Bicep resource definition
The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2025-01-01' = {
  scope: resourceSymbolicName or scope
  location: 'string'
  name: 'string'
  properties: {
    customRules: [
      {
        action: 'string'
        groupByUserSession: [
          {
            groupByVariables: [
              {
                variableName: 'string'
              }
            ]
          }
        ]
        matchConditions: [
          {
            matchValues: [
              'string'
            ]
            matchVariables: [
              {
                selector: 'string'
                variableName: 'string'
              }
            ]
            negationConditon: bool
            operator: 'string'
            transforms: [
              'string'
            ]
          }
        ]
        name: 'string'
        priority: int
        rateLimitDuration: 'string'
        rateLimitThreshold: int
        ruleType: 'string'
        state: 'string'
      }
    ]
    managedRules: {
      exceptions: [
        {
          exceptionManagedRuleSets: [
            {
              ruleGroups: [
                {
                  ruleGroupName: 'string'
                  rules: [
                    {
                      ruleId: 'string'
                    }
                  ]
                }
              ]
              ruleSetType: 'string'
              ruleSetVersion: 'string'
            }
          ]
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
          valueMatchOperator: 'string'
          values: [
            'string'
          ]
        }
      ]
      exclusions: [
        {
          exclusionManagedRuleSets: [
            {
              ruleGroups: [
                {
                  ruleGroupName: 'string'
                  rules: [
                    {
                      ruleId: 'string'
                    }
                  ]
                }
              ]
              ruleSetType: 'string'
              ruleSetVersion: 'string'
            }
          ]
          matchVariable: 'string'
          selector: 'string'
          selectorMatchOperator: 'string'
        }
      ]
      managedRuleSets: [
        {
          ruleGroupOverrides: [
            {
              ruleGroupName: 'string'
              rules: [
                {
                  action: 'string'
                  ruleId: 'string'
                  sensitivity: 'string'
                  state: 'string'
                }
              ]
            }
          ]
          ruleSetType: 'string'
          ruleSetVersion: 'string'
        }
      ]
    }
    policySettings: {
      customBlockResponseBody: 'string'
      customBlockResponseStatusCode: int
      fileUploadEnforcement: bool
      fileUploadLimitInMb: int
      jsChallengeCookieExpirationInMins: int
      logScrubbing: {
        scrubbingRules: [
          {
            matchVariable: 'string'
            selector: 'string'
            selectorMatchOperator: 'string'
            state: 'string'
          }
        ]
        state: 'string'
      }
      maxRequestBodySizeInKb: int
      mode: 'string'
      requestBodyCheck: bool
      requestBodyEnforcement: bool
      requestBodyInspectLimitInKB: int
      state: 'string'
    }
  }
  tags: {
    {customized property}: 'string'
  }
}
Property Values
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
| Name | Description | Value | 
|---|---|---|
| location | Resource location. | string | 
| name | The resource name | string Constraints: Max length = 128 (required) | 
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat | 
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
ExceptionEntry
| Name | Description | Value | 
|---|---|---|
| exceptionManagedRuleSets | The managed rule sets that are associated with the exception. | ExclusionManagedRuleSet[] | 
| matchVariable | The variable on which the exception condition is evaluated. | 'RemoteAddr' 'RequestHeader' 'RequestURI' (required) | 
| selector | When the matchVariable points to a key-value pair (e.g., RequestHeader), this identifies the key. | string | 
| selectorMatchOperator | When the matchVariable points to a key-value pair (e.g., RequestHeader), this operates on the selector. | 'Contains' 'EndsWith' 'Equals' 'StartsWith' | 
| valueMatchOperator | Operates on the allowed values for the matchVariable. | 'Contains' 'EndsWith' 'Equals' 'IPMatch' 'StartsWith' (required) | 
| values | Allowed values for the matchVariable. | string[] | 
ExclusionManagedRule
| Name | Description | Value | 
|---|---|---|
| ruleId | Identifier for the managed rule. | string (required) | 
ExclusionManagedRuleGroup
| Name | Description | Value | 
|---|---|---|
| ruleGroupName | The managed rule group for exclusion. | string (required) | 
| rules | List of rules that will be excluded. If none specified, all rules in the group will be excluded. | ExclusionManagedRule[] | 
ExclusionManagedRuleSet
| Name | Description | Value | 
|---|---|---|
| ruleGroups | Defines the rule groups to apply to the rule set. | ExclusionManagedRuleGroup[] | 
| ruleSetType | Defines the rule set type to use. | string (required) | 
| ruleSetVersion | Defines the version of the rule set to use. | string (required) | 
GroupByUserSession
| Name | Description | Value | 
|---|---|---|
| groupByVariables | List of group by clause variables. | GroupByVariable[] (required) | 
GroupByVariable
| Name | Description | Value | 
|---|---|---|
| variableName | User Session clause variable. | 'ClientAddr' 'ClientAddrXFFHeader' 'GeoLocation' 'GeoLocationXFFHeader' 'None' (required) | 
ManagedRuleGroupOverride
| Name | Description | Value | 
|---|---|---|
| ruleGroupName | The managed rule group to override. | string (required) | 
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] | 
ManagedRuleOverride
| Name | Description | Value | 
|---|---|---|
| action | Describes the override action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'JSChallenge' 'Log' | 
| ruleId | Identifier for the managed rule. | string (required) | 
| sensitivity | Describes the override sensitivity to be applied when rule matches. | 'High' 'Low' 'Medium' 'None' | 
| state | The state of the managed rule. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' | 
ManagedRulesDefinition
| Name | Description | Value | 
|---|---|---|
| exceptions | The exceptions that are applied on the policy. | ExceptionEntry[] | 
| exclusions | The exclusions that are applied on the policy. | OwaspCrsExclusionEntry[] | 
| managedRuleSets | The managed rule sets that are associated with the policy. | ManagedRuleSet[] (required) | 
ManagedRuleSet
| Name | Description | Value | 
|---|---|---|
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] | 
| ruleSetType | Defines the rule set type to use. | string (required) | 
| ruleSetVersion | Defines the version of the rule set to use. | string (required) | 
MatchCondition
| Name | Description | Value | 
|---|---|---|
| matchValues | Match value. | string[] (required) | 
| matchVariables | List of match variables. | MatchVariable[] (required) | 
| negationConditon | Whether this condition is negated. | bool | 
| operator | The operator to be matched. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required) | 
| transforms | List of transforms. | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' | 
MatchVariable
| Name | Description | Value | 
|---|---|---|
| selector | The selector of match variable. | string | 
| variableName | Match Variable. | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required) | 
OwaspCrsExclusionEntry
| Name | Description | Value | 
|---|---|---|
| exclusionManagedRuleSets | The managed rule sets that are associated with the exclusion. | ExclusionManagedRuleSet[] | 
| matchVariable | The variable to be excluded. | 'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required) | 
| selector | When matchVariable is a collection, the selector specifies which elements in the collection this exclusion applies to. | string (required) | 
| selectorMatchOperator | When matchVariable is a collection, the operator applied to the selector to specify which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) | 
PolicySettings
| Name | Description | Value | 
|---|---|---|
| customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Max length = 32768 Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ | 
| customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int Constraints: Min value = 0 | 
| fileUploadEnforcement | Whether to allow WAF to enforce file upload limits. | bool | 
| fileUploadLimitInMb | Maximum file upload size in Mb for WAF. | int Constraints: Min value = 0 | 
| jsChallengeCookieExpirationInMins | Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. | int Constraints: Min value = 5 Max value = 1440 | 
| logScrubbing | Settings for scrubbing sensitive fields from the logs. | PolicySettingsLogScrubbing | 
| maxRequestBodySizeInKb | Maximum request body size in Kb for WAF. | int Constraints: Min value = 8 | 
| mode | The mode of the policy. | 'Detection' 'Prevention' | 
| requestBodyCheck | Whether to allow WAF to check request Body. | bool | 
| requestBodyEnforcement | Whether to allow WAF to enforce request body limits. | bool | 
| requestBodyInspectLimitInKB | Maximum request body inspection limit in KB for WAF. | int | 
| state | The state of the policy. | 'Disabled' 'Enabled' | 
PolicySettingsLogScrubbing
| Name | Description | Value | 
|---|---|---|
| scrubbingRules | The rules that are applied to the logs for scrubbing. | WebApplicationFirewallScrubbingRules[] | 
| state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
WebApplicationFirewallCustomRule
| Name | Description | Value | 
|---|---|---|
| action | Type of Actions. | 'Allow' 'Block' 'JSChallenge' 'Log' (required) | 
| groupByUserSession | List of user session identifier group by clauses. | GroupByUserSession[] | 
| matchConditions | List of match conditions. | MatchCondition[] (required) | 
| name | The name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = 128 | 
| priority | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) | 
| rateLimitDuration | Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. | 'FiveMins' 'OneMin' | 
| rateLimitThreshold | Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1. | int | 
| ruleType | The rule type. | 'Invalid' 'MatchRule' 'RateLimitRule' (required) | 
| state | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' | 
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| customRules | The custom rules inside the policy. | WebApplicationFirewallCustomRule[] | 
| managedRules | Describes the managedRules structure. | ManagedRulesDefinition (required) | 
| policySettings | The PolicySettings for policy. | PolicySettings | 
WebApplicationFirewallScrubbingRules
| Name | Description | Value | 
|---|---|---|
| matchVariable | The variable to be scrubbed from the logs. | 'RequestArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestJSONArgNames' 'RequestPostArgNames' (required) | 
| selector | When matchVariable is a collection, the selector specifies which elements in the collection this rule applies to. | string | 
| selectorMatchOperator | When matchVariable is a collection, the operator applied to the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) | 
| state | Defines the state of log scrubbing rule. Default value is Enabled. | 'Disabled' 'Enabled' | 
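The skeleton and tables above list every property but give no values. The policy below is an added example, not code from the Microsoft reference page: it runs in Prevention mode with body and upload limits, scrubs the Authorization header from WAF logs, keeps the OWASP managed rule set while downgrading one rule to Log rather than disabling its whole group, and adds a per-client rate limit plus a negated IP match for an admin path. The rule set type and version, the rule group name and rule ID, the header name, the paths and the CIDR range are assumptions chosen for illustration.

```bicep
// Added example, not from the reference page. Rule set, group, rule ID, paths and CIDR are assumptions.
param location string = resourceGroup().location
param policyName string = 'waf-policy-example'
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2025-01-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // 'Detection' only logs; tune there first, then switch to 'Prevention'
      requestBodyCheck: true
      requestBodyEnforcement: true
      maxRequestBodySizeInKb: 128
      requestBodyInspectLimitInKB: 128
      fileUploadEnforcement: true
      fileUploadLimitInMb: 10
      customBlockResponseStatusCode: 403
      // The schema requires a base64 string; let Bicep encode it instead of pasting a blob.
      customBlockResponseBody: base64('{"error":"request blocked"}')
      logScrubbing: {
        state: 'Enabled'
        scrubbingRules: [
          {
            // Keep bearer tokens and basic-auth credentials out of the WAF logs.
            matchVariable: 'RequestHeaderNames'
            selectorMatchOperator: 'Equals'
            selector: 'Authorization'
            state: 'Enabled'
          }
        ]
      }
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP' // assumed rule set type and version
          ruleSetVersion: '3.2'
          ruleGroupOverrides: [
            {
              // Assumed group and rule ID: log one noisy rule instead of disabling the group.
              ruleGroupName: 'REQUEST-920-PROTOCOL-ENFORCEMENT'
              rules: [
                {
                  ruleId: '920300'
                  state: 'Enabled'
                  action: 'Log'
                }
              ]
            }
          ]
        }
      ]
    }
    customRules: [
      {
        // 300 requests per minute per client address on the API path (assumed values).
        name: 'RateLimitApiPerClient'
        priority: 10
        ruleType: 'RateLimitRule'
        rateLimitDuration: 'OneMin'
        rateLimitThreshold: 300
        action: 'Block'
        groupByUserSession: [
          { groupByVariables: [ { variableName: 'ClientAddr' } ] }
        ]
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            matchValues: [ '/api/' ]
            transforms: [ 'Lowercase' ]
          }
        ]
      }
      {
        // Block /admin unless the client is in the assumed corporate range; all conditions must match.
        // The API spells the negation property negationConditon; keep that spelling.
        name: 'RestrictAdminPath'
        priority: 20
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            matchValues: [ '/admin' ]
            transforms: [ 'Lowercase' ]
          }
          {
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'IPMatch'
            negationConditon: true
            matchValues: [ '203.0.113.0/24' ]
          }
        ]
      }
    ]
  }
}
output wafPolicyId string = wafPolicy.id
```

Deploy it to a resource group with `az deployment group create`, then associate the output ID with an Application Gateway listener or the gateway itself.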
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Application Gateway Web Application Firewall (WAF) Policy | AVM Resource Module for Application Gateway Web Application Firewall (WAF) Policy | 
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description | 
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault. | 
| Application Gateway for Url Path Based Routing | This template creates an Application Gateway and configures it for URL Path Based Routing. | 
| Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy. | 
| Create an Azure WAF v2 on Azure Application Gateway | This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool. | 
| Front Door Standard/Premium with Application Gateway origin | This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin. | 
| Front Door with Container Instances and Application Gateway | This template creates a Front Door Standard/Premium with a container group and Application Gateway. | 
ARM template resource definition
The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following JSON to your template.
{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2025-01-01",
  "name": "string",
  "location": "string",
  "properties": {
    "customRules": [
      {
        "action": "string",
        "groupByUserSession": [
          {
            "groupByVariables": [
              {
                "variableName": "string"
              }
            ]
          }
        ],
        "matchConditions": [
          {
            "matchValues": [ "string" ],
            "matchVariables": [
              {
                "selector": "string",
                "variableName": "string"
              }
            ],
            "negationConditon": "bool",
            "operator": "string",
            "transforms": [ "string" ]
          }
        ],
        "name": "string",
        "priority": "int",
        "rateLimitDuration": "string",
        "rateLimitThreshold": "int",
        "ruleType": "string",
        "state": "string"
      }
    ],
    "managedRules": {
      "exceptions": [
        {
          "exceptionManagedRuleSets": [
            {
              "ruleGroups": [
                {
                  "ruleGroupName": "string",
                  "rules": [
                    {
                      "ruleId": "string"
                    }
                  ]
                }
              ],
              "ruleSetType": "string",
              "ruleSetVersion": "string"
            }
          ],
          "matchVariable": "string",
          "selector": "string",
          "selectorMatchOperator": "string",
          "valueMatchOperator": "string",
          "values": [ "string" ]
        }
      ],
      "exclusions": [
        {
          "exclusionManagedRuleSets": [
            {
              "ruleGroups": [
                {
                  "ruleGroupName": "string",
                  "rules": [
                    {
                      "ruleId": "string"
                    }
                  ]
                }
              ],
              "ruleSetType": "string",
              "ruleSetVersion": "string"
            }
          ],
          "matchVariable": "string",
          "selector": "string",
          "selectorMatchOperator": "string"
        }
      ],
      "managedRuleSets": [
        {
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "string",
              "rules": [
                {
                  "action": "string",
                  "ruleId": "string",
                  "sensitivity": "string",
                  "state": "string"
                }
              ]
            }
          ],
          "ruleSetType": "string",
          "ruleSetVersion": "string"
        }
      ]
    },
    "policySettings": {
      "customBlockResponseBody": "string",
      "customBlockResponseStatusCode": "int",
      "fileUploadEnforcement": "bool",
      "fileUploadLimitInMb": "int",
      "jsChallengeCookieExpirationInMins": "int",
      "logScrubbing": {
        "scrubbingRules": [
          {
            "matchVariable": "string",
            "selector": "string",
            "selectorMatchOperator": "string",
            "state": "string"
          }
        ],
        "state": "string"
      },
      "maxRequestBodySizeInKb": "int",
      "mode": "string",
      "requestBodyCheck": "bool",
      "requestBodyEnforcement": "bool",
      "requestBodyInspectLimitInKB": "int",
      "state": "string"
    }
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
| Name | Description | Value | 
|---|---|---|
| apiVersion | The api version | '2025-01-01' | 
| location | Resource location. | string | 
| name | The resource name | string Constraints: Max length = 128 (required) | 
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
| type | The resource type | 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies' | 
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault. | 
| Application Gateway for Url Path Based Routing | This template creates an Application Gateway and configures it for URL Path Based Routing. | 
| Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy. | 
| Create an Azure WAF v2 on Azure Application Gateway | This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2016 servers in the backend pool. | 
| Front Door Standard/Premium with Application Gateway origin | This template creates a Front Door Standard/Premium and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin. | 
| Front Door with Container Instances and Application Gateway | This template creates a Front Door Standard/Premium with a container group and Application Gateway. | 
Terraform (AzAPI provider) resource definition
The ApplicationGatewayWebApplicationFirewallPolicies resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2025-01-01"
  name = "string"
  parent_id = "string"
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      customRules = [
        {
          action = "string"
          groupByUserSession = [
            {
              groupByVariables = [
                {
                  variableName = "string"
                }
              ]
            }
          ]
          matchConditions = [
            {
              matchValues = [
                "string"
              ]
              matchVariables = [
                {
                  selector = "string"
                  variableName = "string"
                }
              ]
              negationConditon = bool
              operator = "string"
              transforms = [
                "string"
              ]
            }
          ]
          name = "string"
          priority = int
          rateLimitDuration = "string"
          rateLimitThreshold = int
          ruleType = "string"
          state = "string"
        }
      ]
      managedRules = {
        exceptions = [
          {
            exceptionManagedRuleSets = [
              {
                ruleGroups = [
                  {
                    ruleGroupName = "string"
                    rules = [
                      {
                        ruleId = "string"
                      }
                    ]
                  }
                ]
                ruleSetType = "string"
                ruleSetVersion = "string"
              }
            ]
            matchVariable = "string"
            selector = "string"
            selectorMatchOperator = "string"
            valueMatchOperator = "string"
            values = [
              "string"
            ]
          }
        ]
        exclusions = [
          {
            exclusionManagedRuleSets = [
              {
                ruleGroups = [
                  {
                    ruleGroupName = "string"
                    rules = [
                      {
                        ruleId = "string"
                      }
                    ]
                  }
                ]
                ruleSetType = "string"
                ruleSetVersion = "string"
              }
            ]
            matchVariable = "string"
            selector = "string"
            selectorMatchOperator = "string"
          }
        ]
        managedRuleSets = [
          {
            ruleGroupOverrides = [
              {
                ruleGroupName = "string"
                rules = [
                  {
                    action = "string"
                    ruleId = "string"
                    sensitivity = "string"
                    state = "string"
                  }
                ]
              }
            ]
            ruleSetType = "string"
            ruleSetVersion = "string"
          }
        ]
      }
      policySettings = {
        customBlockResponseBody = "string"
        customBlockResponseStatusCode = int
        fileUploadEnforcement = bool
        fileUploadLimitInMb = int
        jsChallengeCookieExpirationInMins = int
        logScrubbing = {
          scrubbingRules = [
            {
              matchVariable = "string"
              selector = "string"
              selectorMatchOperator = "string"
              state = "string"
            }
          ]
          state = "string"
        }
        maxRequestBodySizeInKb = int
        mode = "string"
        requestBodyCheck = bool
        requestBodyEnforcement = bool
        requestBodyInspectLimitInKB = int
        state = "string"
      }
    }
  }
}
Property Values
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
| Name | Description | Value | 
|---|---|---|
| location | Resource location. | string | 
| name | The resource name | string Constraints: Max length = 128 (required) | 
| parent_id | The ID of the resource to apply this extension resource to. | string (required) | 
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyPropertiesFormat | 
| tags | Resource tags | Dictionary of tag names and values. | 
| type | The resource type | "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2025-01-01" | 
ExceptionEntry
| Name | Description | Value | 
|---|---|---|
| exceptionManagedRuleSets | The managed rule sets that are associated with the exception. | ExclusionManagedRuleSet[] | 
| matchVariable | The variable on which the exception condition is evaluated. | 'RemoteAddr' 'RequestHeader' 'RequestURI' (required) | 
| selector | When the matchVariable points to a key-value pair (e.g., RequestHeader), this identifies the key. | string | 
| selectorMatchOperator | When the matchVariable points to a key-value pair (e.g., RequestHeader), this operates on the selector. | 'Contains' 'EndsWith' 'Equals' 'StartsWith' | 
| valueMatchOperator | Operates on the allowed values for the matchVariable. | 'Contains' 'EndsWith' 'Equals' 'IPMatch' 'StartsWith' (required) | 
| values | Allowed values for the matchVariable. | string[] | 
ExclusionManagedRule
| Name | Description | Value | 
|---|---|---|
| ruleId | Identifier for the managed rule. | string (required) | 
ExclusionManagedRuleGroup
| Name | Description | Value | 
|---|---|---|
| ruleGroupName | The managed rule group for exclusion. | string (required) | 
| rules | List of rules that will be excluded. If none specified, all rules in the group will be excluded. | ExclusionManagedRule[] | 
ExclusionManagedRuleSet
| Name | Description | Value | 
|---|---|---|
| ruleGroups | Defines the rule groups to apply to the rule set. | ExclusionManagedRuleGroup[] | 
| ruleSetType | Defines the rule set type to use. | string (required) | 
| ruleSetVersion | Defines the version of the rule set to use. | string (required) | 
GroupByUserSession
| Name | Description | Value | 
|---|---|---|
| groupByVariables | List of group by clause variables. | GroupByVariable[] (required) | 
GroupByVariable
| Name | Description | Value | 
|---|---|---|
| variableName | User Session clause variable. | 'ClientAddr' 'ClientAddrXFFHeader' 'GeoLocation' 'GeoLocationXFFHeader' 'None' (required) | 
ManagedRuleGroupOverride
| Name | Description | Value | 
|---|---|---|
| ruleGroupName | The managed rule group to override. | string (required) | 
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverride[] | 
ManagedRuleOverride
| Name | Description | Value | 
|---|---|---|
| action | Describes the override action to be applied when the rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'JSChallenge' 'Log' | 
| ruleId | Identifier for the managed rule. | string (required) | 
| sensitivity | Describes the override sensitivity to be applied when the rule matches. | 'High' 'Low' 'Medium' 'None' | 
| state | The state of the managed rule. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' | 
ManagedRulesDefinition
| Name | Description | Value | 
|---|---|---|
| exceptions | The exceptions that are applied on the policy. | ExceptionEntry[] | 
| exclusions | The exclusions that are applied on the policy. | OwaspCrsExclusionEntry[] | 
| managedRuleSets | The managed rule sets that are associated with the policy. | ManagedRuleSet[] (required) | 
ManagedRuleSet
| Name | Description | Value | 
|---|---|---|
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverride[] | 
| ruleSetType | Defines the rule set type to use. | string (required) | 
| ruleSetVersion | Defines the version of the rule set to use. | string (required) | 
MatchCondition
| Name | Description | Value | 
|---|---|---|
| matchValues | Match value. | string[] (required) | 
| matchVariables | List of match variables. | MatchVariable[] (required) | 
| negationConditon | Whether this condition is negated. | bool | 
| operator | The operator to be matched. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'Regex' (required) | 
| transforms | List of transforms. | String array containing any of: 'HtmlEntityDecode' 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' | 
MatchVariable
| Name | Description | Value | 
|---|---|---|
| selector | The selector of match variable. | string | 
| variableName | Match Variable. | 'PostArgs' 'QueryString' 'RemoteAddr' 'RequestBody' 'RequestCookies' 'RequestHeaders' 'RequestMethod' 'RequestUri' (required) | 
OwaspCrsExclusionEntry
| Name | Description | Value | 
|---|---|---|
| exclusionManagedRuleSets | The managed rule sets that are associated with the exclusion. | ExclusionManagedRuleSet[] | 
| matchVariable | The variable to be excluded. | 'RequestArgKeys' 'RequestArgNames' 'RequestArgValues' 'RequestCookieKeys' 'RequestCookieNames' 'RequestCookieValues' 'RequestHeaderKeys' 'RequestHeaderNames' 'RequestHeaderValues' (required) | 
| selector | When matchVariable is a collection, the selector that specifies which elements in the collection this exclusion applies to. | string (required) | 
| selectorMatchOperator | When matchVariable is a collection, the operator applied to the selector to specify which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) | 
PolicySettings
| Name | Description | Value | 
|---|---|---|
| customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Max length = 32768 Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ | 
| customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int Constraints: Min value = 0 | 
| fileUploadEnforcement | Whether to allow WAF to enforce file upload limits. | bool | 
| fileUploadLimitInMb | Maximum file upload size in MB for WAF. | int Constraints: Min value = 0 | 
| jsChallengeCookieExpirationInMins | Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes. | int Constraints: Min value = 5 Max value = 1440 | 
| logScrubbing | To scrub sensitive log fields | PolicySettingsLogScrubbing | 
| maxRequestBodySizeInKb | Maximum request body size in Kb for WAF. | int Constraints: Min value = 8 | 
| mode | The mode of the policy. | 'Detection' 'Prevention' | 
| requestBodyCheck | Whether to allow WAF to check request Body. | bool | 
| requestBodyEnforcement | Whether to allow WAF to enforce request body limits. | bool | 
| requestBodyInspectLimitInKB | Maximum request body inspection limit in KB for WAF. | int | 
| state | The state of the policy. | 'Disabled' 'Enabled' | 
PolicySettingsLogScrubbing
| Name | Description | Value | 
|---|---|---|
| scrubbingRules | The rules that are applied to the logs for scrubbing. | WebApplicationFirewallScrubbingRules[] | 
| state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
WebApplicationFirewallCustomRule
| Name | Description | Value | 
|---|---|---|
| action | Type of Actions. | 'Allow' 'Block' 'JSChallenge' 'Log' (required) | 
| groupByUserSession | List of user session identifier group by clauses. | GroupByUserSession[] | 
| matchConditions | List of match conditions. | MatchCondition[] (required) | 
| name | The name of the resource that is unique within a policy. This name can be used to access the resource. | string Constraints: Max length = 128 | 
| priority | Priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) | 
| rateLimitDuration | Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule. | 'FiveMins' 'OneMin' | 
| rateLimitThreshold | Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1. | int | 
| ruleType | The rule type. | 'Invalid' 'MatchRule' 'RateLimitRule' (required) | 
| state | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' | 
WebApplicationFirewallPolicyPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| customRules | The custom rules inside the policy. | WebApplicationFirewallCustomRule[] | 
| managedRules | Describes the managedRules structure. | ManagedRulesDefinition (required) | 
| policySettings | The PolicySettings for policy. | PolicySettings | 
WebApplicationFirewallScrubbingRules
| Name | Description | Value | 
|---|---|---|
| matchVariable | The variable to be scrubbed from the logs. | 'RequestArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestJSONArgNames' 'RequestPostArgNames' (required) | 
| selector | When matchVariable is a collection, the selector that specifies which elements in the collection this rule applies to. | string | 
| selectorMatchOperator | When matchVariable is a collection, the operator applied to the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) | 
| state | Defines the state of log scrubbing rule. Default value is Enabled. | 'Disabled' 'Enabled' | 
Usage Examples
Terraform Samples
A basic example of deploying an Azure Web Application Firewall Policy instance.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}
resource "azapi_resource" "ApplicationGatewayWebApplicationFirewallPolicy" {
  type      = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      customRules = [
      ]
      managedRules = {
        exclusions = [
        ]
        managedRuleSets = [
          {
            ruleGroupOverrides = [
            ]
            ruleSetType    = "OWASP"
            ruleSetVersion = "3.1"
          },
        ]
      }
      policySettings = {
        fileUploadLimitInMb    = 100
        maxRequestBodySizeInKb = 128
        mode                   = "Detection"
        requestBodyCheck       = true
        state                  = "Enabled"
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
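The basic sample above deploys the policy in Detection mode with no custom rules, exclusions or log scrubbing. The following is an added example, not code from the reference page or from Microsoft, showing how the property values documented in the tables above combine into an enforcing policy. It assumes the same `azapi` provider, `resourceGroup` resource and `resource_name`/`location` variables as the basic sample; the trusted address range `10.0.0.0/8`, the `/admin` path, the `app_session` cookie name and the OWASP CRS group name and rule id are constructed placeholders that you would replace with values from your own environment and rule set.

```hcl
# Added example (not from the Azure reference page): a WAF policy that uses the
# properties documented above to move from detection-only to enforcement.
# Assumes the azapi provider, resourceGroup resource and variables from the
# basic sample above; trusted range, path, cookie name and CRS rule ids are
# constructed placeholders to adapt to your environment.
resource "azapi_resource" "wafPolicyHardened" {
  type      = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2025-01-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = "${var.resource_name}-hardened"
  location  = var.location
  body = {
    properties = {
      customRules = [
        {
          # Rate limit: block a client address that sends more than 100 requests
          # per minute; the negated IPMatch exempts the constructed trusted range.
          name               = "RateLimitPerClient"
          priority           = 10
          ruleType           = "RateLimitRule"
          state              = "Enabled"
          action             = "Block"
          rateLimitDuration  = "OneMin"
          rateLimitThreshold = 100
          groupByUserSession = [{ groupByVariables = [{ variableName = "ClientAddr" }] }]
          matchConditions = [{
            matchVariables   = [{ variableName = "RemoteAddr" }]
            operator         = "IPMatch"
            negationConditon = true # property name exactly as the API spells it
            matchValues      = ["10.0.0.0/8"]
          }]
        },
        {
          # Match rule: both conditions must hold (AND). Transforms normalise the
          # URI so case and URL-encoding do not defeat the prefix comparison.
          name     = "BlockExternalAdmin"
          priority = 20
          ruleType = "MatchRule"
          state    = "Enabled"
          action   = "Block"
          matchConditions = [
            {
              matchVariables   = [{ variableName = "RequestUri" }]
              operator         = "BeginsWith"
              negationConditon = false
              transforms       = ["Lowercase", "UrlDecode"]
              matchValues      = ["/admin"]
            },
            {
              matchVariables   = [{ variableName = "RemoteAddr" }]
              operator         = "IPMatch"
              negationConditon = true
              matchValues      = ["10.0.0.0/8"]
            }
          ]
        }
      ]
      managedRules = {
        managedRuleSets = [{
          ruleSetType    = "OWASP"
          ruleSetVersion = "3.1"
          # Keep a noisy rule enabled but log-only while it is tuned, instead of
          # disabling the whole group (group name and rule id are placeholders).
          ruleGroupOverrides = [{
            ruleGroupName = "REQUEST-942-APPLICATION-ATTACK-SQLI"
            rules         = [{ ruleId = "942100", state = "Enabled", action = "Log" }]
          }]
        }]
        # Exclude one cookie's value from inspection rather than turning rules off.
        exclusions = [{
          matchVariable         = "RequestCookieNames"
          selectorMatchOperator = "Equals"
          selector              = "app_session"
        }]
      }
      policySettings = {
        state                  = "Enabled"
        mode                   = "Prevention" # the basic sample above only detects
        requestBodyCheck       = true
        requestBodyEnforcement = true
        maxRequestBodySizeInKb = 128
        fileUploadEnforcement  = true
        fileUploadLimitInMb    = 100
        customBlockResponseStatusCode = 403
        # The API requires the body in Base64 (see the pattern constraint above).
        customBlockResponseBody = base64encode("<html><body>Request blocked.</body></html>")
        logScrubbing = {
          state = "Enabled"
          scrubbingRules = [
            { matchVariable = "RequestHeaderNames", selectorMatchOperator = "Equals", selector = "Authorization", state = "Enabled" },
            { matchVariable = "RequestIPAddress", selectorMatchOperator = "EqualsAny", state = "Enabled" }
          ]
        }
      }
    }
  }
  schema_validation_enabled = false
}
```

Points worth checking before applying a policy like this: `mode = "Prevention"` is what turns managed-rule and custom-rule matches into blocks, so run in `Detection` first and review the logs; the match conditions inside one custom rule are combined with AND, which is why the trusted-range exemption is repeated in each rule; a per-cookie exclusion keeps the OWASP rules active for every other part of the request, whereas a rule-group override with `state = "Disabled"` removes that protection entirely; and the log-scrubbing rules stop the `Authorization` header value and client IP addresses from being written to WAF logs, which matters once those logs leave the network boundary.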
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Application Gateway Web Application Firewall (WAF) Policy | AVM Resource Module for Application Gateway Web Application Firewall (WAF) Policy |