Microsoft Azure Cdn Web Application Firewall Management

Microsoft Azure CDN Web Application Firewall Management is the API for managing the web application firewall (WAF) policies that protect web applications hosted on Azure CDN. These policies are intended to guard against threats such as DDoS attacks, SQL injection, and cross-site scripting.

OpenAPI Specification

azure-cdn-webapplicationfirewallmanagement-openapi-original.yml
# Swagger 2.0 description of the Azure CDN WAF policy management API.
# Every operation is served from management.azure.com over HTTPS only
# (`schemes` lists nothing else) and exchanges JSON bodies.
swagger: '2.0'
info:
  # Quoted so the value stays a string under every YAML loader; without the
  # `-preview` suffix a bare 2023-07-01 would be typed as a date by YAML 1.1
  # loaders. The suffix marks this as a preview API version.
  version: '2023-07-01-preview'
  title: Microsoft Azure Azure CDN WebApplicationFirewallManagement
  description: APIs to manage web application firewall rules for Azure CDN
host: management.azure.com
schemes:
  - https
consumes:
  - application/json
produces:
  - application/json
# Top-level requirement: every operation needs an Azure AD OAuth2 token with
# the `user_impersonation` scope. No operation in this file declares its own
# `security` entry, so none of them relaxes or tightens this.
security:
  - azure_auth:
      - user_impersonation
securityDefinitions:
  azure_auth:
    type: oauth2
    authorizationUrl: https://login.microsoftonline.com/common/oauth2/authorize
    # Declared as the OAuth2 implicit flow: only an authorization URL is
    # given and no token URL.
    # NOTE(review): this describes the scheme for tooling; which grant an
    # automation client really uses to obtain its token is not visible here.
    flow: implicit
    description: Azure Active Directory OAuth2 Flow.
    scopes:
      # The only scope defined. It delegates the caller's own permissions, so
      # what a token may do to WAF policies is presumably decided by the
      # caller's role assignments rather than by this scope - confirm against
      # the service's access-control documentation.
      user_impersonation: impersonate your user account
paths:
  # Collection endpoint: read-only listing of the WAF policies in one
  # resource group, paged through `nextLink`.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/cdnWebApplicationFirewallPolicies:
    get:
      tags:
        - WebApplicationFirewallPolicies
      description: Lists all of the protection policies within a resource group.
      operationId: microsoftAzurePoliciesList
      parameters:
        - $ref: '#/parameters/ResourceGroupNameParameter'
        - $ref: '#/parameters/subscriptionIdParameter'
        - $ref: '#/parameters/apiVersionParameter'
      responses:
        '200':
          description: OK. The request has succeeded.
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicyList'
        # Every non-200 status. The error shape is defined in ./cdn.json,
        # which is not part of this file.
        default:
          description: Error response describing why the operation failed.
          schema:
            $ref: ./cdn.json#/definitions/ErrorResponse
      x-ms-pageable:
        nextLinkName: nextLink
      x-ms-examples:
        List Policies in a Resource Group:
          $ref: ./examples/WafListPolicies.json
      # NOTE(review): this summary looks machine-generated from the HTTP
      # method and path; `description` carries the human-readable text.
      summary: >-
        Microsoft Azure Get Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies
  # Item endpoint for one named policy. `get` is the read-only operation; the
  # write operations on the same path follow it.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/cdnWebApplicationFirewallPolicies/{policyName}:
    get:
      tags:
        - WebApplicationFirewallPolicies
      description: Retrieve protection policy with specified name within a resource group.
      operationId: microsoftAzurePoliciesGet
      parameters:
        - $ref: '#/parameters/ResourceGroupNameParameter'
        - $ref: '#/parameters/PolicyNameParameter'
        - $ref: '#/parameters/subscriptionIdParameter'
        - $ref: '#/parameters/apiVersionParameter'
      responses:
        # Returns the full policy, including its rule lists and settings.
        '200':
          description: OK. The request has succeeded.
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
        # Every non-200 status. The error shape is defined in ./cdn.json,
        # which is not part of this file.
        default:
          description: Error response describing why the operation failed.
          schema:
            $ref: ./cdn.json#/definitions/ErrorResponse
      x-ms-examples:
        Get Policy:
          $ref: ./examples/WafPolicyGet.json
      # NOTE(review): this summary looks machine-generated from the HTTP
      # method and path; `description` carries the human-readable text.
      summary: >-
        Microsoft Azure Get Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname
    # Creates or updates the named policy. The body is a complete
    # CdnWebApplicationFirewallPolicy, so a single call can change the policy
    # settings and every rule list; this is the write path to review when
    # auditing who is able to weaken a policy.
    # NOTE(review): the description says "rule set name" where the path
    # parameter is the policy name; looks like a wording slip.
    put:
      tags:
        - WebApplicationFirewallPolicies
      description: >-
        Create or update policy with specified rule set name within a resource
        group.
      operationId: microsoftAzurePoliciesCreateorupdate
      parameters:
        - $ref: '#/parameters/ResourceGroupNameParameter'
        - $ref: '#/parameters/PolicyNameParameter'
        - $ref: '#/parameters/subscriptionIdParameter'
        - $ref: '#/parameters/apiVersionParameter'
        # Required request body; the same schema is returned by 200/201/202.
        - description: Policy to be created.
          in: body
          name: cdnWebApplicationFirewallPolicy
          required: true
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
      responses:
        '200':
          description: OK. The request has succeeded.
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
        '201':
          description: >-
            Created. The request has been fulfilled and a new protection policy
            has been created.
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
        # Asynchronous completion: the change has been accepted, not applied.
        # The `location` header is presumably the URL to poll - its meaning is
        # not described here.
        '202':
          description: >-
            Accepted. The request has been accepted for processing and the
            operation will complete asynchronously.
          headers:
            location:
              type: string
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
        default:
          description: Error response describing why the operation failed.
          schema:
            $ref: ./cdn.json#/definitions/ErrorResponse
      x-ms-examples:
        Creates specific policy:
          $ref: ./examples/WafPolicyCreateOrUpdate.json
      # Marks the operation as long-running for client generators.
      x-ms-long-running-operation: true
      # NOTE(review): this summary looks machine-generated from the HTTP
      # method and path.
      summary: >-
        Microsoft Azure Put Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname
    # Updates an existing policy. The body schema
    # (CdnWebApplicationFirewallPolicyPatchParameters) declares only `tags`,
    # so as specified this operation carries no rule or settings changes;
    # those go through PUT on the same path.
    patch:
      tags:
        - WebApplicationFirewallPolicies
      description: >-
        Update an existing CdnWebApplicationFirewallPolicy with the specified
        policy name under the specified subscription and resource group
      operationId: microsoftAzurePoliciesUpdate
      parameters:
        - $ref: '#/parameters/ResourceGroupNameParameter'
        - $ref: '#/parameters/PolicyNameParameter'
        - $ref: '#/parameters/subscriptionIdParameter'
        - $ref: '#/parameters/apiVersionParameter'
        - description: CdnWebApplicationFirewallPolicy parameters to be patched.
          in: body
          name: cdnWebApplicationFirewallPolicyPatchParameters
          required: true
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicyPatchParameters'
      responses:
        '200':
          description: OK. The request has succeeded.
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
        # Asynchronous completion; the `location` header is presumably the URL
        # to poll - its meaning is not described here.
        '202':
          description: >-
            Accepted. The request has been accepted for processing and the
            operation will complete asynchronously.
          headers:
            location:
              type: string
          schema:
            $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
        default:
          description: Error response describing why the operation failed.
          schema:
            $ref: ./cdn.json#/definitions/ErrorResponse
      x-ms-examples:
        # NOTE(review): the example label repeats the PUT operation's
        # "Creates specific policy" although it points at the patch example
        # file; looks copied.
        Creates specific policy:
          $ref: ./examples/WafPatchPolicy.json
      x-ms-long-running-operation: true
      # NOTE(review): this summary looks machine-generated from the HTTP
      # method and path.
      summary: >-
        Microsoft Azure Patch Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname
    # Deletes the named policy. Declared as synchronous
    # (`x-ms-long-running-operation: false`), unlike PUT and PATCH.
    # NOTE(review): nothing here says what happens to the endpoints linked to
    # a policy (`endpointLinks`) when the policy is deleted; confirm before
    # relying on delete in automation.
    delete:
      tags:
        - WebApplicationFirewallPolicies
      description: Deletes Policy
      operationId: microsoftAzurePoliciesDelete
      parameters:
        - $ref: '#/parameters/ResourceGroupNameParameter'
        - $ref: '#/parameters/PolicyNameParameter'
        - $ref: '#/parameters/subscriptionIdParameter'
        - $ref: '#/parameters/apiVersionParameter'
      responses:
        '200':
          description: Delete successful.
        # Per the description, 204 means the policy did not exist: deleting an
        # unknown name is reported as success, not as an error.
        '204':
          description: >-
            No Content. The request has been accepted but the policy was not
            found.
        default:
          description: Error response describing why the operation failed.
          schema:
            $ref: ./cdn.json#/definitions/ErrorResponse
      x-ms-examples:
        Delete protection policy:
          $ref: ./examples/WafPolicyDelete.json
      x-ms-long-running-operation: false
      # NOTE(review): this summary looks machine-generated from the HTTP
      # method and path.
      summary: >-
        Microsoft Azure Delete Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname
  # Subscription-scoped, read-only catalogue of managed rule sets (no resource
  # group in the path). Presumably the source of the `ruleSetType` /
  # `ruleSetVersion` values a policy's managed rule sets refer to.
  /subscriptions/{subscriptionId}/providers/Microsoft.Cdn/cdnWebApplicationFirewallManagedRuleSets:
    get:
      tags:
        - WebApplicationFirewallManagedRuleSets
      description: Lists all available managed rule sets.
      operationId: microsoftAzureManagedrulesetsList
      parameters:
        - $ref: '#/parameters/subscriptionIdParameter'
        - $ref: '#/parameters/apiVersionParameter'
      responses:
        '200':
          description: >-
            Success. The operation returns a list of all available web
            application firewall managed rule sets.
          schema:
            $ref: '#/definitions/ManagedRuleSetDefinitionList'
        default:
          description: Error response describing why the operation failed.
          schema:
            $ref: ./cdn.json#/definitions/ErrorResponse
      x-ms-pageable:
        nextLinkName: nextLink
      x-ms-examples:
        # NOTE(review): the label says "List Policies in a Resource Group" but
        # the operation lists managed rule sets per subscription; looks copied
        # from the policy list operation.
        List Policies in a Resource Group:
          $ref: ./examples/WafListManagedRuleSets.json
      # NOTE(review): this summary looks machine-generated from the HTTP
      # method and path.
      summary: >-
        Microsoft Azure Get Subscriptions Subscriptionid Providers Microsoft Cdn Cdnwebapplicationfirewallmanagedrulesets
definitions:
  # Paged list wrapper returned by the list-policies operation.
  # NOTE(review): no `type: object` is declared here (several other
  # definitions in this file omit it too). Tooling usually infers it from
  # `properties`, but a strict validator applies `properties` only when the
  # instance is an object.
  CdnWebApplicationFirewallPolicyList:
    description: >-
      Defines a list of WebApplicationFirewallPolicies for Azure CDN. It
      contains a list of WebApplicationFirewallPolicy objects and a URL link to
      get the next set of results.
    properties:
      value:
        type: array
        readOnly: true
        items:
          $ref: '#/definitions/CdnWebApplicationFirewallPolicy'
        description: >-
          List of Azure CDN WebApplicationFirewallPolicies within a resource
          group.
      # Matches `x-ms-pageable.nextLinkName` on the list operation.
      nextLink:
        type: string
        description: >-
          URL to get the next set of WebApplicationFirewallPolicy objects if
          there are any.
  # The policy resource: fields inherited from TrackedResource (defined in
  # ./cdn.json, not shown here) plus `properties`, `etag` and a required `sku`.
  CdnWebApplicationFirewallPolicy:
    description: Defines web application firewall policy for Azure CDN.
    properties:
      properties:
        # NOTE(review): keys written next to `$ref` (`x-ms-client-flatten`,
        # `description`) are ignored by strict JSON Reference resolvers;
        # whether they take effect depends on the tool reading this file.
        x-ms-client-flatten: true
        description: Properties of the web application firewall policy.
        $ref: '#/definitions/CdnWebApplicationFirewallPolicyProperties'
      # Described as read-only, but `readOnly: true` is not set, so
      # schema-driven tooling treats it as writable. No operation in this file
      # takes an If-Match header, so optimistic concurrency on policy updates
      # is not expressed here.
      etag:
        type: string
        description: >-
          Gets a unique read-only string that changes whenever the resource is
          updated.
      sku:
        description: >-
          The pricing tier (defines a CDN provider, feature list and rate) of
          the CdnWebApplicationFirewallPolicy.
        $ref: ./cdn.json#/definitions/Sku
    required:
      - sku
    allOf:
      - $ref: ./cdn.json#/definitions/TrackedResource
  # Body of the PATCH operation. Only `tags` is declared, so rule lists and
  # policy settings are not part of a patch as specified.
  # NOTE(review): `additionalProperties` is not restricted at this level, so
  # the schema by itself does not reject extra members; what the service does
  # with them is not visible here.
  CdnWebApplicationFirewallPolicyPatchParameters:
    type: object
    description: Properties required to update a CdnWebApplicationFirewallPolicy.
    properties:
      tags:
        description: CdnWebApplicationFirewallPolicy tags
        type: object
        # Free-form string-to-string map; no key or value constraints.
        additionalProperties:
          type: string
    x-ms-azure-resource: true
  # The writable rule configuration of a policy (settings, rate-limit, custom
  # and managed rules) together with read-only status fields.
  CdnWebApplicationFirewallPolicyProperties:
    description: Defines CDN web application firewall policy properties.
    properties:
      policySettings:
        description: Describes  policySettings for policy
        $ref: '#/definitions/policySettings'
      rateLimitRules:
        description: Describes rate limit rules inside the policy.
        $ref: '#/definitions/RateLimitRuleList'
      customRules:
        description: Describes custom rules inside the policy.
        $ref: '#/definitions/CustomRuleList'
      managedRules:
        description: Describes managed rules inside the policy.
        $ref: '#/definitions/ManagedRuleSetList'
      # Server-populated (readOnly) list of the CDN endpoints this policy is
      # associated with. An empty list presumably means the policy protects
      # nothing yet - confirm.
      endpointLinks:
        description: >-
          Describes Azure CDN endpoints associated with this Web Application
          Firewall policy.
        type: array
        readOnly: true
        items:
          $ref: '#/definitions/CdnEndpoint'
      # Free-form string-to-string map; the schema constrains neither keys
      # nor values.
      extendedProperties:
        description: >-
          Key-Value pair representing additional properties for Web Application
          Firewall policy.
        type: object
        additionalProperties:
          type: string
      # `modelAsString: true` means clients must accept values beyond the
      # three listed.
      provisioningState:
        readOnly: true
        type: string
        description: Provisioning state of the WebApplicationFirewallPolicy.
        enum:
          - Creating
          - Succeeded
          - Failed
        x-ms-enum:
          name: ProvisioningState
          modelAsString: true
      # Separate from `provisioningState`; uses `title` instead of
      # `description`.
      # NOTE(review): how this relates to `policySettings.enabledState` is not
      # stated here; when verifying that a policy is active, presumably both
      # need checking - confirm.
      resourceState:
        title: Resource status of the policy.
        readOnly: true
        enum:
          - Creating
          - Enabling
          - Enabled
          - Disabling
          - Disabled
          - Deleting
        type: string
        x-ms-enum:
          name: PolicyResourceState
          modelAsString: true
  # Policy-wide switches: on/off state, detection vs prevention mode, and the
  # defaults used by the Redirect and Block actions. No property is required
  # and no `default:` values are declared.
  policySettings:
    description: Defines contents of a web application firewall global configuration
    properties:
      enabledState:
        description: describes if the policy is in enabled state or disabled state
        type: string
        enum:
          - Disabled
          - Enabled
        x-ms-enum:
          name: PolicyEnabledState
          modelAsString: true
      # NOTE(review): the two modes are named but not defined here. If
      # Detection only records matches, a policy left in Detection is not
      # stopping requests - confirm against the service documentation and
      # include `mode` in configuration reviews.
      mode:
        description: >-
          Describes if it is in detection mode or prevention mode at policy
          level.
        type: string
        enum:
          - Prevention
          - Detection
        x-ms-enum:
          name: PolicyMode
          modelAsString: true
      # Plain string: no `format` or `pattern` restricts the scheme or host
      # that clients are redirected to.
      defaultRedirectUrl:
        description: >-
          If action type is redirect, this field represents the default redirect
          URL for the client.
        type: string
      # The allowed set includes 200. A block answered with 200 is not
      # distinguishable from served content by status code alone, which
      # matters for log-based monitoring of blocked requests.
      defaultCustomBlockResponseStatusCode:
        description: >-
          If the action type is block, this field defines the default customer
          overridable http response status code.
        type: integer
        format: int32
        enum:
          - 200
          - 403
          - 405
          - 406
          - 429
      # The pattern accepts standard-alphabet base64 with correct padding and
      # needs at least one 4-character group, so an empty string does not
      # match. No `maxLength` bounds the body size.
      defaultCustomBlockResponseBody:
        description: >-
          If the action type is block, customer can override the response body.
          The body must be specified in base64 encoding.
        type: string
        pattern: >-
          ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
  # Reference to a linked CDN endpoint, carried as an ARM resource ID string.
  # Marked readOnly at the definition level; it is used by the read-only
  # `endpointLinks` array.
  CdnEndpoint:
    description: Defines the ARM Resource ID for the linked endpoints
    type: object
    readOnly: true
    properties:
      id:
        type: string
        description: ARM Resource ID string.
  # Wrapper around the policy's custom rules; entries are identified by
  # `name` (x-ms-identifiers).
  CustomRuleList:
    description: Defines contents of custom rules
    properties:
      rules:
        description: List of rules
        type: array
        items:
          $ref: '#/definitions/CustomRule'
        x-ms-identifiers:
          - name
  # One custom rule: a name, a priority, a list of match conditions and the
  # action to apply. Also the base of RateLimitRule (via allOf).
  CustomRule:
    description: >-
      Defines the common attributes for a custom rule that can be included in a
      waf policy
    type: object
    required:
      - name
      - priority
      - matchConditions
      - action
    properties:
      name:
        description: Defines the name of the custom rule
        type: string
      # Optional. The default (Enabled) is stated in the description only; no
      # `default:` keyword encodes it.
      enabledState:
        description: >-
          Describes if the custom rule is in enabled or disabled state. Defaults
          to Enabled if not specified.
        type: string
        enum:
          - Disabled
          - Enabled
        x-ms-enum:
          name: CustomRuleEnabledState
          modelAsString: true
      # Inclusive range 0..1000.
      # NOTE(review): neither the direction (lowest first or highest first)
      # nor the handling of two rules with the same priority is stated here;
      # confirm before relying on rule order.
      priority:
        description: >-
          Defines in what order this rule be evaluated in the overall list of
          custom rules
        type: integer
        format: int32
        maximum: 1000
        exclusiveMaximum: false
        minimum: 0
        exclusiveMinimum: false
      # Required, but no `minItems`: the schema accepts an empty list.
      # NOTE(review): how a rule with no conditions evaluates, and how several
      # conditions combine, is not stated here.
      matchConditions:
        description: List of match conditions.
        type: array
        items:
          $ref: '#/definitions/MatchCondition'
        x-ms-identifiers: []
      action:
        description: Describes what action to be applied when rule matches
        $ref: '#/definitions/ActionType'
  # Wrapper around the policy's rate-limit rules; entries are identified by
  # `name` (x-ms-identifiers).
  RateLimitRuleList:
    description: Defines contents of rate limit rules
    properties:
      rules:
        description: List of rules
        type: array
        items:
          $ref: '#/definitions/RateLimitRule'
        x-ms-identifiers:
          - name
  # A CustomRule (allOf) extended with a threshold and a time window, so the
  # required CustomRule fields (name, priority, matchConditions, action) apply
  # here as well.
  RateLimitRule:
    description: Defines a rate limiting rule that can be included in a waf policy
    type: object
    required:
      - rateLimitThreshold
      - rateLimitDurationInMinutes
    properties:
      # Lower bound 0, no upper bound.
      # NOTE(review): what a threshold of 0 means is not stated here.
      rateLimitThreshold:
        description: Defines rate limit threshold.
        type: integer
        format: int32
        minimum: 0
        exclusiveMinimum: false
      # Inclusive range 0..60. The description mentions a default of 1 minute,
      # but the field is required and no `default:` keyword is declared.
      rateLimitDurationInMinutes:
        description: Defines rate limit duration. Default is 1 minute.
        type: integer
        format: int32
        maximum: 60
        exclusiveMaximum: false
        minimum: 0
        exclusiveMinimum: false
    allOf:
      - $ref: '#/definitions/CustomRule'
  # One condition of a custom rule: which part of the request to inspect
  # (`matchVariable`, optionally narrowed by `selector`), how to compare
  # (`operator`, `negateCondition`), against what (`matchValue`) and after
  # which `transforms`.
  MatchCondition:
    description: Define match conditions
    required:
      - matchVariable
      - operator
      - matchValue
    properties:
      # NOTE(review): RemoteAddr and SocketAddr are both offered but not
      # defined here. If one of them is taken from a forwarded-for style
      # header and the other is the connecting peer, IP allow/deny rules
      # behave differently behind proxies - confirm which is which before
      # writing IPMatch rules.
      matchVariable:
        description: Match variable to compare against.
        type: string
        enum:
          - RemoteAddr
          - SocketAddr
          - RequestMethod
          - RequestHeader
          - RequestUri
          - QueryString
          - RequestBody
          - Cookies
          - PostArgs
        x-ms-enum:
          name: WafMatchVariable
          modelAsString: true
      # Optional key name within the variable; per the description it applies
      # to QueryString, Cookies, RequestHeader and PostArgs.
      selector:
        description: >-
          Selector can used to match a specific key for QueryString, Cookies,
          RequestHeader or PostArgs.
        type: string
      # NOTE(review): the x-ms-enum name is lower-case `operator`, unlike the
      # PascalCase names used by the other enums in this file.
      operator:
        description: Describes operator to be matched
        type: string
        enum:
          - Any
          - IPMatch
          - GeoMatch
          - Equal
          - Contains
          - LessThan
          - GreaterThan
          - LessThanOrEqual
          - GreaterThanOrEqual
          - BeginsWith
          - EndsWith
          - RegEx
        x-ms-enum:
          name: operator
          modelAsString: true
      # Inverts the result of the condition; no default is declared.
      negateCondition:
        description: Describes if the result of this condition should be negated.
        type: boolean
      # Required list of strings with no `minItems`, item count limit or
      # length limit; the expected format (address ranges, country codes,
      # regular expressions) presumably depends on `operator` - not stated
      # here.
      matchValue:
        description: List of possible match values.
        type: array
        items:
          type: string
      # Optional.
      # NOTE(review): whether transforms run in list order is not stated here.
      transforms:
        description: List of transforms.
        type: array
        items:
          $ref: '#/definitions/TransformType'
  # Normalisation steps a match condition can request before comparison.
  # NOTE(review): presumably a condition with no transforms compares against
  # the value as received; rule authors should check that encoded and
  # mixed-case forms of the same input are covered (for example with
  # UrlDecode and Lowercase) - confirm against the service documentation.
  TransformType:
    description: Describes what transforms were applied before matching.
    type: string
    enum:
      - Lowercase
      - Uppercase
      - Trim
      - UrlDecode
      - UrlEncode
      - RemoveNulls
    x-ms-enum:
      name: TransformType
      modelAsString: true
  # Wrapper around the managed rule sets attached to a policy; entries are
  # identified by type plus version (x-ms-identifiers).
  ManagedRuleSetList:
    description: Defines the list of managed rule sets for the policy.
    properties:
      managedRuleSets:
        description: List of rule sets.
        type: array
        items:
          $ref: '#/definitions/ManagedRuleSet'
        x-ms-identifiers:
          - ruleSetType
          - ruleSetVersion
  # One managed rule set selected by type and version, with optional
  # per-group overrides.
  ManagedRuleSet:
    type: object
    description: Defines a managed rule set.
    required:
      - ruleSetType
      - ruleSetVersion
    properties:
      # Free strings: the schema does not enumerate valid types or versions.
      ruleSetType:
        description: Defines the rule set type to use.
        type: string
      ruleSetVersion:
        description: Defines the version of the rule set to use.
        type: string
      # Inclusive range 0..20; per the description this applies to Verizon
      # only and only to rule sets that support anomaly detection mode.
      # NOTE(review): what a threshold of 0 means is not stated here.
      anomalyScore:
        description: >-
          Verizon only : If the rule set supports anomaly detection mode, this
          describes the threshold for blocking requests.
        type: integer
        format: int32
        maximum: 20
        exclusiveMaximum: false
        minimum: 0
        exclusiveMinimum: false
      ruleGroupOverrides:
        description: Defines the rule overrides to apply to the rule set.
        type: array
        items:
          $ref: '#/definitions/ManagedRuleGroupOverride'
        x-ms-identifiers:
          - ruleGroupName
  # Override for one rule group of a managed rule set.
  ManagedRuleGroupOverride:
    description: Defines a managed rule group override setting.
    required:
      - ruleGroupName
    properties:
      ruleGroupName:
        description: Describes the managed rule group within the rule set to override
        type: string
      # Security-relevant default, per the description: an override that names
      # a group but lists no rules disables every rule in that group. `rules`
      # is optional, so a minimal override is enough to do that.
      rules:
        description: >-
          List of rules that will be enabled. If none specified, all rules in
          the group will be disabled.
        type: array
        items:
          $ref: '#/definitions/ManagedRuleOverride'
        x-ms-identifiers:
          - ruleId
  # Override for a single managed rule.
  # NOTE(review): the description repeats the group override's text
  # ("managed rule group override setting"); looks copied.
  ManagedRuleOverride:
    description: Defines a managed rule group override setting.
    required:
      - ruleId
    properties:
      ruleId:
        description: Identifier for the managed rule.
        type: string
      # Per the description the default is Disabled, the opposite of
      # CustomRule.enabledState (Enabled). An override entry that sets only
      # `ruleId` or `action` therefore turns the rule off. The default is
      # stated in prose only; no `default:` keyword encodes it.
      enabledState:
        description: >-
          Describes if the managed rule is in enabled or disabled state.
          Defaults to Disabled if not specified.
        type: string
        enum:
          - Disabled
          - Enabled
        x-ms-enum:
          name: ManagedRuleEnabledState
          modelAsString: true
      action:
        description: Describes the override action to be applied when rule matches.
        $ref: '#/definitions/ActionType'
  # Paged list wrapper returned by the managed-rule-sets list operation.
  ManagedRuleSetDefinitionList:
    description: List of managed rule set definitions available for use in a policy.
    properties:
      value:
        description: List of managed rule set definitions.
        readOnly: true
        type: array
        items:
          $ref: '#/definitions/ManagedRuleSetDefinition'
      # Matches `x-ms-pageable.nextLinkName` on the list operation.
      nextLink:
        type: string
        description: URL to retrieve next set of managed rule set definitions.
  # One catalogue entry: fields inherited from Resource (defined in
  # ./cdn.json, not shown here) plus `properties` and `sku`.
  ManagedRuleSetDefinition:
    description: Describes a managed rule set definition.
    properties:
      properties:
        # NOTE(review): keys written next to `$ref` are ignored by strict JSON
        # Reference resolvers; whether they take effect depends on the tool.
        description: Describes managed rule set definition properties.
        x-ms-client-flatten: true
        $ref: '#/definitions/ManagedRuleSetDefinitionProperties'
      sku:
        description: >-
          The pricing tier (defines a CDN provider, feature list and rate) of
          the CdnWebApplicationFirewallPolicy.
        $ref: ./cdn.json#/definitions/Sku
    allOf:
      - $ref: ./cdn.json#/definitions/Resource
  # Read-only description of a managed rule set: every property is marked
  # readOnly, so this model only appears in responses.
  ManagedRuleSetDefinitionProperties:
    description: Properties for a managed rule set definition.
    properties:
      # Plain string here; unlike the policy's provisioningState, no enum is
      # declared.
      provisioningState:
        type: string
        readOnly: true
        description: Provisioning state of the managed rule set.
      ruleSetType:
        type: string
        readOnly: true
        description: Type of the managed rule set.
      ruleSetVersion:
        type: string
        readOnly: true
        description: Version of the managed rule set type.
      ruleGroups:
        type: array
        readOnly: true
        items:
          $ref: '#/definitions/ManagedRuleGroupDefinition'
        x-ms-identifiers:
          - ruleGroupName
        description: Rule groups of the managed rule set.
  # Read-only description of one rule group in a managed rule set. Its
  # `ruleGroupName` is presumably the value a ManagedRuleGroupOverride refers
  # to - confirm.
  ManagedRuleGroupDefinition:
    description: Describes a managed rule group.
    properties:
      ruleGroupName:
        type: string
        readOnly: true
        description: Name of the managed rule group.
      # A property that is itself named `description`.
      description:
        type: string
        readOnly: true
        description: Description of the managed rule group.
      rules:
        type: array
        readOnly: true
        items:
          $ref: '#/definitions/ManagedRuleDefinition'
        x-ms-identifiers:
          - ruleId
        description: List of rules within the managed rule group.
  # Read-only description of a single managed rule: an identifier and text.
  # The definition does not expose the rule's default action or enabled
  # state.
  ManagedRuleDefinition:
    description: Describes a managed rule definition.
    properties:
      ruleId:
        description: Identifier for the managed rule.
        readOnly: true
        type: string
      # A property that is itself named `description`.
      description:
        description: Describes the functionality of the managed rule.
        readOnly: true
        type: string
  # Action applied when a custom rule, rate-limit rule or managed rule
  # override matches. Per the policySettings descriptions, Redirect uses
  # `defaultRedirectUrl` and Block uses the `defaultCustomBlockResponse*`
  # fields.
  # NOTE(review): whether Allow or Log stops evaluation of later rules is not
  # stated here; confirm before ordering rules around them.
  ActionType:
    description: Defines the action to take on rule match.
    type: string
    enum:
      - Allow
      - Block
      - Log
      - Redirect
    x-ms-enum:
      name: ActionType
      modelAsString: true
# Shared parameters referenced by the operations under `paths`.
parameters:
  # Path segment; no pattern or length bound is declared.
  subscriptionIdParameter:
    name: subscriptionId
    in: path
    description: Azure Subscription ID.
    required: true
    type: string
  apiVersionParameter:
    name: api-version
    in: query
    required: true
    type: string
    # NOTE(review): the text names 2023-05-01 while `info.version` of this
    # file is 2023-07-01-preview; confirm which value callers should send.
    description: >-
      Version of the API to be used with the client request. Current version is
      2023-05-01.
  # Path segment bounded only by `maxLength`; no `minLength` or `pattern`
  # restricts which characters a policy name may contain.
  PolicyNameParameter:
    name: policyName
    in: path
    required: true
    type: string
    maxLength: 128
    x-ms-parameter-location: method
    description: The name of the CdnWebApplicationFirewallPolicy.
  ResourceGroupNameParameter:
    name: resourceGroupName
    in: path
    required: true
    type: string
    # Quoted so the backslashes and brackets are plainly literal.
    # NOTE(review): the final class `[^\.]` is a negation, so the last
    # character may be anything except a dot, not only a character from the
    # allowed set before it. Validation generated from this pattern is
    # therefore looser than it looks; treat the service as the enforcement
    # point.
    pattern: '^[a-zA-Z0-9_\-\(\)\.]*[^\.]$'
    minLength: 1
    maxLength: 80
    x-ms-parameter-location: method
    description: Name of the Resource group within the Azure subscription.
# The two tag names used by the operations' `tags` lists: one groups the
# policy operations, the other the managed-rule-set listing. No descriptions
# are attached to them.
tags:
  - name: WebApplicationFirewallManagedRuleSets
  - name: WebApplicationFirewallPolicies