Partager via


Microsoft.Network FrontDoorWebApplicationFirewallPolicies 2024-02-01

Bicep resource definition

The FrontDoorWebApplicationFirewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01' = {
  etag: 'string'
  location: 'string'
  name: 'string'
  properties: {
    customRules: {
      rules: [
        {
          action: 'string'
          enabledState: 'string'
          groupBy: [
            {
              variableName: 'string'
            }
          ]
          matchConditions: [
            {
              matchValue: [
                'string'
              ]
              matchVariable: 'string'
              negateCondition: bool
              operator: 'string'
              selector: 'string'
              transforms: [
                'string'
              ]
            }
          ]
          name: 'string'
          priority: int
          rateLimitDurationInMinutes: int
          rateLimitThreshold: int
          ruleType: 'string'
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          exclusions: [
            {
              matchVariable: 'string'
              selector: 'string'
              selectorMatchOperator: 'string'
            }
          ]
          ruleGroupOverrides: [
            {
              exclusions: [
                {
                  matchVariable: 'string'
                  selector: 'string'
                  selectorMatchOperator: 'string'
                }
              ]
              ruleGroupName: 'string'
              rules: [
                {
                  action: 'string'
                  enabledState: 'string'
                  exclusions: [
                    {
                      matchVariable: 'string'
                      selector: 'string'
                      selectorMatchOperator: 'string'
                    }
                  ]
                  ruleId: 'string'
                }
              ]
            }
          ]
          ruleSetAction: 'string'
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      customBlockResponseBody: 'string'
      customBlockResponseStatusCode: int
      enabledState: 'string'
      javascriptChallengeExpirationInMinutes: int
      logScrubbing: {
        scrubbingRules: [
          {
            matchVariable: 'string'
            selector: 'string'
            selectorMatchOperator: 'string'
            state: 'string'
          }
        ]
        state: 'string'
      }
      mode: 'string'
      redirectUrl: 'string'
      requestBodyCheck: 'string'
    }
  }
  sku: {
    name: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

CustomRule

Name Description Value
action Describes what action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
'Redirect' (required)
enabledState Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'
groupBy Describes the list of variables to group the rate limit requests GroupByVariable[]
matchConditions List of match conditions. MatchCondition[] (required)
name Describes the name of the rule. string

Constraints:
Max length =
priority Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
rateLimitDurationInMinutes Time window for resetting the rate limit count. Default is 1 minute. int

Constraints:
Min value = 0
Max value = 5
rateLimitThreshold Number of allowed requests per client within the time window. int

Constraints:
Min value = 0
ruleType Describes type of rule. 'MatchRule'
'RateLimitRule' (required)

CustomRuleList

Name Description Value
rules List of rules CustomRule[]

GroupByVariable

Name Description Value
variableName Describes the supported variable for group by 'GeoLocation'
'None'
'SocketAddr' (required)

ManagedRuleExclusion

Name Description Value
matchVariable The variable type to be excluded. 'QueryStringArgNames'
'RequestBodyJsonArgNames'
'RequestBodyPostArgNames'
'RequestCookieNames'
'RequestHeaderNames' (required)
selector Selector value for which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. 'Contains'
'EndsWith'
'Equals'
'EqualsAny'
'StartsWith' (required)

ManagedRuleGroupOverride

Name Description Value
exclusions Describes the exclusions that are applied to all rules in the group. ManagedRuleExclusion[]
ruleGroupName Describes the managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
action Describes the override action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
'Redirect'
enabledState Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. 'Disabled'
'Enabled'
exclusions Describes the exclusions that are applied to this specific rule. ManagedRuleExclusion[]
ruleId Identifier for the managed rule. string (required)

ManagedRuleSet

Name Description Value
exclusions Describes the exclusions that are applied to all rules in the set. ManagedRuleExclusion[]
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetAction Defines the rule set action. 'Block'
'Log'
'Redirect'
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

ManagedRuleSetList

Name Description Value
managedRuleSets List of rule sets. ManagedRuleSet[]

MatchCondition

Name Description Value
matchValue List of possible match values. string[] (required)
matchVariable Request variable to compare with. 'Cookies'
'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestHeader'
'RequestMethod'
'RequestUri'
'SocketAddr' (required)
negateCondition Describes if the result of this condition should be negated. bool
operator Comparison type to use for matching with the variable value. 'Any'
'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GeoMatch'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'RegEx' (required)
selector Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. string
transforms List of transforms. String array containing any of:
'Lowercase'
'RemoveNulls'
'Trim'
'Uppercase'
'UrlDecode'
'UrlEncode'

Microsoft.Network/FrontDoorWebApplicationFirewallPolicies

Name Description Value
etag Gets a unique read-only string that changes whenever the resource is updated. string
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyProperties
sku The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. Sku
tags Resource tags Dictionary of tag names and values. See Tags in templates

PolicySettings

Name Description Value
customBlockResponseBody If the action type is block, customer can override the response body. The body must be specified in base64 encoding. string

Constraints:
Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
customBlockResponseStatusCode If the action type is block, customer can override the response status code. int
enabledState Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'
javascriptChallengeExpirationInMinutes Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. int

Constraints:
Min value = 5
Max value = 1440
logScrubbing Defines rules that scrub sensitive fields in the Web Application Firewall logs. PolicySettingsLogScrubbing
mode Describes if it is in detection mode or prevention mode at policy level. 'Detection'
'Prevention'
redirectUrl If action type is redirect, this field represents redirect URL for the client. string
requestBodyCheck Describes if policy managed rules will inspect the request body content. 'Disabled'
'Enabled'

PolicySettingsLogScrubbing

Name Description Value
scrubbingRules List of log scrubbing rules applied to the Web Application Firewall logs. WebApplicationFirewallScrubbingRules[]
state State of the log scrubbing config. Default value is Enabled. 'Disabled'
'Enabled'

ResourceTags

Name Description Value

Sku

Name Description Value
name Name of the pricing tier. 'Classic_AzureFrontDoor'
'Premium_AzureFrontDoor'
'Standard_AzureFrontDoor'

WebApplicationFirewallPolicyProperties

Name Description Value
customRules Describes custom rules inside the policy. CustomRuleList
managedRules Describes managed rules inside the policy. ManagedRuleSetList
policySettings Describes settings for the policy. PolicySettings

WebApplicationFirewallScrubbingRules

Name Description Value
matchVariable The variable to be scrubbed from the logs. 'QueryStringArgNames'
'RequestBodyJsonArgNames'
'RequestBodyPostArgNames'
'RequestCookieNames'
'RequestHeaderNames'
'RequestIPAddress'
'RequestUri' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. string
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. 'Equals'
'EqualsAny' (required)
state Defines the state of a log scrubbing rule. Default value is enabled. 'Disabled'
'Enabled'

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Configure WAF managed defaultRuleSet for Azure Front Door This template configures WAF managed defaultRuleSet for Azure Front Door
Front Door Premium with blob origin and Private Link This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account.
Front Door Premium with WAF and Microsoft-managed rule sets This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets.
Front Door Standard/Premium with geo-filtering This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule.
Front Door Standard/Premium with rate limit This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule.
Front Door Standard/Premium with WAF and custom rule This template creates a Front Door Standard/Premium including a web application firewall with a custom rule.
Front Door with blob origins for blobs upload This template creates a Front Door with origins, routes and ruleSets, and an Azure Storage accounts with blob containers. Front Door sends traffic to the storage accounts when uploading files.
FrontDoor CDN with WAF, Domains and Logs to EventHub This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub.
Function App secured by Azure Frontdoor This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link.

ARM template resource definition

The FrontDoorWebApplicationFirewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
  "apiVersion": "2024-02-01",
  "name": "string",
  "etag": "string",
  "location": "string",
  "properties": {
    "customRules": {
      "rules": [
        {
          "action": "string",
          "enabledState": "string",
          "groupBy": [
            {
              "variableName": "string"
            }
          ],
          "matchConditions": [
            {
              "matchValue": [ "string" ],
              "matchVariable": "string",
              "negateCondition": "bool",
              "operator": "string",
              "selector": "string",
              "transforms": [ "string" ]
            }
          ],
          "name": "string",
          "priority": "int",
          "rateLimitDurationInMinutes": "int",
          "rateLimitThreshold": "int",
          "ruleType": "string"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "exclusions": [
            {
              "matchVariable": "string",
              "selector": "string",
              "selectorMatchOperator": "string"
            }
          ],
          "ruleGroupOverrides": [
            {
              "exclusions": [
                {
                  "matchVariable": "string",
                  "selector": "string",
                  "selectorMatchOperator": "string"
                }
              ],
              "ruleGroupName": "string",
              "rules": [
                {
                  "action": "string",
                  "enabledState": "string",
                  "exclusions": [
                    {
                      "matchVariable": "string",
                      "selector": "string",
                      "selectorMatchOperator": "string"
                    }
                  ],
                  "ruleId": "string"
                }
              ]
            }
          ],
          "ruleSetAction": "string",
          "ruleSetType": "string",
          "ruleSetVersion": "string"
        }
      ]
    },
    "policySettings": {
      "customBlockResponseBody": "string",
      "customBlockResponseStatusCode": "int",
      "enabledState": "string",
      "javascriptChallengeExpirationInMinutes": "int",
      "logScrubbing": {
        "scrubbingRules": [
          {
            "matchVariable": "string",
            "selector": "string",
            "selectorMatchOperator": "string",
            "state": "string"
          }
        ],
        "state": "string"
      },
      "mode": "string",
      "redirectUrl": "string",
      "requestBodyCheck": "string"
    }
  },
  "sku": {
    "name": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

CustomRule

Name Description Value
action Describes what action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
'Redirect' (required)
enabledState Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'
groupBy Describes the list of variables to group the rate limit requests GroupByVariable[]
matchConditions List of match conditions. MatchCondition[] (required)
name Describes the name of the rule. string

Constraints:
Max length =
priority Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
rateLimitDurationInMinutes Time window for resetting the rate limit count. Default is 1 minute. int

Constraints:
Min value = 0
Max value = 5
rateLimitThreshold Number of allowed requests per client within the time window. int

Constraints:
Min value = 0
ruleType Describes type of rule. 'MatchRule'
'RateLimitRule' (required)

CustomRuleList

Name Description Value
rules List of rules CustomRule[]

GroupByVariable

Name Description Value
variableName Describes the supported variable for group by 'GeoLocation'
'None'
'SocketAddr' (required)

ManagedRuleExclusion

Name Description Value
matchVariable The variable type to be excluded. 'QueryStringArgNames'
'RequestBodyJsonArgNames'
'RequestBodyPostArgNames'
'RequestCookieNames'
'RequestHeaderNames' (required)
selector Selector value for which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. 'Contains'
'EndsWith'
'Equals'
'EqualsAny'
'StartsWith' (required)

ManagedRuleGroupOverride

Name Description Value
exclusions Describes the exclusions that are applied to all rules in the group. ManagedRuleExclusion[]
ruleGroupName Describes the managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
action Describes the override action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
'Redirect'
enabledState Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. 'Disabled'
'Enabled'
exclusions Describes the exclusions that are applied to this specific rule. ManagedRuleExclusion[]
ruleId Identifier for the managed rule. string (required)

ManagedRuleSet

Name Description Value
exclusions Describes the exclusions that are applied to all rules in the set. ManagedRuleExclusion[]
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetAction Defines the rule set action. 'Block'
'Log'
'Redirect'
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

ManagedRuleSetList

Name Description Value
managedRuleSets List of rule sets. ManagedRuleSet[]

MatchCondition

Name Description Value
matchValue List of possible match values. string[] (required)
matchVariable Request variable to compare with. 'Cookies'
'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestHeader'
'RequestMethod'
'RequestUri'
'SocketAddr' (required)
negateCondition Describes if the result of this condition should be negated. bool
operator Comparison type to use for matching with the variable value. 'Any'
'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GeoMatch'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'RegEx' (required)
selector Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. string
transforms List of transforms. String array containing any of:
'Lowercase'
'RemoveNulls'
'Trim'
'Uppercase'
'UrlDecode'
'UrlEncode'

Microsoft.Network/FrontDoorWebApplicationFirewallPolicies

Name Description Value
apiVersion The api version '2024-02-01'
etag Gets a unique read-only string that changes whenever the resource is updated. string
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyProperties
sku The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. Sku
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies'

PolicySettings

Name Description Value
customBlockResponseBody If the action type is block, customer can override the response body. The body must be specified in base64 encoding. string

Constraints:
Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
customBlockResponseStatusCode If the action type is block, customer can override the response status code. int
enabledState Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'
javascriptChallengeExpirationInMinutes Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. int

Constraints:
Min value = 5
Max value = 1440
logScrubbing Defines rules that scrub sensitive fields in the Web Application Firewall logs. PolicySettingsLogScrubbing
mode Describes if it is in detection mode or prevention mode at policy level. 'Detection'
'Prevention'
redirectUrl If action type is redirect, this field represents redirect URL for the client. string
requestBodyCheck Describes if policy managed rules will inspect the request body content. 'Disabled'
'Enabled'

PolicySettingsLogScrubbing

Name Description Value
scrubbingRules List of log scrubbing rules applied to the Web Application Firewall logs. WebApplicationFirewallScrubbingRules[]
state State of the log scrubbing config. Default value is Enabled. 'Disabled'
'Enabled'

ResourceTags

Name Description Value

Sku

Name Description Value
name Name of the pricing tier. 'Classic_AzureFrontDoor'
'Premium_AzureFrontDoor'
'Standard_AzureFrontDoor'

WebApplicationFirewallPolicyProperties

Name Description Value
customRules Describes custom rules inside the policy. CustomRuleList
managedRules Describes managed rules inside the policy. ManagedRuleSetList
policySettings Describes settings for the policy. PolicySettings

WebApplicationFirewallScrubbingRules

Name Description Value
matchVariable The variable to be scrubbed from the logs. 'QueryStringArgNames'
'RequestBodyJsonArgNames'
'RequestBodyPostArgNames'
'RequestCookieNames'
'RequestHeaderNames'
'RequestIPAddress'
'RequestUri' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. string
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. 'Equals'
'EqualsAny' (required)
state Defines the state of a log scrubbing rule. Default value is enabled. 'Disabled'
'Enabled'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Configure WAF client IP restriction for Azure Front Door

Deploy to Azure
This template configures WAF client IP restriction for Azure Front Door endpoint
Configure WAF managed defaultRuleSet for Azure Front Door

Deploy to Azure
This template configures WAF managed defaultRuleSet for Azure Front Door
Configure WAF rate liming rule for Azure Front Door endpoint

Deploy to Azure
This template configures a WAF rule for Azure Front Door to rate limit incoming traffic for a given frontend host.
Configure WAF rules with http parameters for Front Door

Deploy to Azure
This template configures WAF custom rules based on specific http parameters for Azure Front Door endpoint.
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Create WAF Geo Filtering rule for Azure Front Door endpoint

Deploy to Azure
This template creates a WAF geo filtering rule for Azure Front Door that allows/blocks traffic from certain countries.
Front Door Premium with blob origin and Private Link

Deploy to Azure
This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account.
Front Door Premium with WAF and Microsoft-managed rule sets

Deploy to Azure
This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets.
Front Door Standard/Premium with geo-filtering

Deploy to Azure
This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule.
Front Door Standard/Premium with rate limit

Deploy to Azure
This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule.
Front Door Standard/Premium with WAF and custom rule

Deploy to Azure
This template creates a Front Door Standard/Premium including a web application firewall with a custom rule.
Front Door with blob origins for blobs upload

Deploy to Azure
This template creates a Front Door with origins, routes and ruleSets, and an Azure Storage accounts with blob containers. Front Door sends traffic to the storage accounts when uploading files.
FrontDoor CDN with WAF, Domains and Logs to EventHub

Deploy to Azure
This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub.
Function App secured by Azure Frontdoor

Deploy to Azure
This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link.

Terraform (AzAPI provider) resource definition

The FrontDoorWebApplicationFirewallPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01"
  name = "string"
  etag = "string"
  location = "string"
  sku = {
    name = "string"
  }
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      customRules = {
        rules = [
          {
            action = "string"
            enabledState = "string"
            groupBy = [
              {
                variableName = "string"
              }
            ]
            matchConditions = [
              {
                matchValue = [
                  "string"
                ]
                matchVariable = "string"
                negateCondition = bool
                operator = "string"
                selector = "string"
                transforms = [
                  "string"
                ]
              }
            ]
            name = "string"
            priority = int
            rateLimitDurationInMinutes = int
            rateLimitThreshold = int
            ruleType = "string"
          }
        ]
      }
      managedRules = {
        managedRuleSets = [
          {
            exclusions = [
              {
                matchVariable = "string"
                selector = "string"
                selectorMatchOperator = "string"
              }
            ]
            ruleGroupOverrides = [
              {
                exclusions = [
                  {
                    matchVariable = "string"
                    selector = "string"
                    selectorMatchOperator = "string"
                  }
                ]
                ruleGroupName = "string"
                rules = [
                  {
                    action = "string"
                    enabledState = "string"
                    exclusions = [
                      {
                        matchVariable = "string"
                        selector = "string"
                        selectorMatchOperator = "string"
                      }
                    ]
                    ruleId = "string"
                  }
                ]
              }
            ]
            ruleSetAction = "string"
            ruleSetType = "string"
            ruleSetVersion = "string"
          }
        ]
      }
      policySettings = {
        customBlockResponseBody = "string"
        customBlockResponseStatusCode = int
        enabledState = "string"
        javascriptChallengeExpirationInMinutes = int
        logScrubbing = {
          scrubbingRules = [
            {
              matchVariable = "string"
              selector = "string"
              selectorMatchOperator = "string"
              state = "string"
            }
          ]
          state = "string"
        }
        mode = "string"
        redirectUrl = "string"
        requestBodyCheck = "string"
      }
    }
  })
}

Property values

CustomRule

Name Description Value
action Describes what action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
'Redirect' (required)
enabledState Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'
groupBy Describes the list of variables to group the rate limit requests GroupByVariable[]
matchConditions List of match conditions. MatchCondition[] (required)
name Describes the name of the rule. string

Constraints:
Max length =
priority Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. int (required)
rateLimitDurationInMinutes Time window for resetting the rate limit count. Default is 1 minute. int

Constraints:
Min value = 0
Max value = 5
rateLimitThreshold Number of allowed requests per client within the time window. int

Constraints:
Min value = 0
ruleType Describes type of rule. 'MatchRule'
'RateLimitRule' (required)

CustomRuleList

Name Description Value
rules List of rules CustomRule[]

GroupByVariable

Name Description Value
variableName Describes the supported variable for group by 'GeoLocation'
'None'
'SocketAddr' (required)

ManagedRuleExclusion

Name Description Value
matchVariable The variable type to be excluded. 'QueryStringArgNames'
'RequestBodyJsonArgNames'
'RequestBodyPostArgNames'
'RequestCookieNames'
'RequestHeaderNames' (required)
selector Selector value for which elements in the collection this exclusion applies to. string (required)
selectorMatchOperator Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. 'Contains'
'EndsWith'
'Equals'
'EqualsAny'
'StartsWith' (required)

ManagedRuleGroupOverride

Name Description Value
exclusions Describes the exclusions that are applied to all rules in the group. ManagedRuleExclusion[]
ruleGroupName Describes the managed rule group to override. string (required)
rules List of rules that will be disabled. If none specified, all rules in the group will be disabled. ManagedRuleOverride[]

ManagedRuleOverride

Name Description Value
action Describes the override action to be applied when rule matches. 'Allow'
'AnomalyScoring'
'Block'
'JSChallenge'
'Log'
'Redirect'
enabledState Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. 'Disabled'
'Enabled'
exclusions Describes the exclusions that are applied to this specific rule. ManagedRuleExclusion[]
ruleId Identifier for the managed rule. string (required)

ManagedRuleSet

Name Description Value
exclusions Describes the exclusions that are applied to all rules in the set. ManagedRuleExclusion[]
ruleGroupOverrides Defines the rule group overrides to apply to the rule set. ManagedRuleGroupOverride[]
ruleSetAction Defines the rule set action. 'Block'
'Log'
'Redirect'
ruleSetType Defines the rule set type to use. string (required)
ruleSetVersion Defines the version of the rule set to use. string (required)

ManagedRuleSetList

Name Description Value
managedRuleSets List of rule sets. ManagedRuleSet[]

MatchCondition

Name Description Value
matchValue List of possible match values. string[] (required)
matchVariable Request variable to compare with. 'Cookies'
'PostArgs'
'QueryString'
'RemoteAddr'
'RequestBody'
'RequestHeader'
'RequestMethod'
'RequestUri'
'SocketAddr' (required)
negateCondition Describes if the result of this condition should be negated. bool
operator Comparison type to use for matching with the variable value. 'Any'
'BeginsWith'
'Contains'
'EndsWith'
'Equal'
'GeoMatch'
'GreaterThan'
'GreaterThanOrEqual'
'IPMatch'
'LessThan'
'LessThanOrEqual'
'RegEx' (required)
selector Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. string
transforms List of transforms. String array containing any of:
'Lowercase'
'RemoveNulls'
'Trim'
'Uppercase'
'UrlDecode'
'UrlEncode'

Microsoft.Network/FrontDoorWebApplicationFirewallPolicies

Name Description Value
etag Gets a unique read-only string that changes whenever the resource is updated. string
location Resource location. string
name The resource name string

Constraints:
Max length = (required)
properties Properties of the web application firewall policy. WebApplicationFirewallPolicyProperties
sku The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. Sku
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01"

PolicySettings

Name Description Value
customBlockResponseBody If the action type is block, customer can override the response body. The body must be specified in base64 encoding. string

Constraints:
Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
customBlockResponseStatusCode If the action type is block, customer can override the response status code. int
enabledState Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. 'Disabled'
'Enabled'
javascriptChallengeExpirationInMinutes Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. int

Constraints:
Min value = 5
Max value = 1440
logScrubbing Defines rules that scrub sensitive fields in the Web Application Firewall logs. PolicySettingsLogScrubbing
mode Describes if it is in detection mode or prevention mode at policy level. 'Detection'
'Prevention'
redirectUrl If action type is redirect, this field represents redirect URL for the client. string
requestBodyCheck Describes if policy managed rules will inspect the request body content. 'Disabled'
'Enabled'

PolicySettingsLogScrubbing

Name Description Value
scrubbingRules List of log scrubbing rules applied to the Web Application Firewall logs. WebApplicationFirewallScrubbingRules[]
state State of the log scrubbing config. Default value is Enabled. 'Disabled'
'Enabled'

ResourceTags

Name Description Value

Sku

Name Description Value
name Name of the pricing tier. 'Classic_AzureFrontDoor'
'Premium_AzureFrontDoor'
'Standard_AzureFrontDoor'

WebApplicationFirewallPolicyProperties

Name Description Value
customRules Describes custom rules inside the policy. CustomRuleList
managedRules Describes managed rules inside the policy. ManagedRuleSetList
policySettings Describes settings for the policy. PolicySettings

WebApplicationFirewallScrubbingRules

Name Description Value
matchVariable The variable to be scrubbed from the logs. 'QueryStringArgNames'
'RequestBodyJsonArgNames'
'RequestBodyPostArgNames'
'RequestCookieNames'
'RequestHeaderNames'
'RequestIPAddress'
'RequestUri' (required)
selector When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. string
selectorMatchOperator When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. 'Equals'
'EqualsAny' (required)
state Defines the state of a log scrubbing rule. Default value is enabled. 'Disabled'
'Enabled'