Microsoft.Network firewallPolicies
- Latest
- 2024-05-01
- 2024-03-01
- 2024-01-01
- 2023-11-01
- 2023-09-01
- 2023-06-01
- 2023-05-01
- 2023-04-01
- 2023-02-01
- 2022-11-01
- 2022-09-01
- 2022-07-01
- 2022-05-01
- 2022-01-01
- 2021-08-01
- 2021-05-01
- 2021-03-01
- 2021-02-01
- 2020-11-01
- 2020-08-01
- 2020-07-01
- 2020-06-01
- 2020-05-01
- 2020-04-01
- 2020-03-01
- 2019-12-01
- 2019-11-01
- 2019-09-01
- 2019-08-01
- 2019-07-01
- 2019-06-01
Bicep resource definition
The firewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/firewallPolicies@2024-05-01' = {
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
location: 'string'
name: 'string'
properties: {
basePolicy: {
id: 'string'
}
dnsSettings: {
enableProxy: bool
requireProxyForNetworkRules: bool
servers: [
'string'
]
}
explicitProxy: {
enableExplicitProxy: bool
enablePacFile: bool
httpPort: int
httpsPort: int
pacFile: 'string'
pacFilePort: int
}
insights: {
isEnabled: bool
logAnalyticsResources: {
defaultWorkspaceId: {
id: 'string'
}
workspaces: [
{
region: 'string'
workspaceId: {
id: 'string'
}
}
]
}
retentionDays: int
}
intrusionDetection: {
configuration: {
bypassTrafficSettings: [
{
description: 'string'
destinationAddresses: [
'string'
]
destinationIpGroups: [
'string'
]
destinationPorts: [
'string'
]
name: 'string'
protocol: 'string'
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
}
]
privateRanges: [
'string'
]
signatureOverrides: [
{
id: 'string'
mode: 'string'
}
]
}
mode: 'string'
profile: 'string'
}
sku: {
tier: 'string'
}
snat: {
autoLearnPrivateRanges: 'string'
privateRanges: [
'string'
]
}
sql: {
allowSqlRedirect: bool
}
threatIntelMode: 'string'
threatIntelWhitelist: {
fqdns: [
'string'
]
ipAddresses: [
'string'
]
}
transportSecurity: {
certificateAuthority: {
keyVaultSecretId: 'string'
name: 'string'
}
}
}
tags: {
{customized property}: 'string'
}
}
Property values
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
Name | Description | Value |
---|
DnsSettings
Name | Description | Value |
---|---|---|
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
Name | Description | Value |
---|---|---|
enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
pacFile | SAS URL for PAC file. | string |
pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyCertificateAuthority
Name | Description | Value |
---|---|---|
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string |
name | Name of the CA certificate. | string |
FirewallPolicyInsights
Name | Description | Value |
---|---|---|
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
Name | Description | Value |
---|---|---|
configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
Name | Description | Value |
---|---|---|
description | Description of the bypass traffic rule. | string |
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports or ranges. | string[] |
name | Name of the bypass traffic rule. | string |
protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
Name | Description | Value |
---|---|---|
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
Name | Description | Value |
---|---|---|
id | Signature id. | string |
mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
Name | Description | Value |
---|---|---|
defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
Name | Description | Value |
---|---|---|
region | Region to configure the Workspace. | string |
workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
dnsSettings | DNS Proxy Settings definition. | DnsSettings |
explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
insights | Insights on Firewall Policy. | FirewallPolicyInsights |
intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
sku | The Firewall Policy SKU. | FirewallPolicySku |
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
sql | SQL Settings definition. | FirewallPolicySQL |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
transportSecurity | TLS Configuration definition. | FirewallPolicyTransportSecurity |
FirewallPolicySku
Name | Description | Value |
---|---|---|
tier | Tier of Firewall Policy. | 'Basic' 'Premium' 'Standard' |
FirewallPolicySnat
Name | Description | Value |
---|---|---|
autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
Name | Description | Value |
---|---|---|
allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
Name | Description | Value |
---|---|---|
fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
FirewallPolicyTransportSecurity
Name | Description | Value |
---|---|---|
certificateAuthority | The CA used for intermediate CA generation. | FirewallPolicyCertificateAuthority |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
Name | Description | Value |
---|
Microsoft.Network/firewallPolicies
Name | Description | Value |
---|---|---|
identity | The identity of the firewall policy. | ManagedServiceIdentity |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Properties of the firewall policy. | FirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
Create a Firewall and FirewallPolicy with Rules and Ipgroups | This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
SharePoint Subscription / 2019 / 2016 fully configured | Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...). |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
ARM template resource definition
The firewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2024-05-01",
"name": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"location": "string",
"properties": {
"basePolicy": {
"id": "string"
},
"dnsSettings": {
"enableProxy": "bool",
"requireProxyForNetworkRules": "bool",
"servers": [ "string" ]
},
"explicitProxy": {
"enableExplicitProxy": "bool",
"enablePacFile": "bool",
"httpPort": "int",
"httpsPort": "int",
"pacFile": "string",
"pacFilePort": "int"
},
"insights": {
"isEnabled": "bool",
"logAnalyticsResources": {
"defaultWorkspaceId": {
"id": "string"
},
"workspaces": [
{
"region": "string",
"workspaceId": {
"id": "string"
}
}
]
},
"retentionDays": "int"
},
"intrusionDetection": {
"configuration": {
"bypassTrafficSettings": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationIpGroups": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocol": "string",
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ]
}
],
"privateRanges": [ "string" ],
"signatureOverrides": [
{
"id": "string",
"mode": "string"
}
]
},
"mode": "string",
"profile": "string"
},
"sku": {
"tier": "string"
},
"snat": {
"autoLearnPrivateRanges": "string",
"privateRanges": [ "string" ]
},
"sql": {
"allowSqlRedirect": "bool"
},
"threatIntelMode": "string",
"threatIntelWhitelist": {
"fqdns": [ "string" ],
"ipAddresses": [ "string" ]
},
"transportSecurity": {
"certificateAuthority": {
"keyVaultSecretId": "string",
"name": "string"
}
}
},
"tags": {
"{customized property}": "string"
}
}
Property values
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
Name | Description | Value |
---|
DnsSettings
Name | Description | Value |
---|---|---|
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
Name | Description | Value |
---|---|---|
enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
pacFile | SAS URL for PAC file. | string |
pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyCertificateAuthority
Name | Description | Value |
---|---|---|
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string |
name | Name of the CA certificate. | string |
FirewallPolicyInsights
Name | Description | Value |
---|---|---|
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
Name | Description | Value |
---|---|---|
configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
Name | Description | Value |
---|---|---|
description | Description of the bypass traffic rule. | string |
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports or ranges. | string[] |
name | Name of the bypass traffic rule. | string |
protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
Name | Description | Value |
---|---|---|
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
Name | Description | Value |
---|---|---|
id | Signature id. | string |
mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
Name | Description | Value |
---|---|---|
defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
Name | Description | Value |
---|---|---|
region | Region to configure the Workspace. | string |
workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
dnsSettings | DNS Proxy Settings definition. | DnsSettings |
explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
insights | Insights on Firewall Policy. | FirewallPolicyInsights |
intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
sku | The Firewall Policy SKU. | FirewallPolicySku |
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
sql | SQL Settings definition. | FirewallPolicySQL |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
transportSecurity | TLS Configuration definition. | FirewallPolicyTransportSecurity |
FirewallPolicySku
Name | Description | Value |
---|---|---|
tier | Tier of Firewall Policy. | 'Basic' 'Premium' 'Standard' |
FirewallPolicySnat
Name | Description | Value |
---|---|---|
autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
Name | Description | Value |
---|---|---|
allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
Name | Description | Value |
---|---|---|
fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
FirewallPolicyTransportSecurity
Name | Description | Value |
---|---|---|
certificateAuthority | The CA used for intermediate CA generation. | FirewallPolicyCertificateAuthority |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
Name | Description | Value |
---|
Microsoft.Network/firewallPolicies
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2024-05-01' |
identity | The identity of the firewall policy. | ManagedServiceIdentity |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Properties of the firewall policy. | FirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Network/firewallPolicies' |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Create a Firewall and FirewallPolicy with Rules and Ipgroups |
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Create a Firewall with FirewallPolicy and IpGroups |
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a Firewall, FirewallPolicy with Explicit Proxy |
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a sandbox setup with Firewall Policy |
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges |
Secured virtual hubs |
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
SharePoint Subscription / 2019 / 2016 fully configured |
Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...). |
Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology |
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
Terraform (AzAPI provider) resource definition
The firewallPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/firewallPolicies@2024-05-01"
name = "string"
identity = {
type = "string"
userAssignedIdentities = {
{customized property} = {
}
}
}
location = "string"
tags = {
{customized property} = "string"
}
body = jsonencode({
properties = {
basePolicy = {
id = "string"
}
dnsSettings = {
enableProxy = bool
requireProxyForNetworkRules = bool
servers = [
"string"
]
}
explicitProxy = {
enableExplicitProxy = bool
enablePacFile = bool
httpPort = int
httpsPort = int
pacFile = "string"
pacFilePort = int
}
insights = {
isEnabled = bool
logAnalyticsResources = {
defaultWorkspaceId = {
id = "string"
}
workspaces = [
{
region = "string"
workspaceId = {
id = "string"
}
}
]
}
retentionDays = int
}
intrusionDetection = {
configuration = {
bypassTrafficSettings = [
{
description = "string"
destinationAddresses = [
"string"
]
destinationIpGroups = [
"string"
]
destinationPorts = [
"string"
]
name = "string"
protocol = "string"
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
}
]
privateRanges = [
"string"
]
signatureOverrides = [
{
id = "string"
mode = "string"
}
]
}
mode = "string"
profile = "string"
}
sku = {
tier = "string"
}
snat = {
autoLearnPrivateRanges = "string"
privateRanges = [
"string"
]
}
sql = {
allowSqlRedirect = bool
}
threatIntelMode = "string"
threatIntelWhitelist = {
fqdns = [
"string"
]
ipAddresses = [
"string"
]
}
transportSecurity = {
certificateAuthority = {
keyVaultSecretId = "string"
name = "string"
}
}
}
})
}
Property values
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
Name | Description | Value |
---|
DnsSettings
Name | Description | Value |
---|---|---|
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
Name | Description | Value |
---|---|---|
enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
pacFile | SAS URL for PAC file. | string |
pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyCertificateAuthority
Name | Description | Value |
---|---|---|
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string |
name | Name of the CA certificate. | string |
FirewallPolicyInsights
Name | Description | Value |
---|---|---|
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
Name | Description | Value |
---|---|---|
configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
Name | Description | Value |
---|---|---|
description | Description of the bypass traffic rule. | string |
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports or ranges. | string[] |
name | Name of the bypass traffic rule. | string |
protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
Name | Description | Value |
---|---|---|
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
Name | Description | Value |
---|---|---|
id | Signature id. | string |
mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
Name | Description | Value |
---|---|---|
defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
Name | Description | Value |
---|---|---|
region | Region to configure the Workspace. | string |
workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
dnsSettings | DNS Proxy Settings definition. | DnsSettings |
explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
insights | Insights on Firewall Policy. | FirewallPolicyInsights |
intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
sku | The Firewall Policy SKU. | FirewallPolicySku |
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
sql | SQL Settings definition. | FirewallPolicySQL |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
transportSecurity | TLS Configuration definition. | FirewallPolicyTransportSecurity |
FirewallPolicySku
Name | Description | Value |
---|---|---|
tier | Tier of Firewall Policy. | 'Basic' 'Premium' 'Standard' |
FirewallPolicySnat
Name | Description | Value |
---|---|---|
autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
Name | Description | Value |
---|---|---|
allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
Name | Description | Value |
---|---|---|
fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
FirewallPolicyTransportSecurity
Name | Description | Value |
---|---|---|
certificateAuthority | The CA used for intermediate CA generation. | FirewallPolicyCertificateAuthority |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
Name | Description | Value |
---|
Microsoft.Network/firewallPolicies
Name | Description | Value |
---|---|---|
identity | The identity of the firewall policy. | ManagedServiceIdentity |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Properties of the firewall policy. | FirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Network/firewallPolicies@2024-05-01" |
ResourceTags
Name | Description | Value |
---|
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |