Microsoft.Network firewallPolicies/firewallPolicyDrafts
Bicep resource definition
The firewallPolicies/firewallPolicyDrafts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies/firewallPolicyDrafts resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/firewallPolicies/firewallPolicyDrafts@2024-03-01' = {
location: 'string'
name: 'default'
properties: {
basePolicy: {
id: 'string'
}
dnsSettings: {
enableProxy: bool
requireProxyForNetworkRules: bool
servers: [
'string'
]
}
explicitProxy: {
enableExplicitProxy: bool
enablePacFile: bool
httpPort: int
httpsPort: int
pacFile: 'string'
pacFilePort: int
}
insights: {
isEnabled: bool
logAnalyticsResources: {
defaultWorkspaceId: {
id: 'string'
}
workspaces: [
{
region: 'string'
workspaceId: {
id: 'string'
}
}
]
}
retentionDays: int
}
intrusionDetection: {
configuration: {
bypassTrafficSettings: [
{
description: 'string'
destinationAddresses: [
'string'
]
destinationIpGroups: [
'string'
]
destinationPorts: [
'string'
]
name: 'string'
protocol: 'string'
sourceAddresses: [
'string'
]
sourceIpGroups: [
'string'
]
}
]
privateRanges: [
'string'
]
signatureOverrides: [
{
id: 'string'
mode: 'string'
}
]
}
mode: 'string'
profile: 'string'
}
snat: {
autoLearnPrivateRanges: 'string'
privateRanges: [
'string'
]
}
sql: {
allowSqlRedirect: bool
}
threatIntelMode: 'string'
threatIntelWhitelist: {
fqdns: [
'string'
]
ipAddresses: [
'string'
]
}
}
tags: {
{customized property}: 'string'
}
}
Property values
DnsSettings
| Name | Description | Value |
|---|---|---|
| enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
| requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
| servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
| Name | Description | Value |
|---|---|---|
| enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
| enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
| httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| pacFile | SAS URL for PAC file. | string |
| pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyDraftProperties
| Name | Description | Value |
|---|---|---|
| basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
| dnsSettings | DNS Proxy Settings definition. | DnsSettings |
| explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
| insights | Insights on Firewall Policy. | FirewallPolicyInsights |
| intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
| snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
| sql | SQL Settings definition. | FirewallPolicySQL |
| threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
| threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
FirewallPolicyInsights
| Name | Description | Value |
|---|---|---|
| isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
| logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
| retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
| Name | Description | Value |
|---|---|---|
| configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
| mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
| profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
| Name | Description | Value |
|---|---|---|
| description | Description of the bypass traffic rule. | string |
| destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports or ranges. | string[] |
| name | Name of the bypass traffic rule. | string |
| protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
| sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
| Name | Description | Value |
|---|---|---|
| bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
| privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
| signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
| Name | Description | Value |
|---|---|---|
| id | Signature id. | string |
| mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
| Name | Description | Value |
|---|---|---|
| defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
| workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
| Name | Description | Value |
|---|---|---|
| region | Region to configure the Workspace. | string |
| workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicySnat
| Name | Description | Value |
|---|---|---|
| autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
| privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
| Name | Description | Value |
|---|---|---|
| allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
| Name | Description | Value |
|---|---|---|
| fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
| ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
Microsoft.Network/firewallPolicies/firewallPolicyDrafts
| Name | Description | Value |
|---|---|---|
| location | Resource location. | string |
| name | The resource name | 'default' (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: firewallPolicies |
| properties | Properties of the firewall policy. | FirewallPolicyDraftProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
ResourceTags
| Name | Description | Value |
|---|
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
ARM template resource definition
The firewallPolicies/firewallPolicyDrafts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies/firewallPolicyDrafts resource, add the following JSON to your template.
{
"type": "Microsoft.Network/firewallPolicies/firewallPolicyDrafts",
"apiVersion": "2024-03-01",
"name": "string",
"location": "string",
"properties": {
"basePolicy": {
"id": "string"
},
"dnsSettings": {
"enableProxy": "bool",
"requireProxyForNetworkRules": "bool",
"servers": [ "string" ]
},
"explicitProxy": {
"enableExplicitProxy": "bool",
"enablePacFile": "bool",
"httpPort": "int",
"httpsPort": "int",
"pacFile": "string",
"pacFilePort": "int"
},
"insights": {
"isEnabled": "bool",
"logAnalyticsResources": {
"defaultWorkspaceId": {
"id": "string"
},
"workspaces": [
{
"region": "string",
"workspaceId": {
"id": "string"
}
}
]
},
"retentionDays": "int"
},
"intrusionDetection": {
"configuration": {
"bypassTrafficSettings": [
{
"description": "string",
"destinationAddresses": [ "string" ],
"destinationIpGroups": [ "string" ],
"destinationPorts": [ "string" ],
"name": "string",
"protocol": "string",
"sourceAddresses": [ "string" ],
"sourceIpGroups": [ "string" ]
}
],
"privateRanges": [ "string" ],
"signatureOverrides": [
{
"id": "string",
"mode": "string"
}
]
},
"mode": "string",
"profile": "string"
},
"snat": {
"autoLearnPrivateRanges": "string",
"privateRanges": [ "string" ]
},
"sql": {
"allowSqlRedirect": "bool"
},
"threatIntelMode": "string",
"threatIntelWhitelist": {
"fqdns": [ "string" ],
"ipAddresses": [ "string" ]
}
},
"tags": {
"{customized property}": "string"
}
}
Property values
DnsSettings
| Name | Description | Value |
|---|---|---|
| enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
| requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
| servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
| Name | Description | Value |
|---|---|---|
| enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
| enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
| httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| pacFile | SAS URL for PAC file. | string |
| pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyDraftProperties
| Name | Description | Value |
|---|---|---|
| basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
| dnsSettings | DNS Proxy Settings definition. | DnsSettings |
| explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
| insights | Insights on Firewall Policy. | FirewallPolicyInsights |
| intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
| snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
| sql | SQL Settings definition. | FirewallPolicySQL |
| threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
| threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
FirewallPolicyInsights
| Name | Description | Value |
|---|---|---|
| isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
| logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
| retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
| Name | Description | Value |
|---|---|---|
| configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
| mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
| profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
| Name | Description | Value |
|---|---|---|
| description | Description of the bypass traffic rule. | string |
| destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports or ranges. | string[] |
| name | Name of the bypass traffic rule. | string |
| protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
| sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
| Name | Description | Value |
|---|---|---|
| bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
| privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
| signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
| Name | Description | Value |
|---|---|---|
| id | Signature id. | string |
| mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
| Name | Description | Value |
|---|---|---|
| defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
| workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
| Name | Description | Value |
|---|---|---|
| region | Region to configure the Workspace. | string |
| workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicySnat
| Name | Description | Value |
|---|---|---|
| autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
| privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
| Name | Description | Value |
|---|---|---|
| allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
| Name | Description | Value |
|---|---|---|
| fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
| ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
Microsoft.Network/firewallPolicies/firewallPolicyDrafts
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2024-03-01' |
| location | Resource location. | string |
| name | The resource name | 'default' (required) |
| properties | Properties of the firewall policy. | FirewallPolicyDraftProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Network/firewallPolicies/firewallPolicyDrafts' |
ResourceTags
| Name | Description | Value |
|---|
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
Terraform (AzAPI provider) resource definition
The firewallPolicies/firewallPolicyDrafts resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/firewallPolicies/firewallPolicyDrafts resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/firewallPolicies/firewallPolicyDrafts@2024-03-01"
name = "string"
location = "string"
body = jsonencode({
properties = {
basePolicy = {
id = "string"
}
dnsSettings = {
enableProxy = bool
requireProxyForNetworkRules = bool
servers = [
"string"
]
}
explicitProxy = {
enableExplicitProxy = bool
enablePacFile = bool
httpPort = int
httpsPort = int
pacFile = "string"
pacFilePort = int
}
insights = {
isEnabled = bool
logAnalyticsResources = {
defaultWorkspaceId = {
id = "string"
}
workspaces = [
{
region = "string"
workspaceId = {
id = "string"
}
}
]
}
retentionDays = int
}
intrusionDetection = {
configuration = {
bypassTrafficSettings = [
{
description = "string"
destinationAddresses = [
"string"
]
destinationIpGroups = [
"string"
]
destinationPorts = [
"string"
]
name = "string"
protocol = "string"
sourceAddresses = [
"string"
]
sourceIpGroups = [
"string"
]
}
]
privateRanges = [
"string"
]
signatureOverrides = [
{
id = "string"
mode = "string"
}
]
}
mode = "string"
profile = "string"
}
snat = {
autoLearnPrivateRanges = "string"
privateRanges = [
"string"
]
}
sql = {
allowSqlRedirect = bool
}
threatIntelMode = "string"
threatIntelWhitelist = {
fqdns = [
"string"
]
ipAddresses = [
"string"
]
}
}
})
tags = {
{customized property} = "string"
}
}
Property values
DnsSettings
| Name | Description | Value |
|---|---|---|
| enableProxy | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | bool |
| requireProxyForNetworkRules | FQDNs in Network Rules are supported when set to true. | bool |
| servers | List of Custom DNS Servers. | string[] |
ExplicitProxy
| Name | Description | Value |
|---|---|---|
| enableExplicitProxy | When set to true, explicit proxy mode is enabled. | bool |
| enablePacFile | When set to true, pac file port and url needs to be provided. | bool |
| httpPort | Port number for explicit proxy http protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| httpsPort | Port number for explicit proxy https protocol, cannot be greater than 64000. | int Constraints: Min value = 0 Max value = 64000 |
| pacFile | SAS URL for PAC file. | string |
| pacFilePort | Port number for firewall to serve PAC file. | int Constraints: Min value = 0 Max value = 64000 |
FirewallPolicyDraftProperties
| Name | Description | Value |
|---|---|---|
| basePolicy | The parent firewall policy from which rules are inherited. | SubResource |
| dnsSettings | DNS Proxy Settings definition. | DnsSettings |
| explicitProxy | Explicit Proxy Settings definition. | ExplicitProxy |
| insights | Insights on Firewall Policy. | FirewallPolicyInsights |
| intrusionDetection | The configuration for Intrusion detection. | FirewallPolicyIntrusionDetection |
| snat | The private IP addresses/IP ranges to which traffic will not be SNAT. | FirewallPolicySnat |
| sql | SQL Settings definition. | FirewallPolicySQL |
| threatIntelMode | The operation mode for Threat Intelligence. | 'Alert' 'Deny' 'Off' |
| threatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy. | FirewallPolicyThreatIntelWhitelist |
FirewallPolicyInsights
| Name | Description | Value |
|---|---|---|
| isEnabled | A flag to indicate if the insights are enabled on the policy. | bool |
| logAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights. | FirewallPolicyLogAnalyticsResources |
| retentionDays | Number of days the insights should be enabled on the policy. | int |
FirewallPolicyIntrusionDetection
| Name | Description | Value |
|---|---|---|
| configuration | Intrusion detection configuration properties. | FirewallPolicyIntrusionDetectionConfiguration |
| mode | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. | 'Alert' 'Deny' 'Off' |
| profile | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. | 'Advanced' 'Basic' 'Extended' 'Standard' |
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications
| Name | Description | Value |
|---|---|---|
| description | Description of the bypass traffic rule. | string |
| destinationAddresses | List of destination IP addresses or ranges for this rule. | string[] |
| destinationIpGroups | List of destination IpGroups for this rule. | string[] |
| destinationPorts | List of destination ports or ranges. | string[] |
| name | Name of the bypass traffic rule. | string |
| protocol | The rule bypass protocol. | 'ANY' 'ICMP' 'TCP' 'UDP' |
| sourceAddresses | List of source IP addresses or ranges for this rule. | string[] |
| sourceIpGroups | List of source IpGroups for this rule. | string[] |
FirewallPolicyIntrusionDetectionConfiguration
| Name | Description | Value |
|---|---|---|
| bypassTrafficSettings | List of rules for traffic to bypass. | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] |
| privateRanges | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property | string[] |
| signatureOverrides | List of specific signatures states. | FirewallPolicyIntrusionDetectionSignatureSpecification[] |
FirewallPolicyIntrusionDetectionSignatureSpecification
| Name | Description | Value |
|---|---|---|
| id | Signature id. | string |
| mode | The signature state. | 'Alert' 'Deny' 'Off' |
FirewallPolicyLogAnalyticsResources
| Name | Description | Value |
|---|---|---|
| defaultWorkspaceId | The default workspace Id for Firewall Policy Insights. | SubResource |
| workspaces | List of workspaces for Firewall Policy Insights. | FirewallPolicyLogAnalyticsWorkspace[] |
FirewallPolicyLogAnalyticsWorkspace
| Name | Description | Value |
|---|---|---|
| region | Region to configure the Workspace. | string |
| workspaceId | The workspace Id for Firewall Policy Insights. | SubResource |
FirewallPolicySnat
| Name | Description | Value |
|---|---|---|
| autoLearnPrivateRanges | The operation mode for automatically learning private ranges to not be SNAT | 'Disabled' 'Enabled' |
| privateRanges | List of private IP addresses/IP address ranges to not be SNAT. | string[] |
FirewallPolicySQL
| Name | Description | Value |
|---|---|---|
| allowSqlRedirect | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | bool |
FirewallPolicyThreatIntelWhitelist
| Name | Description | Value |
|---|---|---|
| fqdns | List of FQDNs for the ThreatIntel Whitelist. | string[] |
| ipAddresses | List of IP addresses for the ThreatIntel Whitelist. | string[] |
Microsoft.Network/firewallPolicies/firewallPolicyDrafts
| Name | Description | Value |
|---|---|---|
| location | Resource location. | string |
| name | The resource name | 'default' (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: firewallPolicies |
| properties | Properties of the firewall policy. | FirewallPolicyDraftProperties |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Network/firewallPolicies/firewallPolicyDrafts@2024-03-01" |
ResourceTags
| Name | Description | Value |
|---|
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |