Microsoft.Network azureFirewalls 2023-09-01
- Latest
- 2024-05-01
- 2024-03-01
- 2024-01-01
- 2023-11-01
- 2023-09-01
- 2023-06-01
- 2023-05-01
- 2023-04-01
- 2023-02-01
- 2022-11-01
- 2022-09-01
- 2022-07-01
- 2022-05-01
- 2022-01-01
- 2021-08-01
- 2021-05-01
- 2021-03-01
- 2021-02-01
- 2020-11-01
- 2020-08-01
- 2020-07-01
- 2020-06-01
- 2020-05-01
- 2020-04-01
- 2020-03-01
- 2019-12-01
- 2019-11-01
- 2019-09-01
- 2019-08-01
- 2019-07-01
- 2019-06-01
- 2019-04-01
- 2019-02-01
- 2018-12-01
- 2018-11-01
- 2018-10-01
- 2018-08-01
- 2018-07-01
- 2018-06-01
- 2018-04-01
Bicep resource definition
The azureFirewalls resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/azureFirewalls resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/azureFirewalls@2023-09-01' = {
location: 'string'
name: 'string'
properties: {
additionalProperties: {
{customized property}: 'string'
}
applicationRuleCollections: [
{
id: 'string'
name: 'string'
properties: {
action: {
type: 'string'
}
priority: int
rules: [
{
description: 'string'
fqdnTags: [
'string'
]
name: 'string'
protocols: [
{
port: int
protocolType: 'string'
}
]
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
targetFqdns: [
'string'
]
}
]
}
}
]
firewallPolicy: {
id: 'string'
}
hubIPAddresses: {
privateIPAddress: 'string'
publicIPs: {
addresses: [
{
address: 'string'
}
]
count: int
}
}
ipConfigurations: [
{
id: 'string'
name: 'string'
properties: {
publicIPAddress: {
id: 'string'
}
subnet: {
id: 'string'
}
}
}
]
managementIpConfiguration: {
id: 'string'
name: 'string'
properties: {
publicIPAddress: {
id: 'string'
}
subnet: {
id: 'string'
}
}
}
natRuleCollections: [
{
id: 'string'
name: 'string'
properties: {
action: {
type: 'string'
}
priority: int
rules: [
{
description: 'string'
destinationAddresses: [
'string'
]
destinationPorts: [
'string'
]
name: 'string'
protocols: [
'string'
]
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
translatedAddress: 'string'
translatedFqdn: 'string'
translatedPort: 'string'
}
]
}
}
]
networkRuleCollections: [
{
id: 'string'
name: 'string'
properties: {
action: {
type: 'string'
}
priority: int
rules: [
{
description: 'string'
destinationAddresses: [
'string'
]
destinationFqdns: [
'string'
]
destinationIpGroups: [
'string'
]
destinationPorts: [
'string'
]
name: 'string'
protocols: [
'string'
]
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
}
]
}
}
]
sku: {
name: 'string'
tier: 'string'
}
threatIntelMode: 'string'
virtualHub: {
id: 'string'
}
}
tags: {
{customized property}: 'string'
}
zones: [
'string'
]
}
Property values
AzureFirewallAdditionalProperties
Name | Description | Value |
---|
AzureFirewallApplicationRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
fqdnTags | List of FQDN Tags for this rule. | string[] |
name | Name of the application rule. | string |
protocols | Array of ApplicationRuleProtocols. | AzureFirewallApplicationRuleProtocol[] |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
targetFqdns | List of FQDNs for this rule. | string[] |
AzureFirewallApplicationRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall application rule collection. | AzureFirewallApplicationRuleCollectionPropertiesFormat |
AzureFirewallApplicationRuleCollectionPropertiesFormat
Name | Description | Value |
---|---|---|
action | The action type of a rule collection. | AzureFirewallRCAction |
priority | Priority of the application rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a application rule collection. | AzureFirewallApplicationRule[] |
AzureFirewallApplicationRuleProtocol
Name | Description | Value |
---|---|---|
port | Port number for the protocol, cannot be greater than 64000. This field is optional. | int Constraints: Min value = 0 Max value = 64000 |
protocolType | Protocol type. | 'Http' 'Https' 'Mssql' |
AzureFirewallIPConfiguration
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Properties of the azure firewall IP configuration. | AzureFirewallIPConfigurationPropertiesFormat |
AzureFirewallIPConfigurationPropertiesFormat
Name | Description | Value |
---|---|---|
publicIPAddress | Reference to the PublicIP resource. This field is a mandatory input if subnet is not null. | SubResource |
subnet | Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'. | SubResource |
AzureFirewallNatRCAction
Name | Description | Value |
---|---|---|
type | The type of action. | 'Dnat' 'Snat' |
AzureFirewallNatRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
destinationAddresses | List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags. | string[] |
destinationPorts | List of destination ports. | string[] |
name | Name of the NAT rule. | string |
protocols | Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
translatedAddress | The translated address for this NAT rule. | string |
translatedFqdn | The translated FQDN for this NAT rule. | string |
translatedPort | The translated port for this NAT rule. | string |
AzureFirewallNatRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall NAT rule collection. | AzureFirewallNatRuleCollectionProperties |
AzureFirewallNatRuleCollectionProperties
Name | Description | Value |
---|---|---|
action | The action type of a NAT rule collection. | AzureFirewallNatRCAction |
priority | Priority of the NAT rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a NAT rule collection. | AzureFirewallNatRule[] |
AzureFirewallNetworkRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
destinationAddresses | List of destination IP addresses. | string[] |
destinationFqdns | List of destination FQDNs. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports. | string[] |
name | Name of the network rule. | string |
protocols | Array of AzureFirewallNetworkRuleProtocols. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
AzureFirewallNetworkRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall network rule collection. | AzureFirewallNetworkRuleCollectionPropertiesFormat |
AzureFirewallNetworkRuleCollectionPropertiesFormat
Name | Description | Value |
---|---|---|
action | The action type of a rule collection. | AzureFirewallRCAction |
priority | Priority of the network rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a network rule collection. | AzureFirewallNetworkRule[] |
AzureFirewallPropertiesFormat
Name | Description | Value |
---|---|---|
additionalProperties | The additional properties used to further config this azure firewall. | AzureFirewallAdditionalProperties |
applicationRuleCollections | Collection of application rule collections used by Azure Firewall. | AzureFirewallApplicationRuleCollection[] |
firewallPolicy | The firewallPolicy associated with this azure firewall. | SubResource |
hubIPAddresses | IP addresses associated with AzureFirewall. | HubIPAddresses |
ipConfigurations | IP configuration of the Azure Firewall resource. | AzureFirewallIPConfiguration[] |
managementIpConfiguration | IP configuration of the Azure Firewall used for management traffic. | AzureFirewallIPConfiguration |
natRuleCollections | Collection of NAT rule collections used by Azure Firewall. | AzureFirewallNatRuleCollection[] |
networkRuleCollections | Collection of network rule collections used by Azure Firewall. | AzureFirewallNetworkRuleCollection[] |
sku | The Azure Firewall Resource SKU. | AzureFirewallSku |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
virtualHub | The virtualHub to which the firewall belongs. | SubResource |
AzureFirewallPublicIPAddress
Name | Description | Value |
---|---|---|
address | Public IP Address value. | string |
AzureFirewallRCAction
Name | Description | Value |
---|---|---|
type | The type of action. | 'Allow' 'Deny' |
AzureFirewallSku
Name | Description | Value |
---|---|---|
name | Name of an Azure Firewall SKU. | 'AZFW_Hub' 'AZFW_VNet' |
tier | Tier of an Azure Firewall. | 'Basic' 'Premium' 'Standard' |
HubIPAddresses
Name | Description | Value |
---|---|---|
privateIPAddress | Private IP Address associated with azure firewall. | string |
publicIPs | Public IP addresses associated with azure firewall. | HubPublicIPAddresses |
HubPublicIPAddresses
Name | Description | Value |
---|---|---|
addresses | The list of Public IP addresses associated with azure firewall or IP addresses to be retained. | AzureFirewallPublicIPAddress[] |
count | The number of Public IP addresses associated with azure firewall. | int |
Microsoft.Network/azureFirewalls
Name | Description | Value |
---|---|---|
location | Resource location. | string |
name | The resource name | string Constraints: Min length = 1 Max length = 1 (required) |
properties | Properties of the azure firewall. | AzureFirewallPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
Create a Firewall and FirewallPolicy with Rules and Ipgroups | This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Create a sandbox setup of Azure Firewall with Linux VMs | This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges |
Create a sandbox setup of Azure Firewall with Zones | This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the ServerSubnet,an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3. |
Create an Azure Firewall with IpGroups | This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup |
Create an Azure Firewall with multiple IP public addresses | This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test. |
Create sandbox of Azure Firewall, client VM, and server VM | This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), A server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall. |
Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
SharePoint Subscription / 2019 / 2016 fully configured | Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...). |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
ARM template resource definition
The azureFirewalls resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/azureFirewalls resource, add the following JSON to your template.
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2023-09-01",
"name": "string",
"location": "string",
"properties": {
"additionalProperties": {
"{customized property}": "string"
},
"applicationRuleCollections": [
{
"id": "string",
"name": "string",
"properties": {
"action": {
"type": "string"
},
"priority": "int",
"rules": [
{
"description": "string",
"fqdnTags": [ "string" ],
"name": "string",
"protocols": [
{
"port": "int",
"protocolType": "string"
}
],
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ],
"targetFqdns": [ "string" ]
}
]
}
}
],
"firewallPolicy": {
"id": "string"
},
"hubIPAddresses": {
"privateIPAddress": "string",
"publicIPs": {
"addresses": [
{
"address": "string"
}
],
"count": "int"
}
},
"ipConfigurations": [
{
"id": "string",
"name": "string",
"properties": {
"publicIPAddress": {
"id": "string"
},
"subnet": {
"id": "string"
}
}
}
],
"managementIpConfiguration": {
"id": "string",
"name": "string",
"properties": {
"publicIPAddress": {
"id": "string"
},
"subnet": {
"id": "string"
}
}
},
"natRuleCollections": [
{
"id": "string",
"name": "string",
"properties": {
"action": {
"type": "string"
},
"priority": "int",
"rules": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocols": [ "string" ],
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ],
"translatedAddress": "string",
"translatedFqdn": "string",
"translatedPort": "string"
}
]
}
}
],
"networkRuleCollections": [
{
"id": "string",
"name": "string",
"properties": {
"action": {
"type": "string"
},
"priority": "int",
"rules": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationFqdns": [ "string" ],
"destinationIpGroups": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocols": [ "string" ],
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ]
}
]
}
}
],
"sku": {
"name": "string",
"tier": "string"
},
"threatIntelMode": "string",
"virtualHub": {
"id": "string"
}
},
"tags": {
"{customized property}": "string"
},
"zones": [ "string" ]
}
Property values
AzureFirewallAdditionalProperties
Name | Description | Value |
---|
AzureFirewallApplicationRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
fqdnTags | List of FQDN Tags for this rule. | string[] |
name | Name of the application rule. | string |
protocols | Array of ApplicationRuleProtocols. | AzureFirewallApplicationRuleProtocol[] |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
targetFqdns | List of FQDNs for this rule. | string[] |
AzureFirewallApplicationRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall application rule collection. | AzureFirewallApplicationRuleCollectionPropertiesFormat |
AzureFirewallApplicationRuleCollectionPropertiesFormat
Name | Description | Value |
---|---|---|
action | The action type of a rule collection. | AzureFirewallRCAction |
priority | Priority of the application rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a application rule collection. | AzureFirewallApplicationRule[] |
AzureFirewallApplicationRuleProtocol
Name | Description | Value |
---|---|---|
port | Port number for the protocol, cannot be greater than 64000. This field is optional. | int Constraints: Min value = 0 Max value = 64000 |
protocolType | Protocol type. | 'Http' 'Https' 'Mssql' |
AzureFirewallIPConfiguration
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Properties of the azure firewall IP configuration. | AzureFirewallIPConfigurationPropertiesFormat |
AzureFirewallIPConfigurationPropertiesFormat
Name | Description | Value |
---|---|---|
publicIPAddress | Reference to the PublicIP resource. This field is a mandatory input if subnet is not null. | SubResource |
subnet | Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'. | SubResource |
AzureFirewallNatRCAction
Name | Description | Value |
---|---|---|
type | The type of action. | 'Dnat' 'Snat' |
AzureFirewallNatRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
destinationAddresses | List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags. | string[] |
destinationPorts | List of destination ports. | string[] |
name | Name of the NAT rule. | string |
protocols | Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
translatedAddress | The translated address for this NAT rule. | string |
translatedFqdn | The translated FQDN for this NAT rule. | string |
translatedPort | The translated port for this NAT rule. | string |
AzureFirewallNatRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall NAT rule collection. | AzureFirewallNatRuleCollectionProperties |
AzureFirewallNatRuleCollectionProperties
Name | Description | Value |
---|---|---|
action | The action type of a NAT rule collection. | AzureFirewallNatRCAction |
priority | Priority of the NAT rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a NAT rule collection. | AzureFirewallNatRule[] |
AzureFirewallNetworkRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
destinationAddresses | List of destination IP addresses. | string[] |
destinationFqdns | List of destination FQDNs. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports. | string[] |
name | Name of the network rule. | string |
protocols | Array of AzureFirewallNetworkRuleProtocols. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
AzureFirewallNetworkRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall network rule collection. | AzureFirewallNetworkRuleCollectionPropertiesFormat |
AzureFirewallNetworkRuleCollectionPropertiesFormat
Name | Description | Value |
---|---|---|
action | The action type of a rule collection. | AzureFirewallRCAction |
priority | Priority of the network rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a network rule collection. | AzureFirewallNetworkRule[] |
AzureFirewallPropertiesFormat
Name | Description | Value |
---|---|---|
additionalProperties | The additional properties used to further config this azure firewall. | AzureFirewallAdditionalProperties |
applicationRuleCollections | Collection of application rule collections used by Azure Firewall. | AzureFirewallApplicationRuleCollection[] |
firewallPolicy | The firewallPolicy associated with this azure firewall. | SubResource |
hubIPAddresses | IP addresses associated with AzureFirewall. | HubIPAddresses |
ipConfigurations | IP configuration of the Azure Firewall resource. | AzureFirewallIPConfiguration[] |
managementIpConfiguration | IP configuration of the Azure Firewall used for management traffic. | AzureFirewallIPConfiguration |
natRuleCollections | Collection of NAT rule collections used by Azure Firewall. | AzureFirewallNatRuleCollection[] |
networkRuleCollections | Collection of network rule collections used by Azure Firewall. | AzureFirewallNetworkRuleCollection[] |
sku | The Azure Firewall Resource SKU. | AzureFirewallSku |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
virtualHub | The virtualHub to which the firewall belongs. | SubResource |
AzureFirewallPublicIPAddress
Name | Description | Value |
---|---|---|
address | Public IP Address value. | string |
AzureFirewallRCAction
Name | Description | Value |
---|---|---|
type | The type of action. | 'Allow' 'Deny' |
AzureFirewallSku
Name | Description | Value |
---|---|---|
name | Name of an Azure Firewall SKU. | 'AZFW_Hub' 'AZFW_VNet' |
tier | Tier of an Azure Firewall. | 'Basic' 'Premium' 'Standard' |
HubIPAddresses
Name | Description | Value |
---|---|---|
privateIPAddress | Private IP Address associated with azure firewall. | string |
publicIPs | Public IP addresses associated with azure firewall. | HubPublicIPAddresses |
HubPublicIPAddresses
Name | Description | Value |
---|---|---|
addresses | The list of Public IP addresses associated with azure firewall or IP addresses to be retained. | AzureFirewallPublicIPAddress[] |
count | The number of Public IP addresses associated with azure firewall. | int |
Microsoft.Network/azureFirewalls
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2023-09-01' |
location | Resource location. | string |
name | The resource name | string Constraints: Min length = 1 Max length = 1 (required) |
properties | Properties of the azure firewall. | AzureFirewallPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Network/azureFirewalls' |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Create a Firewall and FirewallPolicy with Rules and Ipgroups |
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Create a Firewall with FirewallPolicy and IpGroups |
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a Firewall, FirewallPolicy with Explicit Proxy |
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a sandbox setup of Azure Firewall with Linux VMs |
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges |
Create a sandbox setup of Azure Firewall with Zones |
This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the ServerSubnet,an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3. |
Create a sandbox setup with Firewall Policy |
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges |
Create an Azure Firewall sandbox with forced tunneling |
This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET |
Create an Azure Firewall with Availability Zones |
This template creates an Azure Firewall with Availability Zones and any number of Public IPs in a virtual network and sets up 1 sample application rule and 1 sample network rule |
Create an Azure Firewall with IpGroups |
This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup |
Create an Azure Firewall with multiple IP public addresses |
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test. |
Create sandbox of Azure Firewall, client VM, and server VM |
This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), A server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall. |
Secured virtual hubs |
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
SharePoint Subscription / 2019 / 2016 fully configured |
Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...). |
Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology |
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
Terraform (AzAPI provider) resource definition
The azureFirewalls resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/azureFirewalls resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/azureFirewalls@2023-09-01"
name = "string"
location = "string"
tags = {
{customized property} = "string"
}
zones = [
"string"
]
body = jsonencode({
properties = {
additionalProperties = {
{customized property} = "string"
}
applicationRuleCollections = [
{
id = "string"
name = "string"
properties = {
action = {
type = "string"
}
priority = int
rules = [
{
description = "string"
fqdnTags = [
"string"
]
name = "string"
protocols = [
{
port = int
protocolType = "string"
}
]
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
targetFqdns = [
"string"
]
}
]
}
}
]
firewallPolicy = {
id = "string"
}
hubIPAddresses = {
privateIPAddress = "string"
publicIPs = {
addresses = [
{
address = "string"
}
]
count = int
}
}
ipConfigurations = [
{
id = "string"
name = "string"
properties = {
publicIPAddress = {
id = "string"
}
subnet = {
id = "string"
}
}
}
]
managementIpConfiguration = {
id = "string"
name = "string"
properties = {
publicIPAddress = {
id = "string"
}
subnet = {
id = "string"
}
}
}
natRuleCollections = [
{
id = "string"
name = "string"
properties = {
action = {
type = "string"
}
priority = int
rules = [
{
description = "string"
destinationAddresses = [
"string"
]
destinationPorts = [
"string"
]
name = "string"
protocols = [
"string"
]
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
translatedAddress = "string"
translatedFqdn = "string"
translatedPort = "string"
}
]
}
}
]
networkRuleCollections = [
{
id = "string"
name = "string"
properties = {
action = {
type = "string"
}
priority = int
rules = [
{
description = "string"
destinationAddresses = [
"string"
]
destinationFqdns = [
"string"
]
destinationIpGroups = [
"string"
]
destinationPorts = [
"string"
]
name = "string"
protocols = [
"string"
]
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
}
]
}
}
]
sku = {
name = "string"
tier = "string"
}
threatIntelMode = "string"
virtualHub = {
id = "string"
}
}
})
}
Property values
AzureFirewallAdditionalProperties
Name | Description | Value |
---|
AzureFirewallApplicationRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
fqdnTags | List of FQDN Tags for this rule. | string[] |
name | Name of the application rule. | string |
protocols | Array of ApplicationRuleProtocols. | AzureFirewallApplicationRuleProtocol[] |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
targetFqdns | List of FQDNs for this rule. | string[] |
AzureFirewallApplicationRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall application rule collection. | AzureFirewallApplicationRuleCollectionPropertiesFormat |
AzureFirewallApplicationRuleCollectionPropertiesFormat
Name | Description | Value |
---|---|---|
action | The action type of a rule collection. | AzureFirewallRCAction |
priority | Priority of the application rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a application rule collection. | AzureFirewallApplicationRule[] |
AzureFirewallApplicationRuleProtocol
Name | Description | Value |
---|---|---|
port | Port number for the protocol, cannot be greater than 64000. This field is optional. | int Constraints: Min value = 0 Max value = 64000 |
protocolType | Protocol type. | 'Http' 'Https' 'Mssql' |
AzureFirewallIPConfiguration
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Properties of the azure firewall IP configuration. | AzureFirewallIPConfigurationPropertiesFormat |
AzureFirewallIPConfigurationPropertiesFormat
Name | Description | Value |
---|---|---|
publicIPAddress | Reference to the PublicIP resource. This field is a mandatory input if subnet is not null. | SubResource |
subnet | Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'. | SubResource |
AzureFirewallNatRCAction
Name | Description | Value |
---|---|---|
type | The type of action. | 'Dnat' 'Snat' |
AzureFirewallNatRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
destinationAddresses | List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags. | string[] |
destinationPorts | List of destination ports. | string[] |
name | Name of the NAT rule. | string |
protocols | Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
translatedAddress | The translated address for this NAT rule. | string |
translatedFqdn | The translated FQDN for this NAT rule. | string |
translatedPort | The translated port for this NAT rule. | string |
AzureFirewallNatRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall NAT rule collection. | AzureFirewallNatRuleCollectionProperties |
AzureFirewallNatRuleCollectionProperties
Name | Description | Value |
---|---|---|
action | The action type of a NAT rule collection. | AzureFirewallNatRCAction |
priority | Priority of the NAT rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a NAT rule collection. | AzureFirewallNatRule[] |
AzureFirewallNetworkRule
Name | Description | Value |
---|---|---|
description | Description of the rule. | string |
destinationAddresses | List of destination IP addresses. | string[] |
destinationFqdns | List of destination FQDNs. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports. | string[] |
name | Name of the network rule. | string |
protocols | Array of AzureFirewallNetworkRuleProtocols. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
AzureFirewallNetworkRuleCollection
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. | string |
properties | Properties of the azure firewall network rule collection. | AzureFirewallNetworkRuleCollectionPropertiesFormat |
AzureFirewallNetworkRuleCollectionPropertiesFormat
Name | Description | Value |
---|---|---|
action | The action type of a rule collection. | AzureFirewallRCAction |
priority | Priority of the network rule collection resource. | int Constraints: Min value = 100 Max value = 65000 |
rules | Collection of rules used by a network rule collection. | AzureFirewallNetworkRule[] |
AzureFirewallPropertiesFormat
Name | Description | Value |
---|---|---|
additionalProperties | The additional properties used to further config this azure firewall. | AzureFirewallAdditionalProperties |
applicationRuleCollections | Collection of application rule collections used by Azure Firewall. | AzureFirewallApplicationRuleCollection[] |
firewallPolicy | The firewallPolicy associated with this azure firewall. | SubResource |
hubIPAddresses | IP addresses associated with AzureFirewall. | HubIPAddresses |
ipConfigurations | IP configuration of the Azure Firewall resource. | AzureFirewallIPConfiguration[] |
managementIpConfiguration | IP configuration of the Azure Firewall used for management traffic. | AzureFirewallIPConfiguration |
natRuleCollections | Collection of NAT rule collections used by Azure Firewall. | AzureFirewallNatRuleCollection[] |
networkRuleCollections | Collection of network rule collections used by Azure Firewall. | AzureFirewallNetworkRuleCollection[] |
sku | The Azure Firewall Resource SKU. | AzureFirewallSku |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
virtualHub | The virtualHub to which the firewall belongs. | SubResource |
AzureFirewallPublicIPAddress
Name | Description | Value |
---|---|---|
address | Public IP Address value. | string |
AzureFirewallRCAction
Name | Description | Value |
---|---|---|
type | The type of action. | 'Allow' 'Deny' |
AzureFirewallSku
Name | Description | Value |
---|---|---|
name | Name of an Azure Firewall SKU. | 'AZFW_Hub' 'AZFW_VNet' |
tier | Tier of an Azure Firewall. | 'Basic' 'Premium' 'Standard' |
HubIPAddresses
Name | Description | Value |
---|---|---|
privateIPAddress | Private IP Address associated with azure firewall. | string |
publicIPs | Public IP addresses associated with azure firewall. | HubPublicIPAddresses |
HubPublicIPAddresses
Name | Description | Value |
---|---|---|
addresses | The list of Public IP addresses associated with azure firewall or IP addresses to be retained. | AzureFirewallPublicIPAddress[] |
count | The number of Public IP addresses associated with azure firewall. | int |
Microsoft.Network/azureFirewalls
Name | Description | Value |
---|---|---|
location | Resource location. | string |
name | The resource name | string Constraints: Min length = 1 Max length = 1 (required) |
properties | Properties of the azure firewall. | AzureFirewallPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Network/azureFirewalls@2023-09-01" |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |