Azure Firewalls - Create Or Update

Creates or updates the specified Azure Firewall.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls/{azureFirewallName}?api-version=2020-05-01

URI Parameters

Name In Required Type Description
azureFirewallName
path True
  • string

The name of the Azure Firewall.

resourceGroupName
path True
  • string

The name of the resource group.

subscriptionId
path True
  • string

The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

api-version
query True
  • string

Client API version.

Request Body

Name Type Description
id
  • string

Resource ID.

location
  • string

Resource location.

properties.additionalProperties
  • object

The additional properties used to further config this azure firewall.

properties.applicationRuleCollections

Collection of application rule collections used by Azure Firewall.

properties.firewallPolicy

The firewallPolicy associated with this azure firewall.

properties.hubIPAddresses

IP addresses associated with AzureFirewall.

properties.ipConfigurations

IP configuration of the Azure Firewall resource.

properties.managementIpConfiguration

IP configuration of the Azure Firewall used for management traffic.

properties.natRuleCollections

Collection of NAT rule collections used by Azure Firewall.

properties.networkRuleCollections

Collection of network rule collections used by Azure Firewall.

properties.sku

The Azure Firewall Resource SKU.

properties.threatIntelMode

The operation mode for Threat Intelligence.

properties.virtualHub

The virtualHub to which the firewall belongs.

tags
  • object

Resource tags.

zones
  • string[]

A list of availability zones denoting where the resource needs to come from.

Responses

Name Type Description
200 OK

Update successful. The operation returns the resulting AzureFirewall resource.

201 Created

Create successful. The operation returns the resulting AzureFirewall resource.

Other Status Codes

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Create Azure Firewall
Create Azure Firewall in virtual Hub
Create Azure Firewall With Additional Properties
Create Azure Firewall With IpGroups
Create Azure Firewall With management subnet
Create Azure Firewall With Zones

Create Azure Firewall

Sample Request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2020-05-01
{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "zones": [],
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "properties": {
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ]
  }
}

Sample Response

{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedPort": "880",
              "translatedFqdn": "internalhttpserver"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "protocols": [
                "TCP"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ]
            }
          ]
        }
      }
    ],
    "ipGroups": [],
    "additionalProperties": {}
  }
}
{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ],
    "additionalProperties": {}
  }
}

Create Azure Firewall in virtual Hub

Sample Request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2020-05-01
{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "zones": [],
  "properties": {
    "sku": {
      "name": "AZFW_Hub",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "virtualHub": {
      "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
    },
    "firewallPolicy": {
      "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
    },
    "hubIPAddresses": {
      "publicIPs": {
        "addresses": [],
        "count": 1
      }
    }
  }
}

Sample Response

{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_Hub",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "virtualHub": {
      "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
    },
    "firewallPolicy": {
      "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
    },
    "hubIPAddresses": {
      "publicIPs": {
        "addresses": [
          {
            "address": "13.73.240.12"
          }
        ],
        "count": 1
      },
      "privateIPAddress": "10.0.0.0"
    },
    "additionalProperties": {}
  }
}
{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_Hub",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "virtualHub": {
      "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualHubs/hub1"
    },
    "firewallPolicy": {
      "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/policy1"
    },
    "hubIPAddresses": {
      "publicIPs": {
        "addresses": [
          {
            "address": "13.73.240.12"
          }
        ],
        "count": 1
      },
      "privateIPAddress": "10.0.0.0"
    },
    "ipGroups": [],
    "additionalProperties": {}
  }
}

Create Azure Firewall With Additional Properties

Sample Request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2020-05-01
{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "zones": [],
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "properties": {
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ],
    "ipGroups": [],
    "additionalProperties": {
      "key1": "value1",
      "key2": "value2"
    }
  }
}

Sample Response

{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedPort": "880",
              "translatedFqdn": "internalhttpserver"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "protocols": [
                "TCP"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ]
            }
          ]
        }
      }
    ],
    "additionalProperties": {
      "key1": "value1",
      "key2": "value2"
    }
  }
}
{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ],
    "additionalProperties": {
      "key1": "value1",
      "key2": "value2"
    }
  }
}

Create Azure Firewall With IpGroups

Sample Request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2020-05-01
{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "zones": [],
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "properties": {
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ]
  }
}

Sample Response

{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedPort": "880",
              "translatedFqdn": "internalhttpserver"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "protocols": [
                "TCP"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ]
            }
          ]
        }
      }
    ],
    "additionalProperties": {}
  }
}
{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceIpGroups": [
                "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceIpGroups": [
                "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationIpGroups": [
                "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups2"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ],
    "ipGroups": [
      {
        "id": "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups1",
        "changeNumber": "5"
      },
      {
        "id": "/subscriptions/subId/providers/Microsoft.Network/resourceGroup/myResourceGroup/ipGroups/ipGroups2",
        "changeNumber": "4"
      }
    ],
    "additionalProperties": {}
  }
}

Create Azure Firewall With management subnet

Sample Request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2020-05-01
{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "zones": [],
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "properties": {
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "managementIpConfiguration": {
      "name": "azureFirewallMgmtIpConfiguration",
      "properties": {
        "subnet": {
          "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallManagementSubnet"
        },
        "publicIPAddress": {
          "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/managementPipName"
        }
      }
    },
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ]
  }
}

Sample Response

{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedPort": "880",
              "translatedFqdn": "internalhttpserver"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "protocols": [
                "TCP"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ]
            }
          ]
        }
      }
    ],
    "additionalProperties": {}
  }
}
{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "zones": [],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ],
    "additionalProperties": {}
  }
}

Create Azure Firewall With Zones

Sample Request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall?api-version=2020-05-01
{
  "location": "West US 2",
  "tags": {
    "key1": "value1"
  },
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "threatIntelMode": "Alert",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "properties": {
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ]
  }
}

Sample Response

{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US 2",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ],
    "ipGroups": [],
    "additionalProperties": {}
  }
}
{
  "name": "azurefirewall",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azurefirewall",
  "type": "Microsoft.Network/azureFirewalls",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US 2",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "threatIntelMode": "Alert",
    "ipConfigurations": [
      {
        "name": "azureFirewallIpConfiguration",
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azfirewallgw/ipConfigurations/azureFirewallIpConfiguration",
        "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAddress": "10.0.0.0",
          "subnet": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet2/subnets/AzureFirewallSubnet"
          },
          "publicIPAddress": {
            "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pipName"
          }
        }
      }
    ],
    "applicationRuleCollections": [
      {
        "name": "apprulecoll",
        "properties": {
          "priority": 110,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "rule1",
              "description": "Deny inbound rule",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "targetFqdns": [
                "www.test.com"
              ],
              "sourceAddresses": [
                "216.58.216.164",
                "10.0.0.0/24"
              ]
            }
          ]
        }
      }
    ],
    "natRuleCollections": [
      {
        "name": "natrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Dnat"
          },
          "rules": [
            {
              "name": "DNAT-HTTPS-traffic",
              "description": "D-NAT all outbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "443"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedAddress": "1.2.3.5",
              "translatedPort": "8443"
            },
            {
              "name": "DNAT-HTTP-traffic-With-FQDN",
              "description": "D-NAT all inbound web traffic for inspection",
              "sourceAddresses": [
                "*"
              ],
              "destinationAddresses": [
                "1.2.3.4"
              ],
              "destinationPorts": [
                "80"
              ],
              "protocols": [
                "TCP"
              ],
              "translatedFqdn": "internalhttpserver",
              "translatedPort": "880"
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "name": "netrulecoll",
        "properties": {
          "priority": 112,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "L4-traffic",
              "description": "Block traffic based on source IPs and ports",
              "sourceAddresses": [
                "192.168.1.1-192.168.1.12",
                "10.1.4.12-10.1.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationAddresses": [
                "*"
              ],
              "protocols": [
                "TCP"
              ]
            },
            {
              "name": "L4-traffic-with-FQDN",
              "description": "Block traffic based on source IPs and ports to amazon",
              "sourceAddresses": [
                "10.2.4.12-10.2.4.255"
              ],
              "destinationPorts": [
                "443-444",
                "8443"
              ],
              "destinationFqdns": [
                "www.amazon.com"
              ],
              "protocols": [
                "TCP"
              ]
            }
          ]
        }
      }
    ],
    "additionalProperties": {}
  }
}

Definitions

AzureFirewall

Azure Firewall resource.

AzureFirewallApplicationRule

Properties of an application rule.

AzureFirewallApplicationRuleCollection

Application rule collection resource.

AzureFirewallApplicationRuleProtocol

Properties of the application rule protocol.

AzureFirewallApplicationRuleProtocolType

The protocol type of a Application Rule resource.

AzureFirewallIPConfiguration

IP configuration of an Azure Firewall.

AzureFirewallIpGroups

IpGroups associated with azure firewall.

AzureFirewallNatRCAction

AzureFirewall NAT Rule Collection Action.

AzureFirewallNatRCActionType

The action type of a NAT rule collection.

AzureFirewallNatRule

Properties of a NAT rule.

AzureFirewallNatRuleCollection

NAT rule collection resource.

AzureFirewallNetworkRule

Properties of the network rule.

AzureFirewallNetworkRuleCollection

Network rule collection resource.

AzureFirewallPublicIPAddress

Public IP Address associated with azure firewall.

AzureFirewallRCAction

Properties of the AzureFirewallRCAction.

AzureFirewallRCActionType

The action type of a rule collection.

AzureFirewallSku

SKU of an Azure Firewall.

AzureFirewallSkuName

Name of an Azure Firewall SKU.

AzureFirewallSkuTier

Tier of an Azure Firewall.

AzureFirewallThreatIntelMode

The operation mode for Threat Intel.

CloudError

An error response from the service.

CloudErrorBody

An error response from the service.

HubIPAddresses

IP addresses associated with azure firewall.

HubPublicIPAddresses

Public IP addresses associated with azure firewall.

ProvisioningState

The current provisioning state.

SubResource

Reference to another subresource.

AzureFirewall

Azure Firewall resource.

Name Type Description
etag
  • string

A unique read-only string that changes whenever the resource is updated.

id
  • string

Resource ID.

location
  • string

Resource location.

name
  • string

Resource name.

properties.additionalProperties
  • object

The additional properties used to further config this azure firewall.

properties.applicationRuleCollections

Collection of application rule collections used by Azure Firewall.

properties.firewallPolicy

The firewallPolicy associated with this azure firewall.

properties.hubIPAddresses

IP addresses associated with AzureFirewall.

properties.ipConfigurations

IP configuration of the Azure Firewall resource.

properties.ipGroups

IpGroups associated with AzureFirewall.

properties.managementIpConfiguration

IP configuration of the Azure Firewall used for management traffic.

properties.natRuleCollections

Collection of NAT rule collections used by Azure Firewall.

properties.networkRuleCollections

Collection of network rule collections used by Azure Firewall.

properties.provisioningState

The provisioning state of the Azure firewall resource.

properties.sku

The Azure Firewall Resource SKU.

properties.threatIntelMode

The operation mode for Threat Intelligence.

properties.virtualHub

The virtualHub to which the firewall belongs.

tags
  • object

Resource tags.

type
  • string

Resource type.

zones
  • string[]

A list of availability zones denoting where the resource needs to come from.

AzureFirewallApplicationRule

Properties of an application rule.

Name Type Description
description
  • string

Description of the rule.

fqdnTags
  • string[]

List of FQDN Tags for this rule.

name
  • string

Name of the application rule.

protocols

Array of ApplicationRuleProtocols.

sourceAddresses
  • string[]

List of source IP addresses for this rule.

sourceIpGroups
  • string[]

List of source IpGroups for this rule.

targetFqdns
  • string[]

List of FQDNs for this rule.

AzureFirewallApplicationRuleCollection

Application rule collection resource.

Name Type Description
etag
  • string

A unique read-only string that changes whenever the resource is updated.

id
  • string

Resource ID.

name
  • string

The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.

properties.action

The action type of a rule collection.

properties.priority
  • integer

Priority of the application rule collection resource.

properties.provisioningState

The provisioning state of the application rule collection resource.

properties.rules

Collection of rules used by a application rule collection.

AzureFirewallApplicationRuleProtocol

Properties of the application rule protocol.

Name Type Description
port
  • integer

Port number for the protocol, cannot be greater than 64000. This field is optional.

protocolType

Protocol type.

AzureFirewallApplicationRuleProtocolType

The protocol type of a Application Rule resource.

Name Type Description
Http
  • string
Https
  • string
Mssql
  • string

AzureFirewallIPConfiguration

IP configuration of an Azure Firewall.

Name Type Description
etag
  • string

A unique read-only string that changes whenever the resource is updated.

id
  • string

Resource ID.

name
  • string

Name of the resource that is unique within a resource group. This name can be used to access the resource.

properties.privateIPAddress
  • string

The Firewall Internal Load Balancer IP to be used as the next hop in User Defined Routes.

properties.provisioningState

The provisioning state of the Azure firewall IP configuration resource.

properties.publicIPAddress

Reference to the PublicIP resource. This field is a mandatory input if subnet is not null.

properties.subnet

Reference to the subnet resource. This resource must be named 'AzureFirewallSubnet' or 'AzureFirewallManagementSubnet'.

type
  • string

Type of the resource.

AzureFirewallIpGroups

IpGroups associated with azure firewall.

Name Type Description
changeNumber
  • string

The iteration number.

id
  • string

Resource ID.

AzureFirewallNatRCAction

AzureFirewall NAT Rule Collection Action.

Name Type Description
type

The type of action.

AzureFirewallNatRCActionType

The action type of a NAT rule collection.

Name Type Description
Dnat
  • string
Snat
  • string

AzureFirewallNatRule

Properties of a NAT rule.

Name Type Description
description
  • string

Description of the rule.

destinationAddresses
  • string[]

List of destination IP addresses for this rule. Supports IP ranges, prefixes, and service tags.

destinationPorts
  • string[]

List of destination ports.

name
  • string

Name of the NAT rule.

protocols
  • string[]

Array of AzureFirewallNetworkRuleProtocols applicable to this NAT rule.

sourceAddresses
  • string[]

List of source IP addresses for this rule.

sourceIpGroups
  • string[]

List of source IpGroups for this rule.

translatedAddress
  • string

The translated address for this NAT rule.

translatedFqdn
  • string

The translated FQDN for this NAT rule.

translatedPort
  • string

The translated port for this NAT rule.

AzureFirewallNatRuleCollection

NAT rule collection resource.

Name Type Description
etag
  • string

A unique read-only string that changes whenever the resource is updated.

id
  • string

Resource ID.

name
  • string

The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.

properties.action

The action type of a NAT rule collection.

properties.priority
  • integer

Priority of the NAT rule collection resource.

properties.provisioningState

The provisioning state of the NAT rule collection resource.

properties.rules

Collection of rules used by a NAT rule collection.

AzureFirewallNetworkRule

Properties of the network rule.

Name Type Description
description
  • string

Description of the rule.

destinationAddresses
  • string[]

List of destination IP addresses.

destinationFqdns
  • string[]

List of destination FQDNs.

destinationIpGroups
  • string[]

List of destination IpGroups for this rule.

destinationPorts
  • string[]

List of destination ports.

name
  • string

Name of the network rule.

protocols
  • string[]

Array of AzureFirewallNetworkRuleProtocols.

sourceAddresses
  • string[]

List of source IP addresses for this rule.

sourceIpGroups
  • string[]

List of source IpGroups for this rule.

AzureFirewallNetworkRuleCollection

Network rule collection resource.

Name Type Description
etag
  • string

A unique read-only string that changes whenever the resource is updated.

id
  • string

Resource ID.

name
  • string

The name of the resource that is unique within the Azure firewall. This name can be used to access the resource.

properties.action

The action type of a rule collection.

properties.priority
  • integer

Priority of the network rule collection resource.

properties.provisioningState

The provisioning state of the network rule collection resource.

properties.rules

Collection of rules used by a network rule collection.

AzureFirewallPublicIPAddress

Public IP Address associated with azure firewall.

Name Type Description
address
  • string

Public IP Address value.

AzureFirewallRCAction

Properties of the AzureFirewallRCAction.

Name Type Description
type

The type of action.

AzureFirewallRCActionType

The action type of a rule collection.

Name Type Description
Allow
  • string
Deny
  • string

AzureFirewallSku

SKU of an Azure Firewall.

Name Type Description
name

Name of an Azure Firewall SKU.

tier

Tier of an Azure Firewall.

AzureFirewallSkuName

Name of an Azure Firewall SKU.

Name Type Description
AZFW_Hub
  • string
AZFW_VNet
  • string

AzureFirewallSkuTier

Tier of an Azure Firewall.

Name Type Description
Premium
  • string
Standard
  • string

AzureFirewallThreatIntelMode

The operation mode for Threat Intel.

Name Type Description
Alert
  • string
Deny
  • string
Off
  • string

CloudError

An error response from the service.

Name Type Description
error

Cloud error body.

CloudErrorBody

An error response from the service.

Name Type Description
code
  • string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

details

A list of additional details about the error.

message
  • string

A message describing the error, intended to be suitable for display in a user interface.

target
  • string

The target of the particular error. For example, the name of the property in error.

HubIPAddresses

IP addresses associated with azure firewall.

Name Type Description
privateIPAddress
  • string

Private IP Address associated with azure firewall.

publicIPs

Public IP addresses associated with azure firewall.

HubPublicIPAddresses

Public IP addresses associated with azure firewall.

Name Type Description
addresses

The list of Public IP addresses associated with azure firewall or IP addresses to be retained.

count
  • integer

The number of Public IP addresses associated with azure firewall.

ProvisioningState

The current provisioning state.

Name Type Description
Deleting
  • string
Failed
  • string
Succeeded
  • string
Updating
  • string

SubResource

Reference to another subresource.

Name Type Description
id
  • string

Resource ID.