# Bicep Module Documentation

## Module virtual-wan

### virtualWAN

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| allowBranchToBranchTraffic | bool | Allow branch-to-branch traffic; a branch can be a remote site connected by S2S VPN, ExpressRoute or P2S VPN (default: true) |
| allowVnetToVnetTraffic | bool | Allow virtual network to virtual network traffic (default: true) |
| disableVpnEncryption | bool | Disable VPN encryption (default: false) |
| vwanType | 'Basic', 'Standard' | The SKU of the virtual WAN; use Basic if you only need site-to-site VPNs (default: Standard) |
| virtualWANHubs (required) | virtualWANHub[] | List of virtual WAN hub objects [Array of virtual WAN hubs] |
| vpnSites | vpnSite[] | List of VPN sites |

### virtualWANHub

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| addressPrefix (required) | string | The address range of the hub |
| allowBranchToBranchTraffic | bool | Allow branch-to-branch traffic; a branch can be a remote site connected by S2S VPN, ExpressRoute or P2S VPN (default: same as virtual WAN) |
| expressRouteGatewayId | string | Associate an ExpressRoute gateway with this virtual hub [ResourceId] |
| vpnGatewayId | string | Associate a VPN gateway with this virtual hub [ResourceId] |
| securityPartnerProviderId | string | Associate a security partner with this virtual hub [ResourceId] |
| securityProviderName | string | Name of the security provider |
| sku | 'Basic', 'Standard' | SKU of the virtual WAN hub (default: same as virtual WAN) |
| virtualRouterAsn | int | ASN associated with this virtual WAN hub (default: 65515) |
| virtualRouterIps | string[] | IPs associated with this virtual WAN hub router |
| hubRoutingPreference | 'ASPath', 'ExpressRoute', 'VpnGateway' | The preferred routing of the hub (default: ExpressRoute) |
| preferredRoutingGateway | 'ExpressRoute', 'None', 'VpnGateway' | The preferred routing gateway of the hub (default: ExpressRoute) |
| minRoutingInfrastructureUnit | int | Autoscale value for the virtual router in the hub (default: 2) [integer 2-...] |
| virtualNetworkConnections | virtualWANHubConnection[] | List of virtual WAN hub associations to virtual networks |
| routeTables | virtualWANHubRouteTable[] | List of virtual WAN hub route tables |
| vpnGateway | vpnGateway | VPN gateway settings |
| routingIntentPolicies | virtualWANHubRoutingIntentPolicy[] | List of routing intent policies |
| p2sGateway | p2sGateway | Deploy a P2S gateway to this hub |
| firewall | firewall | Deploy a firewall to this hub |

### firewall

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| sku | 'Basic', 'Premium', 'Standard' | SKU of the firewall (default: Standard) |
| zones | string[] | Zones where the firewall should be deployed [Array of strings] |
| autoscaleConfiguration | autoscaleConfiguration | Properties to provide a custom autoscale configuration for this Azure Firewall |
| firewallPolicy | firewallPolicy | The firewall policy to be created |
| firewallPolicyId | string | Firewall policy ID associated with the firewall |
| firewallSubnetId | string | Subnet to associate with the firewall; it must be called AzureFirewallSubnet and be at least a /26 [ResourceId] |
| amountOfPublicIPAddresses | int | Number of public IP addresses assigned to the firewall (default: 1) [integer] |
| ddosProtectionMode | 'Disabled', 'Enabled', 'VirtualNetworkInherited' | DDoS protection plan for the public IPs; Enabled = configure per IP (default: VirtualNetworkInherited) |
| firewallManagementSubnetId | string | Subnet to associate with the firewall's management interface; it must be called AzureFirewallManagementSubnet and be at least a /26 [ResourceId] |
| diagnosticSettings | diagnosticSetting[] | Diagnostic settings for the resource |
| virtualWANSettings | virtualWANSettings | The virtual WAN settings for this firewall, only possible when usecase is set to AZFW_Hub |

### virtualWANHubRoutingIntentPolicy

| Property | Value | Description |
|---|---|---|
| name (required) | string | The unique name for the routing policy |
| destinations (required) | string[] | List of all destinations this routing policy applies to, for example Internet, PrivateTraffic |
| nextHop (required) | 'Firewall' | The next hop for this routing policy |

### virtualWANHubRouteTable

| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the virtual WAN hub route table |
| labels | string[] | List of labels associated with this route table |
| routes | virtualWANHubRoute[] | List of routes associated with this route table |

### virtualWANHubRoute

| Property | Value | Description |
|---|---|---|
| name (required) | string | Unique name of the route within the route table |
| destinations (required) | string[] | List of destinations |
| destinationType (required) | 'CIDR', 'ResourceId', 'Service' | The type of destination |
| nextHop (required) | string | Resource ID of the next hop |
| nextHopType (required) | 'ResourceId' | The type of the next hop |

### virtualWANHubConnection

| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the virtual WAN hub connection |
| enableInternetSecurity | bool | Enable internet security (secured hub) |
| remoteVirtualNetworkId (required) | string | Reference to the virtual network you want to connect |
| associatedRouteTableId | string | Route table associated with this RoutingConfiguration [ResourceId] |
| inboundRouteMapId | string | The resource ID of the RouteMap associated with this RoutingConfiguration for inbound learned routes [ResourceId] |
| outboundRouteMapId | string | The resource ID of the RouteMap associated with this RoutingConfiguration for outbound advertised routes [ResourceId] |
| propagatedRouteTables | propagatedRouteTables | |
| vnetRoutes | vnetRoutes | List of routes that control routing from the VirtualHub into a virtual network connection |

### propagatedRouteTables

| Property | Value | Description |
|---|---|---|
| routeTableIds (required) | string[] | The list of route tables to advertise the routes to |
| labels (required) | string[] | The list of labels |

### staticRoutesConfig

| Property | Value | Description |
|---|---|---|
| vnetLocalRouteOverrideCriteria (required) | 'Contains', 'Equal' | Parameter determining whether the NVA in the spoke vnet is bypassed for traffic with a destination in the spoke |

### vnetRoutes

| Property | Value | Description |
|---|---|---|
| staticRoutes (required) | virtualWANHubConnectionStaticRoute[] | List of all static routes |
| staticRoutesConfig | staticRoutesConfig | Configuration for static routes on this HubVnetConnection |

### virtualWANHubConnectionStaticRoute

| Property | Value | Description |
|---|---|---|
| name (required) | string | |
| addressPrefixes (required) | string[] | |
| nextHopIpAddress (required) | string | |

### vpnGateway

| Property | Value | Description |
|---|---|---|
| naming | naming | |
| isRoutingPreferenceInternet | bool | Enable the Routing Preference property for the public IP interface of the VPN gateway |
| enableBgpRouteTranslationForNat | bool | Enable BGP route translation for NAT |
| bgpSettings | bgpSettings | Virtual network gateway BGP speaker settings |
| vpnGatewayScaleUnit | int | The scale unit for this VPN gateway (default: 1) |
| vpnconnections | vpnConnection[] | List of connections to be made from this gateway |
| keyVaultId | string | The resource ID of the key vault in which the PSKs of the connections are stored |

### bgpSettings

| Property | Value | Description |
|---|---|---|
| asn (required) | int | The BGP speaker ASN |
| bgpPeeringAddress | string | The BGP peering address and BGP identifier of this BGP speaker |
| bgpPeeringAddresses | localNetworkGatewayBGPPeeringAddress[] | BGP peering address with IP configuration ID for the virtual network gateway |
| peerWeight (required) | int | The weight added to routes learned from this BGP speaker |

### p2sGateway

| Property | Value | Description |
|---|---|---|
| naming | naming | |
| aadAuthenticationParameters | aadAuthenticationParameters | The set of AAD VPN authentication parameters |
| configurationPolicyGroups | configurationPolicyGroups[] | List of all VpnServerConfigurationPolicyGroups |
| name | string | The name of the VpnServerConfiguration, unique within a resource group |
| radiusClientRootCertificates | radiusClientRootCertificates[] | RADIUS client root certificates of the VpnServerConfiguration |
| radiusServerAddress | string | The RADIUS server address property of the VpnServerConfiguration resource for point-to-site client connections |
| radiusServerRootCertificates | radiusServerRootCertificates[] | RADIUS server root certificates of the VpnServerConfiguration |
| radiusServers | radiusServers[] | Multiple RADIUS server configuration for the VpnServerConfiguration |
| radiusServerSecret | securestring | The RADIUS secret property of the VpnServerConfiguration resource for point-to-site client connections |
| vpnAuthenticationTypes (required) | Array containing any of: 'AAD', 'Certificate', 'Radius' | VPN authentication types for the VpnServerConfiguration |
| vpnClientIpsecPolicies | vpnClientIpsecPolicies[] | VpnClientIpsecPolicies for the VpnServerConfiguration |
| vpnClientRevokedCertificates | vpnClientRevokedCertificates[] | VPN client revoked certificates of the VpnServerConfiguration |
| vpnClientRootCertificates | vpnClientRootCertificates[] | VPN client root certificates of the VpnServerConfiguration |
| vpnProtocols (required) | Array containing any of: 'IkeV2', 'OpenVPN' | VPN protocols for the VpnServerConfiguration |
| customDnsServers | string[] | List of all customer-specified DNS server IP addresses |
| isRoutingPreferenceInternet | bool | Enable the Routing Preference property for the public IP interface of the P2SVpnGateway |
| p2SConnectionConfigurations (required) | p2SConnectionConfigurations[] | List of all P2S connection configurations of the gateway |
| vpnGatewayScaleUnit | int | The scale unit for this P2S VPN gateway (default: 1) |

### aadAuthenticationParameters

| Property | Value | Description |
|---|---|---|
| aadAudience (required) | string | AAD VPN authentication parameter: AAD audience |
| aadIssuer (required) | string | AAD VPN authentication parameter: AAD issuer |
| aadTenant (required) | string | AAD VPN authentication parameter: AAD tenant |

### policyMembers

| Property | Value | Description |
|---|---|---|
| attributeType (required) | 'AADGroupId', 'CertificateGroupId', 'RadiusAzureGroupId' | The VPN policy member attribute type |
| attributeValue (required) | string | The value of the attribute used for this VpnServerConfigurationPolicyGroupMember |
| name (required) | string | Name of the VpnServerConfigurationPolicyGroupMember |

### configurationPolicyGroups

| Property | Value | Description |
|---|---|---|
| name (required) | string | The name of the VpnServerConfiguration, unique within a resource group |
| isDefault | bool | Shows whether this is the default VpnServerConfigurationPolicyGroup |
| policyMembers (required) | policyMembers[] | Multiple policy members for the VpnServerConfigurationPolicyGroup |
| priority (required) | int | Priority of the VpnServerConfigurationPolicyGroup |

### radiusClientRootCertificates

| Property | Value | Description |
|---|---|---|
| name (required) | string | The certificate name |
| thumbprint (required) | string | The RADIUS client root certificate thumbprint |

### radiusServerRootCertificates

| Property | Value | Description |
|---|---|---|
| name (required) | string | The certificate name |
| publicCertData (required) | string | The certificate public data |

### radiusServers

| Property | Value | Description |
|---|---|---|
| radiusServerAddress (required) | string | The address of this RADIUS server |
| radiusServerScore (required) | int | The initial score assigned to this RADIUS server |
| radiusServerSecret (required) | securestring | The secret used for this RADIUS server |

### vpnClientIpsecPolicies

| Property | Value | Description |
|---|---|---|
| dhGroup (required) | 'DHGroup1', 'DHGroup14', 'DHGroup2', 'DHGroup2048', 'DHGroup24', 'ECP256', 'ECP384' | The DH group used in IKE phase 1 for the initial SA |
| ikeEncryption (required) | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES256' | The IKE encryption algorithm (IKE phase 2) |
| ikeIntegrity (required) | 'GCMAES128', 'GCMAES256', 'MD5', 'SHA1', 'SHA256', 'SHA384' | The IKE integrity algorithm (IKE phase 2) |
| ipsecEncryption (required) | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES192', 'GCMAES256' | The IPsec encryption algorithm (IKE phase 1) |
| ipsecIntegrity (required) | 'GCMAES128', 'GCMAES192', 'GCMAES256', 'MD5', 'SHA1', 'SHA256' | The IPsec integrity algorithm (IKE phase 1) |
| pfsGroup (required) | 'ECP256', 'ECP384', 'None', 'PFS1', 'PFS14', 'PFS2', 'PFS2048', 'PFS24', 'PFSMM' | The PFS group used in IKE phase 2 for the new child SA |
| saDataSizeKilobytes (required) | int | The IPsec security association (also called Quick Mode or phase 2 SA) payload size in KB for a site-to-site VPN tunnel |
| saLifeTimeSeconds (required) | int | The IPsec security association (also called Quick Mode or phase 2 SA) lifetime in seconds for a site-to-site VPN tunnel |

### vpnClientRevokedCertificates

| Property | Value | Description |
|---|---|---|
| name (required) | string | The certificate name |
| thumbprint (required) | string | The revoked VPN client certificate thumbprint |

### vpnClientRootCertificates

| Property | Value | Description |
|---|---|---|
| name (required) | string | The certificate name |
| publicCertData (required) | string | The certificate public data |

### p2SConnectionConfigurations

| Property | Value | Description |
|---|---|---|
| name (required) | string | The name of the resource, unique within a resource group. This name can be used to access the resource |
| enableInternetSecurity | bool | Flag indicating whether the enable internet security flag is turned on for the P2S connections |
| associatedRouteTableId | string | The resource ID of the RouteTable associated with this RoutingConfiguration |
| inboundRouteMapId | string | The resource ID of the RouteMap associated with this RoutingConfiguration for inbound learned routes |
| outboundRouteMapId | string | The resource ID of the RouteMap associated with this RoutingConfiguration for outbound advertised routes |
| propagatedRouteTables | propagatedRouteTables | The list of RouteTables to advertise the routes to |
| vnetRoutes | vnetRoutes | List of routes that control routing from the VirtualHub into a virtual network connection |
| vpnClientAddressPoolAddressPrefixes (required) | string[] | The reference to the address space resource which represents the address space for P2S VPN clients |

### vpnConnection

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| connectionBandwidth | int | Expected bandwidth in Mbps |
| enableBgp | bool | Enable BGP |
| enableInternetSecurity | bool | Enable internet security |
| enableRateLimiting | bool | Enable rate limiting |
| ipsecPolicies | ipsecPolicy[] | The IPsec policies to be considered by this connection |
| routingConfiguration | routingConfiguration | |
| routingWeight | int | Weight of the VPN connection |
| keyVaultSecretName (required) | string | Name of the key vault secret in the key vault |
| trafficSelectorPolicies | trafficSelectorPolicy[] | The traffic selector policies to be considered by this connection |
| useLocalAzureIpAddress | bool | Use the local Azure IP to initiate the connection |
| usePolicyBasedTrafficSelectors | bool | Enable policy-based traffic selectors |
| vpnConnectionProtocolType | 'IKEv1', 'IKEv2' | Connection protocol used for this connection |
| vpnSiteLinkConnections (required) | vpnSiteLinkConnection[] | List of VPN site link connections; you can use up to 4, for example one per ISP |
| vpnSiteName (required) | string | Reference the existing VPN site using the function |

### routingConfiguration

| Property | Value | Description |
|---|---|---|
| associatedRouteTableId | string | Route table associated with this RoutingConfiguration [ResourceId] |
| inboundRouteMapId | string | The resource ID of the RouteMap associated with this RoutingConfiguration for inbound learned routes [ResourceId] |
| outboundRouteMapId | string | The resource ID of the RouteMap associated with this RoutingConfiguration for outbound advertised routes [ResourceId] |
| propagatedRouteTables | propagatedRouteTables | |
| vnetRoutes | vnetRoutes | List of routes that control routing from the VirtualHub into a virtual network connection |

### vpnSiteLinkConnection

| Property | Value | Description |
|---|---|---|
| vpnSiteLinkName (required) | string | Name of the VPN site link connection |
| connectionBandwidth | int | Expected bandwidth in Mbps |
| egressNatRulesIds | string[] | List of egress NAT rules |
| enableBgp | bool | Enable BGP |
| enableRateLimiting | bool | Enable rate limiting |
| ingressNatRulesIds | string[] | List of ingress NAT rules |
| ipsecPolicies | ipsecPolicy[] | The IPsec policies to be considered by this connection |
| routingWeight | int | Weight of the VPN connection |
| useLocalAzureIpAddress | bool | Use the local Azure IP to initiate the connection |
| usePolicyBasedTrafficSelectors | bool | Enable policy-based traffic selectors |
| vpnConnectionProtocolType | 'IKEv1', 'IKEv2' | Connection protocol used for this connection |
| vpnGatewayCustomBgpAddresses | customBGPIPAddressConfiguration[] | Custom BGP addresses from the gateway used by this connection |
| vpnLinkConnectionMode | 'Default', 'InitiatorOnly', 'ResponderOnly' | VPN link connection mode |

### vpnSite

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| addressPrefixes | string[] | The address space that contains an array of IP address ranges |
| deviceProperties | deviceProperties | |
| isSecuritySite | bool | Whether this is a security site |
| o365Policy | o365Policy | |
| siteKey | string | The key for the VPN site that can be used for connections |
| bgpSettings | bgpSettings | Virtual network gateway BGP speaker settings |
| vpnSiteLinks (required) | vpnSiteLink[] | List of VPN site links; you can use up to 4, for example one per ISP |

### deviceProperties

| Property | Value | Description |
|---|---|---|
| deviceModel | string | Model of the device |
| deviceVendor | string | Name of the device vendor |
| linkSpeedInMbps | int | Link speed of the device |

### breakOutCategories

| Property | Value | Description |
|---|---|---|
| allow (required) | bool | Flag to control the allow category |
| default (required) | bool | Flag to control the default category |
| optimize (required) | bool | Flag to control the optimize category |

### o365Policy

| Property | Value | Description |
|---|---|---|
| breakOutCategories (required) | breakOutCategories | |

### vpnSiteLink

| Property | Value | Description |
|---|---|---|
| vpnSiteLinkName (required) | string | Name of the VPN site link |
| bgpProperties | bgpProperties | BGP settings of the VPN site link |
| fqdn | string | FQDN of the VPN site link |
| ipAddress | string | IP address of the VPN site link |
| linkProperties | linkProperties | Link properties of the VPN site link |

### bgpProperties

| Property | Value | Description |
|---|---|---|
| asn (required) | int | |
| bgpPeeringAddress (required) | string | |

### linkProperties

| Property | Value | Description |
|---|---|---|
| linkProviderName (required) | string | Name of the provider (can be the brand of the firewall) |
| linkSpeedInMbps (required) | int | Link speed of the provider (can be the provider bandwidth) |

### diagnosticLogSettings

Set the resourceType property to specify the type of object.

For Custom, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Custom' | |
| category | string | Name of a diagnostic log category for the resource type this setting is applied to. To obtain the list of diagnostic log categories for a resource, first perform a GET diagnostic settings operation. |
| categoryGroup | string | Name of a diagnostic log category group for the resource type this setting is applied to. To obtain the list of diagnostic log categories for a resource, first perform a GET diagnostic settings operation. |
| enabled | bool | A value indicating whether this log is enabled (default: Enabled) |
| retentionPolicy | retentionPolicy | The retention policy for this log |

For App Service Plan, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'App Service Plan' | |

For Azure Firewall, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Azure Firewall' | |
| category | 'AZFWApplicationRule', 'AZFWApplicationRuleAggregation', 'AZFWDnsQuery', 'AZFWFatFlow', 'AZFWFlowTrace', 'AZFWFqdnResolveFailure', 'AZFWIdpsSignature', 'AZFWNatRule', 'AZFWNatRuleAggregation', 'AZFWNetworkRule', 'AZFWNetworkRuleAggregation', 'AZFWThreatIntel', 'AzureFirewallApplicationRule', 'AzureFirewallDnsProxy', 'AzureFirewallNetworkRule' | Name of a diagnostic log category for the resource type this setting is applied to. To obtain the list of diagnostic log categories for a resource, first perform a GET diagnostic settings operation. |
| categoryGroup | string | Name of a diagnostic log category group for the resource type this setting is applied to. To obtain the list of diagnostic log categories for a resource, first perform a GET diagnostic settings operation. |
| enabled | bool | A value indicating whether this log is enabled (default: Enabled) |
| retentionPolicy | retentionPolicy | The retention policy for this log |

For Application Gateway, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Application Gateway' | |
| category | 'ApplicationGatewayAccessLog', 'ApplicationGatewayFirewallLog', 'ApplicationGatewayPerformanceLog' | Name of a diagnostic log category for the resource type this setting is applied to. To obtain the list of diagnostic log categories for a resource, first perform a GET diagnostic settings operation. |
| categoryGroup | string | Name of a diagnostic log category group for the resource type this setting is applied to. To obtain the list of diagnostic log categories for a resource, first perform a GET diagnostic settings operation. |
| enabled | bool | A value indicating whether this log is enabled (default: Enabled) |
| retentionPolicy | retentionPolicy | The retention policy for this log |

### retentionPolicy

| Property | Value | Description |
|---|---|---|
| days (required) | int | The number of days for the retention. A value of 0 will retain the events indefinitely. |
| enabled (required) | bool | A value indicating whether the retention policy is enabled |

### diagnosticMetricSettings

Set the resourceType property to specify the type of object.

For Custom, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Custom' | |
| category | string | Name of a diagnostic metric category for the resource type this setting is applied to. To obtain the list of diagnostic metric categories for a resource, first perform a GET diagnostic settings operation. |
| enabled (required) | bool | A value indicating whether this category is enabled (default: Enabled) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric in ISO 8601 format |

For App Service Plan, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'App Service Plan' | |
| category (required) | 'AllMetrics' | Name of a diagnostic metric category for the resource type this setting is applied to. To obtain the list of diagnostic metric categories for a resource, first perform a GET diagnostic settings operation. |
| enabled | bool | A value indicating whether this category is enabled (default: Enabled) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric in ISO 8601 format |

For Azure Firewall, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Azure Firewall' | |
| category (required) | 'AllMetrics' | Name of a diagnostic metric category for the resource type this setting is applied to. To obtain the list of diagnostic metric categories for a resource, first perform a GET diagnostic settings operation. |
| enabled | bool | A value indicating whether this category is enabled (default: Enabled) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric in ISO 8601 format |

For Application Gateway, use:

| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Application Gateway' | |
| category (required) | 'AllMetrics' | Name of a diagnostic metric category for the resource type this setting is applied to. To obtain the list of diagnostic metric categories for a resource, first perform a GET diagnostic settings operation. |
| enabled | bool | A value indicating whether this category is enabled (default: Enabled) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric in ISO 8601 format |

### diagnosticSetting

| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| eventHubAuthorizationRuleId | string | The resource ID for the event hub authorization rule |
| eventHubName | string | The name of the event hub. If none is specified, the default event hub will be selected. |
| logAnalyticsDestinationType | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type constructed as follows: {normalized service identity}_{normalized category name}. Possible values are: Dedicated and null (null is the default). |
| logs | diagnosticLogSettings[] | The list of log settings |
| marketplacePartnerId | string | The full ARM resource ID of the Marketplace resource to which you would like to send diagnostic logs |
| metrics | diagnosticMetricSettings[] | The list of metric settings |
| serviceBusRuleId | string | The service bus rule ID of the diagnostic setting. This is here to maintain backwards compatibility. |
| storageAccountId | string | The resource ID of the storage account to which you would like to send diagnostic logs |
| workspaceId | string | The full ARM resource ID of the Log Analytics workspace to which you would like to send diagnostic logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2 |

### applicationRule

| Property | Value | Description |
|---|---|---|
| kind (required) | 'ApplicationRule' | |
| name (required) | string | Name of the firewall rule |
| httpHeaders | httpHeader[] | List of HTTP/S headers to insert |
| sourceAddresses | string[] | List of source IP addresses for this rule; can be * for any |
| sourceIpGroups | string[] | List of source IpGroups for this rule [Array of ResourceIds] |
| destinationAddresses | string[] | List of destination IP addresses or service tags for this rule; can be * for any (service tags are listed here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) |
| fqdnTags | string[] | List of FQDN tags for this rule (listed here: https://learn.microsoft.com/en-us/rest/api/firewall/azure-firewall-fqdn-tags/list-all?tabs=HTTP#code-try-0) |
| targetFqdns | string[] | List of FQDNs for this rule |
| targetUrls | string[] | List of URLs for this rule [Premium tier only] |
| protocols (required) | protocol[] | List of application protocols |
| terminateTLS | bool | Terminate TLS connections for this rule |
| webCategories | string[] | List of destination Azure web categories (listed here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/web-categories/list-by-subscription?tabs=HTTP#code-try-0) |

### firewallPolicyIntrusionDetectionBypassTrafficSpecification

| Property | Value | Description |
|---|---|---|
| description (required) | string | Description of the bypass traffic rule |
| destinationAddresses | string[] | List of destination IP addresses or ranges for this rule |
| destinationIpGroups | string[] | List of destination IpGroups for this rule |
| destinationPorts (required) | string[] | List of destination ports or ranges |
| name (required) | string | Name of the bypass traffic rule |
| protocol (required) | 'ANY', 'ICMP', 'TCP', 'UDP' | The rule bypass protocol |
| sourceAddresses | string[] | List of source IP addresses or ranges for this rule |
| sourceIpGroups | string[] | List of source IpGroups for this rule |

### firewallRule

Set the kind property to specify the type of object.

For ApplicationRule, use the applicationRule object (kind: 'ApplicationRule').

For NetworkRule, use the networkRule object (kind: 'NetworkRule').

For NatRule, use the natRule object (kind: 'NatRule').

### firewallRuleCollection

| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the firewall rule collection |
| action (required) | 'Allow', 'DNAT', 'Deny' | Firewall rule collection action; can be Allow, Deny or DNAT depending on the type of rule collection |
| priority | int | Firewall rule collection priority; lower is processed earlier [integer 100-65000] |
| rules | firewallRule[] | Firewall rules contained in the collection |

### firewallRuleCollectionGroup

| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the firewall rule collection group |
| priority (required) | int | Firewall rule collection group priority; lower is processed earlier [integer 100-65000] |
| ruleCollections (required) | firewallRuleCollection[] | Firewall rule collections contained in the group |

### httpHeader

| Property | Value | Description |
|---|---|---|
| headerName (required) | string | The name of the header which should be injected |
| headerValue (required) | string | The value of the header which should be injected |

### ipProtocol

### firewallPolicyIntrusionDetectionSignatureSpecification

| Property | Value | Description |
|---|---|---|
| id (required) | string | Signature ID |
| mode (required) | 'Alert', 'Deny', 'Off' | The signature state |

### natRule

| Property | Value | Description |
|---|---|---|
| kind (required) | 'NatRule' | |
| name (required) | string | Name of the firewall rule |
| sourceAddresses | string[] | List of source IP addresses for this rule; can be * for any |
| sourceIpGroups | string[] | List of source IpGroups for this rule [Array of ResourceIds] |
| destinationAddresses (required) | string[] | List of destination IP addresses or service tags for this rule; can be * for any (service tags are listed here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) |
| destinationPorts (required) | string[] | List of destination ports |
| ipProtocols | ipProtocol[] | List of FirewallPolicyRuleNetworkProtocols (default: Any) |
| translatedAddress | string | The translated address for this NAT rule, which should be from the pool of the firewall / virtual WAN |
| translatedFqdn | string | The translated FQDN for this NAT rule |
| translatedPort (required) | string | The translated port for this NAT rule |

### networkRule

| Property | Value | Description |
|---|---|---|
| kind (required) | 'NetworkRule' | |
| name (required) | string | Name of the firewall rule |
| sourceAddresses | string[] | List of source IP addresses for this rule; can be * for any |
| sourceIpGroups | string[] | List of source IpGroups for this rule [Array of ResourceIds] |
| destinationAddresses | string[] | List of destination IP addresses or service tags for this rule; can be * for any (service tags are listed here: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?tabs=HTTP#code-try-0) |
| destinationIpGroups | string[] | List of destination IpGroups for this rule [Array of ResourceIds] |
| destinationPorts | string[] | List of destination ports |
| destinationFqdns | string[] | List of destination FQDNs [DNS proxy enabled] |
| ipProtocols | ipProtocol[] | List of FirewallPolicyRuleNetworkProtocols (default: Any) |

### protocol

| Property | Value | Description |
|---|---|---|
| port (required) | int | Port number for the protocol [integer 1-64000] |
| protocolType (required) | protocolType | IP protocol type |

### protocolType

### resourceLock

| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in a period. |
| level (required) | 'CanNotDelete', 'ReadOnly' | The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete them. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented out to be able to deploy again. |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

### resourceLockOwner

| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner |

### roleAssignment

| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID; the data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | ID of the delegated managed identity resource |
| description | string | Description of the role assignment |

### customBGPIPAddressConfiguration

| Property | Value | Description |
|---|---|---|
| customBgpIpAddress (required) | string | The custom BgpPeeringAddress which belongs to the IpconfigurationId |
| ipConfigurationId (required) | string | The IpconfigurationId of the ipconfiguration which belongs to the gateway |

### autoscaleConfiguration

| Property | Value | Description |
|---|---|---|
| minCapacity (required) | int | The minimum number of firewall instances to be configured |
| maxCapacity (required) | int | The maximum number of firewall instances to be configured |

### virtualWANSettings

| Property | Value | Description |
|---|---|---|
| privateIP | string | Private IP of the firewall inside the VWAN hub [IP Address] |
| amountOfPublicIPAddresses | int | Number of public IP addresses assigned to the firewall (default: 1) [integer] |
| publicIPAddresses | string[] | The list of public IP addresses associated with the Azure Firewall, or IP addresses to be retained [Array of IP Addresses] |

firewallPolicy

Property Value Description
naming naming
deployAsDraft bool Deploy the policy as a firewall policy draft (default: false):
  • Do not use for creating new Rule Collection Groups
  • Do not use for initial deployment

dnsProxyServers | string[] | Enabled DNS proxy function and sets the servers to proxy the DNS requests towards basePolicyId | string | Inherit rules from another firewall policy as a baseline [ResourceId] userAssignedManagedIdentityId | string | Use an user assigned managed identity instead or together with a system assigned managed identity to retrieve certificates from keyvault. Only vault access policy supported! [ResourceId] InsightsLogAnalyticsWorkspaceId | string | Send firewall policy insights to log analytics [ResourceId] transportSecuritySettings | transportSecuritySettings | Reference to the certificate authoritity to enable TLS inspection intrusionDetection | intrusionDetection | The configuration for Intrusion detection. threatIntel | threatIntel | ruleCollectionGroups | firewallRuleCollectionGroup[] |

transportSecuritySettings

Property Value Description
keyvaultSecretId (required) string For transport security, retrieve a CA from a keyvault; this requires vault access policies on the keyvault and managed identity permissions. The secret should be a base64 encoded unencrypted pfx [ResourceId]
keyvaultSecretName (required) string Certificate Authority name of the certificate stored in the keyvault

configuration

Property Value Description
privateRanges string[] IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property
bypassTrafficSettings firewallPolicyIntrusionDetectionBypassTrafficSpecification[] List of rules for traffic to bypass.
signatureOverrides firewallPolicyIntrusionDetectionSignatureSpecification[] List of specific signature states.

intrusionDetection

Property Value Description
mode (required) 'Alert'
'Deny'
'Off'
Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.
profile 'Advanced'
'Basic'
'Extended'
'Standard'
IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.
configuration configuration Intrusion detection configuration properties.

threatIntel

Property Value Description
Mode 'Alert'
'Deny'
'Off'
The operation mode for Threat Intelligence filtering (default: Deny)
fqdnsWhitelist string[] A list of FQDNs that will be skipped for threat detection [Array of FQDNs]
ipAddressesWhitelist string[] A list of IP addresses or CIDR ranges that will be skipped for threat detection [Array of CIDR notations]
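The firewallPolicy object and its transportSecuritySettings, intrusionDetection and threatIntel sub-objects above are easiest to read as one assembled value. The following is an added example, not code from the module documentation or the module itself: it builds a hardened firewallPolicy object shaped exactly as the tables describe. The parameter names, the naming values, the DNS resolver addresses and the `intermediate-ca` secret name are placeholders and constructed sample values.

```bicep
// Added example (not part of the module): a firewallPolicy object assembled
// from the documented tables. All ids below are placeholders supplied by the
// caller; the DNS resolvers and naming values are constructed samples.

@description('Resource id of the user assigned managed identity that reads the CA pfx from keyvault (placeholder)')
param tlsInspectionIdentityId string

@description('Resource id of the keyvault secret holding the base64 encoded, unencrypted pfx of the CA (placeholder)')
param caSecretId string

@description('Resource id of the Log Analytics workspace that receives policy insights (placeholder)')
param insightsWorkspaceId string

var firewallPolicyHardened = {
  naming: {
    function: 'fw'
    useCaseName: 'hub'
    environment: 'prd'
    location: 'weu'
  }
  // Keep draft mode off for the initial deployment and whenever new rule
  // collection groups are created, as the deployAsDraft row states.
  deployAsDraft: false
  // The firewall proxies DNS for the spokes and forwards to these resolvers
  // (constructed sample addresses).
  dnsProxyServers: [
    '10.0.0.4'
    '10.0.0.5'
  ]
  // TLS inspection needs an identity with a vault access policy on the
  // keyvault; the RBAC permission model is not supported by this setting.
  userAssignedManagedIdentityId: tlsInspectionIdentityId
  InsightsLogAnalyticsWorkspaceId: insightsWorkspaceId
  transportSecuritySettings: {
    keyvaultSecretId: caSecretId
    keyvaultSecretName: 'intermediate-ca'
  }
  intrusionDetection: {
    // With a parent policy attached, the stricter of the two modes applies,
    // so 'Deny' here cannot be relaxed by a child policy.
    mode: 'Deny'
    profile: 'Standard'
    configuration: {
      // RFC 1918 ranges are private by default; list them explicitly when
      // adding further internal ranges, because the list replaces the default.
      privateRanges: [
        '10.0.0.0/8'
        '172.16.0.0/12'
        '192.168.0.0/16'
        '100.64.0.0/10' // constructed example: shared address space used internally
      ]
    }
  }
  threatIntel: {
    Mode: 'Deny'
    fqdnsWhitelist: []
    ipAddressesWhitelist: []
  }
  ruleCollectionGroups: []
}

// Exposed as an output so the object can be passed to the module's
// firewallPolicy parameter from a wrapping template.
output firewallPolicyObject object = firewallPolicyHardened
```

The object is deliberately complete rather than minimal: privateRanges replaces the default list, so the three RFC 1918 ranges are restated before the extra range is appended, and both threat intelligence and IDPS are left in Deny so that a parent policy can only tighten, never loosen, the effective behaviour.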

general

Property Value Description
tags object Tags of the resource [hashtable]
location (required) string Location of the resource
naming (required) naming Naming module of the resource
resourceGroupName (required) string Name of the resource group where the resource should be located
sharedNaming (required) naming Reference to the default naming
roleAssignments roleAssignment[] Role assignments on the resource
resourceLocks resourceLock[] Resource Locks on the resource

ipsecPolicy

Property Value Description
dhGroup (required) 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None'
The DH Group used in IKE Phase 1 for initial SA.
ikeEncryption (required) 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256'
The IKE encryption algorithm (IKE phase 2).
ikeIntegrity (required) 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384'
The IKE integrity algorithm (IKE phase 2).
ipsecEncryption (required) 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None'
The IPSec encryption algorithm (IKE phase 1).
ipsecIntegrity (required) 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
The IPSec integrity algorithm (IKE phase 1).
pfsGroup (required) 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM'
The Pfs Group used in IKE Phase 2 for new child SA.
saDataSizeKilobytes (required) int The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel.
saLifeTimeSeconds (required) int The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel.
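The ipsecPolicy table lists every algorithm the module accepts, including several that only remain for compatibility with old on-premises devices. The following added example, not code from the module documentation or the module, places a weak ipsecPolicy next to a hardened one so the difference is visible in the shape the table describes. The SA lifetime values are the ones Azure's default policy uses and are constructed here as sample values; the variable names are placeholders.

```bicep
// Added example (not part of the module): two ipsecPolicy objects shaped as
// in the documented table. The first shows a legacy proposal to reject; the
// second is the profile to configure for a new site. Lifetimes are sample
// values matching Azure's default policy.

// Weak: every algorithm here is deprecated. Shown only so it can be recognised.
var ipsecPolicyWeak = {
  dhGroup: 'DHGroup1'         // 768-bit MODP group, far below current key-size guidance
  ikeEncryption: 'DES3'       // 64-bit block cipher; long-lived tunnels expose it to block-collision attacks
  ikeIntegrity: 'SHA1'        // collision-broken hash
  ipsecEncryption: 'DES3'
  ipsecIntegrity: 'MD5'       // collision-broken hash
  pfsGroup: 'None'            // no forward secrecy: one recovered IKE key exposes every child SA
  saDataSizeKilobytes: 102400000
  saLifeTimeSeconds: 27000
}

// Hardened: AES-256 with SHA-384 and a 384-bit elliptic-curve group for the
// initial SA, AES-GCM-256 for the child SA, and PFS on the same curve.
var ipsecPolicyHardened = {
  dhGroup: 'ECP384'
  ikeEncryption: 'AES256'
  ikeIntegrity: 'SHA384'
  ipsecEncryption: 'GCMAES256'
  ipsecIntegrity: 'GCMAES256' // Azure requires the same GCMAES algorithm for IPsec encryption and integrity
  pfsGroup: 'ECP384'
  saDataSizeKilobytes: 102400000
  saLifeTimeSeconds: 27000
}

// Exposed as outputs so either object can be passed to a vpnSite / connection
// definition from a wrapping template.
output weakPolicy object = ipsecPolicyWeak
output hardenedPolicy object = ipsecPolicyHardened
```

When GCMAES is chosen for the child SA, both ipsecEncryption and ipsecIntegrity must name the same GCMAES variant, since the AEAD cipher provides integrity itself; the hardened object above follows that rule, while phase 1 keeps a separate integrity algorithm.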

localNetworkGatewayBGPPeeringAddress

Property Value Description
customBgpIpAddresses (required) string[] The list of custom BGP peering addresses which belong to IP configuration
ipconfigurationId (required) string The ID of IP configuration which belongs to gateway

naming

Property Value Description
forceFunctionAsFullName bool Use the function value as the full name of the resource
abbreviation string Override the abbreviation of this resource with this parameter
environment string The resource environment (for example: dev, tst, acc, prd)
location string The resource location (for example: weu, we, westeurope)
customer string The name of the customer
delimiter string The delimiter between resources (default: -)
nameFormat Array containing any of:
'abbreviation'
'customer'
'environment'
'function'
'location'
'param1'
'param2'
'param3'
'useCaseName'
The order of the array defines the order of elements in the naming scheme
param1 string Extra parameter self defined
param2 string Extra parameter self defined
param3 string Extra parameter self defined
function (required) string Function of the resource [can be app, db, security,...]
useCaseName string Name of the use case [can be hub, spoke,...]
suffix string Suffix for the resource; if empty, none will be appended, otherwise it is added to the end [can be index, ...]
forceDefaultNaming bool Force the CAF naming instead of default company naming

trafficSelectorPolicy

Property Value Description
localAddressRanges (required) string[] A collection of local address spaces in CIDR format.
remoteAddressRanges (required) string[] A collection of remote address spaces in CIDR format.

virtualNetworkGatewayBGPPeeringAddress

Property Value Description
customBgpIpAddresses (required) string[] The list of custom BGP peering addresses which belong to IP configuration.
ipconfigurationId (required) string The ID of IP configuration which belongs to gateway.

Changelog

3.1.1 (2025-11-17)

Bug Fixes

  • bgpPeeringAddress type optional

3.1.0 (2025-10-20)

Features

  • update resource api versions

3.0.0 (2025-09-25)

⚠ BREAKING CHANGES

  • change resource abbreviation vpngw

Bug Fixes

  • change resource abbreviation vpngw

2.5.1 (2025-09-24)

Bug Fixes

  • remove deployment name + cleanup

2.5.0 (2025-03-26)

Features

  • add resourceName output

2.4.0 (2025-03-20)

Features

  • add firewall policy draft creation

2.3.0 (2025-03-19)

Features

  • add the possibility to define the Firewall policy in a separate module

2.2.3 (2025-02-04)

Bug Fixes

  • set p2sConnection / vnetRoutes / staticRoutesConfig optional

2.2.2 (2025-01-20)

Bug Fixes

  • passing through variables to firewall module from virtual-wan