Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies 2022-05-01

• Latest
• 2024-03-01
• 2024-01-01
• 2023-11-01
• 2023-09-01
• 2023-06-01
• 2023-05-01
• 2023-04-01
• 2023-02-01
• 2022-11-01
• 2022-09-01
• 2022-07-01
• 2022-05-01
• 2022-01-01
• 2021-08-01
• 2021-05-01
• 2021-03-01
• 2021-02-01
• 2020-11-01
• 2020-08-01
• 2020-07-01
• 2020-06-01
• 2020-05-01
• 2020-04-01
• 2020-03-01
• 2019-12-01
• 2019-11-01
• 2019-09-01
• 2019-08-01
• 2019-07-01
• 2019-06-01
• 2019-04-01
• 2019-02-01
• 2018-12-01

Bicep resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

• Resource groups - See resource group deployment commands

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-05-01' = {
  location: 'string'
  name: 'string'
  properties: {
    customRules: [
      {
        action: 'string'
        matchConditions: [
          {
            matchValues: [
              'string'
            ]
            matchVariables: [
              {
                selector: 'string'
                variableName: 'string'
              }
            ]
            negationConditon: bool
            operator: 'string'
            transforms: [
              'string'
            ]
          }
        ]
        name: 'string'
        priority: int
        ruleType: 'string'
      }
    ]
    managedRules: {
      exclusions: [
        {
          exclusionManagedRuleSets: [
            {
              ruleGroups: [
                {
                  ruleGroupName: 'string'
                  rules: [
                    {
                      ruleId: 'string'
                    }
                  ]
                }
              ]
              ruleSetType: 'string'
              ruleSetVersion: 'string'
            }
          ]
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
        }
      ]
      managedRuleSets: [
        {
          ruleGroupOverrides: [
            {
              ruleGroupName: 'string'
              rules: [
                {
                  action: 'string'
                  ruleId: 'string'
                  state: 'string'
                }
              ]
            }
          ]
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      fileUploadLimitInMb: int
      maxRequestBodySizeInKb: int
      mode: 'string'
      requestBodyCheck: bool
      state: 'string'
    }
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

ExclusionManagedRule

Name	Description	Value
ruleId	Identifier for the managed rule.	string (required)

ExclusionManagedRuleGroup

Name	Description	Value
ruleGroupName	The managed rule group for exclusion.	string (required)
rules	List of rules that will be excluded. If none specified, all rules in the group will be excluded.	ExclusionManagedRule[]

ExclusionManagedRuleSet

Name	Description	Value
ruleGroups	Defines the rule groups to apply to the rule set.	ExclusionManagedRuleGroup[]
ruleSetType	Defines the rule set type to use.	string (required)
ruleSetVersion	Defines the version of the rule set to use.	string (required)

ManagedRuleGroupOverride

Name	Description	Value
ruleGroupName	The managed rule group to override.	string (required)
rules	List of rules that will be disabled. If none specified, all rules in the group will be disabled.	ManagedRuleOverride[]

ManagedRuleOverride

Name	Description	Value
action	Describes the override action to be applied when rule matches.	'Allow' 'AnomalyScoring' 'Block' 'Log'
ruleId	Identifier for the managed rule.	string (required)
state	The state of the managed rule. Defaults to Disabled if not specified.	'Disabled' 'Enabled'

ManagedRulesDefinition

Name	Description	Value
exclusions	The Exclusions that are applied on the policy.	OwaspCrsExclusionEntry[]
managedRuleSets	The managed rule sets that are associated with the policy.	ManagedRuleSet[] (required)

ManagedRuleSet

Name	Description	Value
ruleGroupOverrides	Defines the rule group overrides to apply to the rule set.	ManagedRuleGroupOverride[]
ruleSetType	Defines the rule set type to use.	string (required)
ruleSetVersion	Defines the version of the rule set to use.	string (required)

MatchCondition

Name	Description	Value
matchValues	Match value.	string[] (required)
matchVariables	List of match variables.	MatchVariable[] (required)
negationConditon	Whether this is negate condition or not.	bool
operator	The operator to be matched.	'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required)
transforms	List of transforms.	String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode'

MatchVariable

Name	Description	Value
selector	The selector of match variable.	string
variableName	Match Variable.	'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name	Description	Value
location	Resource location.	string
name	The resource name	string Constraints: Max length = (required)
properties	Properties of the web application firewall policy.	WebApplicationFirewallPolicyPropertiesFormat
tags	Resource tags	Dictionary of tag names and values. See Tags in templates

OwaspCrsExclusionEntry

Name	Description	Value
exclusionManagedRuleSets	The managed rule sets that are associated with the exclusion.	ExclusionManagedRuleSet[]
matchVariable	The variable to be excluded.	'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required)
selector	When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.	string (required)
selectorMatchOperator	When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.	'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required)

PolicySettings

Name	Description	Value
fileUploadLimitInMb	Maximum file upload size in Mb for WAF.	int Constraints: Min value = 0
maxRequestBodySizeInKb	Maximum request body size in Kb for WAF.	int Constraints: Min value = 8
mode	The mode of the policy.	'Detection' 'Prevention'
requestBodyCheck	Whether to allow WAF to check request Body.	bool
state	The state of the policy.	'Disabled' 'Enabled'

ResourceTags

Name	Description	Value

WebApplicationFirewallCustomRule

Name	Description	Value
action	Type of Actions.	'Allow' 'Block' 'Log' (required)
matchConditions	List of match conditions.	MatchCondition[] (required)
name	The name of the resource that is unique within a policy. This name can be used to access the resource.	string Constraints: Max length =
priority	Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.	int (required)
ruleType	The rule type.	'Invalid' 'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name	Description	Value
customRules	The custom rules inside the policy.	WebApplicationFirewallCustomRule[]
managedRules	Describes the managedRules structure.	ManagedRulesDefinition (required)
policySettings	The PolicySettings for policy.	PolicySettings

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File	Description
AKS Cluster with a NAT Gateway and an Application Gateway	This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller	This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy	This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway	This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin	This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway	This template creates a Front Door Standard/Premium with a container group and Application Gateway.

ARM template resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

• Resource groups - See resource group deployment commands

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2022-05-01",
  "name": "string",
  "location": "string",
  "properties": {
    "customRules": [
      {
        "action": "string",
        "matchConditions": [
          {
            "matchValues": [ "string" ],
            "matchVariables": [
              {
                "selector": "string",
                "variableName": "string"
              }
            ],
            "negationConditon": "bool",
            "operator": "string",
            "transforms": [ "string" ]
          }
        ],
        "name": "string",
        "priority": "int",
        "ruleType": "string"
      }
    ],
    "managedRules": {
      "exclusions": [
        {
          "exclusionManagedRuleSets": [
            {
              "ruleGroups": [
                {
                  "ruleGroupName": "string",
                  "rules": [
                    {
                      "ruleId": "string"
                    }
                  ]
                }
              ],
              "ruleSetType": "string",
              "ruleSetVersion": "string"
            }
          ],
          "matchVariable": "string",
          "selector": "string",
          "selectorMatchOperator": "string"
        }
      ],
      "managedRuleSets": [
        {
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "string",
              "rules": [
                {
                  "action": "string",
                  "ruleId": "string",
                  "state": "string"
                }
              ]
            }
          ],
          "ruleSetType": "string",
          "ruleSetVersion": "string"
        }
      ]
    },
    "policySettings": {
      "fileUploadLimitInMb": "int",
      "maxRequestBodySizeInKb": "int",
      "mode": "string",
      "requestBodyCheck": "bool",
      "state": "string"
    }
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

ExclusionManagedRule

Name	Description	Value
ruleId	Identifier for the managed rule.	string (required)

ExclusionManagedRuleGroup

Name	Description	Value
ruleGroupName	The managed rule group for exclusion.	string (required)
rules	List of rules that will be excluded. If none specified, all rules in the group will be excluded.	ExclusionManagedRule[]

ExclusionManagedRuleSet

Name	Description	Value
ruleGroups	Defines the rule groups to apply to the rule set.	ExclusionManagedRuleGroup[]
ruleSetType	Defines the rule set type to use.	string (required)
ruleSetVersion	Defines the version of the rule set to use.	string (required)

ManagedRuleGroupOverride

Name	Description	Value
ruleGroupName	The managed rule group to override.	string (required)
rules	List of rules that will be disabled. If none specified, all rules in the group will be disabled.	ManagedRuleOverride[]

ManagedRuleOverride

Name	Description	Value
action	Describes the override action to be applied when rule matches.	'Allow' 'AnomalyScoring' 'Block' 'Log'
ruleId	Identifier for the managed rule.	string (required)
state	The state of the managed rule. Defaults to Disabled if not specified.	'Disabled' 'Enabled'

ManagedRulesDefinition

Name	Description	Value
exclusions	The Exclusions that are applied on the policy.	OwaspCrsExclusionEntry[]
managedRuleSets	The managed rule sets that are associated with the policy.	ManagedRuleSet[] (required)

ManagedRuleSet

Name	Description	Value
ruleGroupOverrides	Defines the rule group overrides to apply to the rule set.	ManagedRuleGroupOverride[]
ruleSetType	Defines the rule set type to use.	string (required)
ruleSetVersion	Defines the version of the rule set to use.	string (required)

MatchCondition

Name	Description	Value
matchValues	Match value.	string[] (required)
matchVariables	List of match variables.	MatchVariable[] (required)
negationConditon	Whether this is negate condition or not.	bool
operator	The operator to be matched.	'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required)
transforms	List of transforms.	String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode'

MatchVariable

Name	Description	Value
selector	The selector of match variable.	string
variableName	Match Variable.	'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name	Description	Value
apiVersion	The api version	'2022-05-01'
location	Resource location.	string
name	The resource name	string Constraints: Max length = (required)
properties	Properties of the web application firewall policy.	WebApplicationFirewallPolicyPropertiesFormat
tags	Resource tags	Dictionary of tag names and values. See Tags in templates
type	The resource type	'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies'

OwaspCrsExclusionEntry

Name	Description	Value
exclusionManagedRuleSets	The managed rule sets that are associated with the exclusion.	ExclusionManagedRuleSet[]
matchVariable	The variable to be excluded.	'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required)
selector	When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.	string (required)
selectorMatchOperator	When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.	'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required)

PolicySettings

Name	Description	Value
fileUploadLimitInMb	Maximum file upload size in Mb for WAF.	int Constraints: Min value = 0
maxRequestBodySizeInKb	Maximum request body size in Kb for WAF.	int Constraints: Min value = 8
mode	The mode of the policy.	'Detection' 'Prevention'
requestBodyCheck	Whether to allow WAF to check request Body.	bool
state	The state of the policy.	'Disabled' 'Enabled'

ResourceTags

Name	Description	Value

WebApplicationFirewallCustomRule

Name	Description	Value
action	Type of Actions.	'Allow' 'Block' 'Log' (required)
matchConditions	List of match conditions.	MatchCondition[] (required)
name	The name of the resource that is unique within a policy. This name can be used to access the resource.	string Constraints: Max length =
priority	Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.	int (required)
ruleType	The rule type.	'Invalid' 'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name	Description	Value
customRules	The custom rules inside the policy.	WebApplicationFirewallCustomRule[]
managedRules	Describes the managedRules structure.	ManagedRulesDefinition (required)
policySettings	The PolicySettings for policy.	PolicySettings

Quickstart templates

The following quickstart templates deploy this resource type.

Template	Description
AKS Cluster with a NAT Gateway and an Application Gateway	This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller	This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with WAF and firewall policy	This template creates an Application Gateway with WAF configured along with a firewall policy
Create an Azure WAF v2 on Azure Application Gateway	This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool
Front Door Standard/Premium with Application Gateway origin	This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway	This template creates a Front Door Standard/Premium with a container group and Application Gateway.

Terraform (AzAPI provider) resource definition

The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:

• Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-05-01"
  name = "string"
  location = "string"
  body = jsonencode({
    properties = {
      customRules = [
        {
          action = "string"
          matchConditions = [
            {
              matchValues = [
                "string"
              ]
              matchVariables = [
                {
                  selector = "string"
                  variableName = "string"
                }
              ]
              negationConditon = bool
              operator = "string"
              transforms = [
                "string"
              ]
            }
          ]
          name = "string"
          priority = int
          ruleType = "string"
        }
      ]
      managedRules = {
        exclusions = [
          {
            exclusionManagedRuleSets = [
              {
                ruleGroups = [
                  {
                    ruleGroupName = "string"
                    rules = [
                      {
                        ruleId = "string"
                      }
                    ]
                  }
                ]
                ruleSetType = "string"
                ruleSetVersion = "string"
              }
            ]
            matchVariable = "string"
            selector = "string"
            selectorMatchOperator = "string"
          }
        ]
        managedRuleSets = [
          {
            ruleGroupOverrides = [
              {
                ruleGroupName = "string"
                rules = [
                  {
                    action = "string"
                    ruleId = "string"
                    state = "string"
                  }
                ]
              }
            ]
            ruleSetType = "string"
            ruleSetVersion = "string"
          }
        ]
      }
      policySettings = {
        fileUploadLimitInMb = int
        maxRequestBodySizeInKb = int
        mode = "string"
        requestBodyCheck = bool
        state = "string"
      }
    }
  })
  tags = {
    {customized property} = "string"
  }
}

Property values

ExclusionManagedRule

Name	Description	Value
ruleId	Identifier for the managed rule.	string (required)

ExclusionManagedRuleGroup

Name	Description	Value
ruleGroupName	The managed rule group for exclusion.	string (required)
rules	List of rules that will be excluded. If none specified, all rules in the group will be excluded.	ExclusionManagedRule[]

ExclusionManagedRuleSet

Name	Description	Value
ruleGroups	Defines the rule groups to apply to the rule set.	ExclusionManagedRuleGroup[]
ruleSetType	Defines the rule set type to use.	string (required)
ruleSetVersion	Defines the version of the rule set to use.	string (required)

ManagedRuleGroupOverride

Name	Description	Value
ruleGroupName	The managed rule group to override.	string (required)
rules	List of rules that will be disabled. If none specified, all rules in the group will be disabled.	ManagedRuleOverride[]

ManagedRuleOverride

Name	Description	Value
action	Describes the override action to be applied when rule matches.	'Allow' 'AnomalyScoring' 'Block' 'Log'
ruleId	Identifier for the managed rule.	string (required)
state	The state of the managed rule. Defaults to Disabled if not specified.	'Disabled' 'Enabled'

ManagedRulesDefinition

Name	Description	Value
exclusions	The Exclusions that are applied on the policy.	OwaspCrsExclusionEntry[]
managedRuleSets	The managed rule sets that are associated with the policy.	ManagedRuleSet[] (required)

ManagedRuleSet

Name	Description	Value
ruleGroupOverrides	Defines the rule group overrides to apply to the rule set.	ManagedRuleGroupOverride[]
ruleSetType	Defines the rule set type to use.	string (required)
ruleSetVersion	Defines the version of the rule set to use.	string (required)

MatchCondition

Name	Description	Value
matchValues	Match value.	string[] (required)
matchVariables	List of match variables.	MatchVariable[] (required)
negationConditon	Whether this is negate condition or not.	bool
operator	The operator to be matched.	'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required)
transforms	List of transforms.	String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode'

MatchVariable

Name	Description	Value
selector	The selector of match variable.	string
variableName	Match Variable.	'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required)

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Name	Description	Value
location	Resource location.	string
name	The resource name	string Constraints: Max length = (required)
properties	Properties of the web application firewall policy.	WebApplicationFirewallPolicyPropertiesFormat
tags	Resource tags	Dictionary of tag names and values.
type	The resource type	"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-05-01"

OwaspCrsExclusionEntry

Name	Description	Value
exclusionManagedRuleSets	The managed rule sets that are associated with the exclusion.	ExclusionManagedRuleSet[]
matchVariable	The variable to be excluded.	'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required)
selector	When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.	string (required)
selectorMatchOperator	When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.	'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required)

PolicySettings

Name	Description	Value
fileUploadLimitInMb	Maximum file upload size in Mb for WAF.	int Constraints: Min value = 0
maxRequestBodySizeInKb	Maximum request body size in Kb for WAF.	int Constraints: Min value = 8
mode	The mode of the policy.	'Detection' 'Prevention'
requestBodyCheck	Whether to allow WAF to check request Body.	bool
state	The state of the policy.	'Disabled' 'Enabled'

ResourceTags

Name	Description	Value

WebApplicationFirewallCustomRule

Name	Description	Value
action	Type of Actions.	'Allow' 'Block' 'Log' (required)
matchConditions	List of match conditions.	MatchCondition[] (required)
name	The name of the resource that is unique within a policy. This name can be used to access the resource.	string Constraints: Max length =
priority	Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.	int (required)
ruleType	The rule type.	'Invalid' 'MatchRule' (required)

WebApplicationFirewallPolicyPropertiesFormat

Name	Description	Value
customRules	The custom rules inside the policy.	WebApplicationFirewallCustomRule[]
managedRules	Describes the managedRules structure.	ManagedRulesDefinition (required)
policySettings	The PolicySettings for policy.	PolicySettings