Azure Network Firewall Policy
This page shows how to write Terraform and Azure Resource Manager for Network Firewall Policy and write them securely.
azurerm_web_application_firewall_policy (Terraform)
The Firewall Policy in Network can be configured in Terraform with the resource name azurerm_web_application_firewall_policy
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_web_application_firewall_policy" "global" {
name = "global-wafpolicy"
resource_group_name = var.resource_group_name
location = var.location
tags = var.tags
resource "azurerm_web_application_firewall_policy" "tfrg" {
name = "test-wafpolicy"
resource_group_name = azurerm_resource_group.tfrg.name
location = var.location
custom_rules {
resource "azurerm_web_application_firewall_policy" "this" {
location = var.location
name = var.name
resource_group_name = var.resource_group_name
tags = var.tags
resource "azurerm_web_application_firewall_policy" "example" {
name = var.wafpolicyname
resource_group_name = var.wafrg_name
location = var.wafrg_loc
custom_rules {
resource "azurerm_web_application_firewall_policy" "example" {
name = var.wafpolicyname
resource_group_name = var.wafrg_name
location = var.wafrg_loc
custom_rules {
resource "azurerm_web_application_firewall_policy" "example" {
name = var.wafpolicyname
resource_group_name = var.wafrg_name
location = var.wafrg_loc
custom_rules {
resource "azurerm_web_application_firewall_policy" "app-gw-policy" {
for_each = var.app-gw-waf-object
name = each.value.name
resource_group_name = var.app-gw-rg
location = var.location
tags = var.tags
resource "azurerm_web_application_firewall_policy" "wafpolicy" {
name = var.settings.name
resource_group_name = var.resource_group_name
location = var.location
tags = var.tags
resource "azurerm_web_application_firewall_policy" "waf" {
resource_group_name = local.resourcegroup_state_exists == true ? var.resource_group_name : data.azurerm_resource_group.rg_search.0.name
location = local.resourcegroup_state_exists == true ? var.resource_group_location : data.azurerm_resource_group.rg_search.0.location
for_each = var.waf_variable
name = each.value["waf_name"]
resource "azurerm_web_application_firewall_policy" "aagwaf" {
name = "example-wafpolicy"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
custom_rules {
Parameters
-
http_listener_ids
optional computed - list of string -
id
optional computed - string -
location
required - string -
name
required - string -
path_based_rule_ids
optional computed - list of string -
resource_group_name
required - string -
tags
optional - map from string to string -
custom_rules
list block-
action
required - string -
name
optional - string -
priority
required - number -
rule_type
required - string -
match_conditions
list block-
match_values
required - list of string -
negation_condition
optional - bool -
operator
required - string -
transforms
optional - set of string -
match_variables
list block-
selector
optional - string -
variable_name
required - string
-
-
-
-
managed_rules
list block-
exclusion
list block-
match_variable
required - string -
selector
required - string -
selector_match_operator
required - string
-
-
managed_rule_set
list block-
type
optional - string -
version
required - string -
rule_group_override
list block-
disabled_rules
required - list of string -
rule_group_name
required - string
-
-
-
-
policy_settings
list block-
enabled
optional - bool -
file_upload_limit_in_mb
optional - number -
max_request_body_size_in_kb
optional - number -
mode
optional - string -
request_body_check
optional - bool
-
-
timeouts
single block
Explanation in Terraform Registry
Manages a Azure Web Application Firewall Policy instance.
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_network_security_group
Ensure to disable RDP port from the Internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
azurerm_network_security_rule
Ensure to set a more restrictive CIDR range for ingress from the internet
It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.
azurerm_network_watcher_flow_log
Ensure to enable Retention policy for flow logs and set it to enough duration
It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies (Azure Resource Manager)
The ApplicationGatewayWebApplicationFirewallPolicies in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"apiVersion": "2020-05-01",
"name": "[variables('ApplicationGatewayWebApplicationFirewallPolicyPrimaryName')]",
"location": "[parameters('location')]",
"properties": {
"customRules": [
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"apiVersion": "2019-04-01",
"location": "string",
"tags": {},
"properties": {
"policySettings": {
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name": "[variables('policyName')]",
"location": "[resourceGroup().location]",
"properties": {
"customRules": [],
"managedRules": {
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name": "[variables('policyName')]",
"location": "[resourceGroup().location]",
"properties": {
"customRules": [],
"managedRules": {
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name": "[variables('policyName')]",
"location": "[resourceGroup().location]",
"properties": {
"customRules": [],
"managedRules": {
Parameters
name
required - stringtype
required - stringapiVersion
required - stringlocation
required - stringResource location.
tags
optional - stringResource tags.
properties
requiredpolicySettings
optionalstate
optional - stringThe state of the policy.
mode
optional - stringThe mode of the policy.
requestBodyCheck
optional - booleanWhether to allow WAF to check request Body.
maxRequestBodySizeInKb
optional - integerMaximum request body size in Kb for WAF.
fileUploadLimitInMb
optional - integerMaximum file upload size in Mb for WAF.
customRules
optional arrayname
optional - stringThe name of the resource that is unique within a policy. This name can be used to access the resource.
priority
required - integerPriority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
ruleType
required - stringThe rule type.
matchConditions
required arraymatchVariables
required arrayvariableName
required - stringMatch Variable.
selector
optional - stringThe selector of match variable.
operator
required - stringThe operator to be matched.
negationConditon
optional - booleanWhether this is negate condition or not.
matchValues
required - arrayMatch value.
transforms
optional - arrayList of transforms.
action
required - stringType of Actions.
managedRules
requiredexclusions
optional arraymatchVariable
required - stringThe variable to be excluded.
selectorMatchOperator
required - stringWhen matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
selector
required - stringWhen matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.
managedRuleSets
required arrayruleSetType
required - stringDefines the rule set type to use.
ruleSetVersion
required - stringDefines the version of the rule set to use.
ruleGroupOverrides
optional arrayruleGroupName
required - stringThe managed rule group to override.
rules
optional arrayruleId
required - stringIdentifier for the managed rule.
state
optional - stringThe state of the managed rule. Defaults to Disabled if not specified.
Frequently asked questions
What is Azure Network Firewall Policy?
Azure Network Firewall Policy is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Network Firewall Policy?
For Terraform, the SGGIRBS/terraform-appgw-module, iljoong/azure-waf-automation and kevinhead/azurerm source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the briandenicola/cqrs, Azure/azure-resource-manager-schemas and Azure/azure-resource-manager-schemas source code examples are useful. See the Azure Resource Manager Example section for further details.