Firewall
FirewallPolicy Resource. Uses Azure REST API version 2023-02-01. In version 1.x of the Azure Native provider, it used API version 2020-11-01. Other available API versions: 2020-04-01, 2021-08-01, 2023-04-01, 2023-05-01, 2023-06-01, 2023-09-01, 2023-11-01, 2024-01-01, 2024-03-01, 2024-05-01.
Example Usage
Create FirewallPolicy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var firewallPolicy = new AzureNative.Network.FirewallPolicy("firewallPolicy", new()
{
DnsSettings = new AzureNative.Network.Inputs.DnsSettingsArgs
{
EnableProxy = true,
RequireProxyForNetworkRules = false,
Servers = new[]
{
"30.3.4.5",
},
},
ExplicitProxy = new AzureNative.Network.Inputs.ExplicitProxyArgs
{
EnableExplicitProxy = true,
EnablePacFile = true,
HttpPort = 8087,
HttpsPort = 8087,
PacFile = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D",
PacFilePort = 8087,
},
FirewallPolicyName = "firewallPolicy",
Insights = new AzureNative.Network.Inputs.FirewallPolicyInsightsArgs
{
IsEnabled = true,
LogAnalyticsResources = new AzureNative.Network.Inputs.FirewallPolicyLogAnalyticsResourcesArgs
{
DefaultWorkspaceId = new AzureNative.Network.Inputs.SubResourceArgs
{
Id = "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace",
},
Workspaces = new[]
{
new AzureNative.Network.Inputs.FirewallPolicyLogAnalyticsWorkspaceArgs
{
Region = "westus",
WorkspaceId = new AzureNative.Network.Inputs.SubResourceArgs
{
Id = "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1",
},
},
new AzureNative.Network.Inputs.FirewallPolicyLogAnalyticsWorkspaceArgs
{
Region = "eastus",
WorkspaceId = new AzureNative.Network.Inputs.SubResourceArgs
{
Id = "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2",
},
},
},
},
RetentionDays = 100,
},
IntrusionDetection = new AzureNative.Network.Inputs.FirewallPolicyIntrusionDetectionArgs
{
Configuration = new AzureNative.Network.Inputs.FirewallPolicyIntrusionDetectionConfigurationArgs
{
BypassTrafficSettings = new[]
{
new AzureNative.Network.Inputs.FirewallPolicyIntrusionDetectionBypassTrafficSpecificationsArgs
{
Description = "Rule 1",
DestinationAddresses = new[]
{
"5.6.7.8",
},
DestinationPorts = new[]
{
"*",
},
Name = "bypassRule1",
Protocol = AzureNative.Network.FirewallPolicyIntrusionDetectionProtocol.TCP,
SourceAddresses = new[]
{
"1.2.3.4",
},
},
},
SignatureOverrides = new[]
{
new AzureNative.Network.Inputs.FirewallPolicyIntrusionDetectionSignatureSpecificationArgs
{
Id = "2525004",
Mode = AzureNative.Network.FirewallPolicyIntrusionDetectionStateType.Deny,
},
},
},
Mode = AzureNative.Network.FirewallPolicyIntrusionDetectionStateType.Alert,
},
Location = "West US",
ResourceGroupName = "rg1",
Sku = new AzureNative.Network.Inputs.FirewallPolicySkuArgs
{
Tier = AzureNative.Network.FirewallPolicySkuTier.Premium,
},
Snat = new AzureNative.Network.Inputs.FirewallPolicySNATArgs
{
PrivateRanges = new[]
{
"IANAPrivateRanges",
},
},
Sql = new AzureNative.Network.Inputs.FirewallPolicySQLArgs
{
AllowSqlRedirect = true,
},
Tags =
{
{ "key1", "value1" },
},
ThreatIntelMode = AzureNative.Network.AzureFirewallThreatIntelMode.Alert,
ThreatIntelWhitelist = new AzureNative.Network.Inputs.FirewallPolicyThreatIntelWhitelistArgs
{
Fqdns = new[]
{
"*.microsoft.com",
},
IpAddresses = new[]
{
"20.3.4.5",
},
},
TransportSecurity = new AzureNative.Network.Inputs.FirewallPolicyTransportSecurityArgs
{
CertificateAuthority = new AzureNative.Network.Inputs.FirewallPolicyCertificateAuthorityArgs
{
KeyVaultSecretId = "https://kv/secret",
Name = "clientcert",
},
},
});
});Content copied to clipboard
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := network.NewFirewallPolicy(ctx, "firewallPolicy", &network.FirewallPolicyArgs{
DnsSettings: &network.DnsSettingsArgs{
EnableProxy: pulumi.Bool(true),
RequireProxyForNetworkRules: pulumi.Bool(false),
Servers: pulumi.StringArray{
pulumi.String("30.3.4.5"),
},
},
ExplicitProxy: &network.ExplicitProxyArgs{
EnableExplicitProxy: pulumi.Bool(true),
EnablePacFile: pulumi.Bool(true),
HttpPort: pulumi.Int(8087),
HttpsPort: pulumi.Int(8087),
PacFile: pulumi.String("https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"),
PacFilePort: pulumi.Int(8087),
},
FirewallPolicyName: pulumi.String("firewallPolicy"),
Insights: &network.FirewallPolicyInsightsArgs{
IsEnabled: pulumi.Bool(true),
LogAnalyticsResources: &network.FirewallPolicyLogAnalyticsResourcesArgs{
DefaultWorkspaceId: &network.SubResourceArgs{
Id: pulumi.String("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"),
},
Workspaces: network.FirewallPolicyLogAnalyticsWorkspaceArray{
&network.FirewallPolicyLogAnalyticsWorkspaceArgs{
Region: pulumi.String("westus"),
WorkspaceId: &network.SubResourceArgs{
Id: pulumi.String("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"),
},
},
&network.FirewallPolicyLogAnalyticsWorkspaceArgs{
Region: pulumi.String("eastus"),
WorkspaceId: &network.SubResourceArgs{
Id: pulumi.String("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"),
},
},
},
},
RetentionDays: pulumi.Int(100),
},
IntrusionDetection: &network.FirewallPolicyIntrusionDetectionArgs{
Configuration: &network.FirewallPolicyIntrusionDetectionConfigurationArgs{
BypassTrafficSettings: network.FirewallPolicyIntrusionDetectionBypassTrafficSpecificationsArray{
&network.FirewallPolicyIntrusionDetectionBypassTrafficSpecificationsArgs{
Description: pulumi.String("Rule 1"),
DestinationAddresses: pulumi.StringArray{
pulumi.String("5.6.7.8"),
},
DestinationPorts: pulumi.StringArray{
pulumi.String("*"),
},
Name: pulumi.String("bypassRule1"),
Protocol: pulumi.String(network.FirewallPolicyIntrusionDetectionProtocolTCP),
SourceAddresses: pulumi.StringArray{
pulumi.String("1.2.3.4"),
},
},
},
SignatureOverrides: network.FirewallPolicyIntrusionDetectionSignatureSpecificationArray{
&network.FirewallPolicyIntrusionDetectionSignatureSpecificationArgs{
Id: pulumi.String("2525004"),
Mode: pulumi.String(network.FirewallPolicyIntrusionDetectionStateTypeDeny),
},
},
},
Mode: pulumi.String(network.FirewallPolicyIntrusionDetectionStateTypeAlert),
},
Location: pulumi.String("West US"),
ResourceGroupName: pulumi.String("rg1"),
Sku: &network.FirewallPolicySkuArgs{
Tier: pulumi.String(network.FirewallPolicySkuTierPremium),
},
Snat: &network.FirewallPolicySNATArgs{
PrivateRanges: pulumi.StringArray{
pulumi.String("IANAPrivateRanges"),
},
},
Sql: &network.FirewallPolicySQLArgs{
AllowSqlRedirect: pulumi.Bool(true),
},
Tags: pulumi.StringMap{
"key1": pulumi.String("value1"),
},
ThreatIntelMode: pulumi.String(network.AzureFirewallThreatIntelModeAlert),
ThreatIntelWhitelist: &network.FirewallPolicyThreatIntelWhitelistArgs{
Fqdns: pulumi.StringArray{
pulumi.String("*.microsoft.com"),
},
IpAddresses: pulumi.StringArray{
pulumi.String("20.3.4.5"),
},
},
TransportSecurity: &network.FirewallPolicyTransportSecurityArgs{
CertificateAuthority: &network.FirewallPolicyCertificateAuthorityArgs{
KeyVaultSecretId: pulumi.String("https://kv/secret"),
Name: pulumi.String("clientcert"),
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.FirewallPolicy;
import com.pulumi.azurenative.network.FirewallPolicyArgs;
import com.pulumi.azurenative.network.inputs.DnsSettingsArgs;
import com.pulumi.azurenative.network.inputs.ExplicitProxyArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicyInsightsArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicyLogAnalyticsResourcesArgs;
import com.pulumi.azurenative.network.inputs.SubResourceArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicyIntrusionDetectionArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicyIntrusionDetectionConfigurationArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicySkuArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicySNATArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicySQLArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicyThreatIntelWhitelistArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicyTransportSecurityArgs;
import com.pulumi.azurenative.network.inputs.FirewallPolicyCertificateAuthorityArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var firewallPolicy = new FirewallPolicy("firewallPolicy", FirewallPolicyArgs.builder()
.dnsSettings(DnsSettingsArgs.builder()
.enableProxy(true)
.requireProxyForNetworkRules(false)
.servers("30.3.4.5")
.build())
.explicitProxy(ExplicitProxyArgs.builder()
.enableExplicitProxy(true)
.enablePacFile(true)
.httpPort(8087)
.httpsPort(8087)
.pacFile("https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D")
.pacFilePort(8087)
.build())
.firewallPolicyName("firewallPolicy")
.insights(FirewallPolicyInsightsArgs.builder()
.isEnabled(true)
.logAnalyticsResources(FirewallPolicyLogAnalyticsResourcesArgs.builder()
.defaultWorkspaceId(SubResourceArgs.builder()
.id("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace")
.build())
.workspaces(
FirewallPolicyLogAnalyticsWorkspaceArgs.builder()
.region("westus")
.workspaceId(SubResourceArgs.builder()
.id("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1")
.build())
.build(),
FirewallPolicyLogAnalyticsWorkspaceArgs.builder()
.region("eastus")
.workspaceId(SubResourceArgs.builder()
.id("/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2")
.build())
.build())
.build())
.retentionDays(100)
.build())
.intrusionDetection(FirewallPolicyIntrusionDetectionArgs.builder()
.configuration(FirewallPolicyIntrusionDetectionConfigurationArgs.builder()
.bypassTrafficSettings(FirewallPolicyIntrusionDetectionBypassTrafficSpecificationsArgs.builder()
.description("Rule 1")
.destinationAddresses("5.6.7.8")
.destinationPorts("*")
.name("bypassRule1")
.protocol("TCP")
.sourceAddresses("1.2.3.4")
.build())
.signatureOverrides(FirewallPolicyIntrusionDetectionSignatureSpecificationArgs.builder()
.id("2525004")
.mode("Deny")
.build())
.build())
.mode("Alert")
.build())
.location("West US")
.resourceGroupName("rg1")
.sku(FirewallPolicySkuArgs.builder()
.tier("Premium")
.build())
.snat(FirewallPolicySNATArgs.builder()
.privateRanges("IANAPrivateRanges")
.build())
.sql(FirewallPolicySQLArgs.builder()
.allowSqlRedirect(true)
.build())
.tags(Map.of("key1", "value1"))
.threatIntelMode("Alert")
.threatIntelWhitelist(FirewallPolicyThreatIntelWhitelistArgs.builder()
.fqdns("*.microsoft.com")
.ipAddresses("20.3.4.5")
.build())
.transportSecurity(FirewallPolicyTransportSecurityArgs.builder()
.certificateAuthority(FirewallPolicyCertificateAuthorityArgs.builder()
.keyVaultSecretId("https://kv/secret")
.name("clientcert")
.build())
.build())
.build());
}
}Content copied to clipboard
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:network:FirewallPolicy firewallPolicy /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}Content copied to clipboard
Properties
Link copied to clipboard
The parent firewall policy from which rules are inherited.
Link copied to clipboard
List of references to Child Firewall Policies.
Link copied to clipboard
DNS Proxy Settings definition.
Link copied to clipboard
Explicit Proxy Settings definition.
Link copied to clipboard
List of references to Azure Firewalls that this Firewall Policy is associated with.
Link copied to clipboard
The identity of the firewall policy.
Link copied to clipboard
Insights on Firewall Policy.
Link copied to clipboard
The configuration for Intrusion detection.
Link copied to clipboard
The provisioning state of the firewall policy resource.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
List of references to FirewallPolicyRuleCollectionGroups.
Link copied to clipboard
The Firewall Policy SKU.
Link copied to clipboard
The private IP addresses/IP ranges to which traffic will not be SNAT.
Link copied to clipboard
SQL Settings definition.
Link copied to clipboard
The operation mode for Threat Intelligence.
Link copied to clipboard
ThreatIntel Whitelist for Firewall Policy.
Link copied to clipboard
TLS Configuration definition.