The firewallPolicies resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/firewallPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2023-04-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"identity": {
"type": "string",
"userAssignedIdentities": {}
},
"properties": {
"basePolicy": {
"id": "string"
},
"dnsSettings": {
"enableProxy": "bool",
"requireProxyForNetworkRules": "bool",
"servers": [ "string" ]
},
"explicitProxy": {
"enableExplicitProxy": "bool",
"enablePacFile": "bool",
"httpPort": "int",
"httpsPort": "int",
"pacFile": "string",
"pacFilePort": "int"
},
"insights": {
"isEnabled": "bool",
"logAnalyticsResources": {
"defaultWorkspaceId": {
"id": "string"
},
"workspaces": [
{
"region": "string",
"workspaceId": {
"id": "string"
}
}
]
},
"retentionDays": "int"
},
"intrusionDetection": {
"configuration": {
"bypassTrafficSettings": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationIpGroups": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocol": "string",
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ]
}
],
"privateRanges": [ "string" ],
"signatureOverrides": [
{
"id": "string",
"mode": "string"
}
]
},
"mode": "string"
},
"sku": {
"tier": "string"
},
"snat": {
"autoLearnPrivateRanges": "string",
"privateRanges": [ "string" ]
},
"sql": {
"allowSqlRedirect": "bool"
},
"threatIntelMode": "string",
"threatIntelWhitelist": {
"fqdns": [ "string" ],
"ipAddresses": [ "string" ]
},
"transportSecurity": {
"certificateAuthority": {
"keyVaultSecretId": "string",
"name": "string"
}
}
}
}
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.Network/firewallPolicies' |
apiVersion | The resource api version | '2023-04-01' |
name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
location | Resource location. | string |
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
identity | The identity of the firewall policy. | ManagedServiceIdentity |
properties | Properties of the firewall policy. | FirewallPolicyPropertiesFormat |
Name | Description | Value |
---|---|---|
type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | object |
Name | Description | Value |
---|---|---|
basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
dnsSettings | DNS Proxy Settings definition. | DnsSettings |
explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
insights | Insights on Firewall Policy. | FirewallPolicyInsights |
intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
sku | The Firewall Policy SKU. | FirewallPolicySku |
snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
sql | SQL Settings definition. | FirewallPolicySQL |
threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
threatIntelWhitelist | ThreatIntel Allowlist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
transportSecurity | TLS Configuration definition. | FirewallPolicyTransportSecurity |
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
Name | Description | Value |
---|---|---|
enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
servers | List of Custom DNS Servers. | string[] |
Name | Description | Value |
---|---|---|
enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int |
httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int |
pacFile | SAS URL for PAC file. | string |
pacFilePort | Port number for firewall to serve PAC file. | int |
Name | Description | Value |
---|---|---|
isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
retentionDays | Number of days the insights should be enabled on the policy. | int |
Name | Description | Value |
---|---|---|
defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
Name | Description | Value |
---|---|---|
region | Region to configure the Workspace. | string |
workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
Name | Description | Value |
---|---|---|
configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
mode | Intrusion detection general state. | 'Alert' 'Deny' 'Off' |
Name | Description | Value |
---|---|---|
bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifi...[] |
privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecificati...[] |
Name | Description | Value |
---|---|---|
description | Description of the bypass traffic rule. | string |
destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
destinationIpGroups | List of destination IpGroups for this rule. | string[] |
destinationPorts | List of destination ports or ranges. | string[] |
name | Name of the bypass traffic rule. | string |
protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
sourceIpGroups | List of source IpGroups for this rule. | string[] |
Name | Description | Value |
---|---|---|
id | Signature id. | string |
mode | The signature state. | 'Alert' 'Deny' 'Off' |
Name | Description | Value |
---|---|---|
tier | Tier of Firewall Policy. | 'Basic' 'Premium' 'Standard' |
Name | Description | Value |
---|---|---|
autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
Name | Description | Value |
---|---|---|
allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
Name | Description | Value |
---|---|---|
fqdns | List of FQDNs for the ThreatIntel Allowlist. | string[] |
ipAddresses | List of IP addresses for the ThreatIntel Allowlist. | string[] |
Name | Description | Value |
---|---|---|
certificateAuthority | The CA used for intermediate CA generation. | FirewallPolicyCertificateAuthority |
Name | Description | Value |
---|---|---|
keyVaultSecretId | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. | string |
name | Name of the CA certificate. | string |
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology |
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
Create a Firewall and FirewallPolicy with Rules and Ipgroups |
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules. |
Create a Firewall, FirewallPolicy with Explicit Proxy |
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Create a Firewall with FirewallPolicy and IpGroups |
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup |
Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Create a sandbox setup with Firewall Policy |
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges |
Secured virtual hubs |
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
Azure Virtual WAN Routing Intent and Policies |
This template provisions an Azure Virtual WAN with two hubs with Routing Intent and Policies feature enabled. |