Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies template reference

Template format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2019-04-01",
  "location": "string",
  "tags": {},
  "properties": {
    "policySettings": {
      "enabledState": "string",
      "mode": "string"
    },
    "customRules": [
      {
        "name": "string",
        "priority": "integer",
        "ruleType": "string",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "string",
                "selector": "string"
              }
            ],
            "operator": "string",
            "negationConditon": "boolean",
            "matchValues": [
              "string"
            ],
            "transforms": [
              "string"
            ]
          }
        ],
        "action": "string"
      }
    ]
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | The name of the policy. Max length: 128 |
| type | enum | Yes | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies |
| apiVersion | enum | Yes | 2019-04-01 |
| location | string | Yes | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | Yes | Properties of the web application firewall policy. - WebApplicationFirewallPolicyPropertiesFormat object |

WebApplicationFirewallPolicyPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| policySettings | object | No | Describes policySettings for policy. - PolicySettings object |
| customRules | array | No | Describes custom rules inside the policy. - WebApplicationFirewallCustomRule object |

PolicySettings object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| enabledState | enum | No | Describes if the policy is in enabled state or disabled state. - Disabled or Enabled |
| mode | enum | No | Describes if it is in detection mode or prevention mode at policy level. - Prevention or Detection |

WebApplicationFirewallCustomRule object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | No | Gets name of the resource that is unique within a policy. This name can be used to access the resource. |
| priority | integer | Yes | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. |
| ruleType | enum | Yes | Describes type of rule. - MatchRule or Invalid |
| matchConditions | array | Yes | List of match conditions. - MatchCondition object |
| action | enum | Yes | Type of Actions. - Allow, Block, Log |

MatchCondition object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| matchVariables | array | Yes | List of match variables. - MatchVariable object |
| operator | enum | Yes | Describes operator to be matched. - IPMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith, Regex |
| negationConditon | boolean | No | Describes if this is negate condition or not. |
| matchValues | array | Yes | Match value. - string |
| transforms | array | No | List of transforms. - Lowercase, Trim, UrlDecode, UrlEncode, RemoveNulls, HtmlEntityDecode |

MatchVariable object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| variableName | enum | Yes | Match Variable. - RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody, RequestCookies |
| selector | string | No | Describes field of the matchVariable collection. |
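
The required properties, enum values and the 128-character name limit listed in the tables above can be checked before a template is deployed. The following Python linter is an added example, not part of the original reference or of any Microsoft tooling; the function names and the sample resource (policy name, location, rule name, IP range) are constructed for illustration.

```python
# Enum values copied from the property tables on this page.
ENUMS = {
    "enabledState": {"Disabled", "Enabled"},
    "mode": {"Prevention", "Detection"},
    "ruleType": {"MatchRule", "Invalid"},
    "action": {"Allow", "Block", "Log"},
    "operator": {"IPMatch", "Equal", "Contains", "LessThan", "GreaterThan",
                 "LessThanOrEqual", "GreaterThanOrEqual", "BeginsWith", "EndsWith", "Regex"},
    "variableName": {"RemoteAddr", "RequestMethod", "QueryString", "PostArgs",
                     "RequestUri", "RequestHeaders", "RequestBody", "RequestCookies"},
}
TRANSFORMS = {"Lowercase", "Trim", "UrlDecode", "UrlEncode", "RemoveNulls", "HtmlEntityDecode"}

def _check(obj, enum_keys, required, path, errs):
    """Record missing required keys, then enum keys holding undocumented values."""
    for k in required:
        if k not in obj:
            errs.append(f"{path}: missing required '{k}'")
    for k in enum_keys:
        if k in obj and obj[k] not in ENUMS[k]:
            errs.append(f"{path}.{k}: '{obj[k]}' is not a documented value")

def lint_policy(resource):
    """Return a list of schema violations for one policy resource (a dict)."""
    errs = []
    if len(resource.get("name", "")) > 128:
        errs.append("name: longer than 128 characters")
    props = resource.get("properties", {})
    _check(props.get("policySettings", {}), ("enabledState", "mode"), (), "policySettings", errs)
    for i, rule in enumerate(props.get("customRules", [])):
        rp = f"customRules[{i}]"
        _check(rule, ("ruleType", "action"),
               ("priority", "ruleType", "matchConditions", "action"), rp, errs)
        for j, cond in enumerate(rule.get("matchConditions", [])):
            cp = f"{rp}.matchConditions[{j}]"
            _check(cond, ("operator",), ("matchVariables", "operator", "matchValues"), cp, errs)
            for t in sorted(set(cond.get("transforms", [])) - TRANSFORMS):
                errs.append(f"{cp}.transforms: '{t}' is not a documented value")
            for k, mv in enumerate(cond.get("matchVariables", [])):
                _check(mv, ("variableName",), ("variableName",), f"{cp}.matchVariables[{k}]", errs)
    return errs

# Constructed sample resource: blocks one documentation IP range (RFC 5737).
SAMPLE = {"name": "example-waf-policy", "location": "westeurope",
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2019-04-01",
  "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Prevention"},
    "customRules": [{"name": "BlockRange", "priority": 10, "ruleType": "MatchRule",
      "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
        "operator": "IPMatch", "matchValues": ["192.0.2.0/24"]}],
      "action": "Block"}]}}
```

`lint_policy(SAMPLE)` returns an empty list; a resource with a misspelled enum value or a rule missing `priority` returns one message per violation, each prefixed with the path of the offending property.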

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create an Azure WAF v2 on Azure Application Gateway | This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool |