Microsoft.Network FrontDoorWebApplicationFirewallPolicies 2018-08-01
Bicep resource definition
The FrontDoorWebApplicationFirewallPolicies resource type can be deployed to:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2018-08-01' = {
name: 'string'
location: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
etag: 'string'
properties: {
customRules: {
rules: [
{
action: 'string'
matchConditions: [
{
matchValue: [
'string'
]
matchVariable: 'string'
negateCondition: bool
operator: 'string'
selector: 'string'
}
]
name: 'string'
priority: int
rateLimitDurationInMinutes: int
rateLimitThreshold: int
ruleType: 'string'
transforms: [
'string'
]
}
]
}
managedRules: {
ruleSets: [
{
priority: int
version: int
ruleSetType: 'string'
// For remaining properties, see ManagedRuleSet objects
}
]
}
policySettings: {
enabledState: 'string'
mode: 'string'
}
}
}
ManagedRuleSet objects
Set the ruleSetType property to specify the type of object.
For AzureManagedRuleSet, use:
ruleSetType: 'AzureManagedRuleSet'
ruleGroupOverrides: [
{
action: 'string'
ruleGroupOverride: 'string'
}
]
Property values
FrontDoorWebApplicationFirewallPolicies
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) Character limit: 1-128 Valid characters: Alphanumerics. Start with letter. |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy | CustomRules |
| managedRules | Describes managed rules inside the policy | ManagedRuleSets |
| policySettings | Describes policySettings for policy | PolicySettings |
CustomRules
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRule[] |
CustomRule
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| matchConditions | List of match conditions | MatchConditionAutoGenerated[] (required) |
| name | Gets name of the resource that is unique within a policy. This name can be used to access the resource. | string |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value | int (required) |
| rateLimitDurationInMinutes | Defines rate limit duration. Default - 1 minute | int |
| rateLimitThreshold | Defines rate limit threshold | int |
| ruleType | Describes type of rule | 'MatchRule' 'RateLimitRule' (required) |
| transforms | List of transforms | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
MatchConditionAutoGenerated
| Name | Description | Value |
|---|---|---|
| matchValue | Match value | string[] (required) |
| matchVariable | Match Variable | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestUri' (required) |
| negateCondition | Describes if this is negate condition or not | bool |
| operator | Describes operator to be matched | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' (required) |
| selector | Name of selector in RequestHeader or RequestBody to be matched | string |
ManagedRuleSets
| Name | Description | Value |
|---|---|---|
| ruleSets | List of rules | ManagedRuleSet[] |
ManagedRuleSet
| Name | Description | Value |
|---|---|---|
| priority | Describes priority of the rule | int |
| version | defines version of the rule set | int |
| ruleSetType | Set the object type | AzureManagedRuleSet (required) |
AzureManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleSetType | RuleSetType - AzureManagedRuleSet or OWASP RuleSets. | 'AzureManagedRuleSet' (required) |
| ruleGroupOverrides | List of azure managed provider override configuration (optional) | AzureManagedOverrideRuleGroup[] |
AzureManagedOverrideRuleGroup
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| ruleGroupOverride | Describes override rule group | 'SqlInjection' 'XSS' (required) |
PolicySettings
| Name | Description | Value |
|---|---|---|
| enabledState | describes if the policy is in enabled state or disabled state | 'Disabled' 'Enabled' |
| mode | Describes if it is in detection mode or prevention mode at policy level | 'Detection' 'Prevention' |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
FrontDoor CDN with WAF, Domains and Logs to EventHub |
This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub. |
| Front Door Premium with blob origin and Private Link |
This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Premium with WAF and Microsoft-managed rule sets |
This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets. |
| Front Door Standard/Premium with geo-filtering |
This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule. |
| Front Door Standard/Premium with rate limit |
This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule. |
| Front Door Standard/Premium with WAF and custom rule |
This template creates a Front Door Standard/Premium including a web application firewall with a custom rule. |
| Create Azure Front Door in front of Azure API Management |
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management. |
| Create WAF Geo Filtering rule for Azure Front Door endpoint |
This template creates a WAF geo filtering rule for Azure Front Door that allows/blocks traffic from certain countries. |
| Configure WAF managed defaultRuleSet for Azure Front Door |
This template configures WAF managed defaultRuleSet for Azure Front Door |
| Configure WAF rate liming rule for Azure Front Door endpoint |
This template configures a WAF rule for Azure Front Door to rate limit incoming traffic for a given frontend host. |
| Configure WAF client IP restriction for Azure Front Door |
This template configures WAF client IP restriction for Azure Front Door endpoint |
| Configure WAF rules with http parameters for Front Door |
This template configures WAF custom rules based on specific http parameters for Azure Front Door endpoint. |
| Function App secured by Azure Frontdoor |
This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link. |
ARM template resource definition
The FrontDoorWebApplicationFirewallPolicies resource type can be deployed to:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
"apiVersion": "2018-08-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"etag": "string",
"properties": {
"customRules": {
"rules": [
{
"action": "string",
"matchConditions": [
{
"matchValue": [ "string" ],
"matchVariable": "string",
"negateCondition": "bool",
"operator": "string",
"selector": "string"
}
],
"name": "string",
"priority": "int",
"rateLimitDurationInMinutes": "int",
"rateLimitThreshold": "int",
"ruleType": "string",
"transforms": [ "string" ]
}
]
},
"managedRules": {
"ruleSets": [
{
"priority": "int",
"version": "int",
"ruleSetType": "string"
// For remaining properties, see ManagedRuleSet objects
}
]
},
"policySettings": {
"enabledState": "string",
"mode": "string"
}
}
}
ManagedRuleSet objects
Set the ruleSetType property to specify the type of object.
For AzureManagedRuleSet, use:
"ruleSetType": "AzureManagedRuleSet",
"ruleGroupOverrides": [
{
"action": "string",
"ruleGroupOverride": "string"
}
]
Property values
FrontDoorWebApplicationFirewallPolicies
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies' |
| apiVersion | The resource api version | '2018-08-01' |
| name | The resource name | string (required) Character limit: 1-128 Valid characters: Alphanumerics. Start with letter. |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy | CustomRules |
| managedRules | Describes managed rules inside the policy | ManagedRuleSets |
| policySettings | Describes policySettings for policy | PolicySettings |
CustomRules
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRule[] |
CustomRule
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| matchConditions | List of match conditions | MatchConditionAutoGenerated[] (required) |
| name | Gets name of the resource that is unique within a policy. This name can be used to access the resource. | string |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value | int (required) |
| rateLimitDurationInMinutes | Defines rate limit duration. Default - 1 minute | int |
| rateLimitThreshold | Defines rate limit threshold | int |
| ruleType | Describes type of rule | 'MatchRule' 'RateLimitRule' (required) |
| transforms | List of transforms | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
MatchConditionAutoGenerated
| Name | Description | Value |
|---|---|---|
| matchValue | Match value | string[] (required) |
| matchVariable | Match Variable | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestUri' (required) |
| negateCondition | Describes if this is negate condition or not | bool |
| operator | Describes operator to be matched | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' (required) |
| selector | Name of selector in RequestHeader or RequestBody to be matched | string |
ManagedRuleSets
| Name | Description | Value |
|---|---|---|
| ruleSets | List of rules | ManagedRuleSet[] |
ManagedRuleSet
| Name | Description | Value |
|---|---|---|
| priority | Describes priority of the rule | int |
| version | defines version of the rule set | int |
| ruleSetType | Set the object type | AzureManagedRuleSet (required) |
AzureManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleSetType | RuleSetType - AzureManagedRuleSet or OWASP RuleSets. | 'AzureManagedRuleSet' (required) |
| ruleGroupOverrides | List of azure managed provider override configuration (optional) | AzureManagedOverrideRuleGroup[] |
AzureManagedOverrideRuleGroup
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | 'Allow' 'Block' 'Log' (required) |
| ruleGroupOverride | Describes override rule group | 'SqlInjection' 'XSS' (required) |
PolicySettings
| Name | Description | Value |
|---|---|---|
| enabledState | describes if the policy is in enabled state or disabled state | 'Disabled' 'Enabled' |
| mode | Describes if it is in detection mode or prevention mode at policy level | 'Detection' 'Prevention' |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| FrontDoor CDN with WAF, Domains and Logs to EventHub |
This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub. |
| Front Door Premium with blob origin and Private Link |
This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Premium with WAF and Microsoft-managed rule sets |
This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets. |
| Front Door Standard/Premium with geo-filtering |
This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule. |
| Front Door Standard/Premium with rate limit |
This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule. |
| Front Door Standard/Premium with WAF and custom rule |
This template creates a Front Door Standard/Premium including a web application firewall with a custom rule. |
| Create Azure Front Door in front of Azure API Management |
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management. |
| Create WAF Geo Filtering rule for Azure Front Door endpoint |
This template creates a WAF geo filtering rule for Azure Front Door that allows/blocks traffic from certain countries. |
| Configure WAF managed defaultRuleSet for Azure Front Door |
This template configures WAF managed defaultRuleSet for Azure Front Door |
| Configure WAF rate liming rule for Azure Front Door endpoint |
This template configures a WAF rule for Azure Front Door to rate limit incoming traffic for a given frontend host. |
| Configure WAF client IP restriction for Azure Front Door |
This template configures WAF client IP restriction for Azure Front Door endpoint |
| Configure WAF rules with http parameters for Front Door |
This template configures WAF custom rules based on specific http parameters for Azure Front Door endpoint. |
| Function App secured by Azure Frontdoor |
This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link. |
Terraform (AzAPI provider) resource definition
The FrontDoorWebApplicationFirewallPolicies resource type can be deployed to:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2018-08-01"
name = "string"
location = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
body = jsonencode({
properties = {
customRules = {
rules = [
{
action = "string"
matchConditions = [
{
matchValue = [
"string"
]
matchVariable = "string"
negateCondition = bool
operator = "string"
selector = "string"
}
]
name = "string"
priority = int
rateLimitDurationInMinutes = int
rateLimitThreshold = int
ruleType = "string"
transforms = [
"string"
]
}
]
}
managedRules = {
ruleSets = [
{
priority = int
version = int
ruleSetType = "string"
// For remaining properties, see ManagedRuleSet objects
}
]
}
policySettings = {
enabledState = "string"
mode = "string"
}
}
etag = "string"
})
}
ManagedRuleSet objects
Set the ruleSetType property to specify the type of object.
For AzureManagedRuleSet, use:
ruleSetType = "AzureManagedRuleSet"
ruleGroupOverrides = [
{
action = "string"
ruleGroupOverride = "string"
}
]
Property values
FrontDoorWebApplicationFirewallPolicies
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2018-08-01" |
| name | The resource name | string (required) Character limit: 1-128 Valid characters: Alphanumerics. Start with letter. |
| location | Resource location. | string |
| parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
| tags | Resource tags. | Dictionary of tag names and values. |
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy | CustomRules |
| managedRules | Describes managed rules inside the policy | ManagedRuleSets |
| policySettings | Describes policySettings for policy | PolicySettings |
CustomRules
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRule[] |
CustomRule
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | "Allow" "Block" "Log" (required) |
| matchConditions | List of match conditions | MatchConditionAutoGenerated[] (required) |
| name | Gets name of the resource that is unique within a policy. This name can be used to access the resource. | string |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value | int (required) |
| rateLimitDurationInMinutes | Defines rate limit duration. Default - 1 minute | int |
| rateLimitThreshold | Defines rate limit threshold | int |
| ruleType | Describes type of rule | "MatchRule" "RateLimitRule" (required) |
| transforms | List of transforms | String array containing any of: "HtmlEntityDecode" "Lowercase" "RemoveNulls" "Trim" "Uppercase" "UrlDecode" "UrlEncode" |
MatchConditionAutoGenerated
| Name | Description | Value |
|---|---|---|
| matchValue | Match value | string[] (required) |
| matchVariable | Match Variable | "PostArgs" "QueryString" "RemoteAddr" "RequestBody" "RequestHeader" "RequestMethod" "RequestUri" (required) |
| negateCondition | Describes if this is negate condition or not | bool |
| operator | Describes operator to be matched | "Any" "BeginsWith" "Contains" "EndsWith" "Equal" "GeoMatch" "GreaterThan" "GreaterThanOrEqual" "IPMatch" "LessThan" "LessThanOrEqual" (required) |
| selector | Name of selector in RequestHeader or RequestBody to be matched | string |
ManagedRuleSets
| Name | Description | Value |
|---|---|---|
| ruleSets | List of rules | ManagedRuleSet[] |
ManagedRuleSet
| Name | Description | Value |
|---|---|---|
| priority | Describes priority of the rule | int |
| version | defines version of the rule set | int |
| ruleSetType | Set the object type | AzureManagedRuleSet (required) |
AzureManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleSetType | RuleSetType - AzureManagedRuleSet or OWASP RuleSets. | "AzureManagedRuleSet" (required) |
| ruleGroupOverrides | List of azure managed provider override configuration (optional) | AzureManagedOverrideRuleGroup[] |
AzureManagedOverrideRuleGroup
| Name | Description | Value |
|---|---|---|
| action | Type of Actions | "Allow" "Block" "Log" (required) |
| ruleGroupOverride | Describes override rule group | "SqlInjection" "XSS" (required) |
PolicySettings
| Name | Description | Value |
|---|---|---|
| enabledState | describes if the policy is in enabled state or disabled state | "Disabled" "Enabled" |
| mode | Describes if it is in detection mode or prevention mode at policy level | "Detection" "Prevention" |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for