Bicep Module Documentation

← Back to Overview

Module firewall

firewall

Property Value Description
general (required) general
sku 'Basic'
'Premium'
'Standard'		 Sku of the firewall (default: Standard)
zones string[] Zones where the firewall should be deployed [Array of strings]
firewallPolicy firewallPolicy The firewall policy to be created
firewallPolicyId string Firewall policy id associated with the firewall
firewallSubnetId string Subnet to associate with the firewall must be called AzureFirewallSubnet which is atleast a /26 or bigger [ResourceId]
amountOfPublicIPAddresses int Amount of public IP addresses assigned to the firewall (default: 1) [integer]
ddosProtectionMode 'Disabled'
'Enabled'
'VirtualNetworkInherited'		 DDoS Protection plan for public IP, Enabled = configure per IP (default = VirtualNetworkInherited)
firewallManagementSubnetId string Subnet to associate with the firewall must be called AzureFirewallManagementSubnet which is atleast a /26 or bigger [ResourceId]
diagnosticSettings diagnosticSetting[] Dianostic Settings for the resource
virtualWANSettings virtualWANSettings The virtual WAN settings for this firewall, only possible when usecase is set to AZFW_Hub

virtualWANSettings

Property Value Description
privateIP string Private IP of the firewall inside the VWAN Hub [IP Address]
amountOfPublicIPAddresses int Amount of public IP addresses assigned to the firewall (default: 1) [integer]
publicIPAddresses string[] The list of Public IP addresses associated with azure firewall or IP addresses to be retained [Array of IP Addresses]

diagnosticLogSettings

Set the resourceType property to specify the type of object.

For Custom, use:

Property Value Description
resourceType (required) 'Custom'
category string Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

Set the resourceType property to specify the type of object.

For App Service Plan, use:

Property Value Description
resourceType (required) 'App Service Plan'

Set the resourceType property to specify the type of object.

For Azure Firewall, use:

Property Value Description
resourceType (required) 'Azure Firewall'
category 'AZFWApplicationRule'
'AZFWApplicationRuleAggregation'
'AZFWDnsQuery'
'AZFWFatFlow'
'AZFWFlowTrace'
'AZFWFqdnResolveFailure'
'AZFWIdpsSignature'
'AZFWNatRule'
'AZFWNatRuleAggregation'
'AZFWNetworkRule'
'AZFWNetworkRuleAggregation'
'AZFWThreatIntel'
'AzureFirewallApplicationRule'
'AzureFirewallDnsProxy'
'AzureFirewallNetworkRule'		 Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

Set the resourceType property to specify the type of object.

For Application Gateway, use:

Property Value Description
resourceType (required) 'Application Gateway'
category 'ApplicationGatewayAccessLog'
'ApplicationGatewayFirewallLog'
'ApplicationGatewayPerformanceLog'		 Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

retentionPolicy

Property Value Description
days (required) int the number of days for the retention in days. A value of 0 will retain the events indefinitely.
enabled (required) bool a value indicating whether the retention policy is enabled.

diagnosticMetricSettings

Set the resourceType property to specify the type of object.

For Custom, use:

Property Value Description
resourceType (required) 'Custom'
category string Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled (required) bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For App Service Plan, use:

Property Value Description
resourceType (required) 'App Service Plan'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For Azure Firewall, use:

Property Value Description
resourceType (required) 'Azure Firewall'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For Application Gateway, use:

Property Value Description
resourceType (required) 'Application Gateway'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

applicationRule

Property Value Description
kind (required) 'ApplicationRule'
name (required) string Name of the firewall rule
httpHeaders httpHeader[] List of HTTP/S headers to insert
sourceAddresses string[] List of source IP addresses for this rule, can be * for any
sourceIpGroups string[] List of source IpGroups for this rule [Array of ResourceIds]
destinationAddresses string[] List of destination IP addresse or service tags, can be * for any (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) for this rule
fqdnTags string[] List of FQDN Tags for this rule (found here: https://learn.microsoft.com/en-us/rest/api/firewall/azure-firewall-fqdn-tags/list-all?tabs=HTTP#code-try-0)
targetFqdns string[] List of FQDNs for this rule
targetUrls string[] List of Urls for this rule [Premium tier only]
protocols (required) protocol[] List of Application Protocols
terminateTLS bool Terminate TLS connections for this rule
webCategories string[] List of destination azure web categories (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/web-categories/list-by-subscription?tabs=HTTP#code-try-0)

firewallPolicyIntrusionDetectionBypassTrafficSpecification

Property Value Description
description (required) string Description of the bypass traffic rule.
destinationAddresses string[] List of destination IP addresses or ranges for this rule.
destinationIpGroups string[] List of destination IpGroups for this rule.
destinationPorts (required) string[] List of destination ports or ranges.
name (required) string Name of the bypass traffic rule.
protocol (required) 'ANY'
'ICMP'
'TCP'
'UDP'		 The rule bypass protocol.
sourceAddresses string[] List of source IP addresses or ranges for this rule.
sourceIpGroups string[] List of source IpGroups for this rule.

firewallRule

Set the kind property to specify the type of object.

For ApplicationRule, use:

Property Value Description

Set the kind property to specify the type of object.

For NetworkRule, use:

Property Value Description

Set the kind property to specify the type of object.

For NatRule, use:

Property Value Description

firewallRuleCollection

Property Value Description
name (required) string Name of the firewall rule collection
action (required) 'Allow'
'DNAT'
'Deny'		 Firewall rule collection action can be Allow, Deny or DNAT depending on the type of rule collection
priority int Firewall rule collection priority, lower is processed earlier [integer 100-65000]
rules firewallRule[] Firewall rules contained in the collection

firewallRuleCollectionGroup

Property Value Description
name (required) string Name of the firewall rule collection group
priority (required) int Firewall rule collection group priority, lower is processed earlier [integer 100-65000]
ruleCollections (required) firewallRuleCollection[] Firewall rule collections contained in the group

httpHeader

Property Value Description
headerName (required) string The name of the header which should be injected
headerValue (required) string The value of the header which should be injected

ipProtocol

irewallPolicyIntrusionDetectionSignatureSpecification

Property Value Description
id (required) string Signature id.
mode (required) 'Alert'
'Deny'
'Off'		 The signature state.

natRule

Property Value Description
kind (required) 'NatRule'
name (required) string Name of the firewall rule
sourceAddresses string[] List of source IP addresses for this rule, can be * for any
sourceIpGroups string[] List of source IpGroups for this rule [Array of ResourceIds]
destinationAddresses (required) string[] List of destination IP addresse or service tags, can be * for any (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) for this rule
destinationPorts (required) string[] List of destination ports
ipProtocols ipProtocol[] List of FirewallPolicyRuleNetworkProtocols (default: Any)
translatedAddress string The translated address for this NAT rule, which should be of the pool of the firewall / virtual wan
translatedFqdn string The translated FQDN for this NAT rule
translatedPort (required) string The translated port for this NAT rule

networkRule

Property Value Description
kind (required) 'NetworkRule'
name (required) string Name of the firewall rule
sourceAddresses string[] List of source IP addresses for this rule, can be * for any
sourceIpGroups string[] List of source IpGroups for this rule [Array of ResourceIds]
destinationAddresses string[] List of destination IP addresse or service tags, can be * for any (found here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) for this rule
destinationIpGroups string[] List of destination IpGroups for this rule [Array of ResourceIds]
destinationPorts string[] List of destination ports
destinationFqdns string[] List of destination FQDNs [DNS Proxy enabled]
ipProtocols ipProtocol[] List of FirewallPolicyRuleNetworkProtocols (default: Any)

protocol

Property Value Description
port (required) int Port number for the protocol [integer 1-64000]
protocolType (required) protocolType IP protocol type

protocolType

resourceLock

Property Value Description
name string Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period.
level (required) 'CanNotDelete'
'ReadOnly'		 The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again
notes string Notes about the lock. Maximum of 512 characters.
owners resourceLockOwner[] The owners of the lock

resourceLockOwner

Property Value Description
applicationId (required) string The application ID of the lock owner.

roleAssignment

Property Value Description
principalId (required) string The principal ID
roleDefinitionId (required) string The role definition ID, data file can be used for this
condition string Condition on the role assignment
conditionVersion string Version of the condition. Currently the only accepted value is "2.0"
delegatedManagedIdentityResourceId string Id of the delegated managed identity resource
description string Description of role assignment

diagnosticSetting

Property Value Description
name (required) string The resource name
eventHubAuthorizationRuleId string The resource Id for the event hub authorization rule.
eventHubName string The name of the event hub. If none is specified, the default event hub will be selected.
logAnalyticsDestinationType string A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type constructed as follows: {normalized service identity}_{normalized category name}. Possible values are: Dedicated and null (null is default.)
logs diagnosticLogSettings[] The list of logs settings.
marketplacePartnerId string The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
metrics diagnosticMetricSettings[] The list of metric settings.
serviceBusRuleId string The service bus rule Id of the diagnostic setting. This is here to maintain backwards compatibility.
storageAccountId string The resource ID of the storage account to which you would like to send Diagnostic Logs.
workspaceId string The full ARM resource ID of the Log Analytics workspace to which you would like to send Diagnostic Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2

firewallPolicy

Property Value Description
naming naming
deployAsDraft bool Deploy the policy as a firewall policy draft (default: false):
  • Do not use for creating new Rule Collection Groups
  • Do not use for initial deployment

dnsProxyServers | string[] | Enabled DNS proxy function and sets the servers to proxy the DNS requests towards basePolicyId | string | Inherit rules from another firewall policy as a baseline [ResourceId] userAssignedManagedIdentityId | string | Use an user assigned managed identity instead or together with a system assigned managed identity to retrieve certificates from keyvault. Only vault access policy supported! [ResourceId] InsightsLogAnalyticsWorkspaceId | string | Send firewall policy insights to log analytics [ResourceId] transportSecuritySettings | transportSecuritySettings | Reference to the certificate authoritity to enable TLS inspection intrusionDetection | intrusionDetection | The configuration for Intrusion detection. threatIntel | threatIntel | ruleCollectionGroups | firewallRuleCollectionGroup[] |

transportSecuritySettings

Property Value Description
keyvaultSecretId (required) string For transport security get a CA from a keyvault, requires vault access policies on the keyvault and managed identity permissions. The secret should be a base64 encoded unencrypted pfx [ResourceId]
keyvaultSecretName (required) string Certificate Authority name of the certificate stored in the keyvault

configuration

Property Value Description
privateRanges string[] IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property
bypassTrafficSettings firewallPolicyIntrusionDetectionBypassTrafficSpecification[] List of rules for traffic to bypass.
signatureOverrides irewallPolicyIntrusionDetectionSignatureSpecification[] List of specific signatures states.

intrusionDetection

Property Value Description
mode (required) 'Alert'
'Deny'
'Off'		 Intrusion detection general state. When attached to a parent policy, the firewalls effective IDPS mode is the stricter mode of the two.
profile 'Advanced'
'Basic'
'Extended'
'Standard'		 IDPS profile name. When attached to a parent policy, the firewalls effective profile is the profile name of the parent policy.
configuration configuration Intrusion detection configuration properties.

threatIntel

Property Value Description
Mode 'Alert'
'Deny'
'Off'		 The operation mode for Threat Intelligence filtering (default: Deny)
fqdnsWhitelist string[] A list of FQDNs that will be skipped for threat detection [Array of FQDNS]
ipAddressesWhitelist string[] A list of IP addresses or CIDR ranges that will be skipped for threat detection [Array of CIDR notations]

general

Property Value Description
tags object Tags of the resource [hashtable]
location (required) string Location of the resource
naming (required) naming Naming module of the resource
resourceGroupName (required) string Name of the resource group where the resource should be located
sharedNaming (required) naming Reference to the default naming
roleAssignments roleAssignment[] Role assignments on the resource
resourceLocks resourceLock[] Resource Locks on the resource

naming

Property Value Description
forceFunctionAsFullName bool Use the function value as the full name of the resource
abbreviation string Override the abbreviation of this resource with this parameter
environment string The resource environment (for example: dev, tst, acc, prd)
location string The resource location (for example: weu, we, westeurope)
customer string The name of the customer
delimiter string The delimiter between resources (default: -)
nameFormat Array containing any of:
'abbreviation'
'customer'
'environment'
'function'
'location'
'param1'
'param2'
'param3'
'useCaseName'		 The order of the array defines the order of elements in the naming scheme
param1 string Extra parameter self defined
param2 string Extra parameter self defined
param3 string Extra parameter self defined
function (required) string Function of the resource [can be app, db, security,...]
useCaseName string Name of the use case [can be hub, spoke,...]
suffix string Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...]
forceDefaultNaming bool Force the CAF naming instead of default company naming

Changelog

6.2.0 (2025-10-20)

Features

  • add firewall scaling options

6.1.0 (2025-10-20)

Features

  • update api version

6.0.1 (2025-09-24)

Bug Fixes

  • remove deployment name + cleanup

6.0.0 (2025-09-24)

⚠ BREAKING CHANGES

  • remove deprecated outputs

Bug Fixes

  • remove deprecated outputs

5.5.0 (2025-03-26)

Features

  • add resourceName output

5.4.0 (2025-03-20)

Features

  • add firewall policy draft creation

5.3.0 (2025-03-19)

Features

  • add the possibility to define the Firewall policy in a separate module

5.2.3 (2025-01-20)

Bug Fixes

  • passing through variables to firewall module from virtual-wan

5.2.2 (2025-01-02)

Bug Fixes

  • remove unsupported property from application rule