowercase'
'RemoveNulls'
'Trim'
'UrlDecode'
'UrlEncode'

MatchVariable

Name Description Value
selector Describes field of the matchVariable collection. string
variableName Match Variable. 'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestCookies'
'RequestHeaders'
'RequestMethod'
'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
apiVersion The api version '2019-06-01'
etag Gets a unique read-only string that changes whenever the resource is updated. string
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies'

PolicySettings

Name Description Value
enabledState Describes if the policy is in enabled state or disabled state. 'Disabled'
'Enabled'
mode Describes if it is in detection mode or prevention mode at policy level. 'Detection'
'Prevention'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow'
'Block'
'Log' (required)
matchConditions List of match conditions. MatchCondition[] (required)
name Gets name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
ruleType Describes type of rule. 'Invalid'
'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules Describes custom rules inside the policy. WebApplicationFirewallCustomRule[]
policySettings Describes policySettings for policy. PolicySettings

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy

Deploy to Azure
This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway

Deploy to Azure
This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin

Deploy to Azure
This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway

Deploy to Azure
This template creates a Front Door Standard/Premium with a container group and Application Gateway.

Terraform (AzAPI provider) resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2019-06-01"
  name = "string"
  etag = "string"
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      customRules = [
        {
          action = "string"
          matchConditions = [
            {
              matchValues = [
                "string"
              ]
              matchVariables = [
                {
                  selector = "string"
                  variableName = "string"
                }
              ]
              negationConditon = bool
              operator = "string"
              transforms = [
                "string"
              ]
            }
          ]
          name = "string"
          priority = int
          ruleType = "string"
        }
      ]
      policySettings = {
        enabledState = "string"
        mode = "string"
      }
    }
  })
}

Property values

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Describes if this is negate condition or not. bool
operator Describes operator to be matched. 'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'Regex' (required)
transforms List of transforms. String array containing any of:
'HtmlEntityDecode'
'Lowercase'
'RemoveNulls'
'Trim'
'UrlDecode'
'UrlEncode'

MatchVariable

Name Description Value
selector Describes field of the matchVariable collection. string
variableName Match Variable. 'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestCookies'
'RequestHeaders'
'RequestMethod'
'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
etag Gets a unique read-only string that changes whenever the resource is updated. string
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2019-06-01"

PolicySettings

Name Description Value
enabledState Describes if the policy is in enabled state or disabled state. 'Disabled'
'Enabled'
mode Describes if it is in detection mode or prevention mode at policy level. 'Detection'
'Prevention'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow'
'Block'
'Log' (required)
matchConditions List of match conditions. MatchCondition[] (required)
name Gets name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
ruleType Describes type of rule. 'Invalid'
'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules Describes custom rules inside the policy. WebApplicationFirewallCustomRule[]
policySettings Describes policySettings for policy. PolicySettings