Bicep Module Documentation
← Back to Overview
Module signalr
signalR
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identity | identity | |
| kind (required) | 'RawWebSockets' 'SignalR' |
|
| sku (required) | sku | |
| applicationFirewall | applicationFirewall | |
| cors | cors | |
| disableAadAuth | bool | When set as true, connection with AuthType=aad won't work. |
| disableLocalAuth | bool | When set as true, connection with AccessKey=xxx won't work. |
| features | features[] | List of the feature flags. Feature flags that are not included in the parameters for the update operation will not be modified. When a feature flag is not explicitly set, its globally default value will be used. |
| liveTraceCategoriesToEnable | Array containing any of: 'ConnectivityLogs' 'MessagingLogs' |
Live trace configuration categories to enable |
| networkACLs | networkACLs | |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Enable or disable public network access to the SignalR service (default: Enabled). When it's Disabled, public network access is always disabled no matter what you set in network ACLs. |
| regionEndpointEnabled | 'Disabled' 'Enabled' |
Enable or disable the regional endpoint (default: Enabled). When it's Disabled, new connections will not be routed to this endpoint, however existing connections will not be affected. This property is replica specific. Disabling the regional endpoint without replica is not allowed. |
| resourceLogConfigurationsToEnable | Array containing any of: 'ConnectivityLogs' 'MessagingLogs' |
Resource log configuration to enable |
| routeSettings | routeSettings | |
| serverless | serverless | |
| tls | tls | |
| upstream | upstream | |
| privateLink | privateLink |
identity
| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
sku
| Property | Value | Description |
|---|---|---|
| name (required) | 'Free_F1' 'Premium_P1' 'Premium_P2' 'Premium_P3' 'Standard_S1' 'Standard_S2' 'Standard_S3' |
|
| capacity | int | The unit count of the resource. |
applicationFirewall
| Property | Value | Description |
|---|---|---|
| clientConnectionCountRules | clientConnectionCountRules[] | Rules to control the client connection count |
| clientTrafficControlRules | clientTrafficControlRules[] | Rules to control the client traffic |
| maxClientConnectionLifetimeInSeconds | int | Config to control the client connection lifetime in seconds, can be set to 0 to disable the config |
cors
| Property | Value | Description |
|---|---|---|
| allowedOrigins (required) | string[] | Gets or sets the list of origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). Use '*' to allow all. If omitted, allow all by default. |
features
| Property | Value | Description |
|---|---|---|
| flag (required) | 'EnableConnectivityLogs' 'EnableLiveTrace' 'EnableMessagingLogs' 'ServiceMode' |
* ServiceMode: Flag for backend server for SignalR service. Values allowed: "Default": have your own backend server; "Serverless": your application doesn't have a backend server; "Classic": for backward compatibility. Support both Default and Serverless mode but not recommended; "PredefinedOnly": for future use. |
- EnableConnectivityLogs: "true"/"false", to enable/disable the connectivity log category respectively.
- EnableMessagingLogs: "true"/"false", to enable/disable the connectivity log category respectively.
- EnableLiveTrace: Live Trace allows you to know what's happening inside Azure SignalR service, it will give you live traces in real time, it will be helpful when you developing your own Azure SignalR based web application or self-troubleshooting some issues. Please note that live traces are counted as outbound messages that will be charged. Values allowed: "true"/"false", to enable/disable live trace feature.
properties | object | Optional properties related to this feature. value (required) | string | Value of the feature flag. See Azure SignalR service documentation for possible values of each feature flag.
ipRules
| Property | Value | Description |
|---|---|---|
| action (required) | 'Allow' 'Deny' |
|
| value (required) | string | An IP or CIDR or ServiceTag |
privateEndpoints
| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the private endpoint connection |
| allow | Array containing any of: 'ClientConnection' 'RESTAPI' 'ServerConnection' 'Trace' |
Allowed request types |
| deny | Array containing any of: 'ClientConnection' 'RESTAPI' 'ServerConnection' 'Trace' |
Denied request types |
publicNetwork
| Property | Value | Description |
|---|---|---|
| allow | Array containing any of: 'ClientConnection' 'RESTAPI' 'ServerConnection' 'Trace' |
Allowed request types |
| deny | Array containing any of: 'ClientConnection' 'RESTAPI' 'ServerConnection' 'Trace' |
Denied request types |
networkACLs
| Property | Value | Description |
|---|---|---|
| defaultAction | 'Allow' 'Deny' |
|
| ipRules | ipRules[] | IP rules for filtering public traffic |
| privateEndpoints (required) | privateEndpoints[] | ACLs for requests from private endpoints |
| publicNetwork (required) | publicNetwork |
routeSettings
| Property | Value | Description |
|---|---|---|
| connectionBalanceWeight | int | Sets the connection balance weight (default: 255). |
| A higher value means a greater balance of client connections across different server connections. | ||
| A value of 0 distributes connections randomly, while a value of 255 ensures maximum balancing. | ||
| Recommended 255 for all of the cases. |
latencyWeight | int | Sets the weight for latency-based routing (default: 0). A higher value increases the influence of latency-based routing. A value of 0 disables latency-based routing entirely, while a value of 255 enables it fully. Recommended 255 for replicas or app servers in different regions for disaster recovery.
serverBalanceWeight | int | Sets the server balance weight (default: 255). A higher value means a greater balance of client connections across different app server instances. A value of 0 distributes connections randomly, while a value of 255 ensures maximum balancing. Recommended 255 for multiple app servers in same size.
serverless
| Property | Value | Description |
|---|---|---|
| connectionTimeoutInSeconds | int | Sets Client Connection Timeout in seconds (default: 30). |
| Set the timeout to a shorter period if messages are expected to be sent in shorter intervals, | ||
| and want the client to disconnect more quickly after the last message is sent. | ||
| The service considers the client disconnected if it hasn't received a message (including keep-alive) in this interval. |
keepAliveIntervalInSeconds | int | Sets the Keep-Alive Interval in seconds (default: 15). Set this value to a shorter period if they want the service to send keep-alive messages more frequently, ensuring timely checks of the connection status. This interval ensures that the connection is maintained by sending periodic keep-alive messages to the client.
tls
| Property | Value | Description |
|---|---|---|
| clientCertEnabled (required) | bool | Request client certificate during TLS handshake if enabled. Not supported for free tier. Any input will be ignored for free tier. |
managedIdentity
| Property | Value | Description |
|---|---|---|
| resource (required) | string | The Resource indicating the App ID URI of the target resource. It also appears in the aud (audience) claim of the issued token. |
auth
| Property | Value | Description |
|---|---|---|
| managedIdentity | managedIdentity | |
| type (required) | 'ManagedIdentity' 'None' |
templates
| Property | Value | Description |
|---|---|---|
| auth | auth | Upstream auth settings. If not set, no auth is used for upstream messages. |
| categoryPattern | string | Sets the matching pattern for category names. If not set, it matches any category. |
| There are 3 kind of patterns supported: |
- "*", it to matches any category name.
- Combine multiple categories with ",", for example "connections,messages", it matches category "connections" and "messages".
- The single category name, for example, "connections", it matches the category "connections".
eventPattern | string | Sets the matching pattern for event names. If not set, it matches any event. There are 3 kind of patterns supported:
- "*", it to matches any event name.
- Combine multiple events with ",", for example "connect,disconnect", it matches event "connect" and "disconnect".
- The single event name, for example, "connect", it matches "connect".
hubPattern | string | Sets the matching pattern for hub names. If not set, it matches any hub. There are 3 kind of patterns supported:
- "*", it to matches any hub name.
- Combine multiple hubs with ",", for example "hub1,hub2", it matches "hub1" and "hub2".
- The single hub name, for example, "hub1", it matches "hub1".
urlTemplate (required) | string | Sets the Upstream URL template. You can use 3 predefined parameters {hub}, {category} {event} inside the template, the value of the Upstream URL is dynamically calculated when the client request comes in. For example, if the urlTemplate is http://example.com/{hub}/api/{event}, with a client request from hub chat connects, it will first POST to this URL: http://example.com/chat/api/connect.
upstream
| Property | Value | Description |
|---|---|---|
| templates (required) | templates[] | Sets the list of Upstream URL templates. Order matters, and the first matching template takes effects. |
clientConnectionCountRules
Set the type property to specify the type of object.
For TrafficThrottleByJwtCustomClaimRule, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'TrafficThrottleByJwtCustomClaimRule' | |
| claimName (required) | string | The name of the claim in the JWT token. The client connection with the same claim value will be aggregated. If the claim is not found in the token, the connection will be allowed. |
| maxCount | int | Maximum connection count allowed for the same Jwt claim value. Clients with the same Jwt claim will get rejected if the connection count exceeds this value (default: 20). |
Set the type property to specify the type of object.
For ThrottleByJwtSignatureRule, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'ThrottleByJwtSignatureRule' | |
| maxCount | int | Maximum connection count allowed for the same Jwt claim value. Clients with the same Jwt claim will get rejected if the connection count exceeds this value (default: 20). |
Set the type property to specify the type of object.
For ThrottleByUserIdRule, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'ThrottleByUserIdRule' | |
| maxCount | int | Maximum connection count allowed for the same Jwt claim value. Clients with the same Jwt claim will get rejected if the connection count exceeds this value (default: 20). |
clientTrafficControlRules
Set the type property to specify the type of object.
For TrafficThrottleByJwtCustomClaimRule, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'TrafficThrottleByJwtCustomClaimRule' | |
| aggregationWindowInSeconds | int | The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window (default: 60). |
| claimName (required) | string | The name of the claim in the JWT token. The message bytes with the same claim value will be aggregated. If the claim is not found in the token, the rule will be skipped. |
| maxInboundMessageBytes | int | Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT claim will get disconnected if the message bytes exceeds this value (default: 1GB). |
Set the type property to specify the type of object.
For TrafficThrottleByJwtSignatureRule, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'TrafficThrottleByJwtSignatureRule' | |
| aggregationWindowInSeconds | int | The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window (default: 60). |
| maxInboundMessageBytes | int | Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT claim will get disconnected if the message bytes exceeds this value (default: 1GB). |
Set the type property to specify the type of object.
For TrafficThrottleByUserIdRule, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'TrafficThrottleByUserIdRule' | |
| aggregationWindowInSeconds | int | The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window (default: 60). |
| maxInboundMessageBytes | int | Maximum accumulated inbound message bytes allowed for the same user ID within a time window. Clients with the same user ID will get disconnected if the message bytes exceeds this value (default: 1GB). |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
1.0.0 (2026-02-03)
⚠ BREAKING CHANGES
- add initial version
Features
- add initial version