Policies - Create Or Update

Reference

Service:: Front Door Service

API Version:: 2024-02-01

Create or update policy with specified rule set name within a resource group.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{policyName}?api-version=2024-02-01

URI Parameters

Name	In	Required	Type	Description
policyName	path	True	string	The name of the Web Application Firewall Policy.
resourceGroupName	path	True	string	Name of the Resource group within the Azure subscription. Regex pattern: `^[a-zA-Z0-9_\-\.]*[^\.]$`
subscriptionId	path	True	string	The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version	query	True	string	Client API version.

Request Body

Name	Type	Description
etag	string	Gets a unique read-only string that changes whenever the resource is updated.
location	string	Resource location.
properties.customRules	CustomRuleList	Describes custom rules inside the policy.
properties.managedRules	ManagedRuleSetList	Describes managed rules inside the policy.
properties.policySettings	PolicySettings	Describes settings for the policy.
sku	Sku	The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified.
tags	object	Resource tags.

Responses

Name	Type	Description
200 OK	WebApplicationFirewallPolicy	OK. The request has succeeded.
201 Created	WebApplicationFirewallPolicy	Created. The request has been fulfilled and a new protection policy has been created.
202 Accepted	WebApplicationFirewallPolicy	Accepted. The request has been accepted for processing and the operation will complete asynchronously.
Other Status Codes	ErrorResponse	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Creates specific policy

Sample request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1?api-version=2024-02-01

{
  "location": "WestUs",
  "properties": {
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "javascriptChallengeExpirationInMinutes": 30,
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "ruleType": "RateLimitRule",
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "operator": "IPMatch",
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ]
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "ruleType": "MatchRule",
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "operator": "GeoMatch",
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "operator": "Contains",
              "selector": "UserAgent",
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    }
  },
  "sku": {
    "name": "Premium_AzureFrontDoor"
  }
}


import com.azure.resourcemanager.frontdoor.models.ActionType;
import com.azure.resourcemanager.frontdoor.models.CustomRule;
import com.azure.resourcemanager.frontdoor.models.CustomRuleList;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleEnabledState;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleExclusion;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleExclusionMatchVariable;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleExclusionSelectorMatchOperator;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleGroupOverride;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleOverride;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleSet;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleSetActionType;
import com.azure.resourcemanager.frontdoor.models.ManagedRuleSetList;
import com.azure.resourcemanager.frontdoor.models.MatchCondition;
import com.azure.resourcemanager.frontdoor.models.MatchVariable;
import com.azure.resourcemanager.frontdoor.models.Operator;
import com.azure.resourcemanager.frontdoor.models.PolicyEnabledState;
import com.azure.resourcemanager.frontdoor.models.PolicyMode;
import com.azure.resourcemanager.frontdoor.models.PolicyRequestBodyCheck;
import com.azure.resourcemanager.frontdoor.models.PolicySettings;
import com.azure.resourcemanager.frontdoor.models.RuleType;
import com.azure.resourcemanager.frontdoor.models.ScrubbingRuleEntryMatchOperator;
import com.azure.resourcemanager.frontdoor.models.ScrubbingRuleEntryMatchVariable;
import com.azure.resourcemanager.frontdoor.models.ScrubbingRuleEntryState;
import com.azure.resourcemanager.frontdoor.models.Sku;
import com.azure.resourcemanager.frontdoor.models.SkuName;
import com.azure.resourcemanager.frontdoor.models.TransformType;
import com.azure.resourcemanager.frontdoor.models.WebApplicationFirewallScrubbingRules;
import com.azure.resourcemanager.frontdoor.models.WebApplicationFirewallScrubbingState;
import java.util.Arrays;

/**
 * Samples for Policies CreateOrUpdate.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/frontdoor/resource-manager/Microsoft.Network/stable/2024-02-01/examples/WafPolicyCreateOrUpdate.
     * json
     */
    /**
     * Sample code: Creates specific policy.
     * 
     * @param manager Entry point to FrontDoorManager.
     */
    public static void createsSpecificPolicy(com.azure.resourcemanager.frontdoor.FrontDoorManager manager) {
        manager.policies().define("Policy1").withRegion("WestUs").withExistingResourceGroup("rg1")
            .withSku(new Sku().withName(SkuName.PREMIUM_AZURE_FRONT_DOOR))
            .withPolicySettings(new PolicySettings().withEnabledState(PolicyEnabledState.ENABLED)
                .withMode(PolicyMode.PREVENTION).withRedirectUrl("http://www.bing.com")
                .withCustomBlockResponseStatusCode(429)
                .withCustomBlockResponseBody(
                    "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==")
                .withRequestBodyCheck(
                    PolicyRequestBodyCheck.DISABLED)
                .withJavascriptChallengeExpirationInMinutes(30).withState(WebApplicationFirewallScrubbingState.ENABLED)
                .withScrubbingRules(Arrays.asList(new WebApplicationFirewallScrubbingRules()
                    .withMatchVariable(ScrubbingRuleEntryMatchVariable.REQUEST_IPADDRESS)
                    .withSelectorMatchOperator(ScrubbingRuleEntryMatchOperator.EQUALS_ANY)
                    .withState(ScrubbingRuleEntryState.ENABLED))))
            .withCustomRules(new CustomRuleList().withRules(Arrays.asList(
                new CustomRule().withName("Rule1").withPriority(1).withRuleType(RuleType.RATE_LIMIT_RULE)
                    .withRateLimitThreshold(1000)
                    .withMatchConditions(Arrays.asList(new MatchCondition().withMatchVariable(MatchVariable.REMOTE_ADDR)
                        .withOperator(Operator.IPMATCH).withMatchValue(Arrays.asList("192.168.1.0/24", "10.0.0.0/24"))))
                    .withAction(ActionType.BLOCK),
                new CustomRule().withName("Rule2").withPriority(2).withRuleType(RuleType.MATCH_RULE)
                    .withMatchConditions(Arrays.asList(
                        new MatchCondition().withMatchVariable(MatchVariable.REMOTE_ADDR)
                            .withOperator(Operator.GEO_MATCH).withMatchValue(Arrays.asList("CH")),
                        new MatchCondition().withMatchVariable(MatchVariable.REQUEST_HEADER).withSelector("UserAgent")
                            .withOperator(Operator.CONTAINS).withMatchValue(Arrays.asList("windows"))
                            .withTransforms(Arrays.asList(TransformType.LOWERCASE))))
                    .withAction(ActionType.BLOCK))))
            .withManagedRules(new ManagedRuleSetList()
                .withManagedRuleSets(Arrays.asList(new ManagedRuleSet().withRuleSetType("DefaultRuleSet")
                    .withRuleSetVersion("1.0").withRuleSetAction(ManagedRuleSetActionType.BLOCK)
                    .withExclusions(Arrays.asList(new ManagedRuleExclusion()
                        .withMatchVariable(ManagedRuleExclusionMatchVariable.REQUEST_HEADER_NAMES)
                        .withSelectorMatchOperator(ManagedRuleExclusionSelectorMatchOperator.EQUALS)
                        .withSelector("User-Agent")))
                    .withRuleGroupOverrides(
                        Arrays.asList(new ManagedRuleGroupOverride().withRuleGroupName("SQLI")
                            .withExclusions(Arrays.asList(new ManagedRuleExclusion()
                                .withMatchVariable(ManagedRuleExclusionMatchVariable.REQUEST_COOKIE_NAMES)
                                .withSelectorMatchOperator(ManagedRuleExclusionSelectorMatchOperator.STARTS_WITH)
                                .withSelector("token")))
                            .withRules(
                                Arrays
                                    .asList(
                                        new ManagedRuleOverride().withRuleId("942100")
                                            .withEnabledState(ManagedRuleEnabledState.ENABLED)
                                            .withAction(ActionType.REDIRECT)
                                            .withExclusions(Arrays.asList(new ManagedRuleExclusion()
                                                .withMatchVariable(
                                                    ManagedRuleExclusionMatchVariable.QUERY_STRING_ARG_NAMES)
                                                .withSelectorMatchOperator(
                                                    ManagedRuleExclusionSelectorMatchOperator.EQUALS)
                                                .withSelector("query"))),
                                        new ManagedRuleOverride().withRuleId("942110")
                                            .withEnabledState(ManagedRuleEnabledState.DISABLED))))))))
            .create();
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armfrontdoor_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/frontdoor/armfrontdoor"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/b54ffc9278eff071455b1dbb4ad2e772afce885d/specification/frontdoor/resource-manager/Microsoft.Network/stable/2024-02-01/examples/WafPolicyCreateOrUpdate.json
func ExamplePoliciesClient_BeginCreateOrUpdate() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armfrontdoor.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewPoliciesClient().BeginCreateOrUpdate(ctx, "rg1", "Policy1", armfrontdoor.WebApplicationFirewallPolicy{
		Location: to.Ptr("WestUs"),
		Properties: &armfrontdoor.WebApplicationFirewallPolicyProperties{
			CustomRules: &armfrontdoor.CustomRuleList{
				Rules: []*armfrontdoor.CustomRule{
					{
						Name:   to.Ptr("Rule1"),
						Action: to.Ptr(armfrontdoor.ActionTypeBlock),
						MatchConditions: []*armfrontdoor.MatchCondition{
							{
								MatchValue: []*string{
									to.Ptr("192.168.1.0/24"),
									to.Ptr("10.0.0.0/24")},
								MatchVariable: to.Ptr(armfrontdoor.MatchVariableRemoteAddr),
								Operator:      to.Ptr(armfrontdoor.OperatorIPMatch),
							}},
						Priority:           to.Ptr[int32](1),
						RateLimitThreshold: to.Ptr[int32](1000),
						RuleType:           to.Ptr(armfrontdoor.RuleTypeRateLimitRule),
					},
					{
						Name:   to.Ptr("Rule2"),
						Action: to.Ptr(armfrontdoor.ActionTypeBlock),
						MatchConditions: []*armfrontdoor.MatchCondition{
							{
								MatchValue: []*string{
									to.Ptr("CH")},
								MatchVariable: to.Ptr(armfrontdoor.MatchVariableRemoteAddr),
								Operator:      to.Ptr(armfrontdoor.OperatorGeoMatch),
							},
							{
								MatchValue: []*string{
									to.Ptr("windows")},
								MatchVariable: to.Ptr(armfrontdoor.MatchVariableRequestHeader),
								Operator:      to.Ptr(armfrontdoor.OperatorContains),
								Selector:      to.Ptr("UserAgent"),
								Transforms: []*armfrontdoor.TransformType{
									to.Ptr(armfrontdoor.TransformTypeLowercase)},
							}},
						Priority: to.Ptr[int32](2),
						RuleType: to.Ptr(armfrontdoor.RuleTypeMatchRule),
					}},
			},
			ManagedRules: &armfrontdoor.ManagedRuleSetList{
				ManagedRuleSets: []*armfrontdoor.ManagedRuleSet{
					{
						Exclusions: []*armfrontdoor.ManagedRuleExclusion{
							{
								MatchVariable:         to.Ptr(armfrontdoor.ManagedRuleExclusionMatchVariableRequestHeaderNames),
								Selector:              to.Ptr("User-Agent"),
								SelectorMatchOperator: to.Ptr(armfrontdoor.ManagedRuleExclusionSelectorMatchOperatorEquals),
							}},
						RuleGroupOverrides: []*armfrontdoor.ManagedRuleGroupOverride{
							{
								Exclusions: []*armfrontdoor.ManagedRuleExclusion{
									{
										MatchVariable:         to.Ptr(armfrontdoor.ManagedRuleExclusionMatchVariableRequestCookieNames),
										Selector:              to.Ptr("token"),
										SelectorMatchOperator: to.Ptr(armfrontdoor.ManagedRuleExclusionSelectorMatchOperatorStartsWith),
									}},
								RuleGroupName: to.Ptr("SQLI"),
								Rules: []*armfrontdoor.ManagedRuleOverride{
									{
										Action:       to.Ptr(armfrontdoor.ActionTypeRedirect),
										EnabledState: to.Ptr(armfrontdoor.ManagedRuleEnabledStateEnabled),
										Exclusions: []*armfrontdoor.ManagedRuleExclusion{
											{
												MatchVariable:         to.Ptr(armfrontdoor.ManagedRuleExclusionMatchVariableQueryStringArgNames),
												Selector:              to.Ptr("query"),
												SelectorMatchOperator: to.Ptr(armfrontdoor.ManagedRuleExclusionSelectorMatchOperatorEquals),
											}},
										RuleID: to.Ptr("942100"),
									},
									{
										EnabledState: to.Ptr(armfrontdoor.ManagedRuleEnabledStateDisabled),
										RuleID:       to.Ptr("942110"),
									}},
							}},
						RuleSetAction:  to.Ptr(armfrontdoor.ManagedRuleSetActionTypeBlock),
						RuleSetType:    to.Ptr("DefaultRuleSet"),
						RuleSetVersion: to.Ptr("1.0"),
					}},
			},
			PolicySettings: &armfrontdoor.PolicySettings{
				CustomBlockResponseBody:                to.Ptr("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="),
				CustomBlockResponseStatusCode:          to.Ptr[int32](429),
				EnabledState:                           to.Ptr(armfrontdoor.PolicyEnabledStateEnabled),
				JavascriptChallengeExpirationInMinutes: to.Ptr[int32](30),
				LogScrubbing: &armfrontdoor.PolicySettingsLogScrubbing{
					ScrubbingRules: []*armfrontdoor.WebApplicationFirewallScrubbingRules{
						{
							MatchVariable:         to.Ptr(armfrontdoor.ScrubbingRuleEntryMatchVariableRequestIPAddress),
							SelectorMatchOperator: to.Ptr(armfrontdoor.ScrubbingRuleEntryMatchOperatorEqualsAny),
							State:                 to.Ptr(armfrontdoor.ScrubbingRuleEntryStateEnabled),
						}},
					State: to.Ptr(armfrontdoor.WebApplicationFirewallScrubbingStateEnabled),
				},
				Mode:             to.Ptr(armfrontdoor.PolicyModePrevention),
				RedirectURL:      to.Ptr("http://www.bing.com"),
				RequestBodyCheck: to.Ptr(armfrontdoor.PolicyRequestBodyCheckDisabled),
			},
		},
		SKU: &armfrontdoor.SKU{
			Name: to.Ptr(armfrontdoor.SKUNamePremiumAzureFrontDoor),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	res, err := poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.WebApplicationFirewallPolicy = armfrontdoor.WebApplicationFirewallPolicy{
	// 	Name: to.Ptr("Policy1"),
	// 	Type: to.Ptr("Microsoft.Network/frontdoorwebapplicationfirewallpolicies"),
	// 	ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1"),
	// 	Location: to.Ptr("WestUs"),
	// 	Tags: map[string]*string{
	// 		"key1": to.Ptr("value1"),
	// 		"key2": to.Ptr("value2"),
	// 	},
	// 	Properties: &armfrontdoor.WebApplicationFirewallPolicyProperties{
	// 		CustomRules: &armfrontdoor.CustomRuleList{
	// 			Rules: []*armfrontdoor.CustomRule{
	// 				{
	// 					Name: to.Ptr("Rule1"),
	// 					Action: to.Ptr(armfrontdoor.ActionTypeBlock),
	// 					EnabledState: to.Ptr(armfrontdoor.CustomRuleEnabledStateEnabled),
	// 					MatchConditions: []*armfrontdoor.MatchCondition{
	// 						{
	// 							MatchValue: []*string{
	// 								to.Ptr("192.168.1.0/24"),
	// 								to.Ptr("10.0.0.0/24")},
	// 								MatchVariable: to.Ptr(armfrontdoor.MatchVariableRemoteAddr),
	// 								NegateCondition: to.Ptr(false),
	// 								Operator: to.Ptr(armfrontdoor.OperatorIPMatch),
	// 								Transforms: []*armfrontdoor.TransformType{
	// 								},
	// 						}},
	// 						Priority: to.Ptr[int32](1),
	// 						RateLimitDurationInMinutes: to.Ptr[int32](0),
	// 						RateLimitThreshold: to.Ptr[int32](1000),
	// 						RuleType: to.Ptr(armfrontdoor.RuleTypeRateLimitRule),
	// 					},
	// 					{
	// 						Name: to.Ptr("Rule2"),
	// 						Action: to.Ptr(armfrontdoor.ActionTypeBlock),
	// 						EnabledState: to.Ptr(armfrontdoor.CustomRuleEnabledStateEnabled),
	// 						MatchConditions: []*armfrontdoor.MatchCondition{
	// 							{
	// 								MatchValue: []*string{
	// 									to.Ptr("CH")},
	// 									MatchVariable: to.Ptr(armfrontdoor.MatchVariableRemoteAddr),
	// 									NegateCondition: to.Ptr(false),
	// 									Operator: to.Ptr(armfrontdoor.OperatorGeoMatch),
	// 								},
	// 								{
	// 									MatchValue: []*string{
	// 										to.Ptr("windows")},
	// 										MatchVariable: to.Ptr(armfrontdoor.MatchVariableRequestHeader),
	// 										NegateCondition: to.Ptr(false),
	// 										Operator: to.Ptr(armfrontdoor.OperatorContains),
	// 										Selector: to.Ptr("UserAgent"),
	// 										Transforms: []*armfrontdoor.TransformType{
	// 											to.Ptr(armfrontdoor.TransformTypeLowercase)},
	// 									}},
	// 									Priority: to.Ptr[int32](2),
	// 									RateLimitDurationInMinutes: to.Ptr[int32](0),
	// 									RateLimitThreshold: to.Ptr[int32](0),
	// 									RuleType: to.Ptr(armfrontdoor.RuleTypeMatchRule),
	// 							}},
	// 						},
	// 						FrontendEndpointLinks: []*armfrontdoor.FrontendEndpointLink{
	// 						},
	// 						ManagedRules: &armfrontdoor.ManagedRuleSetList{
	// 							ManagedRuleSets: []*armfrontdoor.ManagedRuleSet{
	// 								{
	// 									Exclusions: []*armfrontdoor.ManagedRuleExclusion{
	// 										{
	// 											MatchVariable: to.Ptr(armfrontdoor.ManagedRuleExclusionMatchVariableRequestHeaderNames),
	// 											Selector: to.Ptr("User-Agent"),
	// 											SelectorMatchOperator: to.Ptr(armfrontdoor.ManagedRuleExclusionSelectorMatchOperatorEquals),
	// 									}},
	// 									RuleGroupOverrides: []*armfrontdoor.ManagedRuleGroupOverride{
	// 										{
	// 											Exclusions: []*armfrontdoor.ManagedRuleExclusion{
	// 												{
	// 													MatchVariable: to.Ptr(armfrontdoor.ManagedRuleExclusionMatchVariableRequestCookieNames),
	// 													Selector: to.Ptr("token"),
	// 													SelectorMatchOperator: to.Ptr(armfrontdoor.ManagedRuleExclusionSelectorMatchOperatorStartsWith),
	// 											}},
	// 											RuleGroupName: to.Ptr("SQLI"),
	// 											Rules: []*armfrontdoor.ManagedRuleOverride{
	// 												{
	// 													Action: to.Ptr(armfrontdoor.ActionTypeRedirect),
	// 													EnabledState: to.Ptr(armfrontdoor.ManagedRuleEnabledStateEnabled),
	// 													Exclusions: []*armfrontdoor.ManagedRuleExclusion{
	// 														{
	// 															MatchVariable: to.Ptr(armfrontdoor.ManagedRuleExclusionMatchVariableQueryStringArgNames),
	// 															Selector: to.Ptr("query"),
	// 															SelectorMatchOperator: to.Ptr(armfrontdoor.ManagedRuleExclusionSelectorMatchOperatorEquals),
	// 													}},
	// 													RuleID: to.Ptr("942100"),
	// 												},
	// 												{
	// 													EnabledState: to.Ptr(armfrontdoor.ManagedRuleEnabledStateDisabled),
	// 													RuleID: to.Ptr("942110"),
	// 											}},
	// 									}},
	// 									RuleSetAction: to.Ptr(armfrontdoor.ManagedRuleSetActionTypeBlock),
	// 									RuleSetType: to.Ptr("DefaultRuleSet"),
	// 									RuleSetVersion: to.Ptr("1.0"),
	// 							}},
	// 						},
	// 						PolicySettings: &armfrontdoor.PolicySettings{
	// 							CustomBlockResponseBody: to.Ptr("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="),
	// 							CustomBlockResponseStatusCode: to.Ptr[int32](429),
	// 							EnabledState: to.Ptr(armfrontdoor.PolicyEnabledStateEnabled),
	// 							JavascriptChallengeExpirationInMinutes: to.Ptr[int32](30),
	// 							LogScrubbing: &armfrontdoor.PolicySettingsLogScrubbing{
	// 								ScrubbingRules: []*armfrontdoor.WebApplicationFirewallScrubbingRules{
	// 									{
	// 										MatchVariable: to.Ptr(armfrontdoor.ScrubbingRuleEntryMatchVariableRequestIPAddress),
	// 										SelectorMatchOperator: to.Ptr(armfrontdoor.ScrubbingRuleEntryMatchOperatorEqualsAny),
	// 										State: to.Ptr(armfrontdoor.ScrubbingRuleEntryStateEnabled),
	// 								}},
	// 								State: to.Ptr(armfrontdoor.WebApplicationFirewallScrubbingStateEnabled),
	// 							},
	// 							Mode: to.Ptr(armfrontdoor.PolicyModePrevention),
	// 							RedirectURL: to.Ptr("http://www.bing.com"),
	// 							RequestBodyCheck: to.Ptr(armfrontdoor.PolicyRequestBodyCheckDisabled),
	// 						},
	// 						ProvisioningState: to.Ptr("Succeeded"),
	// 						ResourceState: to.Ptr(armfrontdoor.PolicyResourceStateEnabled),
	// 						SecurityPolicyLinks: []*armfrontdoor.SecurityPolicyLink{
	// 						},
	// 					},
	// 					SKU: &armfrontdoor.SKU{
	// 						Name: to.Ptr(armfrontdoor.SKUNamePremiumAzureFrontDoor),
	// 					},
	// 				}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { FrontDoorManagementClient } = require("@azure/arm-frontdoor");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Create or update policy with specified rule set name within a resource group.
 *
 * @summary Create or update policy with specified rule set name within a resource group.
 * x-ms-original-file: specification/frontdoor/resource-manager/Microsoft.Network/stable/2024-02-01/examples/WafPolicyCreateOrUpdate.json
 */
async function createsSpecificPolicy() {
  const subscriptionId = process.env["FRONTDOOR_SUBSCRIPTION_ID"] || "subid";
  const resourceGroupName = process.env["FRONTDOOR_RESOURCE_GROUP"] || "rg1";
  const policyName = "Policy1";
  const parameters = {
    customRules: {
      rules: [
        {
          name: "Rule1",
          action: "Block",
          matchConditions: [
            {
              matchValue: ["192.168.1.0/24", "10.0.0.0/24"],
              matchVariable: "RemoteAddr",
              operator: "IPMatch",
            },
          ],
          priority: 1,
          rateLimitThreshold: 1000,
          ruleType: "RateLimitRule",
        },
        {
          name: "Rule2",
          action: "Block",
          matchConditions: [
            {
              matchValue: ["CH"],
              matchVariable: "RemoteAddr",
              operator: "GeoMatch",
            },
            {
              matchValue: ["windows"],
              matchVariable: "RequestHeader",
              operator: "Contains",
              selector: "UserAgent",
              transforms: ["Lowercase"],
            },
          ],
          priority: 2,
          ruleType: "MatchRule",
        },
      ],
    },
    location: "WestUs",
    managedRules: {
      managedRuleSets: [
        {
          exclusions: [
            {
              matchVariable: "RequestHeaderNames",
              selector: "User-Agent",
              selectorMatchOperator: "Equals",
            },
          ],
          ruleGroupOverrides: [
            {
              exclusions: [
                {
                  matchVariable: "RequestCookieNames",
                  selector: "token",
                  selectorMatchOperator: "StartsWith",
                },
              ],
              ruleGroupName: "SQLI",
              rules: [
                {
                  action: "Redirect",
                  enabledState: "Enabled",
                  exclusions: [
                    {
                      matchVariable: "QueryStringArgNames",
                      selector: "query",
                      selectorMatchOperator: "Equals",
                    },
                  ],
                  ruleId: "942100",
                },
                { enabledState: "Disabled", ruleId: "942110" },
              ],
            },
          ],
          ruleSetAction: "Block",
          ruleSetType: "DefaultRuleSet",
          ruleSetVersion: "1.0",
        },
      ],
    },
    policySettings: {
      customBlockResponseBody:
        "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      customBlockResponseStatusCode: 429,
      enabledState: "Enabled",
      javascriptChallengeExpirationInMinutes: 30,
      mode: "Prevention",
      redirectUrl: "http://www.bing.com",
      requestBodyCheck: "Disabled",
      scrubbingRules: [
        {
          matchVariable: "RequestIPAddress",
          selector: undefined,
          selectorMatchOperator: "EqualsAny",
          state: "Enabled",
        },
      ],
      state: "Enabled",
    },
    sku: { name: "Premium_AzureFrontDoor" },
  };
  const credential = new DefaultAzureCredential();
  const client = new FrontDoorManagementClient(credential, subscriptionId);
  const result = await client.policies.beginCreateOrUpdateAndWait(
    resourceGroupName,
    policyName,
    parameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.FrontDoor.Models;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.FrontDoor;

// Generated from example definition: specification/frontdoor/resource-manager/Microsoft.Network/stable/2024-02-01/examples/WafPolicyCreateOrUpdate.json
// this example is just showing the usage of "Policies_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);

// get the collection of this FrontDoorWebApplicationFirewallPolicyResource
FrontDoorWebApplicationFirewallPolicyCollection collection = resourceGroupResource.GetFrontDoorWebApplicationFirewallPolicies();

// invoke the operation
string policyName = "Policy1";
FrontDoorWebApplicationFirewallPolicyData data = new FrontDoorWebApplicationFirewallPolicyData(new AzureLocation("WestUs"))
{
    SkuName = FrontDoorSkuName.PremiumAzureFrontDoor,
    PolicySettings = new FrontDoorWebApplicationFirewallPolicySettings()
    {
        EnabledState = PolicyEnabledState.Enabled,
        Mode = FrontDoorWebApplicationFirewallPolicyMode.Prevention,
        RedirectUri = new Uri("http://www.bing.com"),
        CustomBlockResponseStatusCode = 429,
        CustomBlockResponseBody = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
        RequestBodyCheck = PolicyRequestBodyCheck.Disabled,
        JavascriptChallengeExpirationInMinutes = 30,
        State = WebApplicationFirewallScrubbingState.Enabled,
        ScrubbingRules =
        {
        new WebApplicationFirewallScrubbingRules(ScrubbingRuleEntryMatchVariable.RequestIPAddress,ScrubbingRuleEntryMatchOperator.EqualsAny)
        {
        Selector = null,
        State = ScrubbingRuleEntryState.Enabled,
        }
        },
    },
    Rules =
    {
    new WebApplicationCustomRule(1,WebApplicationRuleType.RateLimitRule,new WebApplicationRuleMatchCondition[]
    {
    new WebApplicationRuleMatchCondition(WebApplicationRuleMatchVariable.RemoteAddr,WebApplicationRuleMatchOperator.IPMatch,new string[]
    {
    "192.168.1.0/24","10.0.0.0/24"
    })
    },RuleMatchActionType.Block)
    {
    Name = "Rule1",
    RateLimitThreshold = 1000,
    },new WebApplicationCustomRule(2,WebApplicationRuleType.MatchRule,new WebApplicationRuleMatchCondition[]
    {
    new WebApplicationRuleMatchCondition(WebApplicationRuleMatchVariable.RemoteAddr,WebApplicationRuleMatchOperator.GeoMatch,new string[]
    {
    "CH"
    }),new WebApplicationRuleMatchCondition(WebApplicationRuleMatchVariable.RequestHeader,WebApplicationRuleMatchOperator.Contains,new string[]
    {
    "windows"
    })
    {
    Selector = "UserAgent",
    Transforms =
    {
    WebApplicationRuleMatchTransformType.Lowercase
    },
    }
    },RuleMatchActionType.Block)
    {
    Name = "Rule2",
    }
    },
    ManagedRuleSets =
    {
    new ManagedRuleSet("DefaultRuleSet","1.0")
    {
    RuleSetAction = ManagedRuleSetActionType.Block,
    Exclusions =
    {
    new ManagedRuleExclusion(ManagedRuleExclusionMatchVariable.RequestHeaderNames,ManagedRuleExclusionSelectorMatchOperator.EqualsValue,"User-Agent")
    },
    RuleGroupOverrides =
    {
    new ManagedRuleGroupOverride("SQLI")
    {
    Exclusions =
    {
    new ManagedRuleExclusion(ManagedRuleExclusionMatchVariable.RequestCookieNames,ManagedRuleExclusionSelectorMatchOperator.StartsWith,"token")
    },
    Rules =
    {
    new ManagedRuleOverride("942100")
    {
    EnabledState = ManagedRuleEnabledState.Enabled,
    Action = RuleMatchActionType.Redirect,
    Exclusions =
    {
    new ManagedRuleExclusion(ManagedRuleExclusionMatchVariable.QueryStringArgNames,ManagedRuleExclusionSelectorMatchOperator.EqualsValue,"query")
    },
    },new ManagedRuleOverride("942110")
    {
    EnabledState = ManagedRuleEnabledState.Disabled,
    }
    },
    }
    },
    }
    },
};
ArmOperation<FrontDoorWebApplicationFirewallPolicyResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, policyName, data);
FrontDoorWebApplicationFirewallPolicyResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
FrontDoorWebApplicationFirewallPolicyData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "name": "Policy1",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "location": "WestUs",
  "properties": {
    "resourceState": "Enabled",
    "provisioningState": "Succeeded",
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "javascriptChallengeExpirationInMinutes": 30,
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "enabledState": "Enabled",
          "ruleType": "RateLimitRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "IPMatch",
              "negateCondition": false,
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "enabledState": "Enabled",
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 0,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "selector": "UserAgent",
              "operator": "Contains",
              "negateCondition": false,
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    },
    "frontendEndpointLinks": [],
    "securityPolicyLinks": []
  },
  "sku": {
    "name": "Premium_AzureFrontDoor"
  }
}

Status code:: 201

{
  "name": "Policy1",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "location": "WestUs",
  "properties": {
    "resourceState": "Enabled",
    "provisioningState": "Succeeded",
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "enabledState": "Enabled",
          "ruleType": "RateLimitRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "IPMatch",
              "negateCondition": false,
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "enabledState": "Enabled",
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 0,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "selector": "UserAgent",
              "operator": "Contains",
              "negateCondition": false,
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    },
    "frontendEndpointLinks": [],
    "securityPolicyLinks": []
  },
  "sku": {
    "name": "Classic_AzureFrontDoor"
  }
}

Status code:: 202

{
  "name": "Policy1",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "location": "WestUs",
  "properties": {
    "resourceState": "Enabled",
    "provisioningState": "Succeeded",
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "enabledState": "Enabled",
          "ruleType": "RateLimitRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "IPMatch",
              "negateCondition": false,
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "enabledState": "Enabled",
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 0,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "selector": "UserAgent",
              "operator": "Contains",
              "negateCondition": false,
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    },
    "frontendEndpointLinks": [],
    "securityPolicyLinks": []
  },
  "sku": {
    "name": "Premium_AzureFrontDoor"
  }
}

Definitions

Name	Description
scrubbingRuleEntryMatchOperator	When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.
scrubbingRuleEntryState	Defines the state of a log scrubbing rule. Default value is enabled.
ActionType	Defines the action to take on rule match.
CustomRule	Defines contents of a web application rule
CustomRuleEnabledState	Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.
CustomRuleList	Defines contents of custom rules
ErrorResponse	Error response indicates Front Door service is not able to process the incoming request. The reason is provided in the error message.
FrontendEndpointLink	Defines the Resource ID for a Frontend Endpoint.
GroupByVariable	Describes the variables available to group the rate limit requests
ManagedRuleEnabledState	Describes if the managed rule is in enabled or disabled state.
ManagedRuleExclusion	Exclude variables from managed rule evaluation.
ManagedRuleExclusionMatchVariable	The variable type to be excluded.
ManagedRuleExclusionSelectorMatchOperator	Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to.
ManagedRuleGroupOverride	Defines a managed rule group override setting.
ManagedRuleOverride	Defines a managed rule group override setting.
ManagedRuleSet	Defines a managed rule set.
ManagedRuleSetActionType	Defines the action to take when a managed rule set score threshold is met.
ManagedRuleSetList	Defines the list of managed rule sets for the policy.
MatchCondition	Define a match condition.
MatchVariable	Request variable to compare with.
Operator	Comparison type to use for matching with the variable value.
PolicyEnabledState	Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified.
PolicyMode	Describes if it is in detection mode or prevention mode at policy level.
PolicyRequestBodyCheck	Describes if policy managed rules will inspect the request body content.
PolicyResourceState	Resource status of the policy.
PolicySettings	Defines top-level WebApplicationFirewallPolicy configuration settings.
RoutingRuleLink	Defines the Resource ID for a Routing Rule.
RuleType	Describes type of rule.
scrubbingRuleEntryMatchVariable	The variable to be scrubbed from the logs.
SecurityPolicyLink	Defines the Resource ID for a Security Policy.
Sku	The pricing tier of the web application firewall policy.
SkuName	Name of the pricing tier.
TransformType	Describes what transforms applied before matching.
VariableName	Describes the supported variable for group by
WebApplicationFirewallPolicy	Defines web application firewall policy.
WebApplicationFirewallScrubbingRules	Defines the contents of the log scrubbing rules.
WebApplicationFirewallScrubbingState	State of the log scrubbing config. Default value is Enabled.

scrubbingRuleEntryMatchOperator

When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.

Name	Type	Description
Equals	string
EqualsAny	string

scrubbingRuleEntryState

Defines the state of a log scrubbing rule. Default value is enabled.

Name	Type	Description
Disabled	string
Enabled	string

ActionType

Defines the action to take on rule match.

Name	Type	Description
Allow	string
AnomalyScoring	string
Block	string
JSChallenge	string
Log	string
Redirect	string

CustomRule

Defines contents of a web application rule

Name	Type	Description
action	ActionType	Describes what action to be applied when rule matches.
enabledState	CustomRuleEnabledState	Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.
groupBy	GroupByVariable[]	Describes the list of variables to group the rate limit requests
matchConditions	MatchCondition[]	List of match conditions.
name	string	Describes the name of the rule.
priority	integer	Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
rateLimitDurationInMinutes	integer	Time window for resetting the rate limit count. Default is 1 minute.
rateLimitThreshold	integer	Number of allowed requests per client within the time window.
ruleType	RuleType	Describes type of rule.

CustomRuleEnabledState

Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.

Name	Type	Description
Disabled	string
Enabled	string

CustomRuleList

Defines contents of custom rules

Name	Type	Description
rules	CustomRule[]	List of rules

ErrorResponse

Error response indicates Front Door service is not able to process the incoming request. The reason is provided in the error message.

Name	Type	Description
code	string	Error code.
message	string	Error message indicating why the operation failed.

FrontendEndpointLink

Defines the Resource ID for a Frontend Endpoint.

Name	Type	Description
id	string	Resource ID.

GroupByVariable

Describes the variables available to group the rate limit requests

Name	Type	Description
variableName	VariableName	Describes the supported variable for group by

ManagedRuleEnabledState

Describes if the managed rule is in enabled or disabled state.

Name	Type	Description
Disabled	string
Enabled	string

ManagedRuleExclusion

Exclude variables from managed rule evaluation.

Name	Type	Description
matchVariable	ManagedRuleExclusionMatchVariable	The variable type to be excluded.
selector	string	Selector value for which elements in the collection this exclusion applies to.
selectorMatchOperator	ManagedRuleExclusionSelectorMatchOperator	Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to.

ManagedRuleExclusionMatchVariable

The variable type to be excluded.

Name	Type	Description
QueryStringArgNames	string
RequestBodyJsonArgNames	string
RequestBodyPostArgNames	string
RequestCookieNames	string
RequestHeaderNames	string

ManagedRuleExclusionSelectorMatchOperator

Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to.

Name	Type	Description
Contains	string
EndsWith	string
Equals	string
EqualsAny	string
StartsWith	string

ManagedRuleGroupOverride

Defines a managed rule group override setting.

Name	Type	Description
exclusions	ManagedRuleExclusion[]	Describes the exclusions that are applied to all rules in the group.
ruleGroupName	string	Describes the managed rule group to override.
rules	ManagedRuleOverride[]	List of rules that will be disabled. If none specified, all rules in the group will be disabled.

ManagedRuleOverride

Defines a managed rule group override setting.

Name	Type	Description
action	ActionType	Describes the override action to be applied when rule matches.
enabledState	ManagedRuleEnabledState	Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified.
exclusions	ManagedRuleExclusion[]	Describes the exclusions that are applied to this specific rule.
ruleId	string	Identifier for the managed rule.

ManagedRuleSet

Defines a managed rule set.

Name	Type	Description
exclusions	ManagedRuleExclusion[]	Describes the exclusions that are applied to all rules in the set.
ruleGroupOverrides	ManagedRuleGroupOverride[]	Defines the rule group overrides to apply to the rule set.
ruleSetAction	ManagedRuleSetActionType	ruleSetAction Defines the rule set action.
ruleSetType	string	Defines the rule set type to use.
ruleSetVersion	string	Defines the version of the rule set to use.

ManagedRuleSetActionType

Defines the action to take when a managed rule set score threshold is met.

Name	Type	Description
Block	string
Log	string
Redirect	string

ManagedRuleSetList

Defines the list of managed rule sets for the policy.

Name	Type	Description
managedRuleSets	ManagedRuleSet[]	List of rule sets.

MatchCondition

Define a match condition.

Name	Type	Description
matchValue	string[]	List of possible match values.
matchVariable	MatchVariable	Request variable to compare with.
negateCondition	boolean	Describes if the result of this condition should be negated.
operator	Operator	Comparison type to use for matching with the variable value.
selector	string	Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null.
transforms	TransformType[]	List of transforms.

MatchVariable

Request variable to compare with.

Name	Type	Description
Cookies	string
PostArgs	string
QueryString	string
RemoteAddr	string
RequestBody	string
RequestHeader	string
RequestMethod	string
RequestUri	string
SocketAddr	string

Operator

Comparison type to use for matching with the variable value.

Name	Type	Description
Any	string
BeginsWith	string
Contains	string
EndsWith	string
Equal	string
GeoMatch	string
GreaterThan	string
GreaterThanOrEqual	string
IPMatch	string
LessThan	string
LessThanOrEqual	string
RegEx	string

PolicyEnabledState

Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified.

Name	Type	Description
Disabled	string
Enabled	string

PolicyMode

Describes if it is in detection mode or prevention mode at policy level.

Name	Type	Description
Detection	string
Prevention	string

PolicyRequestBodyCheck

Describes if policy managed rules will inspect the request body content.

Name	Type	Description
Disabled	string
Enabled	string

PolicyResourceState

Resource status of the policy.

Name	Type	Description
Creating	string
Deleting	string
Disabled	string
Disabling	string
Enabled	string
Enabling	string

PolicySettings

Defines top-level WebApplicationFirewallPolicy configuration settings.

Name	Type	Description
customBlockResponseBody	string	If the action type is block, customer can override the response body. The body must be specified in base64 encoding.
customBlockResponseStatusCode	integer	If the action type is block, customer can override the response status code.
enabledState	PolicyEnabledState	Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified.
javascriptChallengeExpirationInMinutes	integer	Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30.
logScrubbing.scrubbingRules	WebApplicationFirewallScrubbingRules[]	List of log scrubbing rules applied to the Web Application Firewall logs.
logScrubbing.state	WebApplicationFirewallScrubbingState	State of the log scrubbing config. Default value is Enabled.
mode	PolicyMode	Describes if it is in detection mode or prevention mode at policy level.
redirectUrl	string	If action type is redirect, this field represents redirect URL for the client.
requestBodyCheck	PolicyRequestBodyCheck	Describes if policy managed rules will inspect the request body content.

RoutingRuleLink

Defines the Resource ID for a Routing Rule.

Name	Type	Description
id	string	Resource ID.

RuleType

Describes type of rule.

Name	Type	Description
MatchRule	string
RateLimitRule	string

scrubbingRuleEntryMatchVariable

The variable to be scrubbed from the logs.

Name	Type	Description
QueryStringArgNames	string
RequestBodyJsonArgNames	string
RequestBodyPostArgNames	string
RequestCookieNames	string
RequestHeaderNames	string
RequestIPAddress	string
RequestUri	string

SecurityPolicyLink

Defines the Resource ID for a Security Policy.

Name	Type	Description
id	string	Resource ID.

Sku

The pricing tier of the web application firewall policy.

Name	Type	Description
name	SkuName	Name of the pricing tier.

SkuName

Name of the pricing tier.

Name	Type	Description
Classic_AzureFrontDoor	string
Premium_AzureFrontDoor	string
Standard_AzureFrontDoor	string

TransformType

Describes what transforms applied before matching.

Name	Type	Description
Lowercase	string
RemoveNulls	string
Trim	string
Uppercase	string
UrlDecode	string
UrlEncode	string

VariableName

Describes the supported variable for group by

Name	Type	Description
GeoLocation	string
None	string
SocketAddr	string

WebApplicationFirewallPolicy

Defines web application firewall policy.

Name	Type	Description
etag	string	Gets a unique read-only string that changes whenever the resource is updated.
id	string	Resource ID.
location	string	Resource location.
name	string	Resource name.
properties.customRules	CustomRuleList	Describes custom rules inside the policy.
properties.frontendEndpointLinks	FrontendEndpointLink[]	Describes Frontend Endpoints associated with this Web Application Firewall policy.
properties.managedRules	ManagedRuleSetList	Describes managed rules inside the policy.
properties.policySettings	PolicySettings	Describes settings for the policy.
properties.provisioningState	string	Provisioning state of the policy.
properties.resourceState	PolicyResourceState	Resource status of the policy.
properties.routingRuleLinks	RoutingRuleLink[]	Describes Routing Rules associated with this Web Application Firewall policy.
properties.securityPolicyLinks	SecurityPolicyLink[]	Describes Security Policy associated with this Web Application Firewall policy.
sku	Sku	The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified.
tags	object	Resource tags.
type	string	Resource type.

WebApplicationFirewallScrubbingRules

Defines the contents of the log scrubbing rules.

Name	Type	Description
matchVariable	scrubbingRuleEntryMatchVariable	The variable to be scrubbed from the logs.
selector	string	When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to.
selectorMatchOperator	scrubbingRuleEntryMatchOperator	When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.
state	scrubbingRuleEntryState	Defines the state of a log scrubbing rule. Default value is enabled.

WebApplicationFirewallScrubbingState

State of the log scrubbing config. Default value is Enabled.

Name	Type	Description
Disabled	string
Enabled	string

Share via

Policies - Create Or Update

URI Parameters

Request Body

Responses

Security

azure_auth

Scopes

Examples

Creates specific policy

Sample request

Sample response

Definitions

scrubbingRuleEntryMatchOperator

scrubbingRuleEntryState

ActionType

CustomRule

CustomRuleEnabledState

CustomRuleList

ErrorResponse

FrontendEndpointLink

GroupByVariable

ManagedRuleEnabledState

ManagedRuleExclusion

ManagedRuleExclusionMatchVariable

ManagedRuleExclusionSelectorMatchOperator

ManagedRuleGroupOverride

ManagedRuleOverride

ManagedRuleSet

ManagedRuleSetActionType

ManagedRuleSetList

MatchCondition

MatchVariable

Operator

PolicyEnabledState

PolicyMode

PolicyRequestBodyCheck

PolicyResourceState

PolicySettings

RoutingRuleLink

RuleType

scrubbingRuleEntryMatchVariable

SecurityPolicyLink

Sku

SkuName

TransformType

VariableName

WebApplicationFirewallPolicy

WebApplicationFirewallScrubbingRules

WebApplicationFirewallScrubbingState

Additional resources