Azure Network Firewall Policy
This page shows how to write Terraform and Azure Resource Manager for Network Firewall Policy and write them securely.
azurerm_frontdoor_firewall_policy (Terraform)
The Firewall Policy in Network can be configured in Terraform with the resource name azurerm_frontdoor_firewall_policy. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_frontdoor_firewall_policy" "fd_waf_policy" {
name = var.name
resource_group_name = data.azurerm_resource_group.main.name
enabled = var.enabled
mode = var.waf_mode
resource "azurerm_frontdoor_firewall_policy" "affp" {
name = var.name
resource_group_name = var.resource_group_name
enabled = var.enabled
mode = var.mode
redirect_url = var.redirect_url
resource "azurerm_frontdoor_firewall_policy" "firewall_policy_example" {
name = "Example"
resource_group_name = azurerm_resource_group.example.name
custom_rule {
name = "Rule1"
resource "azurerm_frontdoor_firewall_policy" "default" {
for_each = var.frontdoor_wafs
name = each.value.name
resource_group_name = var.resource_group_name
tags = var.tags
enabled = each.value.enabled
resource "azurerm_frontdoor_firewall_policy" "front-door-waf-policy" {
for_each = var.front-door-waf-object
name = each.value.name
resource_group_name = var.front-door-rg
tags = var.tags
enabled = each.value.enabled
resource "azurerm_frontdoor_firewall_policy" "this" {
custom_block_response_body = var.custom_block_response_body
custom_block_response_status_code = var.custom_block_response_status_code
enabled = var.enabled
mode = var.mode
name = var.name
resource "azurerm_frontdoor_firewall_policy" "front-door-waf-policy" {
for_each = var.front-door-waf-object
name = each.value.name
resource_group_name = var.front-door-rg
tags = var.tags
enabled = each.value.enabled
resource "azurerm_frontdoor_firewall_policy" "wafpolicy" {
name = var.settings.name
resource_group_name = var.resource_group_name
enabled = try(var.settings.enabled, true)
mode = try(var.settings.mode, null)
resource "azurerm_frontdoor_firewall_policy" "wafpolicy" {
name = var.settings.name
resource_group_name = var.resource_group_name
enabled = try(var.settings.enabled, true)
mode = try(var.settings.mode, null)
resource "azurerm_frontdoor_firewall_policy" "this" {
custom_block_response_body = var.custom_block_response_body
custom_block_response_status_code = var.custom_block_response_status_code
enabled = var.enabled
mode = var.mode
name = var.name
Parameters
-
custom_block_response_bodyoptional - string -
custom_block_response_status_codeoptional - number -
enabledoptional - bool -
frontend_endpoint_idsoptional computed - list of string -
idoptional computed - string -
locationoptional computed - string -
modeoptional - string -
namerequired - string -
redirect_urloptional - string -
resource_group_namerequired - string -
tagsoptional - map from string to string -
custom_rulelist block-
actionrequired - string -
enabledoptional - bool -
namerequired - string -
priorityoptional - number -
rate_limit_duration_in_minutesoptional - number -
rate_limit_thresholdoptional - number -
typerequired - string -
match_conditionlist block-
match_valuesrequired - list of string -
match_variablerequired - string -
negation_conditionoptional - bool -
operatorrequired - string -
selectoroptional - string -
transformsoptional - list of string
-
-
-
managed_rulelist block-
typerequired - string -
versionrequired - string -
exclusionlist block-
match_variablerequired - string -
operatorrequired - string -
selectorrequired - string
-
-
overridelist block-
rule_group_namerequired - string -
exclusionlist block-
match_variablerequired - string -
operatorrequired - string -
selectorrequired - string
-
-
rulelist block
-
-
-
timeoutssingle block
Explanation in Terraform Registry
Manages an Azure Front Door Web Application Firewall Policy instance. !> Be Aware: Azure is rolling out a breaking change on Friday 9th April which may cause issues with the CDN/FrontDoor resources. More information is available in this Github issue - however unfortunately this may necessitate a breaking change to the CDN and FrontDoor resources, more information will be posted in the Github issue as the necessary changes are identified.
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_network_security_group
Ensure to disable RDP port from the Internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
azurerm_network_security_rule
Ensure to set a more restrictive CIDR range for ingress from the internet
It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.
azurerm_network_watcher_flow_log
Ensure to enable Retention policy for flow logs and set it to enough duration
It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.
Microsoft.Network/frontDoorWebApplicationFirewallPolicies (Azure Resource Manager)
The frontDoorWebApplicationFirewallPolicies in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/frontDoorWebApplicationFirewallPolicies. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
Frequently asked questions
What is Azure Network Firewall Policy?
Azure Network Firewall Policy is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Network Firewall Policy?
For Terraform, the JBC-LBP-LLC/Terraform, W2-Global-Data/azurerm_modules and infracost/infracost source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the JFolberth/HDCDevOps, CSA-DanielVillamizar/Azure and plzm/azure-deploy source code examples are useful. See the Azure Resource Manager Example section for further details.
