Firewall Policies - Create Or Update

Reference

Service:: Virtual Networks

API Version:: 2024-03-01

Creates or updates the specified Firewall Policy.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}?api-version=2024-03-01

URI Parameters

Name	In	Required	Type	Description
firewallPolicyName	path	True	string	The name of the Firewall Policy.
resourceGroupName	path	True	string	The name of the resource group.
subscriptionId	path	True	string	The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version	query	True	string	Client API version.

Request Body

Name	Type	Description
id	string	Resource ID.
identity	ManagedServiceIdentity	The identity of the firewall policy.
location	string	Resource location.
properties.basePolicy	SubResource	The parent firewall policy from which rules are inherited.
properties.dnsSettings	DnsSettings	DNS Proxy Settings definition.
properties.explicitProxy	ExplicitProxy	Explicit Proxy Settings definition.
properties.insights	FirewallPolicyInsights	Insights on Firewall Policy.
properties.intrusionDetection	FirewallPolicyIntrusionDetection	The configuration for Intrusion detection.
properties.sku	FirewallPolicySku	The Firewall Policy SKU.
properties.snat	FirewallPolicySNAT	The private IP addresses/IP ranges to which traffic will not be SNAT.
properties.sql	FirewallPolicySQL	SQL Settings definition.
properties.threatIntelMode	AzureFirewallThreatIntelMode	The operation mode for Threat Intelligence.
properties.threatIntelWhitelist	FirewallPolicyThreatIntelWhitelist	ThreatIntel Whitelist for Firewall Policy.
properties.transportSecurity	FirewallPolicyTransportSecurity	TLS Configuration definition.
tags	object	Resource tags.

Responses

Name	Type	Description
200 OK	FirewallPolicy	Request successful. The operation returns the resulting FirewallPolicy resource.
201 Created	FirewallPolicy	Request received successfully. The operation returns the resulting FirewallPolicy resource.
Other Status Codes	CloudError	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Create FirewallPolicy

Sample request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy?api-version=2024-03-01

{
  "tags": {
    "key1": "value1"
  },
  "location": "West US",
  "properties": {
    "threatIntelMode": "Alert",
    "threatIntelWhitelist": {
      "ipAddresses": [
        "20.3.4.5"
      ],
      "fqdns": [
        "*.microsoft.com"
      ]
    },
    "insights": {
      "isEnabled": true,
      "retentionDays": 100,
      "logAnalyticsResources": {
        "workspaces": [
          {
            "region": "westus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"
            }
          },
          {
            "region": "eastus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"
            }
          }
        ],
        "defaultWorkspaceId": {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"
        }
      }
    },
    "snat": {
      "privateRanges": [
        "IANAPrivateRanges"
      ]
    },
    "sql": {
      "allowSqlRedirect": true
    },
    "dnsSettings": {
      "servers": [
        "30.3.4.5"
      ],
      "enableProxy": true,
      "requireProxyForNetworkRules": false
    },
    "explicitProxy": {
      "enableExplicitProxy": true,
      "httpPort": 8087,
      "httpsPort": 8087,
      "enablePacFile": true,
      "pacFilePort": 8087,
      "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"
    },
    "sku": {
      "tier": "Premium"
    },
    "intrusionDetection": {
      "mode": "Alert",
      "profile": "Balanced",
      "configuration": {
        "signatureOverrides": [
          {
            "id": "2525004",
            "mode": "Deny"
          }
        ],
        "bypassTrafficSettings": [
          {
            "name": "bypassRule1",
            "description": "Rule 1",
            "protocol": "TCP",
            "sourceAddresses": [
              "1.2.3.4"
            ],
            "destinationAddresses": [
              "5.6.7.8"
            ],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      }
    },
    "transportSecurity": {
      "certificateAuthority": {
        "name": "clientcert",
        "keyVaultSecretId": "https://kv/secret"
      }
    }
  }
}


import com.azure.core.management.SubResource;
import com.azure.resourcemanager.network.fluent.models.FirewallPolicyInner;
import com.azure.resourcemanager.network.models.AzureFirewallThreatIntelMode;
import com.azure.resourcemanager.network.models.DnsSettings;
import com.azure.resourcemanager.network.models.ExplicitProxy;
import com.azure.resourcemanager.network.models.FirewallPolicyCertificateAuthority;
import com.azure.resourcemanager.network.models.FirewallPolicyInsights;
import com.azure.resourcemanager.network.models.FirewallPolicyIntrusionDetection;
import com.azure.resourcemanager.network.models.FirewallPolicyIntrusionDetectionBypassTrafficSpecifications;
import com.azure.resourcemanager.network.models.FirewallPolicyIntrusionDetectionConfiguration;
import com.azure.resourcemanager.network.models.FirewallPolicyIntrusionDetectionProfileType;
import com.azure.resourcemanager.network.models.FirewallPolicyIntrusionDetectionProtocol;
import com.azure.resourcemanager.network.models.FirewallPolicyIntrusionDetectionSignatureSpecification;
import com.azure.resourcemanager.network.models.FirewallPolicyIntrusionDetectionStateType;
import com.azure.resourcemanager.network.models.FirewallPolicyLogAnalyticsResources;
import com.azure.resourcemanager.network.models.FirewallPolicyLogAnalyticsWorkspace;
import com.azure.resourcemanager.network.models.FirewallPolicySku;
import com.azure.resourcemanager.network.models.FirewallPolicySkuTier;
import com.azure.resourcemanager.network.models.FirewallPolicySnat;
import com.azure.resourcemanager.network.models.FirewallPolicySql;
import com.azure.resourcemanager.network.models.FirewallPolicyThreatIntelWhitelist;
import com.azure.resourcemanager.network.models.FirewallPolicyTransportSecurity;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Samples for FirewallPolicies CreateOrUpdate.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/network/resource-manager/Microsoft.Network/stable/2024-03-01/examples/FirewallPolicyPut.json
     */
    /**
     * Sample code: Create FirewallPolicy.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void createFirewallPolicy(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.networks().manager().serviceClient().getFirewallPolicies().createOrUpdate("rg1", "firewallPolicy",
            new FirewallPolicyInner().withLocation("West US").withTags(mapOf("key1", "fakeTokenPlaceholder"))
                .withThreatIntelMode(AzureFirewallThreatIntelMode.ALERT)
                .withThreatIntelWhitelist(new FirewallPolicyThreatIntelWhitelist()
                    .withIpAddresses(Arrays.asList("20.3.4.5")).withFqdns(Arrays.asList("*.microsoft.com")))
                .withInsights(new FirewallPolicyInsights().withIsEnabled(true).withRetentionDays(100)
                    .withLogAnalyticsResources(new FirewallPolicyLogAnalyticsResources()
                        .withWorkspaces(Arrays.asList(new FirewallPolicyLogAnalyticsWorkspace().withRegion("westus")
                            .withWorkspaceId(new SubResource().withId(
                                "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1")),
                            new FirewallPolicyLogAnalyticsWorkspace().withRegion("eastus")
                                .withWorkspaceId(new SubResource().withId(
                                    "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"))))
                        .withDefaultWorkspaceId(new SubResource().withId(
                            "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"))))
                .withSnat(new FirewallPolicySnat().withPrivateRanges(Arrays.asList("IANAPrivateRanges")))
                .withSql(new FirewallPolicySql().withAllowSqlRedirect(true))
                .withDnsSettings(new DnsSettings().withServers(Arrays.asList("30.3.4.5")).withEnableProxy(true)
                    .withRequireProxyForNetworkRules(false))
                .withExplicitProxy(new ExplicitProxy().withEnableExplicitProxy(true).withHttpPort(8087)
                    .withHttpsPort(8087).withEnablePacFile(true).withPacFilePort(8087).withPacFile(
                        "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"))
                .withIntrusionDetection(
                    new FirewallPolicyIntrusionDetection().withMode(FirewallPolicyIntrusionDetectionStateType.ALERT)
                        .withProfile(FirewallPolicyIntrusionDetectionProfileType.fromString("Balanced"))
                        .withConfiguration(new FirewallPolicyIntrusionDetectionConfiguration()
                            .withSignatureOverrides(
                                Arrays.asList(new FirewallPolicyIntrusionDetectionSignatureSpecification()
                                    .withId("2525004").withMode(FirewallPolicyIntrusionDetectionStateType.DENY)))
                            .withBypassTrafficSettings(
                                Arrays.asList(new FirewallPolicyIntrusionDetectionBypassTrafficSpecifications()
                                    .withName("bypassRule1").withDescription("Rule 1")
                                    .withProtocol(FirewallPolicyIntrusionDetectionProtocol.TCP)
                                    .withSourceAddresses(Arrays.asList("1.2.3.4"))
                                    .withDestinationAddresses(Arrays.asList("5.6.7.8"))
                                    .withDestinationPorts(Arrays.asList("*"))))))
                .withTransportSecurity(new FirewallPolicyTransportSecurity()
                    .withCertificateAuthority(new FirewallPolicyCertificateAuthority()
                        .withKeyVaultSecretId("fakeTokenPlaceholder").withName("clientcert")))
                .withSku(new FirewallPolicySku().withTier(FirewallPolicySkuTier.PREMIUM)),
            com.azure.core.util.Context.NONE);
    }

    // Use "Map.of" if available
    @SuppressWarnings("unchecked")
    private static <T> Map<String, T> mapOf(Object... inputs) {
        Map<String, T> map = new HashMap<>();
        for (int i = 0; i < inputs.length; i += 2) {
            String key = (String) inputs[i];
            T value = (T) inputs[i + 1];
            map.put(key, value);
        }
        return map;
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python firewall_policy_put.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subid",
    )

    response = client.firewall_policies.begin_create_or_update(
        resource_group_name="rg1",
        firewall_policy_name="firewallPolicy",
        parameters={
            "location": "West US",
            "properties": {
                "dnsSettings": {"enableProxy": True, "requireProxyForNetworkRules": False, "servers": ["30.3.4.5"]},
                "explicitProxy": {
                    "enableExplicitProxy": True,
                    "enablePacFile": True,
                    "httpPort": 8087,
                    "httpsPort": 8087,
                    "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D",
                    "pacFilePort": 8087,
                },
                "insights": {
                    "isEnabled": True,
                    "logAnalyticsResources": {
                        "defaultWorkspaceId": {
                            "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"
                        },
                        "workspaces": [
                            {
                                "region": "westus",
                                "workspaceId": {
                                    "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"
                                },
                            },
                            {
                                "region": "eastus",
                                "workspaceId": {
                                    "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"
                                },
                            },
                        ],
                    },
                    "retentionDays": 100,
                },
                "intrusionDetection": {
                    "configuration": {
                        "bypassTrafficSettings": [
                            {
                                "description": "Rule 1",
                                "destinationAddresses": ["5.6.7.8"],
                                "destinationPorts": ["*"],
                                "name": "bypassRule1",
                                "protocol": "TCP",
                                "sourceAddresses": ["1.2.3.4"],
                            }
                        ],
                        "signatureOverrides": [{"id": "2525004", "mode": "Deny"}],
                    },
                    "mode": "Alert",
                    "profile": "Balanced",
                },
                "sku": {"tier": "Premium"},
                "snat": {"privateRanges": ["IANAPrivateRanges"]},
                "sql": {"allowSqlRedirect": True},
                "threatIntelMode": "Alert",
                "threatIntelWhitelist": {"fqdns": ["*.microsoft.com"], "ipAddresses": ["20.3.4.5"]},
                "transportSecurity": {
                    "certificateAuthority": {"keyVaultSecretId": "https://kv/secret", "name": "clientcert"}
                },
            },
            "tags": {"key1": "value1"},
        },
    ).result()
    print(response)


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2024-03-01/examples/FirewallPolicyPut.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armnetwork_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/4883fa5dbf6f2c9093fac8ce334547e9dfac68fa/specification/network/resource-manager/Microsoft.Network/stable/2024-03-01/examples/FirewallPolicyPut.json
func ExampleFirewallPoliciesClient_BeginCreateOrUpdate() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewFirewallPoliciesClient().BeginCreateOrUpdate(ctx, "rg1", "firewallPolicy", armnetwork.FirewallPolicy{
		Location: to.Ptr("West US"),
		Tags: map[string]*string{
			"key1": to.Ptr("value1"),
		},
		Properties: &armnetwork.FirewallPolicyPropertiesFormat{
			DNSSettings: &armnetwork.DNSSettings{
				EnableProxy:                 to.Ptr(true),
				RequireProxyForNetworkRules: to.Ptr(false),
				Servers: []*string{
					to.Ptr("30.3.4.5")},
			},
			Insights: &armnetwork.FirewallPolicyInsights{
				IsEnabled: to.Ptr(true),
				LogAnalyticsResources: &armnetwork.FirewallPolicyLogAnalyticsResources{
					DefaultWorkspaceID: &armnetwork.SubResource{
						ID: to.Ptr("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"),
					},
					Workspaces: []*armnetwork.FirewallPolicyLogAnalyticsWorkspace{
						{
							Region: to.Ptr("westus"),
							WorkspaceID: &armnetwork.SubResource{
								ID: to.Ptr("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"),
							},
						},
						{
							Region: to.Ptr("eastus"),
							WorkspaceID: &armnetwork.SubResource{
								ID: to.Ptr("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"),
							},
						}},
				},
				RetentionDays: to.Ptr[int32](100),
			},
			IntrusionDetection: &armnetwork.FirewallPolicyIntrusionDetection{
				Configuration: &armnetwork.FirewallPolicyIntrusionDetectionConfiguration{
					BypassTrafficSettings: []*armnetwork.FirewallPolicyIntrusionDetectionBypassTrafficSpecifications{
						{
							Name:        to.Ptr("bypassRule1"),
							Description: to.Ptr("Rule 1"),
							DestinationAddresses: []*string{
								to.Ptr("5.6.7.8")},
							DestinationPorts: []*string{
								to.Ptr("*")},
							SourceAddresses: []*string{
								to.Ptr("1.2.3.4")},
							Protocol: to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionProtocolTCP),
						}},
					SignatureOverrides: []*armnetwork.FirewallPolicyIntrusionDetectionSignatureSpecification{
						{
							ID:   to.Ptr("2525004"),
							Mode: to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionStateTypeDeny),
						}},
				},
				Mode:    to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionStateTypeAlert),
				Profile: to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionProfileType("Balanced")),
			},
			SKU: &armnetwork.FirewallPolicySKU{
				Tier: to.Ptr(armnetwork.FirewallPolicySKUTierPremium),
			},
			Snat: &armnetwork.FirewallPolicySNAT{
				PrivateRanges: []*string{
					to.Ptr("IANAPrivateRanges")},
			},
			SQL: &armnetwork.FirewallPolicySQL{
				AllowSQLRedirect: to.Ptr(true),
			},
			ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
			ThreatIntelWhitelist: &armnetwork.FirewallPolicyThreatIntelWhitelist{
				Fqdns: []*string{
					to.Ptr("*.microsoft.com")},
				IPAddresses: []*string{
					to.Ptr("20.3.4.5")},
			},
			TransportSecurity: &armnetwork.FirewallPolicyTransportSecurity{
				CertificateAuthority: &armnetwork.FirewallPolicyCertificateAuthority{
					Name:             to.Ptr("clientcert"),
					KeyVaultSecretID: to.Ptr("https://kv/secret"),
				},
			},
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	res, err := poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.FirewallPolicy = armnetwork.FirewallPolicy{
	// 	Name: to.Ptr("firewallPolicy"),
	// 	Type: to.Ptr("Microsoft.Network/firewallPolicies"),
	// 	ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy"),
	// 	Location: to.Ptr("West US"),
	// 	Tags: map[string]*string{
	// 		"key1": to.Ptr("value1"),
	// 	},
	// 	Etag: to.Ptr("w/\\00000000-0000-0000-0000-000000000000\\"),
	// 	Properties: &armnetwork.FirewallPolicyPropertiesFormat{
	// 		DNSSettings: &armnetwork.DNSSettings{
	// 			EnableProxy: to.Ptr(true),
	// 			RequireProxyForNetworkRules: to.Ptr(false),
	// 			Servers: []*string{
	// 				to.Ptr("30.3.4.5")},
	// 			},
	// 			Firewalls: []*armnetwork.SubResource{
	// 			},
	// 			Insights: &armnetwork.FirewallPolicyInsights{
	// 				IsEnabled: to.Ptr(true),
	// 				LogAnalyticsResources: &armnetwork.FirewallPolicyLogAnalyticsResources{
	// 					DefaultWorkspaceID: &armnetwork.SubResource{
	// 						ID: to.Ptr("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"),
	// 					},
	// 					Workspaces: []*armnetwork.FirewallPolicyLogAnalyticsWorkspace{
	// 						{
	// 							Region: to.Ptr("westus"),
	// 							WorkspaceID: &armnetwork.SubResource{
	// 								ID: to.Ptr("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"),
	// 							},
	// 						},
	// 						{
	// 							Region: to.Ptr("eastus"),
	// 							WorkspaceID: &armnetwork.SubResource{
	// 								ID: to.Ptr("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"),
	// 							},
	// 					}},
	// 				},
	// 				RetentionDays: to.Ptr[int32](100),
	// 			},
	// 			IntrusionDetection: &armnetwork.FirewallPolicyIntrusionDetection{
	// 				Configuration: &armnetwork.FirewallPolicyIntrusionDetectionConfiguration{
	// 					BypassTrafficSettings: []*armnetwork.FirewallPolicyIntrusionDetectionBypassTrafficSpecifications{
	// 						{
	// 							Name: to.Ptr("bypassRule1"),
	// 							Description: to.Ptr("Rule 1"),
	// 							DestinationAddresses: []*string{
	// 								to.Ptr("5.6.7.8")},
	// 								DestinationPorts: []*string{
	// 									to.Ptr("*")},
	// 									SourceAddresses: []*string{
	// 										to.Ptr("1.2.3.4")},
	// 										Protocol: to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionProtocolTCP),
	// 								}},
	// 								SignatureOverrides: []*armnetwork.FirewallPolicyIntrusionDetectionSignatureSpecification{
	// 									{
	// 										ID: to.Ptr("2525004"),
	// 										Mode: to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionStateTypeDeny),
	// 								}},
	// 							},
	// 							Mode: to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionStateTypeAlert),
	// 							Profile: to.Ptr(armnetwork.FirewallPolicyIntrusionDetectionProfileType("Balanced")),
	// 						},
	// 						ProvisioningState: to.Ptr(armnetwork.ProvisioningStateSucceeded),
	// 						RuleCollectionGroups: []*armnetwork.SubResource{
	// 							{
	// 								ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/ruleCollectionGroups/ruleCollectionGroup1"),
	// 							},
	// 							{
	// 								ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/ruleCollectionGroups/ruleCollectionGroup2"),
	// 						}},
	// 						Size: to.Ptr("0.5MB"),
	// 						SKU: &armnetwork.FirewallPolicySKU{
	// 							Tier: to.Ptr(armnetwork.FirewallPolicySKUTierPremium),
	// 						},
	// 						Snat: &armnetwork.FirewallPolicySNAT{
	// 							PrivateRanges: []*string{
	// 								to.Ptr("IANAPrivateRanges")},
	// 							},
	// 							SQL: &armnetwork.FirewallPolicySQL{
	// 								AllowSQLRedirect: to.Ptr(true),
	// 							},
	// 							ThreatIntelMode: to.Ptr(armnetwork.AzureFirewallThreatIntelModeAlert),
	// 							ThreatIntelWhitelist: &armnetwork.FirewallPolicyThreatIntelWhitelist{
	// 								Fqdns: []*string{
	// 									to.Ptr("*.microsoft.com")},
	// 									IPAddresses: []*string{
	// 										to.Ptr("20.3.4.5")},
	// 									},
	// 									TransportSecurity: &armnetwork.FirewallPolicyTransportSecurity{
	// 										CertificateAuthority: &armnetwork.FirewallPolicyCertificateAuthority{
	// 											Name: to.Ptr("clientcert"),
	// 											KeyVaultSecretID: to.Ptr("https://kv/secret"),
	// 										},
	// 									},
	// 								},
	// 							}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Creates or updates the specified Firewall Policy.
 *
 * @summary Creates or updates the specified Firewall Policy.
 * x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2024-03-01/examples/FirewallPolicyPut.json
 */
async function createFirewallPolicy() {
  const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
  const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
  const firewallPolicyName = "firewallPolicy";
  const parameters = {
    dnsSettings: {
      enableProxy: true,
      requireProxyForNetworkRules: false,
      servers: ["30.3.4.5"],
    },
    explicitProxy: {
      enableExplicitProxy: true,
      enablePacFile: true,
      httpPort: 8087,
      httpsPort: 8087,
      pacFile:
        "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D",
      pacFilePort: 8087,
    },
    insights: {
      isEnabled: true,
      logAnalyticsResources: {
        defaultWorkspaceId: {
          id: "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace",
        },
        workspaces: [
          {
            region: "westus",
            workspaceId: {
              id: "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1",
            },
          },
          {
            region: "eastus",
            workspaceId: {
              id: "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2",
            },
          },
        ],
      },
      retentionDays: 100,
    },
    intrusionDetection: {
      configuration: {
        bypassTrafficSettings: [
          {
            name: "bypassRule1",
            description: "Rule 1",
            destinationAddresses: ["5.6.7.8"],
            destinationPorts: ["*"],
            sourceAddresses: ["1.2.3.4"],
            protocol: "TCP",
          },
        ],
        signatureOverrides: [{ id: "2525004", mode: "Deny" }],
      },
      mode: "Alert",
      profile: "Balanced",
    },
    location: "West US",
    sku: { tier: "Premium" },
    snat: { privateRanges: ["IANAPrivateRanges"] },
    sql: { allowSqlRedirect: true },
    tags: { key1: "value1" },
    threatIntelMode: "Alert",
    threatIntelWhitelist: {
      fqdns: ["*.microsoft.com"],
      ipAddresses: ["20.3.4.5"],
    },
    transportSecurity: {
      certificateAuthority: {
        name: "clientcert",
        keyVaultSecretId: "https://kv/secret",
      },
    },
  };
  const credential = new DefaultAzureCredential();
  const client = new NetworkManagementClient(credential, subscriptionId);
  const result = await client.firewallPolicies.beginCreateOrUpdateAndWait(
    resourceGroupName,
    firewallPolicyName,
    parameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.Network;

// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2024-03-01/examples/FirewallPolicyPut.json
// this example is just showing the usage of "FirewallPolicies_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);

// get the collection of this FirewallPolicyResource
FirewallPolicyCollection collection = resourceGroupResource.GetFirewallPolicies();

// invoke the operation
string firewallPolicyName = "firewallPolicy";
FirewallPolicyData data = new FirewallPolicyData()
{
    ThreatIntelMode = AzureFirewallThreatIntelMode.Alert,
    ThreatIntelWhitelist = new FirewallPolicyThreatIntelWhitelist()
    {
        IPAddresses =
        {
        "20.3.4.5"
        },
        Fqdns =
        {
        "*.microsoft.com"
        },
    },
    Insights = new FirewallPolicyInsights()
    {
        IsEnabled = true,
        RetentionDays = 100,
        LogAnalyticsResources = new FirewallPolicyLogAnalyticsResources()
        {
            Workspaces =
            {
            new FirewallPolicyLogAnalyticsWorkspace()
            {
            Region = "westus",
            WorkspaceIdId = new ResourceIdentifier("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"),
            },new FirewallPolicyLogAnalyticsWorkspace()
            {
            Region = "eastus",
            WorkspaceIdId = new ResourceIdentifier("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"),
            }
            },
            DefaultWorkspaceIdId = new ResourceIdentifier("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"),
        },
    },
    Snat = new FirewallPolicySnat()
    {
        PrivateRanges =
        {
        "IANAPrivateRanges"
        },
    },
    AllowSqlRedirect = true,
    DnsSettings = new DnsSettings()
    {
        Servers =
        {
        "30.3.4.5"
        },
        EnableProxy = true,
        RequireProxyForNetworkRules = false,
    },
    ExplicitProxy = new FirewallPolicyExplicitProxy()
    {
        EnableExplicitProxy = true,
        HttpPort = 8087,
        HttpsPort = 8087,
        EnablePacFile = true,
        PacFilePort = 8087,
        PacFile = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D",
    },
    IntrusionDetection = new FirewallPolicyIntrusionDetection()
    {
        Mode = FirewallPolicyIntrusionDetectionStateType.Alert,
        Profile = new FirewallPolicyIntrusionDetectionProfileType("Balanced"),
        Configuration = new FirewallPolicyIntrusionDetectionConfiguration()
        {
            SignatureOverrides =
            {
            new FirewallPolicyIntrusionDetectionSignatureSpecification()
            {
            Id = "2525004",
            Mode = FirewallPolicyIntrusionDetectionStateType.Deny,
            }
            },
            BypassTrafficSettings =
            {
            new FirewallPolicyIntrusionDetectionBypassTrafficSpecifications()
            {
            Name = "bypassRule1",
            Description = "Rule 1",
            Protocol = FirewallPolicyIntrusionDetectionProtocol.Tcp,
            SourceAddresses =
            {
            "1.2.3.4"
            },
            DestinationAddresses =
            {
            "5.6.7.8"
            },
            DestinationPorts =
            {
            "*"
            },
            }
            },
        },
    },
    TransportSecurityCertificateAuthority = new FirewallPolicyCertificateAuthority()
    {
        KeyVaultSecretId = "https://kv/secret",
        Name = "clientcert",
    },
    SkuTier = FirewallPolicySkuTier.Premium,
    Location = new AzureLocation("West US"),
    Tags =
    {
    ["key1"] = "value1",
    },
};
ArmOperation<FirewallPolicyResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, firewallPolicyName, data);
FirewallPolicyResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
FirewallPolicyData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "name": "firewallPolicy",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy",
  "type": "Microsoft.Network/firewallPolicies",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "size": "0.5MB",
    "provisioningState": "Succeeded",
    "threatIntelMode": "Alert",
    "threatIntelWhitelist": {
      "ipAddresses": [
        "20.3.4.5"
      ],
      "fqdns": [
        "*.microsoft.com"
      ]
    },
    "ruleCollectionGroups": [
      {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/ruleCollectionGroups/ruleCollectionGroup1"
      },
      {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/ruleCollectionGroups/ruleCollectionGroup2"
      }
    ],
    "insights": {
      "isEnabled": true,
      "retentionDays": 100,
      "logAnalyticsResources": {
        "workspaces": [
          {
            "region": "westus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"
            }
          },
          {
            "region": "eastus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"
            }
          }
        ],
        "defaultWorkspaceId": {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"
        }
      }
    },
    "firewalls": [],
    "snat": {
      "privateRanges": [
        "IANAPrivateRanges"
      ]
    },
    "sql": {
      "allowSqlRedirect": true
    },
    "dnsSettings": {
      "servers": [
        "30.3.4.5"
      ],
      "enableProxy": true,
      "requireProxyForNetworkRules": false
    },
    "explicitProxy": {
      "enableExplicitProxy": true,
      "httpPort": 8087,
      "httpsPort": 8087,
      "enablePacFile": true,
      "pacFilePort": 8087,
      "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"
    },
    "sku": {
      "tier": "Premium"
    },
    "intrusionDetection": {
      "mode": "Alert",
      "profile": "Balanced",
      "configuration": {
        "signatureOverrides": [
          {
            "id": "2525004",
            "mode": "Deny"
          }
        ],
        "bypassTrafficSettings": [
          {
            "name": "bypassRule1",
            "description": "Rule 1",
            "protocol": "TCP",
            "sourceAddresses": [
              "1.2.3.4"
            ],
            "destinationAddresses": [
              "5.6.7.8"
            ],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      }
    },
    "transportSecurity": {
      "certificateAuthority": {
        "name": "clientcert",
        "keyVaultSecretId": "https://kv/secret"
      }
    }
  }
}

Status code:: 201

{
  "name": "firewallPolicy",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy",
  "type": "Microsoft.Network/firewallPolicies",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "size": "0.5MB",
    "provisioningState": "Succeeded",
    "threatIntelMode": "Alert",
    "threatIntelWhitelist": {
      "ipAddresses": [
        "20.3.4.5"
      ],
      "fqdns": [
        "*.microsoft.com"
      ]
    },
    "ruleCollectionGroups": [
      {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/ruleCollectionGroups/ruleCollectionGroup1"
      },
      {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/ruleCollectionGroups/ruleCollectionGroup2"
      }
    ],
    "insights": {
      "isEnabled": true,
      "retentionDays": 100,
      "logAnalyticsResources": {
        "workspaces": [
          {
            "region": "westus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"
            }
          },
          {
            "region": "eastus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"
            }
          }
        ],
        "defaultWorkspaceId": {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"
        }
      }
    },
    "firewalls": [],
    "snat": {
      "privateRanges": [
        "IANAPrivateRanges"
      ]
    },
    "sql": {
      "allowSqlRedirect": true
    },
    "dnsSettings": {
      "servers": [
        "30.3.4.5"
      ],
      "enableProxy": true,
      "requireProxyForNetworkRules": false
    },
    "explicitProxy": {
      "enableExplicitProxy": true,
      "httpPort": 8087,
      "httpsPort": 8087,
      "enablePacFile": true,
      "pacFilePort": 8087,
      "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"
    },
    "sku": {
      "tier": "Premium"
    },
    "intrusionDetection": {
      "mode": "Alert",
      "profile": "Balanced",
      "configuration": {
        "signatureOverrides": [
          {
            "id": "2525004",
            "mode": "Deny"
          }
        ],
        "bypassTrafficSettings": [
          {
            "name": "bypassRule1",
            "description": "Rule 1",
            "protocol": "TCP",
            "sourceAddresses": [
              "1.2.3.4"
            ],
            "destinationAddresses": [
              "5.6.7.8"
            ],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      }
    },
    "transportSecurity": {
      "certificateAuthority": {
        "name": "clientcert",
        "keyVaultSecretId": "https://kv/secret"
      }
    }
  }
}

Definitions

Name	Description
AutoLearnPrivateRangesMode	The operation mode for automatically learning private ranges to not be SNAT
AzureFirewallThreatIntelMode	The operation mode for Threat Intel.
CloudError	An error response from the service.
CloudErrorBody	An error response from the service.
DnsSettings	DNS Proxy Settings in Firewall Policy.
ExplicitProxy	Explicit Proxy Settings in Firewall Policy.
FirewallPolicy	FirewallPolicy Resource.
FirewallPolicyCertificateAuthority	Trusted Root certificates properties for tls.
FirewallPolicyInsights	Firewall Policy Insights.
FirewallPolicyIntrusionDetection	Configuration for intrusion detection mode and rules.
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications	Intrusion detection bypass traffic specification.
FirewallPolicyIntrusionDetectionConfiguration	The operation for configuring intrusion detection.
FirewallPolicyIntrusionDetectionProfileType	IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.
FirewallPolicyIntrusionDetectionProtocol	The rule bypass protocol.
FirewallPolicyIntrusionDetectionSignatureSpecification	Intrusion detection signatures specification states.
FirewallPolicyIntrusionDetectionStateType	Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.
FirewallPolicyLogAnalyticsResources	Log Analytics Resources for Firewall Policy Insights.
FirewallPolicyLogAnalyticsWorkspace	Log Analytics Workspace for Firewall Policy Insights.
FirewallPolicySku	SKU of Firewall policy.
FirewallPolicySkuTier	Tier of Firewall Policy.
FirewallPolicySNAT	The private IP addresses/IP ranges to which traffic will not be SNAT.
FirewallPolicySQL	SQL Settings in Firewall Policy.
FirewallPolicyThreatIntelWhitelist	ThreatIntel Whitelist for Firewall Policy.
FirewallPolicyTransportSecurity	Configuration needed to perform TLS termination & initiation.
ManagedServiceIdentity	Identity for the resource.
ProvisioningState	The current provisioning state.
ResourceIdentityType	The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
SubResource	Reference to another subresource.
UserAssignedIdentities	The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

AutoLearnPrivateRangesMode

The operation mode for automatically learning private ranges to not be SNAT

Name	Type	Description
Disabled	string
Enabled	string

AzureFirewallThreatIntelMode

The operation mode for Threat Intel.

Name	Type	Description
Alert	string
Deny	string
Off	string

CloudError

An error response from the service.

Name	Type	Description
error	CloudErrorBody	Cloud error body.

CloudErrorBody

An error response from the service.

Name	Type	Description
code	string	An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
details	CloudErrorBody[]	A list of additional details about the error.
message	string	A message describing the error, intended to be suitable for display in a user interface.
target	string	The target of the particular error. For example, the name of the property in error.

DnsSettings

DNS Proxy Settings in Firewall Policy.

Name	Type	Description
enableProxy	boolean	Enable DNS Proxy on Firewalls attached to the Firewall Policy.
requireProxyForNetworkRules	boolean	FQDNs in Network Rules are supported when set to true.
servers	string[]	List of Custom DNS Servers.

ExplicitProxy

Explicit Proxy Settings in Firewall Policy.

Name	Type	Description
enableExplicitProxy	boolean	When set to true, explicit proxy mode is enabled.
enablePacFile	boolean	When set to true, pac file port and url needs to be provided.
httpPort	integer	Port number for explicit proxy http protocol, cannot be greater than 64000.
httpsPort	integer	Port number for explicit proxy https protocol, cannot be greater than 64000.
pacFile	string	SAS URL for PAC file.
pacFilePort	integer	Port number for firewall to serve PAC file.

FirewallPolicy

FirewallPolicy Resource.

Name	Type	Description
etag	string	A unique read-only string that changes whenever the resource is updated.
id	string	Resource ID.
identity	ManagedServiceIdentity	The identity of the firewall policy.
location	string	Resource location.
name	string	Resource name.
properties.basePolicy	SubResource	The parent firewall policy from which rules are inherited.
properties.childPolicies	SubResource[]	List of references to Child Firewall Policies.
properties.dnsSettings	DnsSettings	DNS Proxy Settings definition.
properties.explicitProxy	ExplicitProxy	Explicit Proxy Settings definition.
properties.firewalls	SubResource[]	List of references to Azure Firewalls that this Firewall Policy is associated with.
properties.insights	FirewallPolicyInsights	Insights on Firewall Policy.
properties.intrusionDetection	FirewallPolicyIntrusionDetection	The configuration for Intrusion detection.
properties.provisioningState	ProvisioningState	The provisioning state of the firewall policy resource.
properties.ruleCollectionGroups	SubResource[]	List of references to FirewallPolicyRuleCollectionGroups.
properties.size	string	A read-only string that represents the size of the FirewallPolicyPropertiesFormat in MB. (ex 0.5MB)
properties.sku	FirewallPolicySku	The Firewall Policy SKU.
properties.snat	FirewallPolicySNAT	The private IP addresses/IP ranges to which traffic will not be SNAT.
properties.sql	FirewallPolicySQL	SQL Settings definition.
properties.threatIntelMode	AzureFirewallThreatIntelMode	The operation mode for Threat Intelligence.
properties.threatIntelWhitelist	FirewallPolicyThreatIntelWhitelist	ThreatIntel Whitelist for Firewall Policy.
properties.transportSecurity	FirewallPolicyTransportSecurity	TLS Configuration definition.
tags	object	Resource tags.
type	string	Resource type.

FirewallPolicyCertificateAuthority

Trusted Root certificates properties for tls.

Name	Type	Description
keyVaultSecretId	string	Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
name	string	Name of the CA certificate.

FirewallPolicyInsights

Firewall Policy Insights.

Name	Type	Description
isEnabled	boolean	A flag to indicate if the insights are enabled on the policy.
logAnalyticsResources	FirewallPolicyLogAnalyticsResources	Workspaces needed to configure the Firewall Policy Insights.
retentionDays	integer	Number of days the insights should be enabled on the policy.

FirewallPolicyIntrusionDetection

Configuration for intrusion detection mode and rules.

Name	Type	Description
configuration	FirewallPolicyIntrusionDetectionConfiguration	Intrusion detection configuration properties.
mode	FirewallPolicyIntrusionDetectionStateType	Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.
profile	FirewallPolicyIntrusionDetectionProfileType	IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Intrusion detection bypass traffic specification.

Name	Type	Description
description	string	Description of the bypass traffic rule.
destinationAddresses	string[]	List of destination IP addresses or ranges for this rule.
destinationIpGroups	string[]	List of destination IpGroups for this rule.
destinationPorts	string[]	List of destination ports or ranges.
name	string	Name of the bypass traffic rule.
protocol	FirewallPolicyIntrusionDetectionProtocol	The rule bypass protocol.
sourceAddresses	string[]	List of source IP addresses or ranges for this rule.
sourceIpGroups	string[]	List of source IpGroups for this rule.

FirewallPolicyIntrusionDetectionConfiguration

The operation for configuring intrusion detection.

Name	Type	Description
bypassTrafficSettings	FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[]	List of rules for traffic to bypass.
privateRanges	string[]	IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property
signatureOverrides	FirewallPolicyIntrusionDetectionSignatureSpecification[]	List of specific signatures states.

FirewallPolicyIntrusionDetectionProfileType

IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.

Name	Type	Description
Advanced	string
Basic	string
Extended	string
Standard	string

FirewallPolicyIntrusionDetectionProtocol

The rule bypass protocol.

Name	Type	Description
ANY	string
ICMP	string
TCP	string
UDP	string

FirewallPolicyIntrusionDetectionSignatureSpecification

Intrusion detection signatures specification states.

Name	Type	Description
id	string	Signature id.
mode	FirewallPolicyIntrusionDetectionStateType	The signature state.

FirewallPolicyIntrusionDetectionStateType

Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.

Name	Type	Description
Alert	string
Deny	string
Off	string

FirewallPolicyLogAnalyticsResources

Log Analytics Resources for Firewall Policy Insights.

Name	Type	Description
defaultWorkspaceId	SubResource	The default workspace Id for Firewall Policy Insights.
workspaces	FirewallPolicyLogAnalyticsWorkspace[]	List of workspaces for Firewall Policy Insights.

FirewallPolicyLogAnalyticsWorkspace

Log Analytics Workspace for Firewall Policy Insights.

Name	Type	Description
region	string	Region to configure the Workspace.
workspaceId	SubResource	The workspace Id for Firewall Policy Insights.

FirewallPolicySku

SKU of Firewall policy.

Name	Type	Description
tier	FirewallPolicySkuTier	Tier of Firewall Policy.

FirewallPolicySkuTier

Tier of Firewall Policy.

Name	Type	Description
Basic	string
Premium	string
Standard	string

FirewallPolicySNAT

The private IP addresses/IP ranges to which traffic will not be SNAT.

Name	Type	Description
autoLearnPrivateRanges	AutoLearnPrivateRangesMode	The operation mode for automatically learning private ranges to not be SNAT
privateRanges	string[]	List of private IP addresses/IP address ranges to not be SNAT.

FirewallPolicySQL

SQL Settings in Firewall Policy.

Name	Type	Description
allowSqlRedirect	boolean	A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.

FirewallPolicyThreatIntelWhitelist

ThreatIntel Whitelist for Firewall Policy.

Name	Type	Description
fqdns	string[]	List of FQDNs for the ThreatIntel Whitelist.
ipAddresses	string[]	List of IP addresses for the ThreatIntel Whitelist.

FirewallPolicyTransportSecurity

Configuration needed to perform TLS termination & initiation.

Name	Type	Description
certificateAuthority	FirewallPolicyCertificateAuthority	The CA used for intermediate CA generation.

ManagedServiceIdentity

Identity for the resource.

Name	Type	Description
principalId	string	The principal id of the system assigned identity. This property will only be provided for a system assigned identity.
tenantId	string	The tenant id of the system assigned identity. This property will only be provided for a system assigned identity.
type	ResourceIdentityType	The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
userAssignedIdentities	UserAssignedIdentities	The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

ProvisioningState

The current provisioning state.

Name	Type	Description
Deleting	string
Failed	string
Succeeded	string
Updating	string

ResourceIdentityType

The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

Name	Type	Description
None	string
SystemAssigned	string
SystemAssigned, UserAssigned	string
UserAssigned	string

SubResource

Reference to another subresource.

Name	Type	Description
id	string	Resource ID.

UserAssignedIdentities

The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Name	Type	Description