Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies

Bicep resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-03-01' = {
  location: 'string'
  name: 'string'
  properties: {
    customRules: [
      {
        action: 'string'
        groupByUserSession: [
          {
            groupByVariables: [
              {
                variableName: 'string'
              }
            ]
          }
        ]
        matchConditions: [
          {
            matchValues: [
              'string'
            ]
            matchVariables: [
              {
                selector: 'string'
                variableName: 'string'
              }
            ]
            negationConditon: bool
            operator: 'string'
            transforms: [
              'string'
            ]
          }
        ]
        name: 'string'
        priority: int
        rateLimitDuration: 'string'
        rateLimitThreshold: int
        ruleType: 'string'
        state: 'string'
      }
    ]
    managedRules: {
      exceptions: [
        {
          exceptionManagedRuleSets: [
            {
              ruleGroups: [
                {
                  ruleGroupName: 'string'
                  rules: [
                    {
                      ruleId: 'string'
                    }
                  ]
                }
              ]
              ruleSetType: 'string'
              ruleSetVersion: 'string'
            }
          ]
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
          valueMatchOperator: 'string'
          values: [
            'string'
          ]
        }
      ]
      exclusions: [
        {
          exclusionManagedRuleSets: [
            {
              ruleGroups: [
                {
                  ruleGroupName: 'string'
                  rules: [
                    {
                      ruleId: 'string'
                    }
                  ]
                }
              ]
              ruleSetType: 'string'
              ruleSetVersion: 'string'
            }
          ]
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
        }
      ]
      managedRuleSets: [
        {
          ruleGroupOverrides: [
            {
              ruleGroupName: 'string'
              rules: [
                {
                  action: 'string'
                  ruleId: 'string'
                  sensitivity: 'string'
                  state: 'string'
                }
              ]
            }
          ]
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      customBlockResponseBody: 'string'
      customBlockResponseStatusCode: int
      fileUploadEnforcement: bool
      fileUploadLimitInMb: int
      jsChallengeCookieExpirationInMins: int
      logScrubbing: {
        scrubbingRules: [
          {
            matchVariable: 'string'
            selector: 'string'
            selectorMatchOperator: 'string'
            state: 'string'
          }
        ]
        state: 'string'
      }
      maxRequestBodySizeInKb: int
      mode: 'string'
      requestBodyCheck: bool
      requestBodyEnforcement: bool
      requestBodyInspectLimitInKB: int
      state: 'string'
    }
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

ExceptionEntry

Name Description Value
exceptionManagedRuleSets The managed rule sets that are associated with the exception. ExclusionManagedRuleSet[]
matchVariable The variable on which we evaluate the exception condition 'RemoteAddr'
'RequestHeader'
'RequestURI' (required)
selector When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key. string
selectorMatchOperator When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector 'Contains'
'EndsWith'
'Equals'
'StartsWith'
valueMatchOperator Operates on the allowed values for the matchVariable 'Contains'
'EndsWith'
'Equals'
'IPMatch'
'StartsWith' (required)
values Allowed values for the matchVariable string[]

ExclusionManagedRule

Name Description Value
ruleId Identifier for the managed rule. string (required)

ExclusionManagedRuleGroup

Name Description Value
ruleGroupName The managed rule group for exclusion. string (required)
rules List of rules that will be excluded. If none specified, all rules in the group will be excluded. ExclusionManagedRule[]

ExclusionManagedRuleSet

Name Description Value
ruleGroups Defines the rule groups to apply to the rule set. ExclusionManagedRuleGroup[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

GroupByUserSession

Name Description Value
groupByVariables List of group by clause variables. GroupByVariable[] (required)

GroupByVariable

Name Description Value
variableName User Session clause variable. 'ClientAddr'
'GeoLocation'
'None' (required)

ManagedRuleGroupOverride

Name Description Value
ruleGroupName The managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
action Describes the override action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
ruleId Identifier for the managed rule. string (required)
sensitivity Describes the override sensitivity to be applied when rule matches. 'High'
'Low'
'Medium'
'None'
state The state of the managed rule. Defaults to Disabled if not specified. 'Disabled'
'Enabled'

ManagedRulesDefinition

Name Description Value
exceptions The exceptions that are applied on the policy. ExceptionEntry[]
exclusions The Exclusions that are applied on the policy. OwaspCrsExclusionEntry[]
managedRuleSets The managed rule sets that are associated with the policy. ManagedRuleSet[] (required)

ManagedRuleSet

Name Description Value
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Whether this is negate condition or not. bool
operator The operator to be matched. 'Any'
'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GeoMatch'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'Regex' (required)
transforms List of transforms. String array containing any of:
'HtmlEntityDecode'
'Lowercase'
'RemoveNulls'
'Trim'
'Uppercase'
'UrlDecode'
'UrlEncode'

MatchVariable

Name Description Value
selector The selector of match variable. string
variableName Match Variable. 'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestCookies'
'RequestHeaders'
'RequestMethod'
'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates

OwaspCrsExclusionEntry

Name Description Value
exclusionManagedRuleSets The managed rule sets that are associated with the exclusion. ExclusionManagedRuleSet[]
matchVariable The variable to be excluded. 'RequestArgKeys'
'RequestArgNames'
'RequestArgValues'
'RequestCookieKeys'
'RequestCookieNames'
'RequestCookieValues'
'RequestHeaderKeys'
'RequestHeaderNames'
'RequestHeaderValues' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. 'Contains'
'EndsWith'
'Equals'
'EqualsAny'
'StartsWith' (required)

PolicySettings

Name Description Value
customBlockResponseBody If the action type is block, customer can override the response body. The body must be specified in base64 encoding. string

Constraints:
Max length =
Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
customBlockResponseStatusCode If the action type is block, customer can override the response status code. int

Constraints:
Min value = 0
fileUploadEnforcement Whether allow WAF to enforce file upload limits. bool
fileUploadLimitInMb Maximum file upload size in Mb for WAF. int

Constraints:
Min value = 0
jsChallengeCookieExpirationInMins Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. int

Constraints:
Min value = 5
Max value = 1440
logScrubbing To scrub sensitive log fields PolicySettingsLogScrubbing
maxRequestBodySizeInKb Maximum request body size in Kb for WAF. int

Constraints:
Min value = 8
mode The mode of the policy. 'Detection'
'Prevention'
requestBodyCheck Whether to allow WAF to check request Body. bool
requestBodyEnforcement Whether allow WAF to enforce request body limits. bool
requestBodyInspectLimitInKB Max inspection limit in KB for request body inspection for WAF. int
state The state of the policy. 'Disabled'
'Enabled'

PolicySettingsLogScrubbing

Name Description Value
scrubbingRules The rules that are applied to the logs for scrubbing. WebApplicationFirewallScrubbingRules[]
state State of the log scrubbing config. Default value is Enabled. 'Disabled'
'Enabled'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow'
'Block'
'JSChallenge'
'Log' (required)
groupByUserSession List of user session identifier group by clauses. GroupByUserSession[]
matchConditions List of match conditions. MatchCondition[] (required)
name The name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
rateLimitDuration Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. 'FiveMins'
'OneMin'
rateLimitThreshold Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1 int
ruleType The rule type. 'Invalid'
'MatchRule'
'RateLimitRule' (required)
state Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules The custom rules inside the policy. WebApplicationFirewallCustomRule[]
managedRules Describes the managedRules structure. ManagedRulesDefinition (required)
policySettings The PolicySettings for policy. PolicySettings

WebApplicationFirewallScrubbingRules

Name Description Value
matchVariable The variable to be scrubbed from the logs. 'RequestArgNames'
'RequestCookieNames'
'RequestHeaderNames'
'RequestIPAddress'
'RequestJSONArgNames'
'RequestPostArgNames' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. string
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. 'Equals'
'EqualsAny' (required)
state Defines the state of log scrubbing rule. Default value is Enabled. 'Disabled'
'Enabled'

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway This template creates a Front Door Standard/Premium with a container group and Application Gateway.

ARM template resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2024-03-01",
  "name": "string",
  "location": "string",
  "properties": {
    "customRules": [
      {
        "action": "string",
        "groupByUserSession": [
          {
            "groupByVariables": [
              {
                "variableName": "string"
              }
            ]
          }
        ],
        "matchConditions": [
          {
            "matchValues": [ "string" ],
            "matchVariables": [
              {
                "selector": "string",
                "variableName": "string"
              }
            ],
            "negationConditon": "bool",
            "operator": "string",
            "transforms": [ "string" ]
          }
        ],
        "name": "string",
        "priority": "int",
        "rateLimitDuration": "string",
        "rateLimitThreshold": "int",
        "ruleType": "string",
        "state": "string"
      }
    ],
    "managedRules": {
      "exceptions": [
        {
          "exceptionManagedRuleSets": [
            {
              "ruleGroups": [
                {
                  "ruleGroupName": "string",
                  "rules": [
                    {
                      "ruleId": "string"
                    }
                  ]
                }
              ],
              "ruleSetType": "string",
              "ruleSetVersion": "string"
            }
          ],
          "matchVariable": "string",
          "selector": "string",
          "selectorMatchOperator": "string",
          "valueMatchOperator": "string",
          "values": [ "string" ]
        }
      ],
      "exclusions": [
        {
          "exclusionManagedRuleSets": [
            {
              "ruleGroups": [
                {
                  "ruleGroupName": "string",
                  "rules": [
                    {
                      "ruleId": "string"
                    }
                  ]
                }
              ],
              "ruleSetType": "string",
              "ruleSetVersion": "string"
            }
          ],
          "matchVariable": "string",
          "selector": "string",
          "selectorMatchOperator": "string"
        }
      ],
      "managedRuleSets": [
        {
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "string",
              "rules": [
                {
                  "action": "string",
                  "ruleId": "string",
                  "sensitivity": "string",
                  "state": "string"
                }
              ]
            }
          ],
          "ruleSetType": "string",
          "ruleSetVersion": "string"
        }
      ]
    },
    "policySettings": {
      "customBlockResponseBody": "string",
      "customBlockResponseStatusCode": "int",
      "fileUploadEnforcement": "bool",
      "fileUploadLimitInMb": "int",
      "jsChallengeCookieExpirationInMins": "int",
      "logScrubbing": {
        "scrubbingRules": [
          {
            "matchVariable": "string",
            "selector": "string",
            "selectorMatchOperator": "string",
            "state": "string"
          }
        ],
        "state": "string"
      },
      "maxRequestBodySizeInKb": "int",
      "mode": "string",
      "requestBodyCheck": "bool",
      "requestBodyEnforcement": "bool",
      "requestBodyInspectLimitInKB": "int",
      "state": "string"
    }
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

ExceptionEntry

Name Description Value
exceptionManagedRuleSets The managed rule sets that are associated with the exception. ExclusionManagedRuleSet[]
matchVariable The variable on which we evaluate the exception condition 'RemoteAddr'
'RequestHeader'
'RequestURI' (required)
selector When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key. string
selectorMatchOperator When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector 'Contains'
'EndsWith'
'Equals'
'StartsWith'
valueMatchOperator Operates on the allowed values for the matchVariable 'Contains'
'EndsWith'
'Equals'
'IPMatch'
'StartsWith' (required)
values Allowed values for the matchVariable string[]

ExclusionManagedRule

Name Description Value
ruleId Identifier for the managed rule. string (required)

ExclusionManagedRuleGroup

Name Description Value
ruleGroupName The managed rule group for exclusion. string (required)
rules List of rules that will be excluded. If none specified, all rules in the group will be excluded. ExclusionManagedRule[]

ExclusionManagedRuleSet

Name Description Value
ruleGroups Defines the rule groups to apply to the rule set. ExclusionManagedRuleGroup[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

GroupByUserSession

Name Description Value
groupByVariables List of group by clause variables. GroupByVariable[] (required)

GroupByVariable

Name Description Value
variableName User Session clause variable. 'ClientAddr'
'GeoLocation'
'None' (required)

ManagedRuleGroupOverride

Name Description Value
ruleGroupName The managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
action Describes the override action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
ruleId Identifier for the managed rule. string (required)
sensitivity Describes the override sensitivity to be applied when rule matches. 'High'
'Low'
'Medium'
'None'
state The state of the managed rule. Defaults to Disabled if not specified. 'Disabled'
'Enabled'

ManagedRulesDefinition

Name Description Value
exceptions The exceptions that are applied on the policy. ExceptionEntry[]
exclusions The Exclusions that are applied on the policy. OwaspCrsExclusionEntry[]
managedRuleSets The managed rule sets that are associated with the policy. ManagedRuleSet[] (required)

ManagedRuleSet

Name Description Value
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Whether this is negate condition or not. bool
operator The operator to be matched. 'Any'
'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GeoMatch'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'Regex' (required)
transforms List of transforms. String array containing any of:
'HtmlEntityDecode'
'Lowercase'
'RemoveNulls'
'Trim'
'Uppercase'
'UrlDecode'
'UrlEncode'

MatchVariable

Name Description Value
selector The selector of match variable. string
variableName Match Variable. 'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestCookies'
'RequestHeaders'
'RequestMethod'
'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
apiVersion The api version '2024-03-01'
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies'

OwaspCrsExclusionEntry

Name Description Value
exclusionManagedRuleSets The managed rule sets that are associated with the exclusion. ExclusionManagedRuleSet[]
matchVariable The variable to be excluded. 'RequestArgKeys'
'RequestArgNames'
'RequestArgValues'
'RequestCookieKeys'
'RequestCookieNames'
'RequestCookieValues'
'RequestHeaderKeys'
'RequestHeaderNames'
'RequestHeaderValues' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. 'Contains'
'EndsWith'
'Equals'
'EqualsAny'
'StartsWith' (required)

PolicySettings

Name Description Value
customBlockResponseBody If the action type is block, customer can override the response body. The body must be specified in base64 encoding. string

Constraints:
Max length =
Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
customBlockResponseStatusCode If the action type is block, customer can override the response status code. int

Constraints:
Min value = 0
fileUploadEnforcement Whether allow WAF to enforce file upload limits. bool
fileUploadLimitInMb Maximum file upload size in Mb for WAF. int

Constraints:
Min value = 0
jsChallengeCookieExpirationInMins Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. int

Constraints:
Min value = 5
Max value = 1440
logScrubbing To scrub sensitive log fields PolicySettingsLogScrubbing
maxRequestBodySizeInKb Maximum request body size in Kb for WAF. int

Constraints:
Min value = 8
mode The mode of the policy. 'Detection'
'Prevention'
requestBodyCheck Whether to allow WAF to check request Body. bool
requestBodyEnforcement Whether allow WAF to enforce request body limits. bool
requestBodyInspectLimitInKB Max inspection limit in KB for request body inspection for WAF. int
state The state of the policy. 'Disabled'
'Enabled'

PolicySettingsLogScrubbing

Name Description Value
scrubbingRules The rules that are applied to the logs for scrubbing. WebApplicationFirewallScrubbingRules[]
state State of the log scrubbing config. Default value is Enabled. 'Disabled'
'Enabled'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow'
'Block'
'JSChallenge'
'Log' (required)
groupByUserSession List of user session identifier group by clauses. GroupByUserSession[]
matchConditions List of match conditions. MatchCondition[] (required)
name The name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
rateLimitDuration Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. 'FiveMins'
'OneMin'
rateLimitThreshold Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1 int
ruleType The rule type. 'Invalid'
'MatchRule'
'RateLimitRule' (required)
state Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules The custom rules inside the policy. WebApplicationFirewallCustomRule[]
managedRules Describes the managedRules structure. ManagedRulesDefinition (required)
policySettings The PolicySettings for policy. PolicySettings

WebApplicationFirewallScrubbingRules

Name Description Value
matchVariable The variable to be scrubbed from the logs. 'RequestArgNames'
'RequestCookieNames'
'RequestHeaderNames'
'RequestIPAddress'
'RequestJSONArgNames'
'RequestPostArgNames' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. string
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. 'Equals'
'EqualsAny' (required)
state Defines the state of log scrubbing rule. Default value is Enabled. 'Disabled'
'Enabled'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy

Deploy to Azure
This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway

Deploy to Azure
This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin

Deploy to Azure
This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway

Deploy to Azure
This template creates a Front Door Standard/Premium with a container group and Application Gateway.

Terraform (AzAPI provider) resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-03-01"
  name = "string"
  location = "string"
  body = jsonencode({
    properties = {
      customRules = [
        {
          action = "string"
          groupByUserSession = [
            {
              groupByVariables = [
                {
                  variableName = "string"
                }
              ]
            }
          ]
          matchConditions = [
            {
              matchValues = [
                "string"
              ]
              matchVariables = [
                {
                  selector = "string"
                  variableName = "string"
                }
              ]
              negationConditon = bool
              operator = "string"
              transforms = [
                "string"
              ]
            }
          ]
          name = "string"
          priority = int
          rateLimitDuration = "string"
          rateLimitThreshold = int
          ruleType = "string"
          state = "string"
        }
      ]
      managedRules = {
        exceptions = [
          {
            exceptionManagedRuleSets = [
              {
                ruleGroups = [
                  {
                    ruleGroupName = "string"
                    rules = [
                      {
                        ruleId = "string"
                      }
                    ]
                  }
                ]
                ruleSetType = "string"
                ruleSetVersion = "string"
              }
            ]
            matchVariable = "string"
            selector = "string"
            selectorMatchOperator = "string"
            valueMatchOperator = "string"
            values = [
              "string"
            ]
          }
        ]
        exclusions = [
          {
            exclusionManagedRuleSets = [
              {
                ruleGroups = [
                  {
                    ruleGroupName = "string"
                    rules = [
                      {
                        ruleId = "string"
                      }
                    ]
                  }
                ]
                ruleSetType = "string"
                ruleSetVersion = "string"
              }
            ]
            matchVariable = "string"
            selector = "string"
            selectorMatchOperator = "string"
          }
        ]
        managedRuleSets = [
          {
            ruleGroupOverrides = [
              {
                ruleGroupName = "string"
                rules = [
                  {
                    action = "string"
                    ruleId = "string"
                    sensitivity = "string"
                    state = "string"
                  }
                ]
              }
            ]
            ruleSetType = "string"
            ruleSetVersion = "string"
          }
        ]
      }
      policySettings = {
        customBlockResponseBody = "string"
        customBlockResponseStatusCode = int
        fileUploadEnforcement = bool
        fileUploadLimitInMb = int
        jsChallengeCookieExpirationInMins = int
        logScrubbing = {
          scrubbingRules = [
            {
              matchVariable = "string"
              selector = "string"
              selectorMatchOperator = "string"
              state = "string"
            }
          ]
          state = "string"
        }
        maxRequestBodySizeInKb = int
        mode = "string"
        requestBodyCheck = bool
        requestBodyEnforcement = bool
        requestBodyInspectLimitInKB = int
        state = "string"
      }
    }
  })
  tags = {
    {customized property} = "string"
  }
}

Property values

ExceptionEntry

Name Description Value
exceptionManagedRuleSets The managed rule sets that are associated with the exception. ExclusionManagedRuleSet[]
matchVariable The variable on which we evaluate the exception condition 'RemoteAddr'
'RequestHeader'
'RequestURI' (required)
selector When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key. string
selectorMatchOperator When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector 'Contains'
'EndsWith'
'Equals'
'StartsWith'
valueMatchOperator Operates on the allowed values for the matchVariable 'Contains'
'EndsWith'
'Equals'
'IPMatch'
'StartsWith' (required)
values Allowed values for the matchVariable string[]

ExclusionManagedRule

Name Description Value
ruleId Identifier for the managed rule. string (required)

ExclusionManagedRuleGroup

Name Description Value
ruleGroupName The managed rule group for exclusion. string (required)
rules List of rules that will be excluded. If none specified, all rules in the group will be excluded. ExclusionManagedRule[]

ExclusionManagedRuleSet

Name Description Value
ruleGroups Defines the rule groups to apply to the rule set. ExclusionManagedRuleGroup[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

GroupByUserSession

Name Description Value
groupByVariables List of group by clause variables. GroupByVariable[] (required)

GroupByVariable

Name Description Value
variableName User Session clause variable. 'ClientAddr'
'GeoLocation'
'None' (required)

ManagedRuleGroupOverride

Name Description Value
ruleGroupName The managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
action Describes the override action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
ruleId Identifier for the managed rule. string (required)
sensitivity Describes the override sensitivity to be applied when rule matches. 'High'
'Low'
'Medium'
'None'
state The state of the managed rule. Defaults to Disabled if not specified. 'Disabled'
'Enabled'

ManagedRulesDefinition

Name Description Value
exceptions The exceptions that are applied on the policy. ExceptionEntry[]
exclusions The Exclusions that are applied on the policy. OwaspCrsExclusionEntry[]
managedRuleSets The managed rule sets that are associated with the policy. ManagedRuleSet[] (required)

ManagedRuleSet

Name Description Value
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

MatchCondition

Name Description Value
matchValues Match value. string[] (required)
matchVariables List of match variables. MatchVariable[] (required)
negationConditon Whether this is negate condition or not. bool
operator The operator to be matched. 'Any'
'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GeoMatch'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'Regex' (required)
transforms List of transforms. String array containing any of:
'HtmlEntityDecode'
'Lowercase'
'RemoveNulls'
'Trim'
'Uppercase'
'UrlDecode'
'UrlEncode'

MatchVariable

Name Description Value
selector The selector of match variable. string
variableName Match Variable. 'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestCookies'
'RequestHeaders'
'RequestMethod'
'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name Description Value
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-03-01"

OwaspCrsExclusionEntry

Name Description Value
exclusionManagedRuleSets The managed rule sets that are associated with the exclusion. ExclusionManagedRuleSet[]
matchVariable The variable to be excluded. 'RequestArgKeys'
'RequestArgNames'
'RequestArgValues'
'RequestCookieKeys'
'RequestCookieNames'
'RequestCookieValues'
'RequestHeaderKeys'
'RequestHeaderNames'
'RequestHeaderValues' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. 'Contains'
'EndsWith'
'Equals'
'EqualsAny'
'StartsWith' (required)

PolicySettings

Name Description Value
customBlockResponseBody If the action type is block, customer can override the response body. The body must be specified in base64 encoding. string

Constraints:
Max length =
Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
customBlockResponseStatusCode If the action type is block, customer can override the response status code. int

Constraints:
Min value = 0
fileUploadEnforcement Whether allow WAF to enforce file upload limits. bool
fileUploadLimitInMb Maximum file upload size in Mb for WAF. int

Constraints:
Min value = 0
jsChallengeCookieExpirationInMins Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. int

Constraints:
Min value = 5
Max value = 1440
logScrubbing To scrub sensitive log fields PolicySettingsLogScrubbing
maxRequestBodySizeInKb Maximum request body size in Kb for WAF. int

Constraints:
Min value = 8
mode The mode of the policy. 'Detection'
'Prevention'
requestBodyCheck Whether to allow WAF to check request Body. bool
requestBodyEnforcement Whether allow WAF to enforce request body limits. bool
requestBodyInspectLimitInKB Max inspection limit in KB for request body inspection for WAF. int
state The state of the policy. 'Disabled'
'Enabled'

PolicySettingsLogScrubbing

Name Description Value
scrubbingRules The rules that are applied to the logs for scrubbing. WebApplicationFirewallScrubbingRules[]
state State of the log scrubbing config. Default value is Enabled. 'Disabled'
'Enabled'

ResourceTags

Name Description Value

WebApplicationFirewallCustomRule

Name Description Value
action Type of Actions. 'Allow'
'Block'
'JSChallenge'
'Log' (required)
groupByUserSession List of user session identifier group by clauses. GroupByUserSession[]
matchConditions List of match conditions. MatchCondition[] (required)
name The name of the resource that is unique within a policy. This name can be used to access the resource. string

Constraints:
Max length =
priority Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
rateLimitDuration Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. 'FiveMins'
'OneMin'
rateLimitThreshold Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1 int
ruleType The rule type. 'Invalid'
'MatchRule'
'RateLimitRule' (required)
state Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'

WebApplicationFirewallPolicyPropertiesFormat

Name Description Value
customRules The custom rules inside the policy. WebApplicationFirewallCustomRule[]
managedRules Describes the managedRules structure. ManagedRulesDefinition (required)
policySettings The PolicySettings for policy. PolicySettings

WebApplicationFirewallScrubbingRules

Name Description Value
matchVariable The variable to be scrubbed from the logs. 'RequestArgNames'
'RequestCookieNames'
'RequestHeaderNames'
'RequestIPAddress'
'RequestJSONArgNames'
'RequestPostArgNames' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. string
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. 'Equals'
'EqualsAny' (required)
state Defines the state of log scrubbing rule. Default value is Enabled. 'Disabled'
'Enabled'