FirewallPolicy

class FirewallPolicy : KotlinCustomResource

IMPORTANT: This deploys an Azure Front Door (classic) resource which has been deprecated and will receive security updates only. Please migrate your existing Azure Front Door (classic) deployments to the new Azure Front Door (standard/premium) resources. For your convenience, the service team has exposed a Front Door Classic to Front Door Standard/Premium migration tool to allow you to migrate your existing Front Door Classic instances to the new Front Door Standard/Premium product tiers.

Manages an Azure Front Door (classic) Web Application Firewall Policy instance.

Be Aware: Azure is rolling out a breaking change on Friday 9th April 2021 which may cause issues with the CDN/FrontDoor resources. More information is available in this GitHub issue as the necessary changes are identified.

Example Usage

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.frontdoor.FirewallPolicy;
import com.pulumi.azure.frontdoor.FirewallPolicyArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyCustomRuleArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyCustomRuleMatchConditionArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyManagedRuleArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyManagedRuleExclusionArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyManagedRuleOverrideArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyManagedRuleOverrideExclusionArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyManagedRuleOverrideRuleArgs;
import com.pulumi.azure.frontdoor.inputs.FirewallPolicyManagedRuleOverrideRuleExclusionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-rg")
            .location("West Europe")
            .build());

        var exampleFirewallPolicy = new FirewallPolicy("exampleFirewallPolicy", FirewallPolicyArgs.builder()
            .name("examplefdwafpolicy")
            .resourceGroupName(example.name())
            .enabled(true)
            .mode("Prevention")
            .redirectUrl("https://www.contoso.com")
            .customBlockResponseStatusCode(403)
            // Base64-encoded HTML body returned to blocked clients.
            .customBlockResponseBody("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==")
            .customRules(
                // Rule1: block requests whose source address matches either CIDR range.
                FirewallPolicyCustomRuleArgs.builder()
                    .name("Rule1")
                    .enabled(true)
                    .priority(1)
                    .rateLimitDurationInMinutes(1)
                    .rateLimitThreshold(10)
                    .type("MatchRule")
                    .action("Block")
                    .matchConditions(FirewallPolicyCustomRuleMatchConditionArgs.builder()
                        .matchVariable("RemoteAddr")
                        .operator("IPMatch")
                        .negationCondition(false)
                        .matchValues(
                            "192.168.1.0/24",
                            "10.0.0.0/24")
                        .build())
                    .build(),
                // Rule2: two match conditions, a source address range and a UserAgent header substring.
                FirewallPolicyCustomRuleArgs.builder()
                    .name("Rule2")
                    .enabled(true)
                    .priority(2)
                    .rateLimitDurationInMinutes(1)
                    .rateLimitThreshold(10)
                    .type("MatchRule")
                    .action("Block")
                    .matchConditions(
                        FirewallPolicyCustomRuleMatchConditionArgs.builder()
                            .matchVariable("RemoteAddr")
                            .operator("IPMatch")
                            .negationCondition(false)
                            .matchValues("192.168.1.0/24")
                            .build(),
                        FirewallPolicyCustomRuleMatchConditionArgs.builder()
                            .matchVariable("RequestHeader")
                            .selector("UserAgent")
                            .operator("Contains")
                            .negationCondition(false)
                            .matchValues("windows")
                            .transforms(
                                "Lowercase",
                                "Trim")
                            .build())
                    .build())
            .managedRules(
                // Managed rule set with a policy-level exclusion and per-group overrides.
                FirewallPolicyManagedRuleArgs.builder()
                    .type("DefaultRuleSet")
                    .version("1.0")
                    .exclusions(FirewallPolicyManagedRuleExclusionArgs.builder()
                        .matchVariable("QueryStringArgNames")
                        .operator("Equals")
                        .selector("not_suspicious")
                        .build())
                    .overrides(
                        // Override in the PHP group: rule 933100 is set to enabled(false).
                        FirewallPolicyManagedRuleOverrideArgs.builder()
                            .ruleGroupName("PHP")
                            .rules(FirewallPolicyManagedRuleOverrideRuleArgs.builder()
                                .ruleId("933100")
                                .enabled(false)
                                .action("Block")
                                .build())
                            .build(),
                        // Override in the SQLI group: group-level and rule-level exclusions.
                        FirewallPolicyManagedRuleOverrideArgs.builder()
                            .ruleGroupName("SQLI")
                            .exclusions(FirewallPolicyManagedRuleOverrideExclusionArgs.builder()
                                .matchVariable("QueryStringArgNames")
                                .operator("Equals")
                                .selector("really_not_suspicious")
                                .build())
                            .rules(FirewallPolicyManagedRuleOverrideRuleArgs.builder()
                                .ruleId("942200")
                                .action("Block")
                                .exclusions(FirewallPolicyManagedRuleOverrideRuleExclusionArgs.builder()
                                    .matchVariable("QueryStringArgNames")
                                    .operator("Equals")
                                    .selector("innocent")
                                    .build())
                                .build())
                            .build())
                    .build(),
                FirewallPolicyManagedRuleArgs.builder()
                    .type("Microsoft_BotManagerRuleSet")
                    .version("1.0")
                    .build())
            .build());
    }
}

Import

FrontDoor Web Application Firewall Policy can be imported using the resource id, e.g.

$ pulumi import azure:frontdoor/firewallPolicy:FirewallPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/examplefdwafpolicy

Properties


If a custom_rule block's action type is block, this is the response body. The body must be specified in base64 encoding.


If a custom_rule block's action type is block, this is the response status code. Possible values are 200, 403, 405, 406, or 429.


One or more custom_rule blocks as defined below.

val enabled: Output<Boolean>?

Whether the policy is in the enabled or disabled state. Defaults to true.


The Frontend Endpoints associated with this Front Door Web Application Firewall policy.

val id: Output<String>

val location: Output<String>

The Azure Region where this Front Door Firewall Policy exists.


One or more managed_rule blocks as defined below.

val mode: Output<String>?

The firewall policy mode. Possible values are Detection, Prevention. Defaults to Prevention.

val name: Output<String>

The name of the policy. Changing this forces a new resource to be created.

val pulumiChildResources: Set<KotlinResource>

val redirectUrl: Output<String>?

If the action type is redirect, this field is the redirect URL for the client.


The name of the resource group. Changing this forces a new resource to be created.

val tags: Output<Map<String, String>>?

A mapping of tags to assign to the Web Application Firewall Policy.

val urn: Output<String>
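
The property descriptions above constrain the block response body (base64), the block response status code (200, 403, 405, 406 or 429) and the mode (Detection or Prevention). The following is an added example, not part of the Pulumi SDK or the original page, that checks those constraints before the values are passed to FirewallPolicyArgs; the class WafPolicyPreflight, its method names and the sample inputs are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Set;

// Added example: pre-deployment checks for the documented FirewallPolicy constraints.
// WafPolicyPreflight and its methods are hypothetical helpers, not Pulumi SDK classes.
public class WafPolicyPreflight {
    // Allowed values as listed in the property descriptions on this page.
    static final Set<Integer> BLOCK_STATUS_CODES = Set.of(200, 403, 405, 406, 429);
    static final Set<String> MODES = Set.of("Detection", "Prevention");

    // Build the block body from readable HTML instead of pasting opaque base64.
    static String encodeBlockBody(String html) {
        return Base64.getEncoder().encodeToString(html.getBytes(StandardCharsets.UTF_8));
    }

    // Returns one finding per violated constraint; an empty list means the inputs conform.
    static List<String> check(String mode, int statusCode, String base64Body) {
        List<String> findings = new ArrayList<>();
        if (!MODES.contains(mode)) {
            findings.add("mode must be Detection or Prevention, got: " + mode);
        }
        if (!BLOCK_STATUS_CODES.contains(statusCode)) {
            findings.add("customBlockResponseStatusCode not allowed: " + statusCode);
        }
        try {
            // The basic decoder throws on any character outside the base64 alphabet.
            Base64.getDecoder().decode(base64Body);
        } catch (IllegalArgumentException e) {
            findings.add("customBlockResponseBody is not valid base64");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String body = encodeBlockBody("<html><body>Request blocked</body></html>");
        // Conforming values.
        System.out.println(check("Prevention", 403, body));
        // Misspelled mode, unlisted status code, raw HTML passed instead of base64.
        System.out.println(check("Prevent", 404, "<html>blocked</html>"));
    }
}
```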