Bicep resource definition
The firewallPolicies resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/firewallPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/firewallPolicies@2021-02-01' = {
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
location: 'string'
name: 'string'
properties: {
basePolicy: {
id: 'string'
}
dnsSettings: {
enableProxy: bool
requireProxyForNetworkRules: bool
servers: [
'string'
]
}
insights: {
isEnabled: bool
logAnalyticsResources: {
defaultWorkspaceId: {
id: 'string'
}
workspaces: [
{
region: 'string'
workspaceId: {
id: 'string'
}
}
]
}
retentionDays: int
}
intrusionDetection: {
configuration: {
bypassTrafficSettings: [
{
description: 'string'
destinationAddresses: [
'string'
]
destinationIpGroups: [
'string'
]
destinationPorts: [
'string'
]
name: 'string'
protocol: 'string'
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
}
]
signatureOverrides: [
{
id: 'string'
mode: 'string'
}
]
}
mode: 'string'
}
sku: {
tier: 'string'
}
snat: {
privateRanges: [
'string'
]
}
threatIntelMode: 'string'
threatIntelWhitelist: {
fqdns: [
'string'
]
ipAddresses: [
'string'
]
}
transportSecurity: {
certificateAuthority: {
keyVaultSecretId: 'string'
name: 'string'
}
}
}
tags: {
{customized property}: 'string'
}
}
Property Values
Microsoft.Network/firewallPolicies
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
DnsSettings
| Name |
Description |
Value |
| enableProxy |
Enable DNS Proxy on Firewalls attached to the Firewall Policy. |
bool |
| requireProxyForNetworkRules |
FQDNs in Network Rules are supported when set to true. |
bool |
| servers |
List of Custom DNS Servers. |
string[] |
FirewallPolicyCertificateAuthority
| Name |
Description |
Value |
| keyVaultSecretId |
Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. |
string |
| name |
Name of the CA certificate. |
string |
FirewallPolicyInsights
| Name |
Description |
Value |
| isEnabled |
A flag to indicate if the insights are enabled on the policy. |
bool |
| logAnalyticsResources |
Workspaces needed to configure the Firewall Policy Insights. |
FirewallPolicyLogAnalyticsResources |
| retentionDays |
Number of days the insights should be enabled on the policy. |
int |
FirewallPolicyIntrusionDetection
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
| Name |
Description |
Value |
| description |
Description of the bypass traffic rule. |
string |
| destinationAddresses |
List of destination IP addresses or ranges for this rule. |
string[] |
| destinationIpGroups |
List of destination IpGroups for this rule. |
string[] |
| destinationPorts |
List of destination ports or ranges. |
string[] |
| name |
Name of the bypass traffic rule. |
string |
| protocol |
The rule bypass protocol. |
'ANY'
'ICMP'
'TCP'
'UDP' |
| sourceAddresses |
List of source IP addresses or ranges for this rule. |
string[] |
| sourceIpGroups |
List of source IpGroups for this rule. |
string[] |
FirewallPolicyIntrusionDetectionConfiguration
FirewallPolicyIntrusionDetectionSignatureSpecification
| Name |
Description |
Value |
| id |
Signature id. |
string |
| mode |
The signature state. |
'Alert'
'Deny'
'Off' |
FirewallPolicyLogAnalyticsResources
FirewallPolicyLogAnalyticsWorkspace
| Name |
Description |
Value |
| region |
Region to configure the Workspace. |
string |
| workspaceId |
The workspace Id for Firewall Policy Insights. |
SubResource |
FirewallPolicySku
| Name |
Description |
Value |
| tier |
Tier of Firewall Policy. |
'Premium'
'Standard' |
FirewallPolicySnat
| Name |
Description |
Value |
| privateRanges |
List of private IP addresses/IP address ranges to not be SNAT. |
string[] |
FirewallPolicyThreatIntelWhitelist
| Name |
Description |
Value |
| fqdns |
List of FQDNs for the ThreatIntel Whitelist. |
string[] |
| ipAddresses |
List of IP addresses for the ThreatIntel Whitelist. |
string[] |
FirewallPolicyTransportSecurity
ManagedServiceIdentity
| Name |
Description |
Value |
| type |
The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. |
'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' |
| userAssignedIdentities |
The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
SubResource
| Name |
Description |
Value |
| id |
Resource ID. |
string |
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File |
Description |
| Create a Firewall and FirewallPolicy with Rules and Ipgroups |
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
| Secured virtual hubs |
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
| Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology |
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
ARM template resource definition
The firewallPolicies resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/firewallPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2021-02-01",
"name": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"location": "string",
"properties": {
"basePolicy": {
"id": "string"
},
"dnsSettings": {
"enableProxy": "bool",
"requireProxyForNetworkRules": "bool",
"servers": [ "string" ]
},
"insights": {
"isEnabled": "bool",
"logAnalyticsResources": {
"defaultWorkspaceId": {
"id": "string"
},
"workspaces": [
{
"region": "string",
"workspaceId": {
"id": "string"
}
}
]
},
"retentionDays": "int"
},
"intrusionDetection": {
"configuration": {
"bypassTrafficSettings": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationIpGroups": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocol": "string",
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ]
}
],
"signatureOverrides": [
{
"id": "string",
"mode": "string"
}
]
},
"mode": "string"
},
"sku": {
"tier": "string"
},
"snat": {
"privateRanges": [ "string" ]
},
"threatIntelMode": "string",
"threatIntelWhitelist": {
"fqdns": [ "string" ],
"ipAddresses": [ "string" ]
},
"transportSecurity": {
"certificateAuthority": {
"keyVaultSecretId": "string",
"name": "string"
}
}
},
"tags": {
"{customized property}": "string"
}
}
Property Values
Microsoft.Network/firewallPolicies
| Name |
Description |
Value |
| apiVersion |
The api version |
'2021-02-01' |
| identity |
The identity of the firewall policy. |
ManagedServiceIdentity |
| location |
Resource location. |
string |
| name |
The resource name |
string (required) |
| properties |
Properties of the firewall policy. |
FirewallPolicyPropertiesFormat |
| tags |
Resource tags |
Dictionary of tag names and values. See Tags in templates |
| type |
The resource type |
'Microsoft.Network/firewallPolicies' |
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
DnsSettings
| Name |
Description |
Value |
| enableProxy |
Enable DNS Proxy on Firewalls attached to the Firewall Policy. |
bool |
| requireProxyForNetworkRules |
FQDNs in Network Rules are supported when set to true. |
bool |
| servers |
List of Custom DNS Servers. |
string[] |
FirewallPolicyCertificateAuthority
| Name |
Description |
Value |
| keyVaultSecretId |
Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. |
string |
| name |
Name of the CA certificate. |
string |
FirewallPolicyInsights
| Name |
Description |
Value |
| isEnabled |
A flag to indicate if the insights are enabled on the policy. |
bool |
| logAnalyticsResources |
Workspaces needed to configure the Firewall Policy Insights. |
FirewallPolicyLogAnalyticsResources |
| retentionDays |
Number of days the insights should be enabled on the policy. |
int |
FirewallPolicyIntrusionDetection
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
| Name |
Description |
Value |
| description |
Description of the bypass traffic rule. |
string |
| destinationAddresses |
List of destination IP addresses or ranges for this rule. |
string[] |
| destinationIpGroups |
List of destination IpGroups for this rule. |
string[] |
| destinationPorts |
List of destination ports or ranges. |
string[] |
| name |
Name of the bypass traffic rule. |
string |
| protocol |
The rule bypass protocol. |
'ANY'
'ICMP'
'TCP'
'UDP' |
| sourceAddresses |
List of source IP addresses or ranges for this rule. |
string[] |
| sourceIpGroups |
List of source IpGroups for this rule. |
string[] |
FirewallPolicyIntrusionDetectionConfiguration
FirewallPolicyIntrusionDetectionSignatureSpecification
| Name |
Description |
Value |
| id |
Signature id. |
string |
| mode |
The signature state. |
'Alert'
'Deny'
'Off' |
FirewallPolicyLogAnalyticsResources
FirewallPolicyLogAnalyticsWorkspace
| Name |
Description |
Value |
| region |
Region to configure the Workspace. |
string |
| workspaceId |
The workspace Id for Firewall Policy Insights. |
SubResource |
FirewallPolicySku
| Name |
Description |
Value |
| tier |
Tier of Firewall Policy. |
'Premium'
'Standard' |
FirewallPolicySnat
| Name |
Description |
Value |
| privateRanges |
List of private IP addresses/IP address ranges to not be SNAT. |
string[] |
FirewallPolicyThreatIntelWhitelist
| Name |
Description |
Value |
| fqdns |
List of FQDNs for the ThreatIntel Whitelist. |
string[] |
| ipAddresses |
List of IP addresses for the ThreatIntel Whitelist. |
string[] |
FirewallPolicyTransportSecurity
ManagedServiceIdentity
| Name |
Description |
Value |
| type |
The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. |
'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' |
| userAssignedIdentities |
The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
SubResource
| Name |
Description |
Value |
| id |
Resource ID. |
string |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template |
Description |
Create a Firewall and FirewallPolicy with Rules and Ipgroups
 |
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Create a Firewall with FirewallPolicy and IpGroups
|
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a Firewall, FirewallPolicy with Explicit Proxy
|
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a sandbox setup with Firewall Policy
|
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges |
Secured virtual hubs
|
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
Testing environment for Azure Firewall Premium
|
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology
|
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
The firewallPolicies resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/firewallPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/firewallPolicies@2021-02-01"
name = "string"
parent_id = "string"
identity {
type = "string"
identity_ids = [
"string"
]
}
location = "string"
tags = {
{customized property} = "string"
}
body = {
properties = {
basePolicy = {
id = "string"
}
dnsSettings = {
enableProxy = bool
requireProxyForNetworkRules = bool
servers = [
"string"
]
}
insights = {
isEnabled = bool
logAnalyticsResources = {
defaultWorkspaceId = {
id = "string"
}
workspaces = [
{
region = "string"
workspaceId = {
id = "string"
}
}
]
}
retentionDays = int
}
intrusionDetection = {
configuration = {
bypassTrafficSettings = [
{
description = "string"
destinationAddresses = [
"string"
]
destinationIpGroups = [
"string"
]
destinationPorts = [
"string"
]
name = "string"
protocol = "string"
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
}
]
signatureOverrides = [
{
id = "string"
mode = "string"
}
]
}
mode = "string"
}
sku = {
tier = "string"
}
snat = {
privateRanges = [
"string"
]
}
threatIntelMode = "string"
threatIntelWhitelist = {
fqdns = [
"string"
]
ipAddresses = [
"string"
]
}
transportSecurity = {
certificateAuthority = {
keyVaultSecretId = "string"
name = "string"
}
}
}
}
}
Property Values
Microsoft.Network/firewallPolicies
| Name |
Description |
Value |
| identity |
The identity of the firewall policy. |
ManagedServiceIdentity |
| location |
Resource location. |
string |
| name |
The resource name |
string (required) |
| properties |
Properties of the firewall policy. |
FirewallPolicyPropertiesFormat |
| tags |
Resource tags |
Dictionary of tag names and values. |
| type |
The resource type |
"Microsoft.Network/firewallPolicies@2021-02-01" |
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
DnsSettings
| Name |
Description |
Value |
| enableProxy |
Enable DNS Proxy on Firewalls attached to the Firewall Policy. |
bool |
| requireProxyForNetworkRules |
FQDNs in Network Rules are supported when set to true. |
bool |
| servers |
List of Custom DNS Servers. |
string[] |
FirewallPolicyCertificateAuthority
| Name |
Description |
Value |
| keyVaultSecretId |
Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. |
string |
| name |
Name of the CA certificate. |
string |
FirewallPolicyInsights
| Name |
Description |
Value |
| isEnabled |
A flag to indicate if the insights are enabled on the policy. |
bool |
| logAnalyticsResources |
Workspaces needed to configure the Firewall Policy Insights. |
FirewallPolicyLogAnalyticsResources |
| retentionDays |
Number of days the insights should be enabled on the policy. |
int |
FirewallPolicyIntrusionDetection
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
| Name |
Description |
Value |
| description |
Description of the bypass traffic rule. |
string |
| destinationAddresses |
List of destination IP addresses or ranges for this rule. |
string[] |
| destinationIpGroups |
List of destination IpGroups for this rule. |
string[] |
| destinationPorts |
List of destination ports or ranges. |
string[] |
| name |
Name of the bypass traffic rule. |
string |
| protocol |
The rule bypass protocol. |
'ANY'
'ICMP'
'TCP'
'UDP' |
| sourceAddresses |
List of source IP addresses or ranges for this rule. |
string[] |
| sourceIpGroups |
List of source IpGroups for this rule. |
string[] |
FirewallPolicyIntrusionDetectionConfiguration
FirewallPolicyIntrusionDetectionSignatureSpecification
| Name |
Description |
Value |
| id |
Signature id. |
string |
| mode |
The signature state. |
'Alert'
'Deny'
'Off' |
FirewallPolicyLogAnalyticsResources
FirewallPolicyLogAnalyticsWorkspace
| Name |
Description |
Value |
| region |
Region to configure the Workspace. |
string |
| workspaceId |
The workspace Id for Firewall Policy Insights. |
SubResource |
FirewallPolicySku
| Name |
Description |
Value |
| tier |
Tier of Firewall Policy. |
'Premium'
'Standard' |
FirewallPolicySnat
| Name |
Description |
Value |
| privateRanges |
List of private IP addresses/IP address ranges to not be SNAT. |
string[] |
FirewallPolicyThreatIntelWhitelist
| Name |
Description |
Value |
| fqdns |
List of FQDNs for the ThreatIntel Whitelist. |
string[] |
| ipAddresses |
List of IP addresses for the ThreatIntel Whitelist. |
string[] |
FirewallPolicyTransportSecurity
ManagedServiceIdentity
| Name |
Description |
Value |
| type |
The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. |
'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' |
| userAssignedIdentities |
The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
ManagedServiceIdentityUserAssignedIdentities |
ManagedServiceIdentityUserAssignedIdentities
SubResource
| Name |
Description |
Value |
| id |
Resource ID. |
string |
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.