Module firewall-policy

firewallPolicy

Property	Value	Description
naming	naming
deployAsDraft	bool	Deploy the policy as a firewall policy draft (default: false):

Do not use for creating new Rule Collection Groups
Do not use for initial deployment

dnsProxyServers | string[] | Enabled DNS proxy function and sets the servers to proxy the DNS requests towards basePolicyId | string | Inherit rules from another firewall policy as a baseline [ResourceId] userAssignedManagedIdentityId | string | Use an user assigned managed identity instead or together with a system assigned managed identity to retrieve certificates from keyvault. Only vault access policy supported! [ResourceId] InsightsLogAnalyticsWorkspaceId | string | Send firewall policy insights to log analytics [ResourceId] transportSecuritySettings | transportSecuritySettings | Reference to the certificate authoritity to enable TLS inspection intrusionDetection | intrusionDetection | The configuration for Intrusion detection. threatIntel | threatIntel | ruleCollectionGroups | firewallRuleCollectionGroup[] |

transportSecuritySettings

Property	Value	Description
keyvaultSecretId (required)	string	For transport security get a CA from a keyvault, requires vault access policies on the keyvault and managed identity permissions. The secret should be a base64 encoded unencrypted pfx [ResourceId]
keyvaultSecretName (required)	string	Certificate Authority name of the certificate stored in the keyvault

configuration

Property	Value	Description
privateRanges	string[]	IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property
bypassTrafficSettings	firewallPolicyIntrusionDetectionBypassTrafficSpecification[]	List of rules for traffic to bypass.
signatureOverrides	irewallPolicyIntrusionDetectionSignatureSpecification[]	List of specific signatures states.

intrusionDetection

Property	Value	Description
mode (required)	'Alert' 'Deny' 'Off'	Intrusion detection general state. When attached to a parent policy, the firewalls effective IDPS mode is the stricter mode of the two.
profile	'Advanced' 'Basic' 'Extended' 'Standard'	IDPS profile name. When attached to a parent policy, the firewalls effective profile is the profile name of the parent policy.
configuration	configuration	Intrusion detection configuration properties.

threatIntel

Property	Value	Description
Mode	'Alert' 'Deny' 'Off'	The operation mode for Threat Intelligence filtering (default: Deny)
fqdnsWhitelist	string[]	A list of FQDNs that will be skipped for threat detection [Array of FQDNS]
ipAddressesWhitelist	string[]	A list of IP addresses or CIDR ranges that will be skipped for threat detection [Array of CIDR notations]

firewallPolicyIntrusionDetectionBypassTrafficSpecification

Property	Value	Description
description (required)	string	Description of the bypass traffic rule.
destinationAddresses	string[]	List of destination IP addresses or ranges for this rule.
destinationIpGroups	string[]	List of destination IpGroups for this rule.
destinationPorts (required)	string[]	List of destination ports or ranges.
name (required)	string	Name of the bypass traffic rule.
protocol (required)	'ANY' 'ICMP' 'TCP' 'UDP'	The rule bypass protocol.
sourceAddresses	string[]	List of source IP addresses or ranges for this rule.
sourceIpGroups	string[]	List of source IpGroups for this rule.

irewallPolicyIntrusionDetectionSignatureSpecification

Property	Value	Description
id (required)	string	Signature id.
mode (required)	'Alert' 'Deny' 'Off'	The signature state.

firewallRuleCollectionGroup

Property	Value	Description
name (required)	string	Name of the firewall rule collection group
priority (required)	int	Firewall rule collection group priority, lower is processed earlier [integer 100-65000]
ruleCollections (required)	firewallRuleCollection[]	Firewall rule collections contained in the group

firewallRuleCollection

Property	Value	Description
name (required)	string	Name of the firewall rule collection
action (required)	'Allow' 'DNAT' 'Deny'	Firewall rule collection action can be Allow, Deny or DNAT depending on the type of rule collection
priority	int	Firewall rule collection priority, lower is processed earlier [integer 100-65000]
rules	firewallRule[]	Firewall rules contained in the collection

firewallRule

Set the kind property to specify the type of object.

For ApplicationRule, use:

Property	Value	Description

Set the kind property to specify the type of object.

For NetworkRule, use:

Property	Value	Description

Set the kind property to specify the type of object.

For NatRule, use:

Property	Value	Description

applicationRule

Property	Value	Description
kind (required)	'ApplicationRule'
name (required)	string	Name of the firewall rule
httpHeaders	httpHeader[]	List of HTTP/S headers to insert
sourceAddresses	string[]	List of source IP addresses for this rule, can be * for any
sourceIpGroups	string[]	List of source IpGroups for this rule [Array of ResourceIds]
destinationAddresses	string[]	List of destination IP addresse or service tags, can be * for any (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) for this rule
fqdnTags	string[]	List of FQDN Tags for this rule (found here: https://learn.microsoft.com/en-us/rest/api/firewall/azure-firewall-fqdn-tags/list-all?tabs=HTTP#code-try-0)
targetFqdns	string[]	List of FQDNs for this rule
targetUrls	string[]	List of Urls for this rule [Premium tier only]
protocols (required)	protocol[]	List of Application Protocols
terminateTLS	bool	Terminate TLS connections for this rule
webCategories	string[]	List of destination azure web categories (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/web-categories/list-by-subscription?tabs=HTTP#code-try-0)

networkRule

Property	Value	Description
kind (required)	'NetworkRule'
name (required)	string	Name of the firewall rule
sourceAddresses	string[]	List of source IP addresses for this rule, can be * for any
sourceIpGroups	string[]	List of source IpGroups for this rule [Array of ResourceIds]
destinationAddresses	string[]	List of destination IP addresse or service tags, can be * for any (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) for this rule
destinationIpGroups	string[]	List of destination IpGroups for this rule [Array of ResourceIds]
destinationPorts	string[]	List of destination ports
destinationFqdns	string[]	List of destination FQDNs [DNS Proxy enabled]
ipProtocols	ipProtocol[]	List of FirewallPolicyRuleNetworkProtocols (default: Any)

natRule

Property	Value	Description
kind (required)	'NatRule'
name (required)	string	Name of the firewall rule
sourceAddresses	string[]	List of source IP addresses for this rule, can be * for any
sourceIpGroups	string[]	List of source IpGroups for this rule [Array of ResourceIds]
destinationAddresses (required)	string[]	List of destination IP addresse or service tags, can be * for any (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) for this rule
destinationPorts (required)	string[]	List of destination ports
ipProtocols	ipProtocol[]	List of FirewallPolicyRuleNetworkProtocols (default: Any)
translatedAddress	string	The translated address for this NAT rule, which should be of the pool of the firewall / virtual wan
translatedFqdn	string	The translated FQDN for this NAT rule
translatedPort (required)	string	The translated port for this NAT rule

protocol

Property	Value	Description
port (required)	int	Port number for the protocol [integer 1-64000]
protocolType (required)	protocolType	IP protocol type

httpHeader

Property	Value	Description
headerName (required)	string	The name of the header which should be injected
headerValue (required)	string	The value of the header which should be injected

protocolType

ipProtocol

naming

Property	Value	Description
forceFunctionAsFullName	bool	Use the function value as the full name of the resource
abbreviation	string	Override the abbreviation of this resource with this parameter
environment	string	The resource environment (for example: dev, tst, acc, prd)
location	string	The resource location (for example: weu, we, westeurope)
customer	string	The name of the customer
delimiter	string	The delimiter between resources (default: -)
nameFormat	Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName'	The order of the array defines the order of elements in the naming scheme
param1	string	Extra parameter self defined
param2	string	Extra parameter self defined
param3	string	Extra parameter self defined
function (required)	string	Function of the resource [can be app, db, security,...]
useCaseName	string	Name of the use case [can be hub, spoke,...]
suffix	string	Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...]
forceDefaultNaming	bool	Force the CAF naming instead of default company naming

Bicep Module Documentation

Module firewall-policy

firewallPolicy

transportSecuritySettings

configuration

intrusionDetection

threatIntel

firewallPolicyIntrusionDetectionBypassTrafficSpecification

irewallPolicyIntrusionDetectionSignatureSpecification

firewallRuleCollectionGroup

firewallRuleCollection

firewallRule

applicationRule

networkRule

natRule

protocol

httpHeader

protocolType

ipProtocol

naming

Changelog

2.1.0 (2025-10-20)

Features

2.0.1 (2025-09-24)

Bug Fixes

2.0.0 (2025-09-24)

⚠ BREAKING CHANGES

Bug Fixes

1.2.0 (2025-03-26)

Features

1.1.0 (2025-03-20)

Features

1.0.0 (2025-03-19)

Features