Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies
The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed to: Resource groups.
To learn about resource group deployments, see Bicep or ARM template.
For a list of changed properties in each API version, see change log.
Template format
To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep or JSON to your template.
```bicep
resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-08-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    customRules: [
      {
        action: 'string'
        matchConditions: [
          {
            matchValues: [
              'string'
            ]
            matchVariables: [
              {
                selector: 'string'
                variableName: 'string'
              }
            ]
            negationConditon: bool
            operator: 'string'
            transforms: [
              'string'
            ]
          }
        ]
        name: 'string'
        priority: int
        ruleType: 'string'
      }
    ]
    managedRules: {
      exclusions: [
        {
          exclusionManagedRuleSets: [
            {
              ruleGroups: [
                {
                  ruleGroupName: 'string'
                  rules: [
                    {
                      ruleId: 'string'
                    }
                  ]
                }
              ]
              ruleSetType: 'string'
              ruleSetVersion: 'string'
            }
          ]
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
        }
      ]
      managedRuleSets: [
        {
          ruleGroupOverrides: [
            {
              ruleGroupName: 'string'
              rules: [
                {
                  ruleId: 'string'
                  state: 'Disabled'
                }
              ]
            }
          ]
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      fileUploadLimitInMb: int
      maxRequestBodySizeInKb: int
      mode: 'string'
      requestBodyCheck: bool
      state: 'string'
    }
  }
}
```
Property values
ApplicationGatewayWebApplicationFirewallPolicies
| Name | Description | Value |
|---|---|---|
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies' |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | '2021-08-01' |
| name | The resource name | string (required) |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| customRules | The custom rules inside the policy. | WebApplicationFirewallCustomRule[] |
| managedRules | Describes the managedRules structure. | ManagedRulesDefinition (required) |
| policySettings | The PolicySettings for policy. | PolicySettings |
WebApplicationFirewallCustomRule
| Name | Description | Value |
|---|---|---|
| action | Type of Actions. | 'Allow' 'Block' 'Log' |
| matchConditions | List of match conditions. | MatchCondition[] (required) |
| name | The name of the resource that is unique within a policy. This name can be used to access the resource. | string |
| priority | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
| ruleType | The rule type. | 'Invalid' 'MatchRule' |
MatchCondition
| Name | Description | Value |
|---|---|---|
| matchValues | Match value. | string[] (required) |
| matchVariables | List of match variables. | MatchVariable[] (required) |
| negationConditon | Whether this condition is negated. | bool |
| operator | The operator to be matched. | 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' |
| transforms | List of transforms. | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'UrlDecode' 'UrlEncode' |
MatchVariable
| Name | Description | Value |
|---|---|---|
| selector | The selector of match variable. | string |
| variableName | Match Variable. | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' |
ManagedRulesDefinition
| Name | Description | Value |
|---|---|---|
| exclusions | The Exclusions that are applied on the policy. | OwaspCrsExclusionEntry[] |
| managedRuleSets | The managed rule sets that are associated with the policy. | ManagedRuleSet[] (required) |
OwaspCrsExclusionEntry
| Name | Description | Value |
|---|---|---|
| exclusionManagedRuleSets | The managed rule sets that are associated with the exclusion. | ExclusionManagedRuleSet[] |
| matchVariable | The variable to be excluded. | 'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' |
| selector | When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. | string (required) |
| selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' |
ExclusionManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleGroups | Defines the rule groups to apply to the rule set. | ExclusionManagedRuleGroup[] |
| ruleSetType | Defines the rule set type to use. | string (required) |
| ruleSetVersion | Defines the version of the rule set to use. | string (required) |
ExclusionManagedRuleGroup
| Name | Description | Value |
|---|---|---|
| ruleGroupName | The managed rule group for exclusion. | string (required) |
| rules | List of rules that will be excluded. If none specified, all rules in the group will be excluded. | ExclusionManagedRule[] |
ExclusionManagedRule
| Name | Description | Value |
|---|---|---|
| ruleId | Identifier for the managed rule. | string (required) |
ManagedRuleSet
| Name | Description | Value |
|---|---|---|
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] |
| ruleSetType | Defines the rule set type to use. | string (required) |
| ruleSetVersion | Defines the version of the rule set to use. | string (required) |
ManagedRuleGroupOverride
| Name | Description | Value |
|---|---|---|
| ruleGroupName | The managed rule group to override. | string (required) |
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] |
ManagedRuleOverride
| Name | Description | Value |
|---|---|---|
| ruleId | Identifier for the managed rule. | string (required) |
| state | The state of the managed rule. Defaults to Disabled if not specified. | 'Disabled' |
PolicySettings
| Name | Description | Value |
|---|---|---|
| fileUploadLimitInMb | Maximum file upload size in Mb for WAF. | int |
| maxRequestBodySizeInKb | Maximum request body size in Kb for WAF. | int |
| mode | The mode of the policy. | 'Detection' 'Prevention' |
| requestBodyCheck | Whether to allow WAF to check request Body. | bool |
| state | The state of the policy. | 'Disabled' 'Enabled' |
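
A filled-in policy built from the properties documented above, as an added example that is not part of the original reference page. The resource name, the `/admin` path, the `203.0.113.0/24` range, the `comment` argument, and the choice of OWASP 3.2 rule 942130 are assumptions for illustration; the single-line array and object syntax needs a recent Bicep version.

```bicep
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-08-01' = {
  name: 'example-waf-policy' // hypothetical name (added example)
  location: resourceGroup().location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // 'Detection' logs matches without blocking
      requestBodyCheck: true
    }
    customRules: [
      {
        name: 'BlockAdminOutsideCorp' // hypothetical rule
        priority: 10 // lower values are evaluated first
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [ // both conditions must match for the rule to fire
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            transforms: [ 'Lowercase' ] // normalise case before comparing
            matchValues: [ '/admin' ]
          }
          {
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'IPMatch'
            negationConditon: true // spelled this way in the schema
            matchValues: [ '203.0.113.0/24' ] // documentation range, stands in for a trusted network
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ]
      exclusions: [
        {
          matchVariable: 'RequestArgNames'
          selectorMatchOperator: 'Equals'
          selector: 'comment' // hypothetical request argument
          exclusionManagedRuleSets: [
            {
              ruleSetType: 'OWASP'
              ruleSetVersion: '3.2'
              ruleGroups: [ { ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI', rules: [ { ruleId: '942130' } ] } ]
            }
          ]
        }
      ]
    }
  }
}
```

Scoping the exclusion to a single rule ID, rather than omitting `rules` or using a `ruleGroupOverrides` entry, leaves every other managed rule inspecting that argument.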
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Create an Azure WAF v2 on Azure Application Gateway | This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool. |
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
| Front Door Standard/Premium with Application Gateway origin | This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin. |
| Front Door with Container Instances and Application Gateway | This template creates a Front Door Standard/Premium with a container group and Application Gateway. |
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault. |
| Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy. |