Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies 2021-02-01

Bicep resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-02-01' = {
  location: 'string'
  name: 'string'
  properties: {
    customRules: [
      {
        action: 'string'
        matchConditions: [
          {
            matchValues: [
              'string'
            ]
            matchVariables: [
              {
                selector: 'string'
                variableName: 'string'
              }
            ]
            negationConditon: bool
            operator: 'string'
            transforms: [
              'string'
            ]
          }
        ]
        name: 'string'
        priority: int
        ruleType: 'string'
      }
    ]
    managedRules: {
      exclusions: [
        {
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
        }
      ]
      managedRuleSets: [
        {
          ruleGroupOverrides: [
            {
              ruleGroupName: 'string'
              rules: [
                {
                  ruleId: 'string'
                  state: 'string'
                }
              ]
            }
          ]
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      fileUploadLimitInMb: int
      maxRequestBodySizeInKb: int
      mode: 'string'
      requestBodyCheck: bool
      state: 'string'
    }
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

ManagedRuleGroupOverride

Name Description Value
ruleGroupName The managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
ruleId Identifier for the managed rule. string (required)
state The state of the managed rule. Defaults to Disabled if not specified. 'Disabled'

ManagedRulesDefinition

Name Description Value
exclusions The Exclusions that are applied on the policy. OwaspCrsExclusionEntry[]
managedRuleSets The managed rule sets that are associated with the policy. ManagedRuleSet[] (required)

ManagedRuleSet

Name Description Value
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Whether this is a negated condition or not. bool
operator The operator to be matched. 'BeginsWith', 'Contains', 'EndsWith', 'Equal', 'GeoMatch', 'GreaterThan', 'GreaterThanOrEqual', 'IPMatch', 'LessThan', 'LessThanOrEqual', 'Regex' (required)
transforms List of transforms. String array containing any of: 'HtmlEntityDecode', 'Lowercase', 'RemoveNulls', 'Trim', 'UrlDecode', 'UrlEncode'

MatchVariable

Name Description Value
selector The selector of match variable. string
variableName Match Variable. 'PostArgs', 'QueryString', 'RemoteAddr', 'RequestBody', 'RequestCookies', 'RequestHeaders', 'RequestMethod', 'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates

OwaspCrsExclusionEntry

Name Description Value
matchVariable The variable to be excluded. 'RequestArgNames', 'RequestCookieNames', 'RequestHeaderNames' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. 'Contains', 'EndsWith', 'Equals', 'EqualsAny', 'StartsWith' (required)

PolicySettings

Name Description Value
fileUploadLimitInMb Maximum file upload size in Mb for WAF. int (Constraints: Min value = 0)
maxRequestBodySizeInKb Maximum request body size in Kb for WAF. int (Constraints: Min value = 8)
mode The mode of the policy. 'Detection', 'Prevention'
requestBodyCheck Whether to allow WAF to check request Body. bool
state The state of the policy. 'Disabled', 'Enabled'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow', 'Block', 'Log' (required)
matchConditions List of match conditions. MatchCondition[] (required)
name The name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
ruleType The rule type. 'Invalid', 'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules The custom rules inside the policy. WebApplicationFirewallCustomRule[]
managedRules Describes the managedRules structure. ManagedRulesDefinition (required)
policySettings The PolicySettings for policy. PolicySettings

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway This template creates a Front Door Standard/Premium with a container group and Application Gateway.

ARM template resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2021-02-01",
  "name": "string",
  "location": "string",
  "properties": {
    "customRules": [
      {
        "action": "string",
        "matchConditions": [
          {
            "matchValues": [ "string" ],
            "matchVariables": [
              {
                "selector": "string",
                "variableName": "string"
              }
            ],
            "negationConditon": "bool",
            "operator": "string",
            "transforms": [ "string" ]
          }
        ],
        "name": "string",
        "priority": "int",
        "ruleType": "string"
      }
    ],
    "managedRules": {
      "exclusions": [
        {
          "matchVariable": "string",
          "selector": "string",
          "selectorMatchOperator": "string"
        }
      ],
      "managedRuleSets": [
        {
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "string",
              "rules": [
                {
                  "ruleId": "string",
                  "state": "string"
                }
              ]
            }
          ],
          "ruleSetType": "string",
          "ruleSetVersion": "string"
        }
      ]
    },
    "policySettings": {
      "fileUploadLimitInMb": "int",
      "maxRequestBodySizeInKb": "int",
      "mode": "string",
      "requestBodyCheck": "bool",
      "state": "string"
    }
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

ManagedRuleGroupOverride

Name Description Value
ruleGroupName The managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
ruleId Identifier for the managed rule. string (required)
state The state of the managed rule. Defaults to Disabled if not specified. 'Disabled'

ManagedRulesDefinition

Name Description Value
exclusions The Exclusions that are applied on the policy. OwaspCrsExclusionEntry[]
managedRuleSets The managed rule sets that are associated with the policy. ManagedRuleSet[] (required)

ManagedRuleSet

Name Description Value
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Whether this is a negated condition or not. bool
operator The operator to be matched. 'BeginsWith', 'Contains', 'EndsWith', 'Equal', 'GeoMatch', 'GreaterThan', 'GreaterThanOrEqual', 'IPMatch', 'LessThan', 'LessThanOrEqual', 'Regex' (required)
transforms List of transforms. String array containing any of: 'HtmlEntityDecode', 'Lowercase', 'RemoveNulls', 'Trim', 'UrlDecode', 'UrlEncode'

MatchVariable

Name Description Value
selector The selector of match variable. string
variableName Match Variable. 'PostArgs', 'QueryString', 'RemoteAddr', 'RequestBody', 'RequestCookies', 'RequestHeaders', 'RequestMethod', 'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
apiVersion The api version '2021-02-01'
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies'

OwaspCrsExclusionEntry

Name Description Value
matchVariable The variable to be excluded. 'RequestArgNames', 'RequestCookieNames', 'RequestHeaderNames' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. 'Contains', 'EndsWith', 'Equals', 'EqualsAny', 'StartsWith' (required)

PolicySettings

Name Description Value
fileUploadLimitInMb Maximum file upload size in Mb for WAF. int (Constraints: Min value = 0)
maxRequestBodySizeInKb Maximum request body size in Kb for WAF. int (Constraints: Min value = 8)
mode The mode of the policy. 'Detection', 'Prevention'
requestBodyCheck Whether to allow WAF to check request Body. bool
state The state of the policy. 'Disabled', 'Enabled'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow', 'Block', 'Log' (required)
matchConditions List of match conditions. MatchCondition[] (required)
name The name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
ruleType The rule type. 'Invalid', 'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules The custom rules inside the policy. WebApplicationFirewallCustomRule[]
managedRules Describes the managedRules structure. ManagedRulesDefinition (required)
policySettings The PolicySettings for policy. PolicySettings
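
An added example, not part of the original reference: a Python check that reads a policy resource in the ARM JSON format above and reports settings that reduce protection (policy not enabled, mode not 'Prevention', request-body inspection off, disabled managed rules or whole rule groups, and 'Allow' custom rules in evaluation order). The sample resource, its names, the rule set version, the rule group and rule identifiers and the IP range are constructed placeholders.

```python
import json

# Constructed sample in the ARM JSON format above. Names, region, rule set
# version, rule group, rule ID and the IP range are placeholders.
SAMPLE = json.loads("""{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2021-02-01",
  "name": "example-policy",
  "location": "example-region",
  "properties": {
    "customRules": [
      {"name": "AllowRange", "priority": 5, "ruleType": "MatchRule", "action": "Allow",
       "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                            "operator": "IPMatch", "matchValues": ["203.0.113.0/24"]}]}
    ],
    "managedRules": {"managedRuleSets": [
      {"ruleSetType": "OWASP", "ruleSetVersion": "3.2",
       "ruleGroupOverrides": [
         {"ruleGroupName": "EXAMPLE-GROUP-A"},
         {"ruleGroupName": "EXAMPLE-GROUP-B", "rules": [{"ruleId": "000001"}]}
       ]}
    ]},
    "policySettings": {"state": "Enabled", "mode": "Detection", "requestBodyCheck": false}
  }
}""")


def audit_policy(resource):
    """Return findings for settings that weaken the WAF policy."""
    props = resource.get("properties", {})
    settings = props.get("policySettings", {})
    findings = []
    # Unset values are reported too: the check wants an explicit safe setting.
    if settings.get("state") != "Enabled":
        findings.append("policySettings.state is not 'Enabled'")
    if settings.get("mode") != "Prevention":
        findings.append("policySettings.mode is not 'Prevention'")
    if settings.get("requestBodyCheck") is not True:
        findings.append("policySettings.requestBodyCheck is not true")
    for rule_set in props.get("managedRules", {}).get("managedRuleSets", []):
        label = f"{rule_set.get('ruleSetType')} {rule_set.get('ruleSetVersion')}"
        for group in rule_set.get("ruleGroupOverrides", []):
            rules = group.get("rules") or []
            if not rules:
                # No rules listed: every rule in the group is disabled.
                findings.append(f"{label}: whole group {group['ruleGroupName']} disabled")
            for rule in rules:
                # 'state' defaults to 'Disabled' when it is omitted.
                if rule.get("state", "Disabled") == "Disabled":
                    findings.append(f"{label}: rule {rule['ruleId']} in {group['ruleGroupName']} disabled")
    # Lower priority values are evaluated first, so report Allow rules in that order.
    for rule in sorted(props.get("customRules", []), key=lambda r: r["priority"]):
        if rule.get("action") == "Allow":
            findings.append(f"custom rule {rule['name']} (priority {rule['priority']}) has action 'Allow'")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(finding)
```
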

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway This template creates a Front Door Standard/Premium with a container group and Application Gateway.

Terraform (AzAPI provider) resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-02-01"
  name = "string"
  location = "string"
  body = jsonencode({
    properties = {
      customRules = [
        {
          action = "string"
          matchConditions = [
            {
              matchValues = [
                "string"
              ]
              matchVariables = [
                {
                  selector = "string"
                  variableName = "string"
                }
              ]
              negationConditon = bool
              operator = "string"
              transforms = [
                "string"
              ]
            }
          ]
          name = "string"
          priority = int
          ruleType = "string"
        }
      ]
      managedRules = {
        exclusions = [
          {
            matchVariable = "string"
            selector = "string"
            selectorMatchOperator = "string"
          }
        ]
        managedRuleSets = [
          {
            ruleGroupOverrides = [
              {
                ruleGroupName = "string"
                rules = [
                  {
                    ruleId = "string"
                    state = "string"
                  }
                ]
              }
            ]
            ruleSetType = "string"
            ruleSetVersion = "string"
          }
        ]
      }
      policySettings = {
        fileUploadLimitInMb = int
        maxRequestBodySizeInKb = int
        mode = "string"
        requestBodyCheck = bool
        state = "string"
      }
    }
  })
  tags = {
    {customized property} = "string"
  }
}

Property values

ManagedRuleGroupOverride

Name Description Value
ruleGroupName The managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
ruleId Identifier for the managed rule. string (required)
state The state of the managed rule. Defaults to Disabled if not specified. 'Disabled'

ManagedRulesDefinition

Name Description Value
exclusions The Exclusions that are applied on the policy. OwaspCrsExclusionEntry[]
managedRuleSets The managed rule sets that are associated with the policy. ManagedRuleSet[] (required)

ManagedRuleSet

Name Description Value
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Whether this is a negated condition or not. bool
operator The operator to be matched. 'BeginsWith', 'Contains', 'EndsWith', 'Equal', 'GeoMatch', 'GreaterThan', 'GreaterThanOrEqual', 'IPMatch', 'LessThan', 'LessThanOrEqual', 'Regex' (required)
transforms List of transforms. String array containing any of: 'HtmlEntityDecode', 'Lowercase', 'RemoveNulls', 'Trim', 'UrlDecode', 'UrlEncode'

MatchVariable

Name Description Value
selector The selector of match variable. string
variableName Match Variable. 'PostArgs', 'QueryString', 'RemoteAddr', 'RequestBody', 'RequestCookies', 'RequestHeaders', 'RequestMethod', 'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-02-01"

OwaspCrsExclusionEntry

Name Description Value
matchVariable The variable to be excluded. 'RequestArgNames', 'RequestCookieNames', 'RequestHeaderNames' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. 'Contains', 'EndsWith', 'Equals', 'EqualsAny', 'StartsWith' (required)

PolicySettings

Name Description Value
fileUploadLimitInMb Maximum file upload size in Mb for WAF. int (Constraints: Min value = 0)
maxRequestBodySizeInKb Maximum request body size in Kb for WAF. int (Constraints: Min value = 8)
mode The mode of the policy. 'Detection', 'Prevention'
requestBodyCheck Whether to allow WAF to check request Body. bool
state The state of the policy. 'Disabled', 'Enabled'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow', 'Block', 'Log' (required)
matchConditions List of match conditions. MatchCondition[] (required)
name The name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
ruleType The rule type. 'Invalid', 'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules The custom rules inside the policy. WebApplicationFirewallCustomRule[]
managedRules Describes the managedRules structure. ManagedRulesDefinition (required)
policySettings The PolicySettings for policy. PolicySettings