Azure Network Firewall Policy
This page shows how to write Terraform and Azure Resource Manager for Network Firewall Policy and write them securely.
azurerm_frontdoor_firewall_policy (Terraform)
The Firewall Policy in Network can be configured in Terraform with the resource name azurerm_frontdoor_firewall_policy
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_frontdoor_firewall_policy" "fd_waf_policy" {
name = var.name
resource_group_name = data.azurerm_resource_group.main.name
enabled = var.enabled
mode = var.waf_mode
resource "azurerm_frontdoor_firewall_policy" "affp" {
name = var.name
resource_group_name = var.resource_group_name
enabled = var.enabled
mode = var.mode
redirect_url = var.redirect_url
resource "azurerm_frontdoor_firewall_policy" "firewall_policy_example" {
name = "Example"
resource_group_name = azurerm_resource_group.example.name
custom_rule {
name = "Rule1"
resource "azurerm_frontdoor_firewall_policy" "default" {
for_each = var.frontdoor_wafs
name = each.value.name
resource_group_name = var.resource_group_name
tags = var.tags
enabled = each.value.enabled
resource "azurerm_frontdoor_firewall_policy" "front-door-waf-policy" {
for_each = var.front-door-waf-object
name = each.value.name
resource_group_name = var.front-door-rg
tags = var.tags
enabled = each.value.enabled
resource "azurerm_frontdoor_firewall_policy" "this" {
custom_block_response_body = var.custom_block_response_body
custom_block_response_status_code = var.custom_block_response_status_code
enabled = var.enabled
mode = var.mode
name = var.name
resource "azurerm_frontdoor_firewall_policy" "front-door-waf-policy" {
for_each = var.front-door-waf-object
name = each.value.name
resource_group_name = var.front-door-rg
tags = var.tags
enabled = each.value.enabled
resource "azurerm_frontdoor_firewall_policy" "wafpolicy" {
name = var.settings.name
resource_group_name = var.resource_group_name
enabled = try(var.settings.enabled, true)
mode = try(var.settings.mode, null)
resource "azurerm_frontdoor_firewall_policy" "wafpolicy" {
name = var.settings.name
resource_group_name = var.resource_group_name
enabled = try(var.settings.enabled, true)
mode = try(var.settings.mode, null)
resource "azurerm_frontdoor_firewall_policy" "this" {
custom_block_response_body = var.custom_block_response_body
custom_block_response_status_code = var.custom_block_response_status_code
enabled = var.enabled
mode = var.mode
name = var.name
Parameters
-
custom_block_response_body
optional - string -
custom_block_response_status_code
optional - number -
enabled
optional - bool -
frontend_endpoint_ids
optional computed - list of string -
id
optional computed - string -
location
optional computed - string -
mode
optional - string -
name
required - string -
redirect_url
optional - string -
resource_group_name
required - string -
tags
optional - map from string to string -
custom_rule
list block-
action
required - string -
enabled
optional - bool -
name
required - string -
priority
optional - number -
rate_limit_duration_in_minutes
optional - number -
rate_limit_threshold
optional - number -
type
required - string -
match_condition
list block-
match_values
required - list of string -
match_variable
required - string -
negation_condition
optional - bool -
operator
required - string -
selector
optional - string -
transforms
optional - list of string
-
-
-
managed_rule
list block-
type
required - string -
version
required - string -
exclusion
list block-
match_variable
required - string -
operator
required - string -
selector
required - string
-
-
override
list block-
rule_group_name
required - string -
exclusion
list block-
match_variable
required - string -
operator
required - string -
selector
required - string
-
-
rule
list block
-
-
-
timeouts
single block
Explanation in Terraform Registry
Manages an Azure Front Door Web Application Firewall Policy instance. !> Be Aware: Azure is rolling out a breaking change on Friday 9th April which may cause issues with the CDN/FrontDoor resources. More information is available in this Github issue - however unfortunately this may necessitate a breaking change to the CDN and FrontDoor resources, more information will be posted in the Github issue as the necessary changes are identified.
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_network_security_group
Ensure to disable RDP port from the Internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
azurerm_network_security_rule
Ensure to set a more restrictive CIDR range for ingress from the internet
It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.
azurerm_network_watcher_flow_log
Ensure to enable Retention policy for flow logs and set it to enough duration
It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.
Microsoft.Network/frontDoorWebApplicationFirewallPolicies (Azure Resource Manager)
The frontDoorWebApplicationFirewallPolicies in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/frontDoorWebApplicationFirewallPolicies
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"wafPolicyName": {
Frequently asked questions
What is Azure Network Firewall Policy?
Azure Network Firewall Policy is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Network Firewall Policy?
For Terraform, the JBC-LBP-LLC/Terraform, W2-Global-Data/azurerm_modules and infracost/infracost source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the JFolberth/HDCDevOps, CSA-DanielVillamizar/Azure and plzm/azure-deploy source code examples are useful. See the Azure Resource Manager Example section for further details.