Microsoft.Network ApplicationGatewayWebApplicationFirewallPolicies 2024-03-01
- Latest
- 2024-03-01
- 2024-01-01
- 2023-11-01
- 2023-09-01
- 2023-06-01
- 2023-05-01
- 2023-04-01
- 2023-02-01
- 2022-11-01
- 2022-09-01
- 2022-07-01
- 2022-05-01
- 2022-01-01
- 2021-08-01
- 2021-05-01
- 2021-03-01
- 2021-02-01
- 2020-11-01
- 2020-08-01
- 2020-07-01
- 2020-06-01
- 2020-05-01
- 2020-04-01
- 2020-03-01
- 2019-12-01
- 2019-11-01
- 2019-09-01
- 2019-08-01
- 2019-07-01
- 2019-06-01
- 2019-04-01
- 2019-02-01
- 2018-12-01
Bicep resource definition
The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-03-01' = {
location: 'string'
name: 'string'
properties: {
customRules: [
{
action: 'string'
groupByUserSession: [
{
groupByVariables: [
{
variableName: 'string'
}
]
}
]
matchConditions: [
{
matchValues: [
'string'
]
matchVariables: [
{
selector: 'string'
variableName: 'string'
}
]
negationConditon: bool
operator: 'string'
transforms: [
'string'
]
}
]
name: 'string'
priority: int
rateLimitDuration: 'string'
rateLimitThreshold: int
ruleType: 'string'
state: 'string'
}
]
managedRules: {
exceptions: [
{
exceptionManagedRuleSets: [
{
ruleGroups: [
{
ruleGroupName: 'string'
rules: [
{
ruleId: 'string'
}
]
}
]
ruleSetType: 'string'
ruleSetVersion: 'string'
}
]
matchVariable: 'string'
selector: 'string'
selectorMatchOperator: 'string'
valueMatchOperator: 'string'
values: [
'string'
]
}
]
exclusions: [
{
exclusionManagedRuleSets: [
{
ruleGroups: [
{
ruleGroupName: 'string'
rules: [
{
ruleId: 'string'
}
]
}
]
ruleSetType: 'string'
ruleSetVersion: 'string'
}
]
matchVariable: 'string'
selector: 'string'
selectorMatchOperator: 'string'
}
]
managedRuleSets: [
{
ruleGroupOverrides: [
{
ruleGroupName: 'string'
rules: [
{
action: 'string'
ruleId: 'string'
sensitivity: 'string'
state: 'string'
}
]
}
]
ruleSetType: 'string'
ruleSetVersion: 'string'
}
]
}
policySettings: {
customBlockResponseBody: 'string'
customBlockResponseStatusCode: int
fileUploadEnforcement: bool
fileUploadLimitInMb: int
jsChallengeCookieExpirationInMins: int
logScrubbing: {
scrubbingRules: [
{
matchVariable: 'string'
selector: 'string'
selectorMatchOperator: 'string'
state: 'string'
}
]
state: 'string'
}
maxRequestBodySizeInKb: int
mode: 'string'
requestBodyCheck: bool
requestBodyEnforcement: bool
requestBodyInspectLimitInKB: int
state: 'string'
}
}
tags: {
{customized property}: 'string'
}
}
Property values
ExceptionEntry
Name | Description | Value |
---|---|---|
exceptionManagedRuleSets | The managed rule sets that are associated with the exception. | ExclusionManagedRuleSet[] |
matchVariable | The variable on which we evaluate the exception condition | 'RemoteAddr' 'RequestHeader' 'RequestURI' (required) |
selector | When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key. | string |
selectorMatchOperator | When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector | 'Contains' 'EndsWith' 'Equals' 'StartsWith' |
valueMatchOperator | Operates on the allowed values for the matchVariable | 'Contains' 'EndsWith' 'Equals' 'IPMatch' 'StartsWith' (required) |
values | Allowed values for the matchVariable | string[] |
ExclusionManagedRule
Name | Description | Value |
---|---|---|
ruleId | Identifier for the managed rule. | string (required) |
ExclusionManagedRuleGroup
Name | Description | Value |
---|---|---|
ruleGroupName | The managed rule group for exclusion. | string (required) |
rules | List of rules that will be excluded. If none specified, all rules in the group will be excluded. | ExclusionManagedRule[] |
ExclusionManagedRuleSet
Name | Description | Value |
---|---|---|
ruleGroups | Defines the rule groups to apply to the rule set. | ExclusionManagedRuleGroup[] |
ruleSetType | Defines the rule set type to use. | string (required) |
ruleSetVersion | Defines the version of the rule set to use. | string (required) |
GroupByUserSession
Name | Description | Value |
---|---|---|
groupByVariables | List of group by clause variables. | GroupByVariable[] (required) |
GroupByVariable
Name | Description | Value |
---|---|---|
variableName | User Session clause variable. | 'ClientAddr' 'GeoLocation' 'None' (required) |
ManagedRuleGroupOverride
Name | Description | Value |
---|---|---|
ruleGroupName | The managed rule group to override. | string (required) |
rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] |
ManagedRuleOverride
Name | Description | Value |
---|---|---|
action | Describes the override action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'JSChallenge' 'Log' |
ruleId | Identifier for the managed rule. | string (required) |
sensitivity | Describes the override sensitivity to be applied when rule matches. | 'High' 'Low' 'Medium' 'None' |
state | The state of the managed rule. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' |
ManagedRulesDefinition
Name | Description | Value |
---|---|---|
exceptions | The exceptions that are applied on the policy. | ExceptionEntry[] |
exclusions | The Exclusions that are applied on the policy. | OwaspCrsExclusionEntry[] |
managedRuleSets | The managed rule sets that are associated with the policy. | ManagedRuleSet[] (required) |
ManagedRuleSet
Name | Description | Value |
---|---|---|
ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] |
ruleSetType | Defines the rule set type to use. | string (required) |
ruleSetVersion | Defines the version of the rule set to use. | string (required) |
MatchCondition
Name | Description | Value |
---|---|---|
matchValues | Match value. | string[] (required) |
matchVariables | List of match variables. | MatchVariable[] (required) |
negationConditon | Whether this is negate condition or not. | bool |
operator | The operator to be matched. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required) |
transforms | List of transforms. | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
MatchVariable
Name | Description | Value |
---|---|---|
selector | The selector of match variable. | string |
variableName | Match Variable. | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required) |
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
Name | Description | Value |
---|---|---|
location | Resource location. | string |
name | The resource name | string Constraints: Max length = (required) |
properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
OwaspCrsExclusionEntry
Name | Description | Value |
---|---|---|
exclusionManagedRuleSets | The managed rule sets that are associated with the exclusion. | ExclusionManagedRuleSet[] |
matchVariable | The variable to be excluded. | 'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required) |
selector | When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. | string (required) |
selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) |
PolicySettings
Name | Description | Value |
---|---|---|
customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Max length = Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ |
customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int Constraints: Min value = 0 |
fileUploadEnforcement | Whether allow WAF to enforce file upload limits. | bool |
fileUploadLimitInMb | Maximum file upload size in Mb for WAF. | int Constraints: Min value = 0 |
jsChallengeCookieExpirationInMins | Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. | int Constraints: Min value = 5 Max value = 1440 |
logScrubbing | To scrub sensitive log fields | PolicySettingsLogScrubbing |
maxRequestBodySizeInKb | Maximum request body size in Kb for WAF. | int Constraints: Min value = 8 |
mode | The mode of the policy. | 'Detection' 'Prevention' |
requestBodyCheck | Whether to allow WAF to check request Body. | bool |
requestBodyEnforcement | Whether allow WAF to enforce request body limits. | bool |
requestBodyInspectLimitInKB | Max inspection limit in KB for request body inspection for WAF. | int |
state | The state of the policy. | 'Disabled' 'Enabled' |
PolicySettingsLogScrubbing
Name | Description | Value |
---|---|---|
scrubbingRules | The rules that are applied to the logs for scrubbing. | WebApplicationFirewallScrubbingRules[] |
state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' |
ResourceTags
Name | Description | Value |
---|
WebApplicationFirewallCustomRule
Name | Description | Value |
---|---|---|
action | Type of Actions. | 'Allow' 'Block' 'JSChallenge' 'Log' (required) |
groupByUserSession | List of user session identifier group by clauses. | GroupByUserSession[] |
matchConditions | List of match conditions. | MatchCondition[] (required) |
name | The name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = |
priority | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
rateLimitDuration | Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. | 'FiveMins' 'OneMin' |
rateLimitThreshold | Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1 | int |
ruleType | The rule type. | 'Invalid' 'MatchRule' 'RateLimitRule' (required) |
state | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
WebApplicationFirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
customRules | The custom rules inside the policy. | WebApplicationFirewallCustomRule[] |
managedRules | Describes the managedRules structure. | ManagedRulesDefinition (required) |
policySettings | The PolicySettings for policy. | PolicySettings |
WebApplicationFirewallScrubbingRules
Name | Description | Value |
---|---|---|
matchVariable | The variable to be scrubbed from the logs. | 'RequestArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestJSONArgNames' 'RequestPostArgNames' (required) |
selector | When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. | string |
selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) |
state | Defines the state of log scrubbing rule. Default value is Enabled. | 'Disabled' 'Enabled' |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy |
Create an Azure WAF v2 on Azure Application Gateway | This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool |
Front Door Standard/Premium with Application Gateway origin | This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin. |
Front Door with Container Instances and Application Gateway | This template creates a Front Door Standard/Premium with a container group and Application Gateway. |
ARM template resource definition
The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"apiVersion": "2024-03-01",
"name": "string",
"location": "string",
"properties": {
"customRules": [
{
"action": "string",
"groupByUserSession": [
{
"groupByVariables": [
{
"variableName": "string"
}
]
}
],
"matchConditions": [
{
"matchValues": [ "string" ],
"matchVariables": [
{
"selector": "string",
"variableName": "string"
}
],
"negationConditon": "bool",
"operator": "string",
"transforms": [ "string" ]
}
],
"name": "string",
"priority": "int",
"rateLimitDuration": "string",
"rateLimitThreshold": "int",
"ruleType": "string",
"state": "string"
}
],
"managedRules": {
"exceptions": [
{
"exceptionManagedRuleSets": [
{
"ruleGroups": [
{
"ruleGroupName": "string",
"rules": [
{
"ruleId": "string"
}
]
}
],
"ruleSetType": "string",
"ruleSetVersion": "string"
}
],
"matchVariable": "string",
"selector": "string",
"selectorMatchOperator": "string",
"valueMatchOperator": "string",
"values": [ "string" ]
}
],
"exclusions": [
{
"exclusionManagedRuleSets": [
{
"ruleGroups": [
{
"ruleGroupName": "string",
"rules": [
{
"ruleId": "string"
}
]
}
],
"ruleSetType": "string",
"ruleSetVersion": "string"
}
],
"matchVariable": "string",
"selector": "string",
"selectorMatchOperator": "string"
}
],
"managedRuleSets": [
{
"ruleGroupOverrides": [
{
"ruleGroupName": "string",
"rules": [
{
"action": "string",
"ruleId": "string",
"sensitivity": "string",
"state": "string"
}
]
}
],
"ruleSetType": "string",
"ruleSetVersion": "string"
}
]
},
"policySettings": {
"customBlockResponseBody": "string",
"customBlockResponseStatusCode": "int",
"fileUploadEnforcement": "bool",
"fileUploadLimitInMb": "int",
"jsChallengeCookieExpirationInMins": "int",
"logScrubbing": {
"scrubbingRules": [
{
"matchVariable": "string",
"selector": "string",
"selectorMatchOperator": "string",
"state": "string"
}
],
"state": "string"
},
"maxRequestBodySizeInKb": "int",
"mode": "string",
"requestBodyCheck": "bool",
"requestBodyEnforcement": "bool",
"requestBodyInspectLimitInKB": "int",
"state": "string"
}
},
"tags": {
"{customized property}": "string"
}
}
Property values
ExceptionEntry
Name | Description | Value |
---|---|---|
exceptionManagedRuleSets | The managed rule sets that are associated with the exception. | ExclusionManagedRuleSet[] |
matchVariable | The variable on which we evaluate the exception condition | 'RemoteAddr' 'RequestHeader' 'RequestURI' (required) |
selector | When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key. | string |
selectorMatchOperator | When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector | 'Contains' 'EndsWith' 'Equals' 'StartsWith' |
valueMatchOperator | Operates on the allowed values for the matchVariable | 'Contains' 'EndsWith' 'Equals' 'IPMatch' 'StartsWith' (required) |
values | Allowed values for the matchVariable | string[] |
ExclusionManagedRule
Name | Description | Value |
---|---|---|
ruleId | Identifier for the managed rule. | string (required) |
ExclusionManagedRuleGroup
Name | Description | Value |
---|---|---|
ruleGroupName | The managed rule group for exclusion. | string (required) |
rules | List of rules that will be excluded. If none specified, all rules in the group will be excluded. | ExclusionManagedRule[] |
ExclusionManagedRuleSet
Name | Description | Value |
---|---|---|
ruleGroups | Defines the rule groups to apply to the rule set. | ExclusionManagedRuleGroup[] |
ruleSetType | Defines the rule set type to use. | string (required) |
ruleSetVersion | Defines the version of the rule set to use. | string (required) |
GroupByUserSession
Name | Description | Value |
---|---|---|
groupByVariables | List of group by clause variables. | GroupByVariable[] (required) |
GroupByVariable
Name | Description | Value |
---|---|---|
variableName | User Session clause variable. | 'ClientAddr' 'GeoLocation' 'None' (required) |
ManagedRuleGroupOverride
Name | Description | Value |
---|---|---|
ruleGroupName | The managed rule group to override. | string (required) |
rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] |
ManagedRuleOverride
Name | Description | Value |
---|---|---|
action | Describes the override action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'JSChallenge' 'Log' |
ruleId | Identifier for the managed rule. | string (required) |
sensitivity | Describes the override sensitivity to be applied when rule matches. | 'High' 'Low' 'Medium' 'None' |
state | The state of the managed rule. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' |
ManagedRulesDefinition
Name | Description | Value |
---|---|---|
exceptions | The exceptions that are applied on the policy. | ExceptionEntry[] |
exclusions | The Exclusions that are applied on the policy. | OwaspCrsExclusionEntry[] |
managedRuleSets | The managed rule sets that are associated with the policy. | ManagedRuleSet[] (required) |
ManagedRuleSet
Name | Description | Value |
---|---|---|
ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] |
ruleSetType | Defines the rule set type to use. | string (required) |
ruleSetVersion | Defines the version of the rule set to use. | string (required) |
MatchCondition
Name | Description | Value |
---|---|---|
matchValues | Match value. | string[] (required) |
matchVariables | List of match variables. | MatchVariable[] (required) |
negationConditon | Whether this is negate condition or not. | bool |
operator | The operator to be matched. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required) |
transforms | List of transforms. | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
MatchVariable
Name | Description | Value |
---|---|---|
selector | The selector of match variable. | string |
variableName | Match Variable. | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required) |
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2024-03-01' |
location | Resource location. | string |
name | The resource name | string Constraints: Max length = (required) |
properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies' |
OwaspCrsExclusionEntry
Name | Description | Value |
---|---|---|
exclusionManagedRuleSets | The managed rule sets that are associated with the exclusion. | ExclusionManagedRuleSet[] |
matchVariable | The variable to be excluded. | 'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required) |
selector | When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. | string (required) |
selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) |
PolicySettings
Name | Description | Value |
---|---|---|
customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Max length = Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ |
customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int Constraints: Min value = 0 |
fileUploadEnforcement | Whether allow WAF to enforce file upload limits. | bool |
fileUploadLimitInMb | Maximum file upload size in Mb for WAF. | int Constraints: Min value = 0 |
jsChallengeCookieExpirationInMins | Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. | int Constraints: Min value = 5 Max value = 1440 |
logScrubbing | To scrub sensitive log fields | PolicySettingsLogScrubbing |
maxRequestBodySizeInKb | Maximum request body size in Kb for WAF. | int Constraints: Min value = 8 |
mode | The mode of the policy. | 'Detection' 'Prevention' |
requestBodyCheck | Whether to allow WAF to check request Body. | bool |
requestBodyEnforcement | Whether allow WAF to enforce request body limits. | bool |
requestBodyInspectLimitInKB | Max inspection limit in KB for request body inspection for WAF. | int |
state | The state of the policy. | 'Disabled' 'Enabled' |
PolicySettingsLogScrubbing
Name | Description | Value |
---|---|---|
scrubbingRules | The rules that are applied to the logs for scrubbing. | WebApplicationFirewallScrubbingRules[] |
state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' |
ResourceTags
Name | Description | Value |
---|
WebApplicationFirewallCustomRule
Name | Description | Value |
---|---|---|
action | Type of Actions. | 'Allow' 'Block' 'JSChallenge' 'Log' (required) |
groupByUserSession | List of user session identifier group by clauses. | GroupByUserSession[] |
matchConditions | List of match conditions. | MatchCondition[] (required) |
name | The name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = |
priority | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
rateLimitDuration | Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. | 'FiveMins' 'OneMin' |
rateLimitThreshold | Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1 | int |
ruleType | The rule type. | 'Invalid' 'MatchRule' 'RateLimitRule' (required) |
state | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
WebApplicationFirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
customRules | The custom rules inside the policy. | WebApplicationFirewallCustomRule[] |
managedRules | Describes the managedRules structure. | ManagedRulesDefinition (required) |
policySettings | The PolicySettings for policy. | PolicySettings |
WebApplicationFirewallScrubbingRules
Name | Description | Value |
---|---|---|
matchVariable | The variable to be scrubbed from the logs. | 'RequestArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestJSONArgNames' 'RequestPostArgNames' (required) |
selector | When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. | string |
selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) |
state | Defines the state of log scrubbing rule. Default value is Enabled. | 'Disabled' 'Enabled' |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway |
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller |
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Application Gateway with WAF and firewall policy |
This template creates an Application Gateway with WAF configured along with a firewall policy |
Create an Azure WAF v2 on Azure Application Gateway |
This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool |
Front Door Standard/Premium with Application Gateway origin |
This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin. |
Front Door with Container Instances and Application Gateway |
This template creates a Front Door Standard/Premium with a container group and Application Gateway. |
Terraform (AzAPI provider) resource definition
The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-03-01"
name = "string"
location = "string"
body = jsonencode({
properties = {
customRules = [
{
action = "string"
groupByUserSession = [
{
groupByVariables = [
{
variableName = "string"
}
]
}
]
matchConditions = [
{
matchValues = [
"string"
]
matchVariables = [
{
selector = "string"
variableName = "string"
}
]
negationConditon = bool
operator = "string"
transforms = [
"string"
]
}
]
name = "string"
priority = int
rateLimitDuration = "string"
rateLimitThreshold = int
ruleType = "string"
state = "string"
}
]
managedRules = {
exceptions = [
{
exceptionManagedRuleSets = [
{
ruleGroups = [
{
ruleGroupName = "string"
rules = [
{
ruleId = "string"
}
]
}
]
ruleSetType = "string"
ruleSetVersion = "string"
}
]
matchVariable = "string"
selector = "string"
selectorMatchOperator = "string"
valueMatchOperator = "string"
values = [
"string"
]
}
]
exclusions = [
{
exclusionManagedRuleSets = [
{
ruleGroups = [
{
ruleGroupName = "string"
rules = [
{
ruleId = "string"
}
]
}
]
ruleSetType = "string"
ruleSetVersion = "string"
}
]
matchVariable = "string"
selector = "string"
selectorMatchOperator = "string"
}
]
managedRuleSets = [
{
ruleGroupOverrides = [
{
ruleGroupName = "string"
rules = [
{
action = "string"
ruleId = "string"
sensitivity = "string"
state = "string"
}
]
}
]
ruleSetType = "string"
ruleSetVersion = "string"
}
]
}
policySettings = {
customBlockResponseBody = "string"
customBlockResponseStatusCode = int
fileUploadEnforcement = bool
fileUploadLimitInMb = int
jsChallengeCookieExpirationInMins = int
logScrubbing = {
scrubbingRules = [
{
matchVariable = "string"
selector = "string"
selectorMatchOperator = "string"
state = "string"
}
]
state = "string"
}
maxRequestBodySizeInKb = int
mode = "string"
requestBodyCheck = bool
requestBodyEnforcement = bool
requestBodyInspectLimitInKB = int
state = "string"
}
}
})
tags = {
{customized property} = "string"
}
}
Property values
ExceptionEntry
Name | Description | Value |
---|---|---|
exceptionManagedRuleSets | The managed rule sets that are associated with the exception. | ExclusionManagedRuleSet[] |
matchVariable | The variable on which we evaluate the exception condition | 'RemoteAddr' 'RequestHeader' 'RequestURI' (required) |
selector | When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key. | string |
selectorMatchOperator | When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector | 'Contains' 'EndsWith' 'Equals' 'StartsWith' |
valueMatchOperator | Operates on the allowed values for the matchVariable | 'Contains' 'EndsWith' 'Equals' 'IPMatch' 'StartsWith' (required) |
values | Allowed values for the matchVariable | string[] |
ExclusionManagedRule
Name | Description | Value |
---|---|---|
ruleId | Identifier for the managed rule. | string (required) |
ExclusionManagedRuleGroup
Name | Description | Value |
---|---|---|
ruleGroupName | The managed rule group for exclusion. | string (required) |
rules | List of rules that will be excluded. If none specified, all rules in the group will be excluded. | ExclusionManagedRule[] |
ExclusionManagedRuleSet
Name | Description | Value |
---|---|---|
ruleGroups | Defines the rule groups to apply to the rule set. | ExclusionManagedRuleGroup[] |
ruleSetType | Defines the rule set type to use. | string (required) |
ruleSetVersion | Defines the version of the rule set to use. | string (required) |
GroupByUserSession
Name | Description | Value |
---|---|---|
groupByVariables | List of group by clause variables. | GroupByVariable[] (required) |
GroupByVariable
Name | Description | Value |
---|---|---|
variableName | User Session clause variable. | 'ClientAddr' 'GeoLocation' 'None' (required) |
ManagedRuleGroupOverride
Name | Description | Value |
---|---|---|
ruleGroupName | The managed rule group to override. | string (required) |
rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] |
ManagedRuleOverride
Name | Description | Value |
---|---|---|
action | Describes the override action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'JSChallenge' 'Log' |
ruleId | Identifier for the managed rule. | string (required) |
sensitivity | Describes the override sensitivity to be applied when rule matches. | 'High' 'Low' 'Medium' 'None' |
state | The state of the managed rule. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' |
ManagedRulesDefinition
Name | Description | Value |
---|---|---|
exceptions | The exceptions that are applied on the policy. | ExceptionEntry[] |
exclusions | The Exclusions that are applied on the policy. | OwaspCrsExclusionEntry[] |
managedRuleSets | The managed rule sets that are associated with the policy. | ManagedRuleSet[] (required) |
ManagedRuleSet
Name | Description | Value |
---|---|---|
ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] |
ruleSetType | Defines the rule set type to use. | string (required) |
ruleSetVersion | Defines the version of the rule set to use. | string (required) |
MatchCondition
Name | Description | Value |
---|---|---|
matchValues | Match value. | string[] (required) |
matchVariables | List of match variables. | MatchVariable[] (required) |
negationConditon | Whether this is negate condition or not. | bool |
operator | The operator to be matched. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required) |
transforms | List of transforms. | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
MatchVariable
Name | Description | Value |
---|---|---|
selector | The selector of match variable. | string |
variableName | Match Variable. | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required) |
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
Name | Description | Value |
---|---|---|
location | Resource location. | string |
name | The resource name | string Constraints: Max length = (required) |
properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-03-01" |
OwaspCrsExclusionEntry
Name | Description | Value |
---|---|---|
exclusionManagedRuleSets | The managed rule sets that are associated with the exclusion. | ExclusionManagedRuleSet[] |
matchVariable | The variable to be excluded. | 'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required) |
selector | When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to. | string (required) |
selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) |
PolicySettings
Name | Description | Value |
---|---|---|
customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Max length = Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ |
customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int Constraints: Min value = 0 |
fileUploadEnforcement | Whether allow WAF to enforce file upload limits. | bool |
fileUploadLimitInMb | Maximum file upload size in Mb for WAF. | int Constraints: Min value = 0 |
jsChallengeCookieExpirationInMins | Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. | int Constraints: Min value = 5 Max value = 1440 |
logScrubbing | To scrub sensitive log fields | PolicySettingsLogScrubbing |
maxRequestBodySizeInKb | Maximum request body size in Kb for WAF. | int Constraints: Min value = 8 |
mode | The mode of the policy. | 'Detection' 'Prevention' |
requestBodyCheck | Whether to allow WAF to check request Body. | bool |
requestBodyEnforcement | Whether allow WAF to enforce request body limits. | bool |
requestBodyInspectLimitInKB | Max inspection limit in KB for request body inspection for WAF. | int |
state | The state of the policy. | 'Disabled' 'Enabled' |
PolicySettingsLogScrubbing
Name | Description | Value |
---|---|---|
scrubbingRules | The rules that are applied to the logs for scrubbing. | WebApplicationFirewallScrubbingRules[] |
state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' |
ResourceTags
Name | Description | Value |
---|
WebApplicationFirewallCustomRule
Name | Description | Value |
---|---|---|
action | Type of Actions. | 'Allow' 'Block' 'JSChallenge' 'Log' (required) |
groupByUserSession | List of user session identifier group by clauses. | GroupByUserSession[] |
matchConditions | List of match conditions. | MatchCondition[] (required) |
name | The name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = |
priority | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
rateLimitDuration | Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. | 'FiveMins' 'OneMin' |
rateLimitThreshold | Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1 | int |
ruleType | The rule type. | 'Invalid' 'MatchRule' 'RateLimitRule' (required) |
state | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
WebApplicationFirewallPolicyPropertiesFormat
Name | Description | Value |
---|---|---|
customRules | The custom rules inside the policy. | WebApplicationFirewallCustomRule[] |
managedRules | Describes the managedRules structure. | ManagedRulesDefinition (required) |
policySettings | The PolicySettings for policy. | PolicySettings |
WebApplicationFirewallScrubbingRules
Name | Description | Value |
---|---|---|
matchVariable | The variable to be scrubbed from the logs. | 'RequestArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestJSONArgNames' 'RequestPostArgNames' (required) |
selector | When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. | string |
selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) |
state | Defines the state of log scrubbing rule. Default value is Enabled. | 'Disabled' 'Enabled' |