Microsoft.Network firewallPolicies

The firewallPolicies resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Network/firewallPolicies resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }
  properties: {
    basePolicy: {
      id: 'string'
    }
    dnsSettings: {
      enableProxy: bool
      requireProxyForNetworkRules: bool
      servers: [ 'string' ]
    }
    insights: {
      isEnabled: bool
      logAnalyticsResources: {
        defaultWorkspaceId: {
          id: 'string'
        }
        workspaces: [
          {
            region: 'string'
            workspaceId: {
              id: 'string'
            }
          }
        ]
      }
      retentionDays: int
    }
    intrusionDetection: {
      configuration: {
        bypassTrafficSettings: [
          {
            description: 'string'
            destinationAddresses: [ 'string' ]
            destinationIpGroups: [ 'string' ]
            destinationPorts: [ 'string' ]
            name: 'string'
            protocol: 'string'
            sourceAddresses: [ 'string' ]
            sourceIpGroups: [ 'string' ]
          }
        ]
        signatureOverrides: [
          {
            id: 'string'
            mode: 'string'
          }
        ]
      }
      mode: 'string'
    }
    sku: {
      tier: 'string'
    }
    snat: {
      privateRanges: [ 'string' ]
    }
    threatIntelMode: 'string'
    threatIntelWhitelist: {
      fqdns: [ 'string' ]
      ipAddresses: [ 'string' ]
    }
    transportSecurity: {
      certificateAuthority: {
        keyVaultSecretId: 'string'
        name: 'string'
      }
    }
  }
}

Property values

firewallPolicies

Name | Description | Value
type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Network/firewallPolicies'
apiVersion | The resource api version. For Bicep, set this value in the resource declaration. | '2021-02-01'
name | The resource name. | string (required)
location | Resource location. | string
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates
identity | Identity for the resource. | ManagedServiceIdentity
properties | Firewall Policy definition. | FirewallPolicyPropertiesFormat

ManagedServiceIdentity

Name | Description | Value
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' / 'SystemAssigned' / 'SystemAssigned, UserAssigned' / 'UserAssigned'
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | object

FirewallPolicyPropertiesFormat

Name | Description | Value
basePolicy | Reference to another subresource. | SubResource
dnsSettings | DNS Proxy Settings in Firewall Policy. | DnsSettings
insights | Firewall Policy Insights. | FirewallPolicyInsights
intrusionDetection | Configuration for intrusion detection mode and rules. | FirewallPolicyIntrusionDetection
sku | SKU of Firewall policy. | FirewallPolicySku
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat
threatIntelMode | The operation mode for Threat Intel. | 'Alert' / 'Deny' / 'Off'
threatIntelWhitelist | ThreatIntel Allowlist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist
transportSecurity | Configuration needed to perform TLS termination & initiation. | FirewallPolicyTransportSecurity

SubResource

Name | Description | Value
id | Resource ID. | string

DnsSettings

Name | Description | Value
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool
servers | List of Custom DNS Servers. | string[]

FirewallPolicyInsights

Name | Description | Value
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool
logAnalyticsResources | Log Analytics Resources for Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources
retentionDays | Number of days the insights should be enabled on the policy. | int

FirewallPolicyLogAnalyticsResources

Name | Description | Value
defaultWorkspaceId | Reference to another subresource. | SubResource
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[]

FirewallPolicyLogAnalyticsWorkspace

Name | Description | Value
region | Region to configure the Workspace. | string
workspaceId | Reference to another subresource. | SubResource

FirewallPolicyIntrusionDetection

Name | Description | Value
configuration | The operation for configuring intrusion detection. | FirewallPolicyIntrusionDetectionConfiguration
mode | Possible state values. | 'Alert' / 'Deny' / 'Off'

FirewallPolicyIntrusionDetectionConfiguration

Name | Description | Value
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[]
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[]

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Name | Description | Value
description | Description of the bypass traffic rule. | string
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[]
destinationIpGroups | List of destination IpGroups for this rule. | string[]
destinationPorts | List of destination ports or ranges. | string[]
name | Name of the bypass traffic rule. | string
protocol | Possible intrusion detection bypass traffic protocols. | 'ANY' / 'ICMP' / 'TCP' / 'UDP'
sourceAddresses | List of source IP addresses or ranges for this rule. | string[]
sourceIpGroups | List of source IpGroups for this rule. | string[]

FirewallPolicyIntrusionDetectionSignatureSpecification

Name | Description | Value
id | Signature id. | string
mode | Possible state values. | 'Alert' / 'Deny' / 'Off'

FirewallPolicySku

Name | Description | Value
tier | Tier of Firewall Policy. | 'Premium' / 'Standard'

FirewallPolicySnat

Name | Description | Value
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[]

FirewallPolicyThreatIntelWhitelist

Name | Description | Value
fqdns | List of FQDNs for the ThreatIntel Allowlist. | string[]
ipAddresses | List of IP addresses for the ThreatIntel Allowlist. | string[]

FirewallPolicyTransportSecurity

Name | Description | Value
certificateAuthority | Trusted Root certificates properties for tls. | FirewallPolicyCertificateAuthority

FirewallPolicyCertificateAuthority

Name | Description | Value
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string
name | Name of the CA certificate. | string
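The tables above list each property in isolation. The following Bicep is an added example, not code from this page or from Microsoft's own templates, that ties them together into a Premium policy configured to deny rather than alert: threat intelligence in 'Deny' mode with an empty allowlist, intrusion detection in 'Deny' mode with one narrowly scoped bypass rule, DNS proxy enabled so FQDN network rules resolve consistently, explicit SNAT private ranges, TLS inspection backed by a CA certificate in Key Vault, and insights sent to a Log Analytics workspace. The policy name, identity name, the 10.x addresses in the bypass rule, the Key Vault secret URL, the workspace ID and the signature id are all assumptions or placeholders.

```bicep
// Added example (not from the page or from Microsoft's samples): a Premium
// firewall policy with the security-relevant settings filled in. Every name,
// address, URL and ID below is an assumption or a placeholder.

param policyName string = 'fwpol-hub-prod'
param location string = resourceGroup().location

@description('Existing user-assigned identity allowed to read the CA secret in Key Vault (assumed name).')
param identityName string = 'id-fw-tls'

@description('Placeholder: Key Vault secret ID of the TLS-inspection CA (base-64 PFX stored as a Secret or Certificate).')
param caSecretId string = 'https://<vault-name>.vault.azure.net/secrets/<ca-secret-name>'

@description('Placeholder: resource ID of the Log Analytics workspace that receives policy insights.')
param workspaceId string = '/subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'

// The identity is created elsewhere; the policy only references it.
resource fwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
  name: identityName
}

resource policy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  name: policyName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${fwIdentity.id}': {}
    }
  }
  properties: {
    sku: {
      tier: 'Premium' // intrusionDetection and transportSecurity need the Premium tier
    }
    // Block, not merely alert on, traffic matching Microsoft threat intelligence.
    threatIntelMode: 'Deny'
    threatIntelWhitelist: {
      fqdns: []       // keep empty unless a specific false positive is confirmed
      ipAddresses: []
    }
    intrusionDetection: {
      mode: 'Deny'
      configuration: {
        // Scope exceptions to one flow instead of lowering the global mode.
        bypassTrafficSettings: [
          {
            name: 'bypass-backup-agent'
            description: 'Constructed example: backup agent traffic from the server subnet to one host'
            protocol: 'TCP'
            sourceAddresses: [ '10.1.2.0/24' ]
            destinationAddresses: [ '10.1.9.10' ]
            destinationPorts: [ '10000' ]
          }
        ]
        // Per-signature override; the id is an IDPS signature id (placeholder here).
        signatureOverrides: [
          {
            id: '<signature-id>'
            mode: 'Alert'
          }
        ]
      }
    }
    dnsSettings: {
      enableProxy: true
      requireProxyForNetworkRules: true // required for FQDN-based network rules
      servers: []                       // empty: use Azure-provided DNS
    }
    snat: {
      // Traffic to these ranges is not SNATed, so internal sources stay visible in logs.
      privateRanges: [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' ]
    }
    transportSecurity: {
      certificateAuthority: {
        name: 'inspection-ca'
        keyVaultSecretId: caSecretId
      }
    }
    insights: {
      isEnabled: true
      retentionDays: 30
      logAnalyticsResources: {
        defaultWorkspaceId: {
          id: workspaceId
        }
        workspaces: [
          {
            region: location
            workspaceId: {
              id: workspaceId
            }
          }
        ]
      }
    }
  }
}

output policyId string = policy.id
```

Two points to check before deploying this: the user-assigned identity must already have permission to read the secret in Key Vault, or the TLS inspection CA cannot be loaded, and the intrusionDetection and transportSecurity blocks are only accepted with sku.tier set to 'Premium'. The bypass rule is deliberately limited to one protocol, one source range, one destination host and one port; a bypass with 'ANY' and broad address ranges removes IDPS coverage for everything it matches.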

Quickstart templates

The following quickstart templates deploy this resource type.

Template | Description
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering.
Create a Firewall and FirewallPolicy with Rules and Ipgroups | This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules.
Create a Firewall with FirewallPolicy and IpGroups | This template creates an Azure Firewall with FirewallPolicy referencing Network Rules with IpGroups. It also includes a Linux jumpbox VM setup.
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Detection and Prevention (IDPS), TLS inspection and Web Category filtering.
Create a sandbox setup with Firewall Policy | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, a UDR route to point to Azure Firewall for the server subnet and an Azure Firewall with 1 or more public IP addresses. It also creates a Firewall Policy with 1 sample application rule, 1 sample network rule and default private ranges.
Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.