Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies

Template format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2020-06-01",
  "location": "string",
  "tags": {},
  "properties": {
    "policySettings": {
      "state": "string",
      "mode": "string",
      "requestBodyCheck": "boolean",
      "maxRequestBodySizeInKb": "integer",
      "fileUploadLimitInMb": "integer"
    },
    "customRules": [
      {
        "name": "string",
        "priority": "integer",
        "ruleType": "string",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "string",
                "selector": "string"
              }
            ],
            "operator": "string",
            "negationConditon": "boolean",
            "matchValues": [
              "string"
            ],
            "transforms": [
              "string"
            ]
          }
        ],
        "action": "string"
      }
    ],
    "managedRules": {
      "exclusions": [
        {
          "matchVariable": "string",
          "selectorMatchOperator": "string",
          "selector": "string"
        }
      ],
      "managedRuleSets": [
        {
          "ruleSetType": "string",
          "ruleSetVersion": "string",
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "string",
              "rules": [
                {
                  "ruleId": "string",
                  "state": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | The name of the policy. Max length: 128 |
| type | enum | Yes | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies |
| apiVersion | enum | Yes | 2020-06-01 |
| location | string | Yes | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | Yes | Properties of the web application firewall policy. - WebApplicationFirewallPolicyPropertiesFormat object |

WebApplicationFirewallPolicyPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| policySettings | object | No | The PolicySettings for policy. - PolicySettings object |
| customRules | array | No | The custom rules inside the policy. - WebApplicationFirewallCustomRule object |
| managedRules | object | Yes | Describes the managedRules structure. - ManagedRulesDefinition object |

PolicySettings object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| state | enum | No | The state of the policy. - Disabled or Enabled |
| mode | enum | No | The mode of the policy. - Prevention or Detection |
| requestBodyCheck | boolean | No | Whether to allow WAF to check the request body. |
| maxRequestBodySizeInKb | integer | No | Maximum request body size in Kb for WAF. |
| fileUploadLimitInMb | integer | No | Maximum file upload size in Mb for WAF. |

WebApplicationFirewallCustomRule object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | No | The name of the resource that is unique within a policy. This name can be used to access the resource. |
| priority | integer | Yes | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. |
| ruleType | enum | Yes | The rule type. - MatchRule or Invalid |
| matchConditions | array | Yes | List of match conditions. - MatchCondition object |
| action | enum | Yes | Type of action. - Allow, Block, Log |

ManagedRulesDefinition object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| exclusions | array | No | The Exclusions that are applied on the policy. - OwaspCrsExclusionEntry object |
| managedRuleSets | array | Yes | The managed rule sets that are associated with the policy. - ManagedRuleSet object |

MatchCondition object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| matchVariables | array | Yes | List of match variables. - MatchVariable object |
| operator | enum | Yes | The operator to be matched. - IPMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith, Regex, GeoMatch |
| negationConditon | boolean | No | Whether this is a negated condition. |
| matchValues | array | Yes | Match value. - string |
| transforms | array | No | List of transforms. - Lowercase, Trim, UrlDecode, UrlEncode, RemoveNulls, HtmlEntityDecode |

OwaspCrsExclusionEntry object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| matchVariable | enum | Yes | The variable to be excluded. - RequestHeaderNames, RequestCookieNames, RequestArgNames |
| selectorMatchOperator | enum | Yes | When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. - Equals, Contains, StartsWith, EndsWith, EqualsAny |
| selector | string | Yes | When matchVariable is a collection, the value the operator uses to specify which elements in the collection this exclusion applies to. |

ManagedRuleSet object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| ruleSetType | string | Yes | Defines the rule set type to use. |
| ruleSetVersion | string | Yes | Defines the version of the rule set to use. |
| ruleGroupOverrides | array | No | Defines the rule group overrides to apply to the rule set. - ManagedRuleGroupOverride object |

MatchVariable object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| variableName | enum | Yes | Match Variable. - RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody, RequestCookies |
| selector | string | No | The selector of match variable. |

ManagedRuleGroupOverride object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| ruleGroupName | string | Yes | The managed rule group to override. |
| rules | array | No | List of rules that will be disabled. If none specified, all rules in the group will be disabled. - ManagedRuleOverride object |

ManagedRuleOverride object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| ruleId | string | Yes | Identifier for the managed rule. |
| state | enum | No | The state of the managed rule. Defaults to Disabled if not specified. - Disabled |
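
The following Python audit is an added example, not part of the original reference or of Microsoft's tooling. It loads a constructed policy resource and reports settings from the tables above that weaken the policy: policySettings values that differ from a review baseline, a ruleGroupOverrides entry with no rules (which disables the whole group), and individually disabled rules; it also lists custom rules in evaluation order. The policy name, location, IP range, rule set type and version, rule group names, rule ID and the baseline itself are sample values assumed for this example.

```python
import json

# Constructed sample resource following the schema on this page; all values are illustrative.
POLICY = json.loads("""
{
  "name": "example-waf-policy",
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2020-06-01",
  "location": "westeurope",
  "properties": {
    "policySettings": {"state": "Enabled", "mode": "Detection", "requestBodyCheck": false},
    "customRules": [
      {"name": "LogNonGet", "priority": 50, "ruleType": "MatchRule", "action": "Log",
       "matchConditions": [{"matchVariables": [{"variableName": "RequestMethod"}],
         "operator": "Equal", "negationConditon": true, "matchValues": ["GET"]}]},
      {"name": "AllowOfficeRange", "priority": 10, "ruleType": "MatchRule", "action": "Allow",
       "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
         "operator": "IPMatch", "matchValues": ["203.0.113.0/24"]}]}
    ],
    "managedRules": {"managedRuleSets": [{
      "ruleSetType": "OWASP", "ruleSetVersion": "3.1",
      "ruleGroupOverrides": [
        {"ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI"},
        {"ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT", "rules": [{"ruleId": "920300"}]}
      ]}]}
  }
}
""")

# Settings this example expects to be pinned explicitly (a review baseline assumed here).
EXPECTED = (("state", "Enabled"), ("mode", "Prevention"), ("requestBodyCheck", True))

def audit(policy):
    """Return (findings, custom rules in evaluation order) for one policy resource."""
    props = policy.get("properties", {})
    settings = props.get("policySettings", {})
    findings = [f"policySettings.{k}={settings.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED if settings.get(k) != v]
    for rule_set in props.get("managedRules", {}).get("managedRuleSets", []):
        for group in rule_set.get("ruleGroupOverrides", []):
            rules = group.get("rules") or []
            if not rules:  # no rules listed means the whole group is disabled
                findings.append(f"group disabled: {group['ruleGroupName']}")
            findings += [f"rule disabled: {r['ruleId']}" for r in rules]
    # Rules with a lower priority value are evaluated first.
    ordered = sorted(props.get("customRules", []), key=lambda r: r["priority"])
    return findings, [f"{r['priority']} {r['action']} {r['name']}" for r in ordered]
```

Calling audit(POLICY) returns the findings list and the ordered custom rules; an empty findings list means the resource matches the assumed baseline and carries no managed-rule overrides.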

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create an Azure WAF v2 on Azure Application Gateway | This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool. |