Microsoft.Network firewallPolicies/ruleCollectionGroups
The firewallPolicies/ruleCollectionGroups resource type can be deployed to: Resource groups.
To learn about resource group deployments, see Bicep or ARM template.
For a list of changed properties in each API version, see change log.
Template format
To create a Microsoft.Network/firewallPolicies/ruleCollectionGroups resource, add the following Bicep or JSON to your template.
```bicep
resource symbolicname 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'string'
  parent: resourceSymbolicName
  properties: {
    priority: int
    ruleCollections: [
      {
        name: 'string'
        priority: int
        ruleCollectionType: 'string'
        // For remaining properties, see FirewallPolicyRuleCollection objects
      }
    ]
  }
}
```
FirewallPolicyRuleCollection objects
Set the ruleCollectionType property to specify the type of object.
For FirewallPolicyFilterRuleCollection, use:
```bicep
  ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
  action: {
    type: 'string'
  }
  rules: [
    {
      description: 'string'
      name: 'string'
      ruleType: 'string'
      // For remaining properties, see FirewallPolicyRule objects
    }
  ]
```
For FirewallPolicyNatRuleCollection, use:
```bicep
  ruleCollectionType: 'FirewallPolicyNatRuleCollection'
  action: {
    type: 'DNAT'
  }
  rules: [
    {
      description: 'string'
      name: 'string'
      ruleType: 'string'
      // For remaining properties, see FirewallPolicyRule objects
    }
  ]
```
FirewallPolicyRule objects
Set the ruleType property to specify the type of object.
For ApplicationRule, use:
```bicep
  ruleType: 'ApplicationRule'
  destinationAddresses: [
    'string'
  ]
  fqdnTags: [
    'string'
  ]
  protocols: [
    {
      port: int
      protocolType: 'string'
    }
  ]
  sourceAddresses: [
    'string'
  ]
  sourceIpGroups: [
    'string'
  ]
  targetFqdns: [
    'string'
  ]
  targetUrls: [
    'string'
  ]
  terminateTLS: bool
  webCategories: [
    'string'
  ]
```
For NatRule, use:
```bicep
  ruleType: 'NatRule'
  destinationAddresses: [
    'string'
  ]
  destinationPorts: [
    'string'
  ]
  ipProtocols: [
    'string'
  ]
  sourceAddresses: [
    'string'
  ]
  sourceIpGroups: [
    'string'
  ]
  translatedAddress: 'string'
  translatedFqdn: 'string'
  translatedPort: 'string'
```
For NetworkRule, use:
```bicep
  ruleType: 'NetworkRule'
  destinationAddresses: [
    'string'
  ]
  destinationFqdns: [
    'string'
  ]
  destinationIpGroups: [
    'string'
  ]
  destinationPorts: [
    'string'
  ]
  ipProtocols: [
    'string'
  ]
  sourceAddresses: [
    'string'
  ]
  sourceIpGroups: [
    'string'
  ]
```
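The following is an added example, not part of the original reference: a rule collection group that combines a DNAT collection limited to one source range with an Allow collection for a single outbound FQDN. The policy name, rule names, priorities, IP addresses (documentation ranges) and FQDN are constructed placeholders, and the parent firewall policy is assumed to exist already.

```bicep
// Added example: every name, address and FQDN below is a constructed placeholder.
param policyName string = 'example-fw-policy'
resource policy 'Microsoft.Network/firewallPolicies@2021-08-01' existing = {
  name: policyName
}

resource workloadRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'workload-rules'
  parent: policy
  properties: {
    priority: 200
    ruleCollections: [
      {
        name: 'inbound-dnat'
        priority: 100
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'partner-https-to-web'
            description: 'Publish the web tier to one partner range only'
            sourceAddresses: [ '198.51.100.0/24' ] // scoped; '*' would admit any source
            destinationAddresses: [ '203.0.113.10' ] // firewall public IP (placeholder)
            destinationPorts: [ '443' ]
            ipProtocols: [ 'TCP' ]
            translatedAddress: '10.1.0.4'
            translatedPort: '443'
          }
        ]
      }
      {
        name: 'outbound-web'
        priority: 200
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-package-mirror'
            sourceAddresses: [ '10.1.0.0/24' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'packages.example.com' ] // explicit FQDN instead of a wildcard
          }
        ]
      }
    ]
  }
}
```

Single-line arrays and objects require a recent Bicep CLI; on older versions, expand them to one item per line as in the schema above.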
Property values
firewallPolicies/ruleCollectionGroups
| Name | Description | Value |
|---|---|---|
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Network/firewallPolicies/ruleCollectionGroups' |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | '2021-08-01' |
| name | The resource name. See how to set names and types for child resources in Bicep or JSON ARM templates. | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: firewallPolicies |
| properties | The properties of the firewall policy rule collection group. | FirewallPolicyRuleCollectionGroupProperties |
FirewallPolicyRuleCollectionGroupProperties
| Name | Description | Value |
|---|---|---|
| priority | Priority of the Firewall Policy Rule Collection Group resource. | int |
| ruleCollections | Group of Firewall Policy rule collections. | FirewallPolicyRuleCollection[] |
FirewallPolicyRuleCollection
| Name | Description | Value |
|---|---|---|
| name | The name of the rule collection. | string |
| priority | Priority of the Firewall Policy Rule Collection resource. | int |
| ruleCollectionType | Set the object type | FirewallPolicyFilterRuleCollection FirewallPolicyNatRuleCollection |
FirewallPolicyFilterRuleCollection
| Name | Description | Value |
|---|---|---|
| ruleCollectionType | The type of the rule collection. | 'FirewallPolicyFilterRuleCollection' |
| action | The action type of a Filter rule collection. | FirewallPolicyFilterRuleCollectionAction |
| rules | List of rules included in a rule collection. | FirewallPolicyRule[] |
FirewallPolicyFilterRuleCollectionAction
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'Allow' 'Deny' |
FirewallPolicyRule
| Name | Description | Value |
|---|---|---|
| description | Description of the rule. | string |
| name | Name of the rule. | string |
| ruleType | Set the object type | ApplicationRule NatRule NetworkRule |
ApplicationRule
| Name | Description | Value |
|---|---|---|
| ruleType | Rule Type. | 'ApplicationRule' |
| destinationAddresses | List of destination IP addresses or Service Tags. | string[] |
| fqdnTags | List of FQDN Tags for this rule. | string[] |
| protocols | Array of Application Protocols. | FirewallPolicyRuleApplicationProtocol[] |
| sourceAddresses | List of source IP addresses for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
| targetFqdns | List of FQDNs for this rule. | string[] |
| targetUrls | List of Urls for this rule condition. | string[] |
| terminateTLS | Terminate TLS connections for this rule. | bool |
| webCategories | List of destination azure web categories. | string[] |
FirewallPolicyRuleApplicationProtocol
| Name | Description | Value |
|---|---|---|
| port | Port number for the protocol, cannot be greater than 64000. | int |
| protocolType | Protocol type. | 'Http' 'Https' |
NatRule
| Name | Description | Value |
|---|---|---|
| ruleType | Rule Type. | 'NatRule' |
| destinationAddresses | List of destination IP addresses or Service Tags. | string[] |
| destinationPorts | List of destination ports. | string[] |
| ipProtocols | Array of FirewallPolicyRuleNetworkProtocols. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
| sourceAddresses | List of source IP addresses for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
| translatedAddress | The translated address for this NAT rule. | string |
| translatedFqdn | The translated FQDN for this NAT rule. | string |
| translatedPort | The translated port for this NAT rule. | string |
NetworkRule
| Name | Description | Value |
|---|---|---|
| ruleType | Rule Type. | 'NetworkRule' |
| destinationAddresses | List of destination IP addresses or Service Tags. | string[] |
| destinationFqdns | List of destination FQDNs. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports. | string[] |
| ipProtocols | Array of FirewallPolicyRuleNetworkProtocols. | String array containing any of: 'Any' 'ICMP' 'TCP' 'UDP' |
| sourceAddresses | List of source IP addresses for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyNatRuleCollection
| Name | Description | Value |
|---|---|---|
| ruleCollectionType | The type of the rule collection. | 'FirewallPolicyNatRuleCollection' |
| action | The action type of a Nat rule collection. | FirewallPolicyNatRuleCollectionAction |
| rules | List of rules included in a rule collection. | FirewallPolicyRule[] |
FirewallPolicyNatRuleCollectionAction
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'DNAT' |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
| Create a Firewall and FirewallPolicy with Rules and Ipgroups | This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
| Create a Firewall with FirewallPolicy and IpGroups | This template creates an Azure Firewall with FirewallPolicy referencing Network Rules with IpGroups. Also includes a Linux Jumpbox VM setup. |
| Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering. |
| Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |