Microsoft.Network FrontDoorWebApplicationFirewallPolicies 2020-11-01

The FrontDoorWebApplicationFirewallPolicies resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'string'
  }
  etag: 'string'
  properties: {
    customRules: {
      rules: [
        {
          action: 'string'
          enabledState: 'string'
          matchConditions: [
            {
              matchValue: [ 'string' ]
              matchVariable: 'string'
              negateCondition: bool
              operator: 'string'
              selector: 'string'
              transforms: [ 'string' ]
            }
          ]
          name: 'string'
          priority: int
          rateLimitDurationInMinutes: int
          rateLimitThreshold: int
          ruleType: 'string'
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          exclusions: [
            {
              matchVariable: 'string'
              selector: 'string'
              selectorMatchOperator: 'string'
            }
          ]
          ruleGroupOverrides: [
            {
              exclusions: [
                {
                  matchVariable: 'string'
                  selector: 'string'
                  selectorMatchOperator: 'string'
                }
              ]
              ruleGroupName: 'string'
              rules: [
                {
                  action: 'string'
                  enabledState: 'string'
                  exclusions: [
                    {
                      matchVariable: 'string'
                      selector: 'string'
                      selectorMatchOperator: 'string'
                    }
                  ]
                  ruleId: 'string'
                }
              ]
            }
          ]
          ruleSetAction: 'string'
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      customBlockResponseBody: 'string'
      customBlockResponseStatusCode: int
      enabledState: 'string'
      mode: 'string'
      redirectUrl: 'string'
      requestBodyCheck: 'string'
    }
  }
}

Property values

FrontDoorWebApplicationFirewallPolicies

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies' |
| apiVersion | The resource api version. For Bicep, set this value in the resource declaration. | '2020-11-01' |
| name | The resource name | string (required) |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| sku | The pricing tier of the web application firewall policy. | Sku |
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| properties | Defines web application firewall policy properties. | WebApplicationFirewallPolicyProperties |

WebApplicationFirewallPolicyProperties

| Name | Description | Value |
| --- | --- | --- |
| customRules | Defines contents of custom rules | CustomRuleList |
| managedRules | Defines the list of managed rule sets for the policy. | ManagedRuleSetList |
| policySettings | Defines top-level WebApplicationFirewallPolicy configuration settings. | PolicySettings |

CustomRuleList

| Name | Description | Value |
| --- | --- | --- |
| rules | List of rules | CustomRule[] |

CustomRule

| Name | Description | Value |
| --- | --- | --- |
| action | Defines the action to take on rule match. | 'Allow', 'Block', 'Log', 'Redirect' |
| enabledState | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled', 'Enabled' |
| matchConditions | List of match conditions. | MatchCondition[] (required) |
| name | Describes the name of the rule. | string |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
| rateLimitDurationInMinutes | Time window for resetting the rate limit count. Default is 1 minute. | int |
| rateLimitThreshold | Number of allowed requests per client within the time window. | int |
| ruleType | Describes type of rule. | 'MatchRule', 'RateLimitRule' |

MatchCondition

| Name | Description | Value |
| --- | --- | --- |
| matchValue | List of possible match values. | string[] (required) |
| matchVariable | Request variable to compare with. | 'Cookies', 'PostArgs', 'QueryString', 'RemoteAddr', 'RequestBody', 'RequestHeader', 'RequestMethod', 'RequestUri', 'SocketAddr' |
| negateCondition | Describes if the result of this condition should be negated. | bool |
| operator | Comparison type to use for matching with the variable value. | 'Any', 'BeginsWith', 'Contains', 'EndsWith', 'Equal', 'GeoMatch', 'GreaterThan', 'GreaterThanOrEqual', 'IPMatch', 'LessThan', 'LessThanOrEqual', 'RegEx' |
| selector | Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. | string |
| transforms | List of transforms. | String array containing any of: 'Lowercase', 'RemoveNulls', 'Trim', 'Uppercase', 'UrlDecode', 'UrlEncode' |

ManagedRuleSetList

| Name | Description | Value |
| --- | --- | --- |
| managedRuleSets | List of rule sets. | ManagedRuleSet[] |

ManagedRuleSet

| Name | Description | Value |
| --- | --- | --- |
| exclusions | Describes the exclusions that are applied to all rules in the set. | ManagedRuleExclusion[] |
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] |
| ruleSetAction | Defines the action to take when a managed rule set score threshold is met. | 'Block', 'Log', 'Redirect' |
| ruleSetType | Defines the rule set type to use. | string (required) |
| ruleSetVersion | Defines the version of the rule set to use. | string (required) |

ManagedRuleExclusion

| Name | Description | Value |
| --- | --- | --- |
| matchVariable | The variable type to be excluded. | 'QueryStringArgNames', 'RequestBodyJsonArgNames', 'RequestBodyPostArgNames', 'RequestCookieNames', 'RequestHeaderNames' |
| selector | Selector value for which elements in the collection this exclusion applies to. | string (required) |
| selectorMatchOperator | Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. | 'Contains', 'EndsWith', 'Equals', 'EqualsAny', 'StartsWith' |

ManagedRuleGroupOverride

| Name | Description | Value |
| --- | --- | --- |
| exclusions | Describes the exclusions that are applied to all rules in the group. | ManagedRuleExclusion[] |
| ruleGroupName | Describes the managed rule group to override. | string (required) |
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] |

ManagedRuleOverride

| Name | Description | Value |
| --- | --- | --- |
| action | Defines the action to take on rule match. | 'Allow', 'Block', 'Log', 'Redirect' |
| enabledState | Describes if the managed rule is in enabled or disabled state. | 'Disabled', 'Enabled' |
| exclusions | Describes the exclusions that are applied to this specific rule. | ManagedRuleExclusion[] |
| ruleId | Identifier for the managed rule. | string (required) |

PolicySettings

| Name | Description | Value |
| --- | --- | --- |
| customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string |
| customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int |
| enabledState | Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled', 'Enabled' |
| mode | Describes if it is in detection mode or prevention mode at policy level. | 'Detection', 'Prevention' |
| redirectUrl | If action type is redirect, this field represents redirect URL for the client. | string |
| requestBodyCheck | Describes if policy managed rules will inspect the request body content. | 'Disabled', 'Enabled' |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | Name of the pricing tier. | 'Classic_AzureFrontDoor', 'Premium_AzureFrontDoor', 'Standard_AzureFrontDoor' |
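
A worked policy using the schema above, added here as an illustration and not taken from the original page: it runs the policy in Prevention mode with request body inspection, and scopes an exclusion to a single managed rule instead of the whole rule set or rule group. The resource name, the rule set types and versions, the rule group name, the rule ID and the cookie name are assumptions.

```bicep
// Added example. The name, rule set types/versions, rule group, rule ID and cookie are assumptions.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01' = {
  name: 'exampleWafPolicy' // hypothetical policy name
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention' // policy-level mode: the alternative is 'Detection'
      requestBodyCheck: 'Enabled' // managed rules inspect the request body content
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '1.1'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'SQLI'
              // List the rule explicitly: an override with no 'rules'
              // entries disables every rule in the group.
              rules: [
                {
                  ruleId: '942100'
                  enabledState: 'Enabled' // stated explicitly so the rule stays active
                  action: 'Block'
                  exclusions: [
                    {
                      // Narrowest scope: one cookie, for this one rule only.
                      matchVariable: 'RequestCookieNames'
                      selectorMatchOperator: 'Equals'
                      selector: 'session_blob' // hypothetical cookie name
                    }
                  ]
                }
              ]
            }
          ]
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
  }
}
```

Placing the exclusion under a single ManagedRuleOverride keeps every other rule in the group evaluating that cookie; the same exclusion at ManagedRuleSet level would apply to all rules in the set.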

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create Azure Front Door in front of Azure API Management | This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management. |
| Create WAF Geo Filtering rule for Azure Front Door endpoint | This template creates a WAF geo filtering rule for Azure Front Door that allows/blocks traffic from certain countries. |
| Configure WAF managed defaultRuleSet for Azure Front Door | This template configures WAF managed defaultRuleSet for Azure Front Door. |
| Front Door Premium with WAF and Microsoft-managed rule sets | This template creates a Front Door Premium (Preview) including a web application firewall with the Microsoft-managed default and bot protection rule sets. |
| Configure WAF rate limiting rule for Azure Front Door endpoint | This template configures a WAF rule for Azure Front Door to rate limit incoming traffic for a given frontend host. |
| Front Door Standard/Premium with geo-filtering | This template creates a Front Door Standard/Premium (Preview) including a web application firewall with a geo-filtering rule. |
| Front Door Standard/Premium with rate limit | This template creates a Front Door Standard/Premium (Preview) including a web application firewall with a rate limit rule. |
| Front Door Standard/Premium with WAF and custom rule | This template creates a Front Door Standard/Premium (Preview) including a web application firewall with a custom rule. |
| Configure WAF client IP restriction for Azure Front Door | This template configures WAF client IP restriction for Azure Front Door endpoint. |
| Configure WAF rules with http parameters for Front Door | This template configures WAF custom rules based on specific http parameters for Azure Front Door endpoint. |