Microsoft.Network azureFirewalls

Bicep resource definition

The azureFirewalls resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/azureFirewalls resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/azureFirewalls@2023-04-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    additionalProperties: {}
    applicationRuleCollections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          action: {
            type: 'string'
          }
          priority: int
          rules: [
            {
              description: 'string'
              fqdnTags: [
                'string'
              ]
              name: 'string'
              protocols: [
                {
                  port: int
                  protocolType: 'string'
                }
              ]
              sourceAddresses: [
                'string'
              ]
              sourceIpGroups: [
                'string'
              ]
              targetFqdns: [
                'string'
              ]
            }
          ]
        }
      }
    ]
    firewallPolicy: {
      id: 'string'
    }
    hubIPAddresses: {
      privateIPAddress: 'string'
      publicIPs: {
        addresses: [
          {
            address: 'string'
          }
        ]
        count: int
      }
    }
    ipConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    managementIpConfiguration: {
      id: 'string'
      name: 'string'
      properties: {
        publicIPAddress: {
          id: 'string'
        }
        subnet: {
          id: 'string'
        }
      }
    }
    natRuleCollections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          action: {
            type: 'string'
          }
          priority: int
          rules: [
            {
              description: 'string'
              destinationAddresses: [
                'string'
              ]
              destinationPorts: [
                'string'
              ]
              name: 'string'
              protocols: [
                'string'
              ]
              sourceAddresses: [
                'string'
              ]
              sourceIpGroups: [
                'string'
              ]
              translatedAddress: 'string'
              translatedFqdn: 'string'
              translatedPort: 'string'
            }
          ]
        }
      }
    ]
    networkRuleCollections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          action: {
            type: 'string'
          }
          priority: int
          rules: [
            {
              description: 'string'
              destinationAddresses: [
                'string'
              ]
              destinationFqdns: [
                'string'
              ]
              destinationIpGroups: [
                'string'
              ]
              destinationPorts: [
                'string'
              ]
              name: 'string'
              protocols: [
                'string'
              ]
              sourceAddresses: [
                'string'
              ]
              sourceIpGroups: [
                'string'
              ]
            }
          ]
        }
      }
    ]
    sku: {
      name: 'string'
      tier: 'string'
    }
    threatIntelMode: 'string'
    virtualHub: {
      id: 'string'
    }
  }
  zones: [
    'string'
  ]
}

Property values

azureFirewalls

Name Description Value
name The resource name string (required)

Character limit: 1-80

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End with alphanumeric or underscore.
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
properties Properties of the azure firewall. AzureFirewallPropertiesFormat
zones A list of availability zones denoting where the resource needs to come from. string[]

AzureFirewallPropertiesFormat

Name Description Value
additionalProperties The additional properties used to further configure this azure firewall. object
applicationRuleCollections Collection of application rule collections used by Azure Firewall. AzureFirewallApplicationRuleCollection[]
firewallPolicy The firewallPolicy associated with this azure firewall. SubResource
hubIPAddresses IP addresses associated with AzureFirewall. HubIPAddresses
ipConfigurations IP configuration of the Azure Firewall resource. AzureFirewallIPConfiguration[]
managementIpConfiguration IP configuration of the Azure Firewall used for management traffic. AzureFirewallIPConfiguration
natRuleCollections Collection of NAT rule collections used by Azure Firewall. AzureFirewallNatRuleCollection[]
networkRuleCollections Collection of network rule collections used by Azure Firewall. AzureFirewallNetworkRuleCollection[]
sku The Azure Firewall Resource SKU. AzureFirewallSku
threatIntelMode The operation mode for Threat Intelligence. 'Alert'
'Deny'
'Off'
virtualHub The virtualHub to which the firewall belongs. SubResource

AzureFirewallApplicationRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall application rule collection. AzureFirewallApplicationRuleCollectionPropertiesForm...

AzureFirewallApplicationRuleCollectionPropertiesForm...

Name Description Value
action The action type of a rule collection. AzureFirewallRCAction
priority Priority of the application rule collection resource. int
rules Collection of rules used by an application rule collection. AzureFirewallApplicationRule[]

AzureFirewallRCAction

Name Description Value
type The type of action. 'Allow'
'Deny'

AzureFirewallApplicationRule

Name Description Value
description Description of the rule. string
fqdnTags List of FQDN Tags for this rule. string[]
name Name of the application rule. string
protocols Array of ApplicationRuleProtocols. AzureFirewallApplicationRuleProtocol[]
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]
targetFqdns List of FQDNs for this rule. string[]

AzureFirewallApplicationRuleProtocol

Name Description Value
port Port number for the protocol, cannot be greater than 64000. This field is optional. int
protocolType Protocol type. 'Http'
'Https'
'Mssql'

SubResource

Name Description Value
id Resource ID. string

HubIPAddresses

Name Description Value
privateIPAddress Private IP Address associated with azure firewall. string
publicIPs Public IP addresses associated with azure firewall. HubPublicIPAddresses

HubPublicIPAddresses

Name Description Value
addresses The list of Public IP addresses associated with azure firewall or IP addresses to be retained. AzureFirewallPublicIPAddress[]
count The number of Public IP addresses associated with azure firewall. int

AzureFirewallPublicIPAddress

Name Description Value
address Public IP Address value. string

AzureFirewallIPConfiguration

Name Description Value
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the azure firewall IP configuration. AzureFirewallIPConfigurationPropertiesFormat

AzureFirewallIPConfigurationPropertiesFormat

Name Description Value
publicIPAddress Reference to the PublicIP resource. This field is a mandatory input if subnet is not null. SubResource
subnet Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'. SubResource

AzureFirewallNatRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall NAT rule collection. AzureFirewallNatRuleCollectionProperties

AzureFirewallNatRuleCollectionProperties

Name Description Value
action The action type of a NAT rule collection. AzureFirewallNatRCAction
priority Priority of the NAT rule collection resource. int
rules Collection of rules used by a NAT rule collection. AzureFirewallNatRule[]

AzureFirewallNatRCAction

Name Description Value
type The type of action. 'Dnat'
'Snat'

AzureFirewallNatRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags. string[]
destinationPorts List of destination ports. string[]
name Name of the NAT rule. string
protocols Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule. String array containing any of:
'Any'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]
translatedAddress The translated address for this NAT rule. string
translatedFqdn The translated FQDN for this NAT rule. string
translatedPort The translated port for this NAT rule. string

AzureFirewallNetworkRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall network rule collection. AzureFirewallNetworkRuleCollectionPropertiesFormat

AzureFirewallNetworkRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection. AzureFirewallRCAction
priority Priority of the network rule collection resource. int
rules Collection of rules used by a network rule collection. AzureFirewallNetworkRule[]

AzureFirewallNetworkRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses. string[]
destinationFqdns List of destination FQDNs. string[]
destinationIpGroups List of destination IpGroups for this rule. string[]
destinationPorts List of destination ports. string[]
name Name of the network rule. string
protocols Array of AzureFirewallNetworkRuleProtocols. String array containing any of:
'Any'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]

AzureFirewallSku

Name Description Value
name Name of an Azure Firewall SKU. 'AZFW_Hub'
'AZFW_VNet'
tier Tier of an Azure Firewall. 'Basic'
'Premium'
'Standard'
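The reference above lists the properties in isolation; the following Bicep is an added example (not code from this reference page or from any of the quickstart templates) that ties them together into a VNet-deployed firewall whose rule set starts from deny-all and opens only what is named. It follows the constraints stated in the tables: the firewall subnet is named AzureFirewallSubnet, every ipConfiguration that has a subnet also has a public IP, threatIntelMode is set to 'Deny' rather than the default alert-only mode, and the DNAT rule is scoped to a specific source range instead of '*'. All names, address ranges, the Azure DNS resolver address, the partner range 203.0.113.0/24 and the internal web server IP are assumptions for illustration.

```bicep
// Added example: minimal Azure Firewall (AZFW_VNet, Standard tier) with one
// rule of each kind. Names and address ranges are assumptions, not from the page.
param location string = resourceGroup().location
param firewallName string = 'fw-hub-example'
param workloadPrefix string = '10.1.0.0/24'   // assumed spoke/workload range
param webServerIp string = '10.1.0.4'         // assumed internal host behind DNAT
param partnerPrefix string = '203.0.113.0/24' // assumed external client range for DNAT

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-hub-example'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        // The firewall's subnet must be named AzureFirewallSubnet (see the subnet property).
        name: 'AzureFirewallSubnet'
        properties: { addressPrefix: '10.0.1.0/26' }
      }
    ]
  }
}

// Zone-capable firewalls need a Standard, static public IP.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-${firewallName}'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-04-01' = {
  name: firewallName
  location: location
  zones: [ '1', '2', '3' ]
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Deny' // block known-malicious IPs/FQDNs instead of only alerting
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id } // mandatory when subnet is set
        }
      }
    ]
    networkRuleCollections: [
      {
        name: 'allow-dns'
        properties: {
          priority: 100 // lower value is evaluated first; collections of one type do not overlap
          action: { type: 'Allow' }
          rules: [
            {
              name: 'dns-to-azure-resolver'
              protocols: [ 'UDP', 'TCP' ]
              sourceAddresses: [ workloadPrefix ]
              destinationAddresses: [ '168.63.129.16' ] // assumed: Azure-provided DNS
              destinationPorts: [ '53' ]
            }
          ]
        }
      }
    ]
    applicationRuleCollections: [
      {
        name: 'allow-microsoft-updates'
        properties: {
          priority: 200
          action: { type: 'Allow' }
          rules: [
            {
              name: 'microsoft-https'
              protocols: [ { protocolType: 'Https', port: 443 } ]
              sourceAddresses: [ workloadPrefix ]
              targetFqdns: [ '*.microsoft.com' ] // assumed allow-list
            }
          ]
        }
      }
    ]
    natRuleCollections: [
      {
        name: 'dnat-web'
        properties: {
          priority: 100
          action: { type: 'Dnat' }
          rules: [
            {
              name: 'https-to-web'
              protocols: [ 'TCP' ]
              sourceAddresses: [ partnerPrefix ] // never '*' for an inbound DNAT
              destinationAddresses: [ fwPip.properties.ipAddress ]
              destinationPorts: [ '443' ]
              translatedAddress: webServerIp
              translatedPort: '443'
            }
          ]
        }
      }
    ]
  }
}

// Next-hop address for the UDR that sends workload traffic through the firewall.
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
```

Because nothing in the example allows traffic that is not listed, anything else from the workload range is dropped; the usual first symptom of a missing rule is a failing outbound connection, so add rules deliberately rather than falling back to a '*' source or 'Any' protocol. Forced tunneling is not shown: it needs a second ipConfiguration on a subnet named AzureFirewallManagementSubnet, passed as managementIpConfiguration, in addition to the data-path configuration above.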

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description

Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology
This sample shows how to deploy a hub-spoke topology in Azure using Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering.

Create sandbox of Azure Firewall, client VM, and server VM
This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), a server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall.

Create a Firewall and FirewallPolicy with Rules and Ipgroups
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules.

Create a Firewall, FirewallPolicy with Explicit Proxy
This template creates an Azure Firewall, FirewallPolicy with Explicit Proxy and Network Rules with IpGroups. Also includes a Linux jumpbox VM setup.

Create a Firewall with FirewallPolicy and IpGroups
This template creates an Azure Firewall with FirewallPolicy referencing Network Rules with IpGroups. Also includes a Linux jumpbox VM setup.

Create an Azure Firewall with IpGroups
This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also includes a Linux jumpbox VM setup.

Create an Azure Firewall with Availability Zones
This template creates an Azure Firewall with Availability Zones and any number of Public IPs in a virtual network and sets up 1 sample application rule and 1 sample network rule.

Create an Azure Firewall sandbox with forced tunneling
This template creates an Azure Firewall sandbox (Linux) with one firewall force-tunneled through another firewall in a peered VNet.

Testing environment for Azure Firewall Premium
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Detection and Prevention System (IDPS), TLS inspection and Web Category filtering.

Create a sandbox setup of Azure Firewall with Linux VMs
This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR pointing to Azure Firewall for the server subnet, and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges.

Create a sandbox setup with Firewall Policy
This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR pointing to Azure Firewall for the server subnet, and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall Policy with 1 sample application rule, 1 sample network rule and default private ranges.

Create a sandbox setup of Azure Firewall with Zones
This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, a server VM, a UDR pointing to Azure Firewall for the ServerSubnet, an Azure Firewall with one or more Public IP addresses, one sample application rule, one sample network rule, and Azure Firewall in Availability Zones 1, 2, and 3.

Create an Azure Firewall with multiple public IP addresses
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.

Secured virtual hubs
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.

Azure Virtual WAN Routing Intent and Policies
This template provisions an Azure Virtual WAN with two hubs with the Routing Intent and Policies feature enabled.

ARM template resource definition

The azureFirewalls resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/azureFirewalls resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2023-04-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "additionalProperties": {},
    "applicationRuleCollections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "action": {
            "type": "string"
          },
          "priority": "int",
          "rules": [
            {
              "description": "string",
              "fqdnTags": [ "string" ],
              "name": "string",
              "protocols": [
                {
                  "port": "int",
                  "protocolType": "string"
                }
              ],
              "sourceAddresses": [ "string" ],
              "sourceIpGroups": [ "string" ],
              "targetFqdns": [ "string" ]
            }
          ]
        }
      }
    ],
    "firewallPolicy": {
      "id": "string"
    },
    "hubIPAddresses": {
      "privateIPAddress": "string",
      "publicIPs": {
        "addresses": [
          {
            "address": "string"
          }
        ],
        "count": "int"
      }
    },
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "managementIpConfiguration": {
      "id": "string",
      "name": "string",
      "properties": {
        "publicIPAddress": {
          "id": "string"
        },
        "subnet": {
          "id": "string"
        }
      }
    },
    "natRuleCollections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "action": {
            "type": "string"
          },
          "priority": "int",
          "rules": [
            {
              "description": "string",
              "destinationAddresses": [ "string" ],
              "destinationPorts": [ "string" ],
              "name": "string",
              "protocols": [ "string" ],
              "sourceAddresses": [ "string" ],
              "sourceIpGroups": [ "string" ],
              "translatedAddress": "string",
              "translatedFqdn": "string",
              "translatedPort": "string"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "action": {
            "type": "string"
          },
          "priority": "int",
          "rules": [
            {
              "description": "string",
              "destinationAddresses": [ "string" ],
              "destinationFqdns": [ "string" ],
              "destinationIpGroups": [ "string" ],
              "destinationPorts": [ "string" ],
              "name": "string",
              "protocols": [ "string" ],
              "sourceAddresses": [ "string" ],
              "sourceIpGroups": [ "string" ]
            }
          ]
        }
      }
    ],
    "sku": {
      "name": "string",
      "tier": "string"
    },
    "threatIntelMode": "string",
    "virtualHub": {
      "id": "string"
    }
  },
  "zones": [ "string" ]
}

Property values

azureFirewalls

Name Description Value
type The resource type 'Microsoft.Network/azureFirewalls'
apiVersion The resource api version '2023-04-01'
name The resource name string (required)

Character limit: 1-80

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End with alphanumeric or underscore.
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
properties Properties of the azure firewall. AzureFirewallPropertiesFormat
zones A list of availability zones denoting where the resource needs to come from. string[]

AzureFirewallPropertiesFormat

Name Description Value
additionalProperties The additional properties used to further configure this azure firewall. object
applicationRuleCollections Collection of application rule collections used by Azure Firewall. AzureFirewallApplicationRuleCollection[]
firewallPolicy The firewallPolicy associated with this azure firewall. SubResource
hubIPAddresses IP addresses associated with AzureFirewall. HubIPAddresses
ipConfigurations IP configuration of the Azure Firewall resource. AzureFirewallIPConfiguration[]
managementIpConfiguration IP configuration of the Azure Firewall used for management traffic. AzureFirewallIPConfiguration
natRuleCollections Collection of NAT rule collections used by Azure Firewall. AzureFirewallNatRuleCollection[]
networkRuleCollections Collection of network rule collections used by Azure Firewall. AzureFirewallNetworkRuleCollection[]
sku The Azure Firewall Resource SKU. AzureFirewallSku
threatIntelMode The operation mode for Threat Intelligence. 'Alert'
'Deny'
'Off'
virtualHub The virtualHub to which the firewall belongs. SubResource

AzureFirewallApplicationRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall application rule collection. AzureFirewallApplicationRuleCollectionPropertiesForm...

AzureFirewallApplicationRuleCollectionPropertiesForm...

Name Description Value
action The action type of a rule collection. AzureFirewallRCAction
priority Priority of the application rule collection resource. int
rules Collection of rules used by an application rule collection. AzureFirewallApplicationRule[]

AzureFirewallRCAction

Name Description Value
type The type of action. 'Allow'
'Deny'

AzureFirewallApplicationRule

Name Description Value
description Description of the rule. string
fqdnTags List of FQDN Tags for this rule. string[]
name Name of the application rule. string
protocols Array of ApplicationRuleProtocols. AzureFirewallApplicationRuleProtocol[]
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]
targetFqdns List of FQDNs for this rule. string[]

AzureFirewallApplicationRuleProtocol

Name Description Value
port Port number for the protocol, cannot be greater than 64000. This field is optional. int
protocolType Protocol type. 'Http'
'Https'
'Mssql'

SubResource

Name Description Value
id Resource ID. string

HubIPAddresses

Name Description Value
privateIPAddress Private IP Address associated with azure firewall. string
publicIPs Public IP addresses associated with azure firewall. HubPublicIPAddresses

HubPublicIPAddresses

Name Description Value
addresses The list of Public IP addresses associated with azure firewall or IP addresses to be retained. AzureFirewallPublicIPAddress[]
count The number of Public IP addresses associated with azure firewall. int

AzureFirewallPublicIPAddress

Name Description Value
address Public IP Address value. string

AzureFirewallIPConfiguration

Name Description Value
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the azure firewall IP configuration. AzureFirewallIPConfigurationPropertiesFormat

AzureFirewallIPConfigurationPropertiesFormat

Name Description Value
publicIPAddress Reference to the PublicIP resource. This field is a mandatory input if subnet is not null. SubResource
subnet Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'. SubResource

AzureFirewallNatRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall NAT rule collection. AzureFirewallNatRuleCollectionProperties

AzureFirewallNatRuleCollectionProperties

Name Description Value
action The action type of a NAT rule collection. AzureFirewallNatRCAction
priority Priority of the NAT rule collection resource. int
rules Collection of rules used by a NAT rule collection. AzureFirewallNatRule[]

AzureFirewallNatRCAction

Name Description Value
type The type of action. 'Dnat'
'Snat'

AzureFirewallNatRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags. string[]
destinationPorts List of destination ports. string[]
name Name of the NAT rule. string
protocols Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule. String array containing any of:
'Any'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]
translatedAddress The translated address for this NAT rule. string
translatedFqdn The translated FQDN for this NAT rule. string
translatedPort The translated port for this NAT rule. string

AzureFirewallNetworkRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall network rule collection. AzureFirewallNetworkRuleCollectionPropertiesFormat

AzureFirewallNetworkRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection. AzureFirewallRCAction
priority Priority of the network rule collection resource. int
rules Collection of rules used by a network rule collection. AzureFirewallNetworkRule[]

AzureFirewallNetworkRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses. string[]
destinationFqdns List of destination FQDNs. string[]
destinationIpGroups List of destination IpGroups for this rule. string[]
destinationPorts List of destination ports. string[]
name Name of the network rule. string
protocols Array of AzureFirewallNetworkRuleProtocols. String array containing any of:
'Any'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]

AzureFirewallSku

Name Description Value
name Name of an Azure Firewall SKU. 'AZFW_Hub'
'AZFW_VNet'
tier Tier of an Azure Firewall. 'Basic'
'Premium'
'Standard'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description

Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology
This sample shows how to deploy a hub-spoke topology in Azure using Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering.

Create sandbox of Azure Firewall, client VM, and server VM
This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), a server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall.

Create a Firewall and FirewallPolicy with Rules and Ipgroups
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules.

Create a Firewall, FirewallPolicy with Explicit Proxy
This template creates an Azure Firewall, FirewallPolicy with Explicit Proxy and Network Rules with IpGroups. Also includes a Linux jumpbox VM setup.

Create a Firewall with FirewallPolicy and IpGroups
This template creates an Azure Firewall with FirewallPolicy referencing Network Rules with IpGroups. Also includes a Linux jumpbox VM setup.

Create an Azure Firewall with IpGroups
This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also includes a Linux jumpbox VM setup.

Create an Azure Firewall with Availability Zones
This template creates an Azure Firewall with Availability Zones and any number of Public IPs in a virtual network and sets up 1 sample application rule and 1 sample network rule.

Create an Azure Firewall sandbox with forced tunneling
This template creates an Azure Firewall sandbox (Linux) with one firewall force-tunneled through another firewall in a peered VNet.

Testing environment for Azure Firewall Premium
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Detection and Prevention System (IDPS), TLS inspection and Web Category filtering.

Create a sandbox setup of Azure Firewall with Linux VMs
This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR pointing to Azure Firewall for the server subnet, and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges.

Create a sandbox setup with Firewall Policy
This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR pointing to Azure Firewall for the server subnet, and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall Policy with 1 sample application rule, 1 sample network rule and default private ranges.

Create a sandbox setup of Azure Firewall with Zones
This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, a server VM, a UDR pointing to Azure Firewall for the ServerSubnet, an Azure Firewall with one or more Public IP addresses, one sample application rule, one sample network rule, and Azure Firewall in Availability Zones 1, 2, and 3.

Create an Azure Firewall with multiple public IP addresses
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.

Secured virtual hubs
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.

Azure Virtual WAN Routing Intent and Policies
This template provisions an Azure Virtual WAN with two hubs with the Routing Intent and Policies feature enabled.

Terraform (AzAPI provider) resource definition

The azureFirewalls resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/azureFirewalls resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/azureFirewalls@2023-04-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      additionalProperties = {}
      applicationRuleCollections = [
        {
          id = "string"
          name = "string"
          properties = {
            action = {
              type = "string"
            }
            priority = int
            rules = [
              {
                description = "string"
                fqdnTags = [
                  "string"
                ]
                name = "string"
                protocols = [
                  {
                    port = int
                    protocolType = "string"
                  }
                ]
                sourceAddresses = [
                  "string"
                ]
                sourceIpGroups = [
                  "string"
                ]
                targetFqdns = [
                  "string"
                ]
              }
            ]
          }
        }
      ]
      firewallPolicy = {
        id = "string"
      }
      hubIPAddresses = {
        privateIPAddress = "string"
        publicIPs = {
          addresses = [
            {
              address = "string"
            }
          ]
          count = int
        }
      }
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      managementIpConfiguration = {
        id = "string"
        name = "string"
        properties = {
          publicIPAddress = {
            id = "string"
          }
          subnet = {
            id = "string"
          }
        }
      }
      natRuleCollections = [
        {
          id = "string"
          name = "string"
          properties = {
            action = {
              type = "string"
            }
            priority = int
            rules = [
              {
                description = "string"
                destinationAddresses = [
                  "string"
                ]
                destinationPorts = [
                  "string"
                ]
                name = "string"
                protocols = [
                  "string"
                ]
                sourceAddresses = [
                  "string"
                ]
                sourceIpGroups = [
                  "string"
                ]
                translatedAddress = "string"
                translatedFqdn = "string"
                translatedPort = "string"
              }
            ]
          }
        }
      ]
      networkRuleCollections = [
        {
          id = "string"
          name = "string"
          properties = {
            action = {
              type = "string"
            }
            priority = int
            rules = [
              {
                description = "string"
                destinationAddresses = [
                  "string"
                ]
                destinationFqdns = [
                  "string"
                ]
                destinationIpGroups = [
                  "string"
                ]
                destinationPorts = [
                  "string"
                ]
                name = "string"
                protocols = [
                  "string"
                ]
                sourceAddresses = [
                  "string"
                ]
                sourceIpGroups = [
                  "string"
                ]
              }
            ]
          }
        }
      ]
      sku = {
        name = "string"
        tier = "string"
      }
      threatIntelMode = "string"
      virtualHub = {
        id = "string"
      }
    }
    zones = [
      "string"
    ]
  })
}
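The skeleton above lists every property; the following is an added example (not part of the reference page or of any Microsoft sample) that fills it in for a zone-redundant Standard-tier firewall in a VNet with classic rule collections and Threat Intelligence set to Deny. Every resource ID, address, subnet, FQDN and rule name in it is an assumption made for the example, and the `lifecycle.precondition` block assumes Terraform 1.2 or later. The DNAT rules are held in a local so that the precondition can reject any rule that would publish SSH or RDP to any source before the plan reaches Azure.

```hcl
# Added example, not from the reference page. All IDs, addresses and names are assumptions.
locals {
  rg_id     = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub-prod"
  vnet_id   = "${local.rg_id}/providers/Microsoft.Network/virtualNetworks/vnet-hub-prod"
  pip_id    = "${local.rg_id}/providers/Microsoft.Network/publicIPAddresses/pip-azfw-prod"
  subnet_id = "${local.vnet_id}/subnets/AzureFirewallSubnet" # subnet name is fixed by the service
  workloads = ["10.10.2.0/24"]                                # assumed spoke subnet

  # DNAT rules live in a local so the precondition below can inspect them.
  nat_rules = [
    {
      name                 = "dnat-https-to-web"
      protocols            = ["TCP"]
      sourceAddresses      = ["203.0.113.0/24"] # assumed partner range, deliberately not "*"
      destinationAddresses = ["198.51.100.10"]  # assumed address of pip-azfw-prod
      destinationPorts     = ["443"]
      translatedAddress    = "10.10.3.10"
      translatedPort       = "8443"
    }
  ]
  admin_ports = ["22", "3389"]
  # Names of DNAT rules that would publish SSH/RDP (or every port) to any source.
  exposed_admin_rules = [
    for r in local.nat_rules : r.name
    if contains(r.sourceAddresses, "*") && (
      contains(r.destinationPorts, "*") ||
      length(setintersection(r.destinationPorts, local.admin_ports)) > 0
    )
  ]
}

resource "azapi_resource" "azfw" {
  type      = "Microsoft.Network/azureFirewalls@2023-04-01"
  name      = "azfw-hub-prod"
  location  = "westeurope"
  parent_id = local.rg_id

  body = jsonencode({
    properties = {
      sku             = { name = "AZFW_VNet", tier = "Standard" }
      threatIntelMode = "Deny" # block, not merely alert on, known-malicious IPs and domains
      ipConfigurations = [
        {
          name = "ipconfig-primary"
          properties = {
            publicIPAddress = { id = local.pip_id }
            subnet          = { id = local.subnet_id }
          }
        }
      ]
      natRuleCollections = [
        {
          name       = "rc-nat-inbound"
          properties = { priority = 100, action = { type = "Dnat" }, rules = local.nat_rules }
        }
      ]
      networkRuleCollections = [
        {
          name = "rc-net-allow-core"
          properties = {
            priority = 200
            action   = { type = "Allow" }
            rules = [
              {
                name                 = "allow-dns-to-forwarder"
                description          = "Workload subnets may query the hub DNS forwarder only"
                protocols            = ["UDP", "TCP"]
                sourceAddresses      = local.workloads
                destinationAddresses = ["10.10.1.4"] # assumed hub DNS forwarder
                destinationPorts     = ["53"]
              }
            ]
          }
        }
      ]
      applicationRuleCollections = [
        {
          name = "rc-app-allow-egress"
          properties = {
            priority = 300
            action   = { type = "Allow" }
            rules = [
              {
                name            = "allow-windows-update"
                fqdnTags        = ["WindowsUpdate"]
                sourceAddresses = local.workloads
                protocols       = [{ protocolType = "Http", port = 80 }, { protocolType = "Https", port = 443 }]
              },
              {
                name            = "allow-package-mirror"
                targetFqdns     = ["packages.example.internal"] # assumed internal mirror
                sourceAddresses = local.workloads
                protocols       = [{ protocolType = "Https", port = 443 }]
              }
            ]
          }
        }
      ]
    }
    zones = ["1", "2", "3"]
  })

  lifecycle {
    precondition {
      condition     = length(local.exposed_admin_rules) == 0
      error_message = "DNAT rules expose SSH/RDP to any source: ${join(", ", local.exposed_admin_rules)}"
    }
  }
}
```

Note that `zones` sits beside `properties` in the body, not inside it, exactly as in the skeleton. Changing the DNAT rule's `sourceAddresses` to `["*"]` and `destinationPorts` to `["3389"]` makes `terraform plan` fail with the precondition message, which is the point of keeping the rules in a local rather than inline in the body.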

Property values

azureFirewalls

Name Description Value
type The resource type "Microsoft.Network/azureFirewalls@2023-04-01"
name The resource name string (required)

Character limit: 1-80

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End with alphanumeric or underscore.
location Resource location. string
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags Resource tags. Dictionary of tag names and values.
properties Properties of the azure firewall. AzureFirewallPropertiesFormat
zones A list of availability zones denoting where the resource needs to come from. string[]

AzureFirewallPropertiesFormat

Name Description Value
additionalProperties The additional properties used to further configure this azure firewall. object
applicationRuleCollections Collection of application rule collections used by Azure Firewall. AzureFirewallApplicationRuleCollection[]
firewallPolicy The firewallPolicy associated with this azure firewall. SubResource
hubIPAddresses IP addresses associated with AzureFirewall. HubIPAddresses
ipConfigurations IP configuration of the Azure Firewall resource. AzureFirewallIPConfiguration[]
managementIpConfiguration IP configuration of the Azure Firewall used for management traffic. AzureFirewallIPConfiguration
natRuleCollections Collection of NAT rule collections used by Azure Firewall. AzureFirewallNatRuleCollection[]
networkRuleCollections Collection of network rule collections used by Azure Firewall. AzureFirewallNetworkRuleCollection[]
sku The Azure Firewall Resource SKU. AzureFirewallSku
threatIntelMode The operation mode for Threat Intelligence. "Alert"
"Deny"
"Off"
virtualHub The virtualHub to which the firewall belongs. SubResource

AzureFirewallApplicationRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall application rule collection. AzureFirewallApplicationRuleCollectionPropertiesForm...

AzureFirewallApplicationRuleCollectionPropertiesForm...

Name Description Value
action The action type of a rule collection. AzureFirewallRCAction
priority Priority of the application rule collection resource. int
rules Collection of rules used by an application rule collection. AzureFirewallApplicationRule[]

AzureFirewallRCAction

Name Description Value
type The type of action. "Allow"
"Deny"

AzureFirewallApplicationRule

Name Description Value
description Description of the rule. string
fqdnTags List of FQDN Tags for this rule. string[]
name Name of the application rule. string
protocols Array of ApplicationRuleProtocols. AzureFirewallApplicationRuleProtocol[]
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]
targetFqdns List of FQDNs for this rule. string[]

AzureFirewallApplicationRuleProtocol

Name Description Value
port Port number for the protocol, cannot be greater than 64000. This field is optional. int
protocolType Protocol type. "Http"
"Https"
"Mssql"

SubResource

Name Description Value
id Resource ID. string

HubIPAddresses

Name Description Value
privateIPAddress Private IP Address associated with azure firewall. string
publicIPs Public IP addresses associated with azure firewall. HubPublicIPAddresses

HubPublicIPAddresses

Name Description Value
addresses The list of Public IP addresses associated with azure firewall or IP addresses to be retained. AzureFirewallPublicIPAddress[]
count The number of Public IP addresses associated with azure firewall. int

AzureFirewallPublicIPAddress

Name Description Value
address Public IP Address value. string

AzureFirewallIPConfiguration

Name Description Value
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the azure firewall IP configuration. AzureFirewallIPConfigurationPropertiesFormat

AzureFirewallIPConfigurationPropertiesFormat

Name Description Value
publicIPAddress Reference to the PublicIP resource. This field is a mandatory input if subnet is not null. SubResource
subnet Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'. SubResource

AzureFirewallNatRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall NAT rule collection. AzureFirewallNatRuleCollectionProperties

AzureFirewallNatRuleCollectionProperties

Name Description Value
action The action type of a NAT rule collection. AzureFirewallNatRCAction
priority Priority of the NAT rule collection resource. int
rules Collection of rules used by a NAT rule collection. AzureFirewallNatRule[]

AzureFirewallNatRCAction

Name Description Value
type The type of action. "Dnat"
"Snat"

AzureFirewallNatRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags. string[]
destinationPorts List of destination ports. string[]
name Name of the NAT rule. string
protocols Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule. String array containing any of:
"Any"
"ICMP"
"TCP"
"UDP"
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]
translatedAddress The translated address for this NAT rule. string
translatedFqdn The translated FQDN for this NAT rule. string
translatedPort The translated port for this NAT rule. string

AzureFirewallNetworkRuleCollection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within the Azure firewall. This name can be used to access the resource. string
properties Properties of the azure firewall network rule collection. AzureFirewallNetworkRuleCollectionPropertiesFormat

AzureFirewallNetworkRuleCollectionPropertiesFormat

Name Description Value
action The action type of a rule collection. AzureFirewallRCAction
priority Priority of the network rule collection resource. int
rules Collection of rules used by a network rule collection. AzureFirewallNetworkRule[]

AzureFirewallNetworkRule

Name Description Value
description Description of the rule. string
destinationAddresses List of destination IP addresses. string[]
destinationFqdns List of destination FQDNs. string[]
destinationIpGroups List of destination IpGroups for this rule. string[]
destinationPorts List of destination ports. string[]
name Name of the network rule. string
protocols Array of AzureFirewallNetworkRuleProtocols. String array containing any of:
"Any"
"ICMP"
"TCP"
"UDP"
sourceAddresses List of source IP addresses for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]

AzureFirewallSku

Name Description Value
name Name of an Azure Firewall SKU. "AZFW_Hub"
"AZFW_VNet"
tier Tier of an Azure Firewall. "Basic"
"Premium"
"Standard"
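The `AZFW_Hub` SKU name, together with `virtualHub` and `hubIPAddresses` from the tables above, describes the other deployment shape: a firewall inside a Virtual WAN secured hub. The following is an added example (not from the reference page) of that shape, governed by a Firewall Policy reference instead of classic rule collections, so rule collections and threat-intelligence settings are managed in the referenced policy rather than on this resource. The resource group, hub and policy IDs are assumptions.

```hcl
# Added example, not from the reference page. All IDs and names are assumptions.
locals {
  rg_id     = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-vwan-prod"
  hub_id    = "${local.rg_id}/providers/Microsoft.Network/virtualHubs/hub-weu"
  policy_id = "${local.rg_id}/providers/Microsoft.Network/firewallPolicies/fwpol-prod"
}

resource "azapi_resource" "azfw_hub" {
  type      = "Microsoft.Network/azureFirewalls@2023-04-01"
  name      = "azfw-hub-weu"
  location  = "westeurope"
  parent_id = local.rg_id

  body = jsonencode({
    properties = {
      sku = { name = "AZFW_Hub", tier = "Premium" }
      # The hub firewall attaches to a virtual hub and takes its rules from a policy.
      virtualHub     = { id = local.hub_id }
      firewallPolicy = { id = local.policy_id }
      # Public IPs for a hub firewall are allocated by the platform; only the count
      # is requested here. Two addresses give outbound SNAT a second source IP.
      hubIPAddresses = {
        publicIPs = { count = 2 }
      }
    }
  })
}
```

After deployment the allocated addresses appear under `hubIPAddresses.publicIPs.addresses` in the resource's output; `hubIPAddresses.privateIPAddress` is the address spokes route to and is likewise populated by the service rather than chosen here.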