Azure Network Firewall Policy
This page shows how to write Terraform and Azure Resource Manager for Network Firewall Policy and write them securely.
azurerm_web_application_firewall_policy (Terraform)
The Firewall Policy in Network can be configured in Terraform with the resource name azurerm_web_application_firewall_policy. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_web_application_firewall_policy" "global" {
name = "global-wafpolicy"
resource_group_name = var.resource_group_name
location = var.location
tags = var.tags
resource "azurerm_web_application_firewall_policy" "tfrg" {
name = "test-wafpolicy"
resource_group_name = azurerm_resource_group.tfrg.name
location = var.location
custom_rules {
resource "azurerm_web_application_firewall_policy" "this" {
location = var.location
name = var.name
resource_group_name = var.resource_group_name
tags = var.tags
resource "azurerm_web_application_firewall_policy" "example" {
name = var.wafpolicyname
resource_group_name = var.wafrg_name
location = var.wafrg_loc
custom_rules {
resource "azurerm_web_application_firewall_policy" "example" {
name = var.wafpolicyname
resource_group_name = var.wafrg_name
location = var.wafrg_loc
custom_rules {
resource "azurerm_web_application_firewall_policy" "example" {
name = var.wafpolicyname
resource_group_name = var.wafrg_name
location = var.wafrg_loc
custom_rules {
resource "azurerm_web_application_firewall_policy" "app-gw-policy" {
for_each = var.app-gw-waf-object
name = each.value.name
resource_group_name = var.app-gw-rg
location = var.location
tags = var.tags
resource "azurerm_web_application_firewall_policy" "wafpolicy" {
name = var.settings.name
resource_group_name = var.resource_group_name
location = var.location
tags = var.tags
resource "azurerm_web_application_firewall_policy" "waf" {
resource_group_name = local.resourcegroup_state_exists == true ? var.resource_group_name : data.azurerm_resource_group.rg_search.0.name
location = local.resourcegroup_state_exists == true ? var.resource_group_location : data.azurerm_resource_group.rg_search.0.location
for_each = var.waf_variable
name = each.value["waf_name"]
resource "azurerm_web_application_firewall_policy" "aagwaf" {
name = "example-wafpolicy"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
custom_rules {
Parameters
-
http_listener_idsoptional computed - list of string -
idoptional computed - string -
locationrequired - string -
namerequired - string -
path_based_rule_idsoptional computed - list of string -
resource_group_namerequired - string -
tagsoptional - map from string to string -
custom_ruleslist block-
actionrequired - string -
nameoptional - string -
priorityrequired - number -
rule_typerequired - string -
match_conditionslist block-
match_valuesrequired - list of string -
negation_conditionoptional - bool -
operatorrequired - string -
transformsoptional - set of string -
match_variableslist block-
selectoroptional - string -
variable_namerequired - string
-
-
-
-
managed_ruleslist block-
exclusionlist block-
match_variablerequired - string -
selectorrequired - string -
selector_match_operatorrequired - string
-
-
managed_rule_setlist block-
typeoptional - string -
versionrequired - string -
rule_group_overridelist block-
disabled_rulesrequired - list of string -
rule_group_namerequired - string
-
-
-
-
policy_settingslist block-
enabledoptional - bool -
file_upload_limit_in_mboptional - number -
max_request_body_size_in_kboptional - number -
modeoptional - string -
request_body_checkoptional - bool
-
-
timeoutssingle block
Explanation in Terraform Registry
Manages a Azure Web Application Firewall Policy instance.
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_network_security_group
Ensure to disable RDP port from the Internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
azurerm_network_security_rule
Ensure to set a more restrictive CIDR range for ingress from the internet
It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.
azurerm_network_watcher_flow_log
Ensure to enable Retention policy for flow logs and set it to enough duration
It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies (Azure Resource Manager)
The ApplicationGatewayWebApplicationFirewallPolicies in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"apiVersion": "2020-05-01",
"name": "[variables('ApplicationGatewayWebApplicationFirewallPolicyPrimaryName')]",
"location": "[parameters('location')]",
"properties": {
"customRules": [
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name":"[variables('policyName')]",
"location":"[resourceGroup().location]",
"properties":{
"customRules": []
}
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"apiVersion": "2019-04-01",
"location": "string",
"tags": {},
"properties": {
"policySettings": {
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name": "[variables('policyName')]",
"location": "[resourceGroup().location]",
"properties": {
"customRules": [],
"managedRules": {
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name": "[variables('policyName')]",
"location": "[resourceGroup().location]",
"properties": {
"customRules": [],
"managedRules": {
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"name": "[variables('policyName')]",
"location": "[resourceGroup().location]",
"properties": {
"customRules": [],
"managedRules": {
Parameters
namerequired - stringtyperequired - stringapiVersionrequired - stringlocationrequired - stringResource location.
tagsoptional - stringResource tags.
propertiesrequiredpolicySettingsoptionalstateoptional - stringThe state of the policy.
modeoptional - stringThe mode of the policy.
requestBodyCheckoptional - booleanWhether to allow WAF to check request Body.
maxRequestBodySizeInKboptional - integerMaximum request body size in Kb for WAF.
fileUploadLimitInMboptional - integerMaximum file upload size in Mb for WAF.
customRulesoptional arraynameoptional - stringThe name of the resource that is unique within a policy. This name can be used to access the resource.
priorityrequired - integerPriority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
ruleTyperequired - stringThe rule type.
matchConditionsrequired arraymatchVariablesrequired arrayvariableNamerequired - stringMatch Variable.
selectoroptional - stringThe selector of match variable.
operatorrequired - stringThe operator to be matched.
negationConditonoptional - booleanWhether this is negate condition or not.
matchValuesrequired - arrayMatch value.
transformsoptional - arrayList of transforms.
actionrequired - stringType of Actions.
managedRulesrequiredexclusionsoptional arraymatchVariablerequired - stringThe variable to be excluded.
selectorMatchOperatorrequired - stringWhen matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
selectorrequired - stringWhen matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.
managedRuleSetsrequired arrayruleSetTyperequired - stringDefines the rule set type to use.
ruleSetVersionrequired - stringDefines the version of the rule set to use.
ruleGroupOverridesoptional arrayruleGroupNamerequired - stringThe managed rule group to override.
rulesoptional arrayruleIdrequired - stringIdentifier for the managed rule.
stateoptional - stringThe state of the managed rule. Defaults to Disabled if not specified.
Frequently asked questions
What is Azure Network Firewall Policy?
Azure Network Firewall Policy is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Network Firewall Policy?
For Terraform, the SGGIRBS/terraform-appgw-module, iljoong/azure-waf-automation and kevinhead/azurerm source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the briandenicola/cqrs, Azure/azure-resource-manager-schemas and Azure/azure-resource-manager-schemas source code examples are useful. See the Azure Resource Manager Example section for further details.
