Microsoft.Network firewallPolicies 2021-05-01
- Latest
- 2024-05-01
- 2024-03-01
- 2024-01-01
- 2023-11-01
- 2023-09-01
- 2023-06-01
- 2023-05-01
- 2023-04-01
- 2023-02-01
- 2022-11-01
- 2022-09-01
- 2022-07-01
- 2022-05-01
- 2022-01-01
- 2021-08-01
- 2021-05-01
- 2021-03-01
- 2021-02-01
- 2020-11-01
- 2020-08-01
- 2020-07-01
- 2020-06-01
- 2020-05-01
- 2020-04-01
- 2020-03-01
- 2019-12-01
- 2019-11-01
- 2019-09-01
- 2019-08-01
- 2019-07-01
- 2019-06-01
Bicep resource definition
The firewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/firewallPolicies@2021-05-01' = {
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
location: 'string'
name: 'string'
properties: {
basePolicy: {
id: 'string'
}
dnsSettings: {
enableProxy: bool
requireProxyForNetworkRules: bool
servers: [
'string'
]
}
explicitProxySettings: {
enableExplicitProxy: bool
httpPort: int
httpsPort: int
pacFile: 'string'
pacFilePort: int
}
insights: {
isEnabled: bool
logAnalyticsResources: {
defaultWorkspaceId: {
id: 'string'
}
workspaces: [
{
region: 'string'
workspaceId: {
id: 'string'
}
}
]
}
retentionDays: int
}
intrusionDetection: {
configuration: {
bypassTrafficSettings: [
{
description: 'string'
destinationAddresses: [
'string'
]
destinationIpGroups: [
'string'
]
destinationPorts: [
'string'
]
name: 'string'
protocol: 'string'
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
}
]
signatureOverrides: [
{
id: 'string'
mode: 'string'
}
]
}
mode: 'string'
}
sku: {
tier: 'string'
}
snat: {
privateRanges: [
'string'
]
}
sql: {
allowSqlRedirect: bool
}
threatIntelMode: 'string'
threatIntelWhitelist: {
fqdns: [
'string'
]
ipAddresses: [
'string'
]
}
transportSecurity: {
certificateAuthority: {
keyVaultSecretId: 'string'
name: 'string'
}
}
}
tags: {
{customized property}: 'string'
}
}
Property values
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
Name | Description | Value |
---|
DnsSettings
Name | Description | Value |
---|---|---|
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
servers | List of Custom DNS Servers. | string[] |
ExplicitProxySettings
Name | Description | Value |
---|---|---|
enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
pacFile | SAS URL for PAC file. | string |
pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyCertificateAuthority
Name | Description | Value |
---|---|---|
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string |
name | Name of the CA certificate. | string |
FirewallPolicyInsights
Name | Description | Value |
---|---|---|
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
Name | Description | Value |
---|---|---|
configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
mode | Intrusion detection general state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
Name | Description | Value |
---|---|---|
description | Description of the bypass traffic rule. | string |
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports or ranges. | string[] |
name | Name of the bypass traffic rule. | string |
protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
Name | Description | Value |
---|---|---|
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
Name | Description | Value |
---|---|---|
id | Signature id. | string |
mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
Name | Description | Value |
---|---|---|
defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
Name | Description | Value |
---|---|---|
region | Region to configure the Workspace. | string |
workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
dnsSettings | DNS Proxy Settings definition. | DnsSettings |
explicitProxySettings | Explicit Proxy Settings definition. | ExplicitProxySettings |
insights | Insights on Firewall Policy. | FirewallPolicyInsights |
intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
sku | The Firewall Policy SKU. | FirewallPolicySku |
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
sql | SQL Settings definition. | FirewallPolicySQL |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
transportSecurity | TLS Configuration definition. | FirewallPolicyTransportSecurity |
FirewallPolicySku
Name | Description | Value |
---|---|---|
tier | Tier of Firewall Policy. | 'Basic' 'Premium' 'Standard' |
FirewallPolicySnat
Name | Description | Value |
---|---|---|
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
Name | Description | Value |
---|---|---|
allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
Name | Description | Value |
---|---|---|
fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
FirewallPolicyTransportSecurity
Name | Description | Value |
---|---|---|
certificateAuthority | The CA used for intermediate CA generation. | FirewallPolicyCertificateAuthority |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
Name | Description | Value |
---|
Microsoft.Network/firewallPolicies
Name | Description | Value |
---|---|---|
identity | The identity of the firewall policy. | ManagedServiceIdentity |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Properties of the firewall policy. | FirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
Create a Firewall and FirewallPolicy with Rules and Ipgroups | This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
SharePoint Subscription / 2019 / 2016 fully configured | Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...). |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
ARM template resource definition
The firewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2021-05-01",
"name": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"location": "string",
"properties": {
"basePolicy": {
"id": "string"
},
"dnsSettings": {
"enableProxy": "bool",
"requireProxyForNetworkRules": "bool",
"servers": [ "string" ]
},
"explicitProxySettings": {
"enableExplicitProxy": "bool",
"httpPort": "int",
"httpsPort": "int",
"pacFile": "string",
"pacFilePort": "int"
},
"insights": {
"isEnabled": "bool",
"logAnalyticsResources": {
"defaultWorkspaceId": {
"id": "string"
},
"workspaces": [
{
"region": "string",
"workspaceId": {
"id": "string"
}
}
]
},
"retentionDays": "int"
},
"intrusionDetection": {
"configuration": {
"bypassTrafficSettings": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationIpGroups": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocol": "string",
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ]
}
],
"signatureOverrides": [
{
"id": "string",
"mode": "string"
}
]
},
"mode": "string"
},
"sku": {
"tier": "string"
},
"snat": {
"privateRanges": [ "string" ]
},
"sql": {
"allowSqlRedirect": "bool"
},
"threatIntelMode": "string",
"threatIntelWhitelist": {
"fqdns": [ "string" ],
"ipAddresses": [ "string" ]
},
"transportSecurity": {
"certificateAuthority": {
"keyVaultSecretId": "string",
"name": "string"
}
}
},
"tags": {
"{customized property}": "string"
}
}
Property values
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
Name | Description | Value |
---|
DnsSettings
Name | Description | Value |
---|---|---|
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
servers | List of Custom DNS Servers. | string[] |
ExplicitProxySettings
Name | Description | Value |
---|---|---|
enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
pacFile | SAS URL for PAC file. | string |
pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyCertificateAuthority
Name | Description | Value |
---|---|---|
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string |
name | Name of the CA certificate. | string |
FirewallPolicyInsights
Name | Description | Value |
---|---|---|
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
Name | Description | Value |
---|---|---|
configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
mode | Intrusion detection general state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
Name | Description | Value |
---|---|---|
description | Description of the bypass traffic rule. | string |
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports or ranges. | string[] |
name | Name of the bypass traffic rule. | string |
protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
Name | Description | Value |
---|---|---|
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
Name | Description | Value |
---|---|---|
id | Signature id. | string |
mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
Name | Description | Value |
---|---|---|
defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
Name | Description | Value |
---|---|---|
region | Region to configure the Workspace. | string |
workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
dnsSettings | DNS Proxy Settings definition. | DnsSettings |
explicitProxySettings | Explicit Proxy Settings definition. | ExplicitProxySettings |
insights | Insights on Firewall Policy. | FirewallPolicyInsights |
intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
sku | The Firewall Policy SKU. | FirewallPolicySku |
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
sql | SQL Settings definition. | FirewallPolicySQL |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
transportSecurity | TLS Configuration definition. | FirewallPolicyTransportSecurity |
FirewallPolicySku
Name | Description | Value |
---|---|---|
tier | Tier of Firewall Policy. | 'Basic' 'Premium' 'Standard' |
FirewallPolicySnat
Name | Description | Value |
---|---|---|
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
Name | Description | Value |
---|---|---|
allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
Name | Description | Value |
---|---|---|
fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
FirewallPolicyTransportSecurity
Name | Description | Value |
---|---|---|
certificateAuthority | The CA used for intermediate CA generation. | FirewallPolicyCertificateAuthority |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
Name | Description | Value |
---|
Microsoft.Network/firewallPolicies
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2021-05-01' |
identity | The identity of the firewall policy. | ManagedServiceIdentity |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Properties of the firewall policy. | FirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Network/firewallPolicies' |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Create a Firewall and FirewallPolicy with Rules and Ipgroups |
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Create a Firewall with FirewallPolicy and IpGroups |
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a Firewall, FirewallPolicy with Explicit Proxy |
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a sandbox setup with Firewall Policy |
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges |
Secured virtual hubs |
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
SharePoint Subscription / 2019 / 2016 fully configured |
Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...). |
Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology |
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
Terraform (AzAPI provider) resource definition
The firewallPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/firewallPolicies@2021-05-01"
name = "string"
identity = {
type = "string"
userAssignedIdentities = {
{customized property} = {
}
}
}
location = "string"
tags = {
{customized property} = "string"
}
body = jsonencode({
properties = {
basePolicy = {
id = "string"
}
dnsSettings = {
enableProxy = bool
requireProxyForNetworkRules = bool
servers = [
"string"
]
}
explicitProxySettings = {
enableExplicitProxy = bool
httpPort = int
httpsPort = int
pacFile = "string"
pacFilePort = int
}
insights = {
isEnabled = bool
logAnalyticsResources = {
defaultWorkspaceId = {
id = "string"
}
workspaces = [
{
region = "string"
workspaceId = {
id = "string"
}
}
]
}
retentionDays = int
}
intrusionDetection = {
configuration = {
bypassTrafficSettings = [
{
description = "string"
destinationAddresses = [
"string"
]
destinationIpGroups = [
"string"
]
destinationPorts = [
"string"
]
name = "string"
protocol = "string"
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
}
]
signatureOverrides = [
{
id = "string"
mode = "string"
}
]
}
mode = "string"
}
sku = {
tier = "string"
}
snat = {
privateRanges = [
"string"
]
}
sql = {
allowSqlRedirect = bool
}
threatIntelMode = "string"
threatIntelWhitelist = {
fqdns = [
"string"
]
ipAddresses = [
"string"
]
}
transportSecurity = {
certificateAuthority = {
keyVaultSecretId = "string"
name = "string"
}
}
}
})
}
Property values
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
Name | Description | Value |
---|
DnsSettings
Name | Description | Value |
---|---|---|
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
servers | List of Custom DNS Servers. | string[] |
ExplicitProxySettings
Name | Description | Value |
---|---|---|
enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
pacFile | SAS URL for PAC file. | string |
pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyCertificateAuthority
Name | Description | Value |
---|---|---|
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string |
name | Name of the CA certificate. | string |
FirewallPolicyInsights
Name | Description | Value |
---|---|---|
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
Name | Description | Value |
---|---|---|
configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
mode | Intrusion detection general state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
Name | Description | Value |
---|---|---|
description | Description of the bypass traffic rule. | string |
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports or ranges. | string[] |
name | Name of the bypass traffic rule. | string |
protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
Name | Description | Value |
---|---|---|
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
Name | Description | Value |
---|---|---|
id | Signature id. | string |
mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
Name | Description | Value |
---|---|---|
defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
Name | Description | Value |
---|---|---|
region | Region to configure the Workspace. | string |
workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
dnsSettings | DNS Proxy Settings definition. | DnsSettings |
explicitProxySettings | Explicit Proxy Settings definition. | ExplicitProxySettings |
insights | Insights on Firewall Policy. | FirewallPolicyInsights |
intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
sku | The Firewall Policy SKU. | FirewallPolicySku |
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
sql | SQL Settings definition. | FirewallPolicySQL |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
transportSecurity | TLS Configuration definition. | FirewallPolicyTransportSecurity |
FirewallPolicySku
Name | Description | Value |
---|---|---|
tier | Tier of Firewall Policy. | 'Basic' 'Premium' 'Standard' |
FirewallPolicySnat
Name | Description | Value |
---|---|---|
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
Name | Description | Value |
---|---|---|
allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
Name | Description | Value |
---|---|---|
fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
FirewallPolicyTransportSecurity
Name | Description | Value |
---|---|---|
certificateAuthority | The CA used for intermediate CA generation. | FirewallPolicyCertificateAuthority |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
Name | Description | Value |
---|
Microsoft.Network/firewallPolicies
Name | Description | Value |
---|---|---|
identity | The identity of the firewall policy. | ManagedServiceIdentity |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Properties of the firewall policy. | FirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Network/firewallPolicies@2021-05-01" |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |