Delen via


Microsoft.Network azureFirewalls 2018-04-01

Bicep resource definition

The azureFirewalls resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/azureFirewalls resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/azureFirewalls@2018-04-01' = {
  location: 'string'
  name: 'string'
  properties: {
    applicationRuleCollections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          action: {
            type: 'string'
          }
          priority: int
          provisioningState: 'string'
          rules: [
            {
              description: 'string'
              name: 'string'
              protocols: [
                {
                  port: int
                  protocolType: 'string'
                }
              ]
              sourceAddresses: [
                'string'
              ]
              targetUrls: [
                'string'
              ]
            }
          ]
        }
      }
    ]
    ipConfigurations: [
      {
        etag: 'string'
        id: 'string'
        name: 'string'
        properties: {
          internalPublicIpAddress: {
            id: 'string'
          }
          privateIPAddress: 'string'
          provisioningState: 'string'
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    networkRuleCollections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          action: {
            type: 'string'
          }
          priority: int
          provisioningState: 'string'
          rules: [
            {
              description: 'string'
              destinationAddresses: [
                'string'
              ]
              destinationPorts: [
                'string'
              ]
              name: 'string'
              protocols: [
                'string'
              ]
              sourceAddresses: [
                'string'
              ]
            }
          ]
        }
      }
    ]
    provisioningState: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

AzureFirewallApplicationRule

Name Description Value
description Description of the rule. string
name Name of the application rule. string
protocols Array of ApplicationRuleProtocols. AzureFirewallApplicationRuleProtocol[]
sourceAddresses List of source IP addresses for this rule. string[]
targetUrls List of URLs for this rule. string[]

AzureFirewallApplicationRuleCollection

Name Description Value
id Resource ID. string
name Gets name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the application rule collection. AzureFirewallApplicationRuleCollectionPropertiesFormat

AzureFirewallApplicationRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection AzureFirewallRCAction
priority Priority of the application rule collection resource. int

Constraints:
Min value = 100
Max value = 65000
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
rules Collection of rules used by a application rule collection. AzureFirewallApplicationRule[]

AzureFirewallApplicationRuleProtocol

Name Description Value
port Port number for the protocol, cannot be greater than 64000. This field is optional. int

Constraints:
Min value = 0
Max value = 64000
protocolType Protocol type 'Http'
'Https'

AzureFirewallIPConfiguration

Name Description Value
etag A unique read-only string that changes whenever the resource is updated. string
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of IP configuration of an Azure Firewall. AzureFirewallIPConfigurationPropertiesFormat

AzureFirewallIPConfigurationPropertiesFormat

Name Description Value
internalPublicIpAddress Reference of the PublicIP resource. This field is a mandatory input. SubResource
privateIPAddress The Firewall Internal Load Balancer IP to be used as the next hop in User Defined Routes. string
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
publicIPAddress Reference of the PublicIP resource. This field is populated in the output. SubResource
subnet Reference of the subnet resource. This resource must be named 'AzureFirewallSubnet'. SubResource

AzureFirewallNetworkRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses. string[]
destinationPorts List of destination ports. string[]
name Name of the network rule. string
protocols Array of AzureFirewallNetworkRuleProtocols. String array containing any of:
'Any'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses for this rule. string[]

AzureFirewallNetworkRuleCollection

Name Description Value
id Resource ID. string
name Gets name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the network rule collection. AzureFirewallNetworkRuleCollectionPropertiesFormat

AzureFirewallNetworkRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection AzureFirewallRCAction
priority Priority of the network rule collection resource. int

Constraints:
Min value = 100
Max value = 65000
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
rules Collection of rules used by a network rule collection. AzureFirewallNetworkRule[]

AzureFirewallPropertiesFormat

Name Description Value
applicationRuleCollections Collection of application rule collections used by a Azure Firewall. AzureFirewallApplicationRuleCollection[]
ipConfigurations IP configuration of the Azure Firewall resource. AzureFirewallIPConfiguration[]
networkRuleCollections Collection of network rule collections used by a Azure Firewall. AzureFirewallNetworkRuleCollection[]
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'

AzureFirewallRCAction

Name Description Value
type The type of action. 'Allow'
'Deny'

Microsoft.Network/azureFirewalls

Name Description Value
location Resource location. string
name The resource name string (required)
properties Properties of the Azure Firewall. AzureFirewallPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Create a Firewall and FirewallPolicy with Rules and Ipgroups This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules.
Create a sandbox setup of Azure Firewall with Linux VMs This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup of Azure Firewall with Zones This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the ServerSubnet,an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3.
Create an Azure Firewall with IpGroups This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall with multiple IP public addresses This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.
Create sandbox of Azure Firewall, client VM, and server VM This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), A server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall.
Secured virtual hubs This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
SharePoint Subscription / 2019 / 2016 fully configured Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).
Testing environment for Azure Firewall Premium This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

ARM template resource definition

The azureFirewalls resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/azureFirewalls resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2018-04-01",
  "name": "string",
  "location": "string",
  "properties": {
    "applicationRuleCollections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "action": {
            "type": "string"
          },
          "priority": "int",
          "provisioningState": "string",
          "rules": [
            {
              "description": "string",
              "name": "string",
              "protocols": [
                {
                  "port": "int",
                  "protocolType": "string"
                }
              ],
              "sourceAddresses": [ "string" ],
              "targetUrls": [ "string" ]
            }
          ]
        }
      }
    ],
    "ipConfigurations": [
      {
        "etag": "string",
        "id": "string",
        "name": "string",
        "properties": {
          "internalPublicIpAddress": {
            "id": "string"
          },
          "privateIPAddress": "string",
          "provisioningState": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "networkRuleCollections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "action": {
            "type": "string"
          },
          "priority": "int",
          "provisioningState": "string",
          "rules": [
            {
              "description": "string",
              "destinationAddresses": [ "string" ],
              "destinationPorts": [ "string" ],
              "name": "string",
              "protocols": [ "string" ],
              "sourceAddresses": [ "string" ]
            }
          ]
        }
      }
    ],
    "provisioningState": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

AzureFirewallApplicationRule

Name Description Value
description Description of the rule. string
name Name of the application rule. string
protocols Array of ApplicationRuleProtocols. AzureFirewallApplicationRuleProtocol[]
sourceAddresses List of source IP addresses for this rule. string[]
targetUrls List of URLs for this rule. string[]

AzureFirewallApplicationRuleCollection

Name Description Value
id Resource ID. string
name Gets name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the application rule collection. AzureFirewallApplicationRuleCollectionPropertiesFormat

AzureFirewallApplicationRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection AzureFirewallRCAction
priority Priority of the application rule collection resource. int

Constraints:
Min value = 100
Max value = 65000
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
rules Collection of rules used by a application rule collection. AzureFirewallApplicationRule[]

AzureFirewallApplicationRuleProtocol

Name Description Value
port Port number for the protocol, cannot be greater than 64000. This field is optional. int

Constraints:
Min value = 0
Max value = 64000
protocolType Protocol type 'Http'
'Https'

AzureFirewallIPConfiguration

Name Description Value
etag A unique read-only string that changes whenever the resource is updated. string
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of IP configuration of an Azure Firewall. AzureFirewallIPConfigurationPropertiesFormat

AzureFirewallIPConfigurationPropertiesFormat

Name Description Value
internalPublicIpAddress Reference of the PublicIP resource. This field is a mandatory input. SubResource
privateIPAddress The Firewall Internal Load Balancer IP to be used as the next hop in User Defined Routes. string
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
publicIPAddress Reference of the PublicIP resource. This field is populated in the output. SubResource
subnet Reference of the subnet resource. This resource must be named 'AzureFirewallSubnet'. SubResource

AzureFirewallNetworkRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses. string[]
destinationPorts List of destination ports. string[]
name Name of the network rule. string
protocols Array of AzureFirewallNetworkRuleProtocols. String array containing any of:
'Any'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses for this rule. string[]

AzureFirewallNetworkRuleCollection

Name Description Value
id Resource ID. string
name Gets name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the network rule collection. AzureFirewallNetworkRuleCollectionPropertiesFormat

AzureFirewallNetworkRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection AzureFirewallRCAction
priority Priority of the network rule collection resource. int

Constraints:
Min value = 100
Max value = 65000
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
rules Collection of rules used by a network rule collection. AzureFirewallNetworkRule[]

AzureFirewallPropertiesFormat

Name Description Value
applicationRuleCollections Collection of application rule collections used by a Azure Firewall. AzureFirewallApplicationRuleCollection[]
ipConfigurations IP configuration of the Azure Firewall resource. AzureFirewallIPConfiguration[]
networkRuleCollections Collection of network rule collections used by a Azure Firewall. AzureFirewallNetworkRuleCollection[]
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'

AzureFirewallRCAction

Name Description Value
type The type of action. 'Allow'
'Deny'

Microsoft.Network/azureFirewalls

Name Description Value
apiVersion The api version '2018-04-01'
location Resource location. string
name The resource name string (required)
properties Properties of the Azure Firewall. AzureFirewallPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/azureFirewalls'

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create a Firewall and FirewallPolicy with Rules and Ipgroups

Deploy to Azure
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules.
Create a Firewall with FirewallPolicy and IpGroups

Deploy to Azure
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create a Firewall, FirewallPolicy with Explicit Proxy

Deploy to Azure
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create a sandbox setup of Azure Firewall with Linux VMs

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup of Azure Firewall with Zones

Deploy to Azure
This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the ServerSubnet,an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3.
Create a sandbox setup with Firewall Policy

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges
Create an Azure Firewall sandbox with forced tunneling

Deploy to Azure
This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET
Create an Azure Firewall with Availability Zones

Deploy to Azure
This template creates an Azure Firewall with Availability Zones and any number of Public IPs in a virtual network and sets up 1 sample application rule and 1 sample network rule
Create an Azure Firewall with IpGroups

Deploy to Azure
This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall with multiple IP public addresses

Deploy to Azure
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.
Create sandbox of Azure Firewall, client VM, and server VM

Deploy to Azure
This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), A server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall.
Secured virtual hubs

Deploy to Azure
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
SharePoint Subscription / 2019 / 2016 fully configured

Deploy to Azure
Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).
Testing environment for Azure Firewall Premium

Deploy to Azure
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

Terraform (AzAPI provider) resource definition

The azureFirewalls resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/azureFirewalls resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/azureFirewalls@2018-04-01"
  name = "string"
  location = "string"
  body = jsonencode({
    properties = {
      applicationRuleCollections = [
        {
          id = "string"
          name = "string"
          properties = {
            action = {
              type = "string"
            }
            priority = int
            provisioningState = "string"
            rules = [
              {
                description = "string"
                name = "string"
                protocols = [
                  {
                    port = int
                    protocolType = "string"
                  }
                ]
                sourceAddresses = [
                  "string"
                ]
                targetUrls = [
                  "string"
                ]
              }
            ]
          }
        }
      ]
      ipConfigurations = [
        {
          etag = "string"
          id = "string"
          name = "string"
          properties = {
            internalPublicIpAddress = {
              id = "string"
            }
            privateIPAddress = "string"
            provisioningState = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      networkRuleCollections = [
        {
          id = "string"
          name = "string"
          properties = {
            action = {
              type = "string"
            }
            priority = int
            provisioningState = "string"
            rules = [
              {
                description = "string"
                destinationAddresses = [
                  "string"
                ]
                destinationPorts = [
                  "string"
                ]
                name = "string"
                protocols = [
                  "string"
                ]
                sourceAddresses = [
                  "string"
                ]
              }
            ]
          }
        }
      ]
      provisioningState = "string"
    }
  })
  tags = {
    {customized property} = "string"
  }
}

Property values

AzureFirewallApplicationRule

Name Description Value
description Description of the rule. string
name Name of the application rule. string
protocols Array of ApplicationRuleProtocols. AzureFirewallApplicationRuleProtocol[]
sourceAddresses List of source IP addresses for this rule. string[]
targetUrls List of URLs for this rule. string[]

AzureFirewallApplicationRuleCollection

Name Description Value
id Resource ID. string
name Gets name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the application rule collection. AzureFirewallApplicationRuleCollectionPropertiesFormat

AzureFirewallApplicationRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection AzureFirewallRCAction
priority Priority of the application rule collection resource. int

Constraints:
Min value = 100
Max value = 65000
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
rules Collection of rules used by a application rule collection. AzureFirewallApplicationRule[]

AzureFirewallApplicationRuleProtocol

Name Description Value
port Port number for the protocol, cannot be greater than 64000. This field is optional. int

Constraints:
Min value = 0
Max value = 64000
protocolType Protocol type 'Http'
'Https'

AzureFirewallIPConfiguration

Name Description Value
etag A unique read-only string that changes whenever the resource is updated. string
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of IP configuration of an Azure Firewall. AzureFirewallIPConfigurationPropertiesFormat

AzureFirewallIPConfigurationPropertiesFormat

Name Description Value
internalPublicIpAddress Reference of the PublicIP resource. This field is a mandatory input. SubResource
privateIPAddress The Firewall Internal Load Balancer IP to be used as the next hop in User Defined Routes. string
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
publicIPAddress Reference of the PublicIP resource. This field is populated in the output. SubResource
subnet Reference of the subnet resource. This resource must be named 'AzureFirewallSubnet'. SubResource

AzureFirewallNetworkRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses. string[]
destinationPorts List of destination ports. string[]
name Name of the network rule. string
protocols Array of AzureFirewallNetworkRuleProtocols. String array containing any of:
'Any'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses for this rule. string[]

AzureFirewallNetworkRuleCollection

Name Description Value
id Resource ID. string
name Gets name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the network rule collection. AzureFirewallNetworkRuleCollectionPropertiesFormat

AzureFirewallNetworkRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection AzureFirewallRCAction
priority Priority of the network rule collection resource. int

Constraints:
Min value = 100
Max value = 65000
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'
rules Collection of rules used by a network rule collection. AzureFirewallNetworkRule[]

AzureFirewallPropertiesFormat

Name Description Value
applicationRuleCollections Collection of application rule collections used by a Azure Firewall. AzureFirewallApplicationRuleCollection[]
ipConfigurations IP configuration of the Azure Firewall resource. AzureFirewallIPConfiguration[]
networkRuleCollections Collection of network rule collections used by a Azure Firewall. AzureFirewallNetworkRuleCollection[]
provisioningState The provisioning state of the resource. 'Deleting'
'Failed'
'Succeeded'
'Updating'

AzureFirewallRCAction

Name Description Value
type The type of action. 'Allow'
'Deny'

Microsoft.Network/azureFirewalls

Name Description Value
location Resource location. string
name The resource name string (required)
properties Properties of the Azure Firewall. AzureFirewallPropertiesFormat
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/azureFirewalls@2018-04-01"

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string