Microsoft.Network firewallPolicies/ruleCollectionGroups 2020-07-01

The firewallPolicies/ruleCollectionGroups resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Network/firewallPolicies/ruleCollectionGroups resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2020-07-01' = {
  name: 'string'
  parent: parentSymbolicName
  properties: {
    priority: int
    ruleCollections: [
      {
        name: 'string'
        priority: int
        ruleCollectionType: 'string'
        // For remaining properties, see FirewallPolicyRuleCollection objects
      }
    ]
  }
}

FirewallPolicyRuleCollection objects

Set the ruleCollectionType property to specify the type of object.

For FirewallPolicyFilterRuleCollection, use:

  ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
  action: {
    type: 'string'
  }
  rules: [
    {
      description: 'string'
      name: 'string'
      ruleType: 'string'
      // For remaining properties, see FirewallPolicyRule objects
    }
  ]

For FirewallPolicyNatRuleCollection, use:

  ruleCollectionType: 'FirewallPolicyNatRuleCollection'
  action: {
    type: 'DNAT'
  }
  rules: [
    {
      description: 'string'
      name: 'string'
      ruleType: 'string'
      // For remaining properties, see FirewallPolicyRule objects
    }
  ]

FirewallPolicyRule objects

Set the ruleType property to specify the type of object.

For ApplicationRule, use:

  ruleType: 'ApplicationRule'
  destinationAddresses: [ 'string' ]
  fqdnTags: [ 'string' ]
  protocols: [
    {
      port: int
      protocolType: 'string'
    }
  ]
  sourceAddresses: [ 'string' ]
  sourceIpGroups: [ 'string' ]
  targetFqdns: [ 'string' ]
  targetUrls: [ 'string' ]
  terminateTLS: bool
  webCategories: [ 'string' ]

For NatRule, use:

  ruleType: 'NatRule'
  destinationAddresses: [ 'string' ]
  destinationPorts: [ 'string' ]
  ipProtocols: [ 'string' ]
  sourceAddresses: [ 'string' ]
  sourceIpGroups: [ 'string' ]
  translatedAddress: 'string'
  translatedFqdn: 'string'
  translatedPort: 'string'

For NetworkRule, use:

  ruleType: 'NetworkRule'
  destinationAddresses: [ 'string' ]
  destinationFqdns: [ 'string' ]
  destinationIpGroups: [ 'string' ]
  destinationPorts: [ 'string' ]
  ipProtocols: [ 'string' ]
  sourceAddresses: [ 'string' ]
  sourceIpGroups: [ 'string' ]
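
The following Bicep is an added example, not part of the original reference: it combines the three object levels above into one rule collection group holding a Deny network rule collection and an Allow application rule collection. The policy name, resource names, address range, FQDN and priority values are constructed placeholders.

```bicep
resource policy 'Microsoft.Network/firewallPolicies@2020-07-01' existing = {
  name: 'example-policy' // constructed name; the policy is assumed to exist
}

resource egress 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2020-07-01' = {
  parent: policy
  name: 'example-egress' // constructed name
  properties: {
    priority: 200
    ruleCollections: [
      {
        // The Deny collection carries the lower priority number, which is evaluated first.
        name: 'deny-smb-out'
        priority: 100
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: { type: 'Deny' }
        rules: [
          {
            name: 'block-smb'
            ruleType: 'NetworkRule'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.1.0.0/16' ] // constructed spoke range
            destinationAddresses: [ '*' ]
            destinationPorts: [ '445' ]
          }
        ]
      }
      {
        name: 'allow-updates'
        priority: 200
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: { type: 'Allow' }
        rules: [
          {
            name: 'package-mirror'
            ruleType: 'ApplicationRule'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            sourceAddresses: [ '10.1.0.0/16' ]
            targetFqdns: [ 'packages.example.com' ] // constructed FQDN
          }
        ]
      }
    ]
  }
}
```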

Property values

firewallPolicies/ruleCollectionGroups

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Network/firewallPolicies/ruleCollectionGroups' |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | '2020-07-01' |
| name | The resource name. See how to set names and types for child resources in Bicep or JSON ARM templates. | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | parentSymbolicName |
| properties | Properties of the rule collection group. | FirewallPolicyRuleCollectionGroupProperties |

FirewallPolicyRuleCollectionGroupProperties

| Name | Description | Value |
| --- | --- | --- |
| priority | Priority of the Firewall Policy Rule Collection Group resource. | int |
| ruleCollections | Group of Firewall Policy rule collections. | FirewallPolicyRuleCollection[] |

FirewallPolicyRuleCollection

| Name | Description | Value |
| --- | --- | --- |
| name | The name of the rule collection. | string |
| priority | Priority of the Firewall Policy Rule Collection resource. | int |
| ruleCollectionType | Set the object type | FirewallPolicyFilterRuleCollection, FirewallPolicyNatRuleCollection |

FirewallPolicyFilterRuleCollection

| Name | Description | Value |
| --- | --- | --- |
| ruleCollectionType | The type of the rule collection. | 'FirewallPolicyFilterRuleCollection' |
| action | Properties of the FirewallPolicyFilterRuleCollectionAction. | FirewallPolicyFilterRuleCollectionAction |
| rules | List of rules included in a rule collection. | FirewallPolicyRule[] |

FirewallPolicyFilterRuleCollectionAction

| Name | Description | Value |
| --- | --- | --- |
| type | The action type of a rule. | 'Allow', 'Deny' |

FirewallPolicyRule

| Name | Description | Value |
| --- | --- | --- |
| description | Description of the rule. | string |
| name | Name of the rule. | string |
| ruleType | Set the object type | ApplicationRule, NatRule, NetworkRule |

ApplicationRule

| Name | Description | Value |
| --- | --- | --- |
| ruleType | Rule Type. | 'ApplicationRule' |
| destinationAddresses | List of destination IP addresses or Service Tags. | string[] |
| fqdnTags | List of FQDN Tags for this rule. | string[] |
| protocols | Array of Application Protocols. | FirewallPolicyRuleApplicationProtocol[] |
| sourceAddresses | List of source IP addresses for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
| targetFqdns | List of FQDNs for this rule. | string[] |
| targetUrls | List of URLs for this rule condition. | string[] |
| terminateTLS | Terminate TLS connections for this rule. | bool |
| webCategories | List of destination Azure web categories. | string[] |

FirewallPolicyRuleApplicationProtocol

| Name | Description | Value |
| --- | --- | --- |
| port | Port number for the protocol, cannot be greater than 64000. | int |
| protocolType | The application protocol type of a Rule. | 'Http', 'Https' |

NatRule

| Name | Description | Value |
| --- | --- | --- |
| ruleType | Rule Type. | 'NatRule' |
| destinationAddresses | List of destination IP addresses or Service Tags. | string[] |
| destinationPorts | List of destination ports. | string[] |
| ipProtocols | Array of FirewallPolicyRuleNetworkProtocols. | String array containing any of: 'Any', 'ICMP', 'TCP', 'UDP' |
| sourceAddresses | List of source IP addresses for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
| translatedAddress | The translated address for this NAT rule. | string |
| translatedFqdn | The translated FQDN for this NAT rule. | string |
| translatedPort | The translated port for this NAT rule. | string |

NetworkRule

| Name | Description | Value |
| --- | --- | --- |
| ruleType | Rule Type. | 'NetworkRule' |
| destinationAddresses | List of destination IP addresses or Service Tags. | string[] |
| destinationFqdns | List of destination FQDNs. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports. | string[] |
| ipProtocols | Array of FirewallPolicyRuleNetworkProtocols. | String array containing any of: 'Any', 'ICMP', 'TCP', 'UDP' |
| sourceAddresses | List of source IP addresses for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |

FirewallPolicyNatRuleCollection

| Name | Description | Value |
| --- | --- | --- |
| ruleCollectionType | The type of the rule collection. | 'FirewallPolicyNatRuleCollection' |
| action | Properties of the FirewallPolicyNatRuleCollectionAction. | FirewallPolicyNatRuleCollectionAction |
| rules | List of rules included in a rule collection. | FirewallPolicyRule[] |

FirewallPolicyNatRuleCollectionAction

| Name | Description | Value |
| --- | --- | --- |
| type | The action type of a rule. | 'DNAT' |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
| Create a Firewall and FirewallPolicy with Rules and Ipgroups | This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
| Create a Firewall with FirewallPolicy and IpGroups | This template creates an Azure Firewall with FirewallPolicy referencing Network Rules with IpGroups. It also includes a Linux jumpbox VM setup. |
| Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering. |
| Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |