Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies 2020-08-01

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2020-08-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    customRules: [
      {
        action: 'string'
        matchConditions: [
          {
            matchValues: [ 'string' ]
            matchVariables: [
              {
                selector: 'string'
                variableName: 'string'
              }
            ]
            negationConditon: bool
            operator: 'string'
            transforms: [ 'string' ]
          }
        ]
        name: 'string'
        priority: int
        ruleType: 'string'
      }
    ]
    managedRules: {
      exclusions: [
        {
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
        }
      ]
      managedRuleSets: [
        {
          ruleGroupOverrides: [
            {
              ruleGroupName: 'string'
              rules: [
                {
                  ruleId: 'string'
                  state: 'Disabled'
                }
              ]
            }
          ]
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      fileUploadLimitInMb: int
      maxRequestBodySizeInKb: int
      mode: 'string'
      requestBodyCheck: bool
      state: 'string'
    }
  }
}

Property values

ApplicationGatewayWebApplicationFirewallPolicies

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies' |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | '2020-08-01' |
| name | The resource name | string (required) |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| properties | Defines web application firewall policy properties. | WebApplicationFirewallPolicyPropertiesFormat |

WebApplicationFirewallPolicyPropertiesFormat

| Name | Description | Value |
| --- | --- | --- |
| customRules | The custom rules inside the policy. | WebApplicationFirewallCustomRule[] |
| managedRules | Allow to exclude some variable satisfy the condition for the WAF check. | ManagedRulesDefinition (required) |
| policySettings | Defines contents of a web application firewall global configuration. | PolicySettings |

WebApplicationFirewallCustomRule

| Name | Description | Value |
| --- | --- | --- |
| action | Type of Actions. | 'Allow', 'Block', 'Log' |
| matchConditions | List of match conditions. | MatchCondition[] (required) |
| name | The name of the resource that is unique within a policy. This name can be used to access the resource. | string |
| priority | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
| ruleType | The rule type. | 'Invalid', 'MatchRule' |

MatchCondition

| Name | Description | Value |
| --- | --- | --- |
| matchValues | Match value. | string[] (required) |
| matchVariables | List of match variables. | MatchVariable[] (required) |
| negationConditon | Whether this is a negated condition or not. | bool |
| operator | The operator to be matched. | 'BeginsWith', 'Contains', 'EndsWith', 'Equal', 'GeoMatch', 'GreaterThan', 'GreaterThanOrEqual', 'IPMatch', 'LessThan', 'LessThanOrEqual', 'Regex' |
| transforms | List of transforms. | String array containing any of: 'HtmlEntityDecode', 'Lowercase', 'RemoveNulls', 'Trim', 'UrlDecode', 'UrlEncode' |

MatchVariable

| Name | Description | Value |
| --- | --- | --- |
| selector | The selector of match variable. | string |
| variableName | Match Variable. | 'PostArgs', 'QueryString', 'RemoteAddr', 'RequestBody', 'RequestCookies', 'RequestHeaders', 'RequestMethod', 'RequestUri' |

ManagedRulesDefinition

| Name | Description | Value |
| --- | --- | --- |
| exclusions | The Exclusions that are applied on the policy. | OwaspCrsExclusionEntry[] |
| managedRuleSets | The managed rule sets that are associated with the policy. | ManagedRuleSet[] (required) |

OwaspCrsExclusionEntry

| Name | Description | Value |
| --- | --- | --- |
| matchVariable | The variable to be excluded. | 'RequestArgNames', 'RequestCookieNames', 'RequestHeaderNames' |
| selector | When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. | string (required) |
| selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. | 'Contains', 'EndsWith', 'Equals', 'EqualsAny', 'StartsWith' |

ManagedRuleSet

| Name | Description | Value |
| --- | --- | --- |
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] |
| ruleSetType | Defines the rule set type to use. | string (required) |
| ruleSetVersion | Defines the version of the rule set to use. | string (required) |

ManagedRuleGroupOverride

| Name | Description | Value |
| --- | --- | --- |
| ruleGroupName | The managed rule group to override. | string (required) |
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] |

ManagedRuleOverride

| Name | Description | Value |
| --- | --- | --- |
| ruleId | Identifier for the managed rule. | string (required) |
| state | The state of the managed rule. Defaults to Disabled if not specified. | 'Disabled' |

PolicySettings

| Name | Description | Value |
| --- | --- | --- |
| fileUploadLimitInMb | Maximum file upload size in MB for WAF. | int |
| maxRequestBodySizeInKb | Maximum request body size in KB for WAF. | int |
| mode | The mode of the policy. | 'Detection', 'Prevention' |
| requestBodyCheck | Whether to allow WAF to check request Body. | bool |
| state | The state of the policy. | 'Disabled', 'Enabled' |
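
A filled-in policy using the properties documented above, added here as an example (it is not one of the quickstart templates and not Microsoft's own code). The policy name, the `/admin` path, the 203.0.113.0/24 allowlist range, the OWASP 3.1 rule set and the choice of rule 920300 to disable are assumptions for illustration.

```bicep
// Added example: enforcing WAF policy with one custom rule and one tuned managed rule.
// Names, path, CIDR range and the overridden rule are illustrative assumptions.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2020-08-01' = {
  name: 'example-waf-policy'
  location: resourceGroup().location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // 'Detection' logs matches without blocking them
      requestBodyCheck: true
    }
    customRules: [
      {
        name: 'BlockAdminOutsideAllowlist'
        priority: 10 // lower values are evaluated first
        ruleType: 'MatchRule'
        action: 'Block'
        // Conditions in one rule are ANDed: admin path AND source not in the allowlist.
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            transforms: [ 'Lowercase' ] // so '/Admin' and '/ADMIN' also match
            matchValues: [ '/admin' ]
          }
          {
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'IPMatch'
            negationConditon: true // spelled this way in the schema
            matchValues: [ '203.0.113.0/24' ]
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.1'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'REQUEST-920-PROTOCOL-ENFORCEMENT'
              // Always list rules explicitly: an empty list disables the whole group.
              rules: [ { ruleId: '920300', state: 'Disabled' } ]
            }
          ]
        }
      ]
    }
  }
}
```

When reviewing an existing policy, the settings that silently weaken it are `mode: 'Detection'`, `state: 'Disabled'`, `requestBodyCheck: false`, and any `ruleGroupOverrides` entry with no `rules` list.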

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create an Azure WAF v2 on Azure Application Gateway | This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool |
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
| Front Door Standard/Premium with Application Gateway origin | This template creates a Front Door Standard/Premium (Preview) and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin. |
| Front Door with Container Instances and Application Gateway | This template creates a Front Door Standard/Premium (Preview) with a container group and Application Gateway. |