Microsoft.Network firewallPolicies/firewallPolicyDrafts 2023-11-01
Bicep resource definition
The firewallPolicies/firewallPolicyDrafts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies/firewallPolicyDrafts resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/firewallPolicies/firewallPolicyDrafts@2023-11-01' = {
name: 'default'
location: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
parent: resourceSymbolicName
properties: {
basePolicy: {
id: 'string'
}
dnsSettings: {
enableProxy: bool
requireProxyForNetworkRules: bool
servers: [
'string'
]
}
explicitProxy: {
enableExplicitProxy: bool
enablePacFile: bool
httpPort: int
httpsPort: int
pacFile: 'string'
pacFilePort: int
}
insights: {
isEnabled: bool
logAnalyticsResources: {
defaultWorkspaceId: {
id: 'string'
}
workspaces: [
{
region: 'string'
workspaceId: {
id: 'string'
}
}
]
}
retentionDays: int
}
intrusionDetection: {
configuration: {
bypassTrafficSettings: [
{
description: 'string'
destinationAddresses: [
'string'
]
destinationIpGroups: [
'string'
]
destinationPorts: [
'string'
]
name: 'string'
protocol: 'string'
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
}
]
privateRanges: [
'string'
]
signatureOverrides: [
{
id: 'string'
mode: 'string'
}
]
}
mode: 'string'
profile: 'string'
}
snat: {
autoLearnPrivateRanges: 'string'
privateRanges: [
'string'
]
}
sql: {
allowSqlRedirect: bool
}
threatIntelMode: 'string'
threatIntelWhitelist: {
fqdns: [
'string'
]
ipAddresses: [
'string'
]
}
}
}
Property values
firewallPolicies/firewallPolicyDrafts
| Name | Description | Value |
|---|---|---|
| name | The resource name See how to set names and types for child resources in Bicep. |
'default' |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: firewallPolicies |
| properties | Properties of the firewall policy. | FirewallPolicyDraftProperties |
FirewallPolicyDraftProperties
| Name | Description | Value |
|---|---|---|
| basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
| dnsSettings | DNS Proxy Settings definition. | DnsSettings |
| explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
| insights | Insights on Firewall Policy. | FirewallPolicyInsights |
| intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
| snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
| sql | SQL Settings definition. | FirewallPolicySQL |
| threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
| threatIntelWhitelist | ThreatIntel Allowlist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
DnsSettings
| Name | Description | Value |
|---|---|---|
| enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
| requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
| servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
| Name | Description | Value |
|---|---|---|
| enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
| enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
| httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| pacFile | SAS URL for PAC file. | string |
| pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyInsights
| Name | Description | Value |
|---|---|---|
| isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
| logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
| retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyLogAnalyticsResources
| Name | Description | Value |
|---|---|---|
| defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
| workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
| Name | Description | Value |
|---|---|---|
| region | Region to configure the Workspace. | string |
| workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyIntrusionDetection
| Name | Description | Value |
|---|---|---|
| configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
| mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
| profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionConfiguration
| Name | Description | Value |
|---|---|---|
| bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifi...[] |
| privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
| signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecificati...[] |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifi...
| Name | Description | Value |
|---|---|---|
| description | Description of the bypass traffic rule. | string |
| destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports or ranges. | string[] |
| name | Name of the bypass traffic rule. | string |
| protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
| sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionSignatureSpecificati...
| Name | Description | Value |
|---|---|---|
| id | Signature id. | string |
| mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicySnat
| Name | Description | Value |
|---|---|---|
| autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
| privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
| Name | Description | Value |
|---|---|---|
| allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
| Name | Description | Value |
|---|---|---|
| fqdns | List of FQDNs for the ThreatIntel Allowlist. | string[] |
| ipAddresses | List of IP addresses for the ThreatIntel Allowlist. | string[] |
ARM template resource definition
The firewallPolicies/firewallPolicyDrafts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies/firewallPolicyDrafts resource, add the following JSON to your template.
{
"type": "Microsoft.Network/firewallPolicies/firewallPolicyDrafts",
"apiVersion": "2023-11-01",
"name": "default",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"properties": {
"basePolicy": {
"id": "string"
},
"dnsSettings": {
"enableProxy": "bool",
"requireProxyForNetworkRules": "bool",
"servers": [ "string" ]
},
"explicitProxy": {
"enableExplicitProxy": "bool",
"enablePacFile": "bool",
"httpPort": "int",
"httpsPort": "int",
"pacFile": "string",
"pacFilePort": "int"
},
"insights": {
"isEnabled": "bool",
"logAnalyticsResources": {
"defaultWorkspaceId": {
"id": "string"
},
"workspaces": [
{
"region": "string",
"workspaceId": {
"id": "string"
}
}
]
},
"retentionDays": "int"
},
"intrusionDetection": {
"configuration": {
"bypassTrafficSettings": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationIpGroups": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocol": "string",
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ]
}
],
"privateRanges": [ "string" ],
"signatureOverrides": [
{
"id": "string",
"mode": "string"
}
]
},
"mode": "string",
"profile": "string"
},
"snat": {
"autoLearnPrivateRanges": "string",
"privateRanges": [ "string" ]
},
"sql": {
"allowSqlRedirect": "bool"
},
"threatIntelMode": "string",
"threatIntelWhitelist": {
"fqdns": [ "string" ],
"ipAddresses": [ "string" ]
}
}
}
Property values
firewallPolicies/firewallPolicyDrafts
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.Network/firewallPolicies/firewallPolicyDrafts' |
| apiVersion | The resource api version | '2023-11-01' |
| name | The resource name See how to set names and types for child resources in JSON ARM templates. |
'default' |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| properties | Properties of the firewall policy. | FirewallPolicyDraftProperties |
FirewallPolicyDraftProperties
| Name | Description | Value |
|---|---|---|
| basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
| dnsSettings | DNS Proxy Settings definition. | DnsSettings |
| explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
| insights | Insights on Firewall Policy. | FirewallPolicyInsights |
| intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
| snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
| sql | SQL Settings definition. | FirewallPolicySQL |
| threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
| threatIntelWhitelist | ThreatIntel Allowlist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
DnsSettings
| Name | Description | Value |
|---|---|---|
| enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
| requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
| servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
| Name | Description | Value |
|---|---|---|
| enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
| enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
| httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| pacFile | SAS URL for PAC file. | string |
| pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyInsights
| Name | Description | Value |
|---|---|---|
| isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
| logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
| retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyLogAnalyticsResources
| Name | Description | Value |
|---|---|---|
| defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
| workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
| Name | Description | Value |
|---|---|---|
| region | Region to configure the Workspace. | string |
| workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyIntrusionDetection
| Name | Description | Value |
|---|---|---|
| configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
| mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
| profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionConfiguration
| Name | Description | Value |
|---|---|---|
| bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifi...[] |
| privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
| signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecificati...[] |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifi...
| Name | Description | Value |
|---|---|---|
| description | Description of the bypass traffic rule. | string |
| destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports or ranges. | string[] |
| name | Name of the bypass traffic rule. | string |
| protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
| sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionSignatureSpecificati...
| Name | Description | Value |
|---|---|---|
| id | Signature id. | string |
| mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicySnat
| Name | Description | Value |
|---|---|---|
| autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
| privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
| Name | Description | Value |
|---|---|---|
| allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
| Name | Description | Value |
|---|---|---|
| fqdns | List of FQDNs for the ThreatIntel Allowlist. | string[] |
| ipAddresses | List of IP addresses for the ThreatIntel Allowlist. | string[] |
Terraform (AzAPI provider) resource definition
The firewallPolicies/firewallPolicyDrafts resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies/firewallPolicyDrafts resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/firewallPolicies/firewallPolicyDrafts@2023-11-01"
name = "default"
location = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
body = jsonencode({
properties = {
basePolicy = {
id = "string"
}
dnsSettings = {
enableProxy = bool
requireProxyForNetworkRules = bool
servers = [
"string"
]
}
explicitProxy = {
enableExplicitProxy = bool
enablePacFile = bool
httpPort = int
httpsPort = int
pacFile = "string"
pacFilePort = int
}
insights = {
isEnabled = bool
logAnalyticsResources = {
defaultWorkspaceId = {
id = "string"
}
workspaces = [
{
region = "string"
workspaceId = {
id = "string"
}
}
]
}
retentionDays = int
}
intrusionDetection = {
configuration = {
bypassTrafficSettings = [
{
description = "string"
destinationAddresses = [
"string"
]
destinationIpGroups = [
"string"
]
destinationPorts = [
"string"
]
name = "string"
protocol = "string"
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
}
]
privateRanges = [
"string"
]
signatureOverrides = [
{
id = "string"
mode = "string"
}
]
}
mode = "string"
profile = "string"
}
snat = {
autoLearnPrivateRanges = "string"
privateRanges = [
"string"
]
}
sql = {
allowSqlRedirect = bool
}
threatIntelMode = "string"
threatIntelWhitelist = {
fqdns = [
"string"
]
ipAddresses = [
"string"
]
}
}
})
}
Property values
firewallPolicies/firewallPolicyDrafts
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.Network/firewallPolicies/firewallPolicyDrafts@2023-11-01" |
| name | The resource name | "default" |
| location | Resource location. | string |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: firewallPolicies |
| tags | Resource tags. | Dictionary of tag names and values. |
| properties | Properties of the firewall policy. | FirewallPolicyDraftProperties |
FirewallPolicyDraftProperties
| Name | Description | Value |
|---|---|---|
| basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
| dnsSettings | DNS Proxy Settings definition. | DnsSettings |
| explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
| insights | Insights on Firewall Policy. | FirewallPolicyInsights |
| intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
| snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
| sql | SQL Settings definition. | FirewallPolicySQL |
| threatIntelMode | The operation mode for Threat Intelligence. | "Alert" "Deny" "Off" |
| threatIntelWhitelist | ThreatIntel Allowlist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
DnsSettings
| Name | Description | Value |
|---|---|---|
| enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
| requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
| servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
| Name | Description | Value |
|---|---|---|
| enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
| enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
| httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| pacFile | SAS URL for PAC file. | string |
| pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyInsights
| Name | Description | Value |
|---|---|---|
| isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
| logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
| retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyLogAnalyticsResources
| Name | Description | Value |
|---|---|---|
| defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
| workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
| Name | Description | Value |
|---|---|---|
| region | Region to configure the Workspace. | string |
| workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicyIntrusionDetection
| Name | Description | Value |
|---|---|---|
| configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
| mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | "Alert" "Deny" "Off" |
| profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | "Advanced" "Basic" "Extended" "Standard" |
FirewallPolicyIntrusionDetectionConfiguration
| Name | Description | Value |
|---|---|---|
| bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifi...[] |
| privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
| signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecificati...[] |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifi...
| Name | Description | Value |
|---|---|---|
| description | Description of the bypass traffic rule. | string |
| destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports or ranges. | string[] |
| name | Name of the bypass traffic rule. | string |
| protocol | The rule bypass protocol. | "ANY" "ICMP" "TCP" "UDP" |
| sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionSignatureSpecificati...
| Name | Description | Value |
|---|---|---|
| id | Signature id. | string |
| mode | The signature state. | "Alert" "Deny" "Off" |
FirewallPolicySnat
| Name | Description | Value |
|---|---|---|
| autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | "Disabled" "Enabled" |
| privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
| Name | Description | Value |
|---|---|---|
| allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
| Name | Description | Value |
|---|---|---|
| fqdns | List of FQDNs for the ThreatIntel Allowlist. | string[] |
| ipAddresses | List of IP addresses for the ThreatIntel Allowlist. | string[] |