Microsoft.Network azureFirewalls template reference

Template format

To create a Microsoft.Network/azureFirewalls resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2019-07-01",
  "location": "string",
  "tags": {},
  "properties": {
    "applicationRuleCollections": [
      {
        "id": "string",
        "properties": {
          "priority": "integer",
          "action": {
            "type": "string"
          },
          "rules": [
            {
              "name": "string",
              "description": "string",
              "sourceAddresses": [
                "string"
              ],
              "protocols": [
                {
                  "protocolType": "string",
                  "port": "integer"
                }
              ],
              "targetFqdns": [
                "string"
              ],
              "fqdnTags": [
                "string"
              ]
            }
          ]
        },
        "name": "string"
      }
    ],
    "natRuleCollections": [
      {
        "id": "string",
        "properties": {
          "priority": "integer",
          "action": {
            "type": "string"
          },
          "rules": [
            {
              "name": "string",
              "description": "string",
              "sourceAddresses": [
                "string"
              ],
              "destinationAddresses": [
                "string"
              ],
              "destinationPorts": [
                "string"
              ],
              "protocols": [
                "string"
              ],
              "translatedAddress": "string",
              "translatedPort": "string"
            }
          ]
        },
        "name": "string"
      }
    ],
    "networkRuleCollections": [
      {
        "id": "string",
        "properties": {
          "priority": "integer",
          "action": {
            "type": "string"
          },
          "rules": [
            {
              "name": "string",
              "description": "string",
              "protocols": [
                "string"
              ],
              "sourceAddresses": [
                "string"
              ],
              "destinationAddresses": [
                "string"
              ],
              "destinationPorts": [
                "string"
              ]
            }
          ]
        },
        "name": "string"
      }
    ],
    "ipConfigurations": [
      {
        "id": "string",
        "properties": {
          "subnet": {
            "id": "string"
          },
          "publicIPAddress": {
            "id": "string"
          }
        },
        "name": "string"
      }
    ],
    "threatIntelMode": "string",
    "virtualHub": {
      "id": "string"
    },
    "firewallPolicy": {
      "id": "string"
    }
  },
  "zones": [
    "string"
  ]
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Network/azureFirewalls object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | The name of the Azure Firewall. |
| type | enum | Yes | Microsoft.Network/azureFirewalls |
| apiVersion | enum | Yes | 2019-07-01 |
| location | string | Yes | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | Yes | Properties of the azure firewall. - AzureFirewallPropertiesFormat object |
| zones | array | No | A list of availability zones denoting where the resource needs to come from. - string |

AzureFirewallPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| applicationRuleCollections | array | No | Collection of application rule collections used by Azure Firewall. - AzureFirewallApplicationRuleCollection object |
| natRuleCollections | array | No | Collection of NAT rule collections used by Azure Firewall. - AzureFirewallNatRuleCollection object |
| networkRuleCollections | array | No | Collection of network rule collections used by Azure Firewall. - AzureFirewallNetworkRuleCollection object |
| ipConfigurations | array | No | IP configuration of the Azure Firewall resource. - AzureFirewallIPConfiguration object |
| threatIntelMode | enum | No | The operation mode for Threat Intelligence. - Alert, Deny, Off |
| virtualHub | object | No | The virtualHub to which the firewall belongs. - SubResource object |
| firewallPolicy | object | No | The firewallPolicy associated with this azure firewall. - SubResource object |

AzureFirewallApplicationRuleCollection object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the azure firewall application rule collection. - AzureFirewallApplicationRuleCollectionPropertiesFormat object |
| name | string | No | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. |

AzureFirewallNatRuleCollection object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the azure firewall NAT rule collection. - AzureFirewallNatRuleCollectionProperties object |
| name | string | No | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. |

AzureFirewallNetworkRuleCollection object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the azure firewall network rule collection. - AzureFirewallNetworkRuleCollectionPropertiesFormat object |
| name | string | No | The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. |

AzureFirewallIPConfiguration object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the azure firewall IP configuration. - AzureFirewallIPConfigurationPropertiesFormat object |
| name | string | No | Name of the resource that is unique within a resource group. This name can be used to access the resource. |

SubResource object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |

AzureFirewallApplicationRuleCollectionPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| priority | integer | No | Priority of the application rule collection resource. |
| action | object | No | The action type of a rule collection. - AzureFirewallRCAction object |
| rules | array | No | Collection of rules used by an application rule collection. - AzureFirewallApplicationRule object |

AzureFirewallNatRuleCollectionProperties object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| priority | integer | No | Priority of the NAT rule collection resource. |
| action | object | No | The action type of a NAT rule collection. - AzureFirewallNatRCAction object |
| rules | array | No | Collection of rules used by a NAT rule collection. - AzureFirewallNatRule object |

AzureFirewallNetworkRuleCollectionPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| priority | integer | No | Priority of the network rule collection resource. |
| action | object | No | The action type of a rule collection. - AzureFirewallRCAction object |
| rules | array | No | Collection of rules used by a network rule collection. - AzureFirewallNetworkRule object |

AzureFirewallIPConfigurationPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| subnet | object | No | Reference of the subnet resource. This resource must be named 'AzureFirewallSubnet'. - SubResource object |
| publicIPAddress | object | No | Reference of the PublicIP resource. This field is a mandatory input if subnet is not null. - SubResource object |

AzureFirewallRCAction object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| type | enum | No | The type of action. - Allow or Deny |

AzureFirewallApplicationRule object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | No | Name of the application rule. |
| description | string | No | Description of the rule. |
| sourceAddresses | array | No | List of source IP addresses for this rule. - string |
| protocols | array | No | Array of ApplicationRuleProtocols. - AzureFirewallApplicationRuleProtocol object |
| targetFqdns | array | No | List of FQDNs for this rule. - string |
| fqdnTags | array | No | List of FQDN Tags for this rule. - string |

AzureFirewallNatRCAction object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| type | enum | No | The type of action. - Snat or Dnat |

AzureFirewallNatRule object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | No | Name of the NAT rule. |
| description | string | No | Description of the rule. |
| sourceAddresses | array | No | List of source IP addresses for this rule. - string |
| destinationAddresses | array | No | List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags. - string |
| destinationPorts | array | No | List of destination ports. - string |
| protocols | array | No | Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule. - TCP, UDP, Any, ICMP |
| translatedAddress | string | No | The translated address for this NAT rule. |
| translatedPort | string | No | The translated port for this NAT rule. |

AzureFirewallNetworkRule object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | No | Name of the network rule. |
| description | string | No | Description of the rule. |
| protocols | array | No | Array of AzureFirewallNetworkRuleProtocols. - TCP, UDP, Any, ICMP |
| sourceAddresses | array | No | List of source IP addresses for this rule. - string |
| destinationAddresses | array | No | List of destination IP addresses. - string |
| destinationPorts | array | No | List of destination ports. - string |

AzureFirewallApplicationRuleProtocol object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| protocolType | enum | No | Protocol type. - Http, Https, Mssql |
| port | integer | No | Port number for the protocol, cannot be greater than 64000. This field is optional. |
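
The value constraints stated in the tables above (enum members, the 64000 port ceiling, the AzureFirewallSubnet name, and the public IP requirement) can be checked before a template is deployed. The following Python is an added example, not part of the original reference or any Microsoft tooling; check_firewall, COLLECTIONS and SAMPLE are hypothetical names, and it assumes the resource holds literal values rather than template expressions.

```python
# Added example (not Microsoft tooling); assumes literal, already-resolved values.
def _app_rule(rule):
    for p in rule.get("protocols", []):
        if p.get("protocolType") not in {"Http", "Https", "Mssql"}:
            yield f"protocolType {p.get('protocolType')!r} is not Http, Https or Mssql"
        if isinstance(p.get("port"), int) and p["port"] > 64000:
            yield f"port {p['port']} is greater than 64000"

def _net_rule(rule):  # NAT rules use the same protocol enum as network rules
    for p in rule.get("protocols", []):
        if p not in {"TCP", "UDP", "Any", "ICMP"}:
            yield f"protocol {p!r} is not TCP, UDP, Any or ICMP"

COLLECTIONS = {  # collection key -> (allowed action types, per-rule check)
    "applicationRuleCollections": ({"Allow", "Deny"}, _app_rule),
    "natRuleCollections": ({"Snat", "Dnat"}, _net_rule),
    "networkRuleCollections": ({"Allow", "Deny"}, _net_rule),
}

def check_firewall(resource):
    """Return findings; an empty list means no documented constraint is violated."""
    findings, props = [], resource.get("properties", {})
    mode = props.get("threatIntelMode")
    if mode is not None and mode not in {"Alert", "Deny", "Off"}:
        findings.append(f"threatIntelMode {mode!r} is not Alert, Deny or Off")
    for key, (actions, rule_check) in COLLECTIONS.items():
        for coll in props.get(key, []):
            cp, where = coll.get("properties", {}), f"{key}/{coll.get('name')}"
            action = cp.get("action", {}).get("type")
            if action is not None and action not in actions:
                findings.append(f"{where}: action type {action!r} is not valid here")
            for rule in cp.get("rules", []):
                findings += [f"{where}/{rule.get('name')}: {m}" for m in rule_check(rule)]
    for ipc in props.get("ipConfigurations", []):
        ip, where = ipc.get("properties", {}), f"ipConfigurations/{ipc.get('name')}"
        subnet = ip.get("subnet")
        if subnet and subnet.get("id", "").rsplit("/", 1)[-1] != "AzureFirewallSubnet":
            findings.append(f"{where}: subnet must be named AzureFirewallSubnet")
        if subnet and not ip.get("publicIPAddress"):
            findings.append(f"{where}: publicIPAddress is mandatory when subnet is set")
    return findings

# Constructed sample with three deliberate violations (names and IDs are made up).
SAMPLE = {"properties": {"threatIntelMode": "Deny",
    "natRuleCollections": [{"name": "nat1", "properties": {
        "action": {"type": "Allow"}, "rules": [{"name": "r1", "protocols": ["TCP"]}]}}],
    "applicationRuleCollections": [{"name": "app1", "properties": {"action": {"type": "Allow"},
        "rules": [{"name": "web", "protocols": [{"protocolType": "Https", "port": 65000}]}]}}],
    "ipConfigurations": [{"name": "ipc1", "properties": {"subnet": {"id": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/AzureFirewallSubnet"}}}]}}
```

Calling check_firewall(SAMPLE) reports the out-of-range application rule port, the Allow action on a NAT rule collection, and the IP configuration that sets a subnet without a public IP address.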

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create a Firewall with FirewallPolicy and IpGroups | This template creates an Azure Firewall with FirewallPolicy referencing Network Rules with IpGroups. It also includes a Linux jumpbox VM setup. |
| Create an Azure Firewall with IpGroups | This template creates an Azure Firewall with Application and Network Rules referring to IpGroups. It also includes a Linux jumpbox VM setup. |
| Create an Azure Firewall with Availability Zones | This template creates an Azure Firewall with Availability Zones and any number of Public IPs in a virtual network, and sets up 1 sample application rule and 1 sample network rule. |
| Create an Azure Firewall sandbox with forced tunneling | This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET. |
| Create a sandbox setup of Azure Firewall with Linux VMs | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR route to point to Azure Firewall for the Server Subnet, and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges. |
| Create a sandbox setup with Firewall Policy | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR route to point to Azure Firewall for the Server Subnet, and an Azure Firewall with 1 or more Public IP addresses. It also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges. |
| Create a sandbox setup of Azure Firewall with Zones | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR route to point to Azure Firewall for the ServerSubnet, and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule and 1 sample network rule, deployed in availability zones 1, 2 and 3. |
| Create an Azure Firewall with multiple IP public addresses | This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test. |
| Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |