{ "swagger": "2.0", "info": { "version": "2019-06-15-preview", "title": "Azure CDN WebApplicationFirewallManagement", "description": "APIs to manage web application firewall rules for Azure CDN" }, "host": "management.azure.com", "schemes": [ "https" ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "security": [ { "azure_auth": [ "user_impersonation" ] } ], "securityDefinitions": { "azure_auth": { "type": "oauth2", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", "flow": "implicit", "description": "Azure Active Directory OAuth2 Flow.", "scopes": { "user_impersonation": "impersonate your user account" } } }, "paths": { "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/CdnWebApplicationFirewallPolicies": { "get": { "tags": [ "WebApplicationFirewallPolicies" ], "description": "Lists all of the protection policies within a resource group.", "operationId": "Policies_List", "parameters": [ { "$ref": "#/parameters/ResourceGroupNameParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK. The request has succeeded.", "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicyList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "./cdn.json#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List Policies in a Resource Group": { "$ref": "./examples/WafListPolicies.json" } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/CdnWebApplicationFirewallPolicies/{policyName}": { "get": { "tags": [ "WebApplicationFirewallPolicies" ], "description": "Retrieve protection policy with specified name within a resource group.", "operationId": "Policies_Get", "parameters": [ { "$ref": "#/parameters/ResourceGroupNameParameter" }, { "$ref": "#/parameters/PolicyNameParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK. The request has succeeded.", "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "./cdn.json#/definitions/ErrorResponse" } } }, "x-ms-examples": { "Get Policy": { "$ref": "./examples/WafPolicyGet.json" } } }, "put": { "tags": [ "WebApplicationFirewallPolicies" ], "description": "Create or update policy with specified rule set name within a resource group.", "operationId": "Policies_CreateOrUpdate", "parameters": [ { "$ref": "#/parameters/ResourceGroupNameParameter" }, { "$ref": "#/parameters/PolicyNameParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ApiVersionParameter" }, { "description": "Policy to be created.", "in": "body", "name": "cdnWebApplicationFirewallPolicy", "required": true, "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" } } ], "responses": { "200": { "description": "OK. The request has succeeded.", "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" } }, "201": { "description": "Created. The request has been fulfilled and a new protection policy has been created.", "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" } }, "202": { "description": "Accepted. The request has been accepted for processing and the operation will complete asynchronously.", "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "./cdn.json#/definitions/ErrorResponse" } } }, "x-ms-examples": { "Creates specific policy": { "$ref": "./examples/WafPolicyCreateOrUpdate.json" } }, "x-ms-long-running-operation": true }, "patch": { "tags": [ "WebApplicationFirewallPolicies" ], "description": "Update an existing CdnWebApplicationFirewallPolicy with the specified policy name under the specified subscription and resource group", "operationId": "Policies_Update", "parameters": [ { "$ref": "#/parameters/ResourceGroupNameParameter" }, { "$ref": "#/parameters/PolicyNameParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ApiVersionParameter" }, { "description": "CdnWebApplicationFirewallPolicy parameters to be patched.", "in": "body", "name": "cdnWebApplicationFirewallPolicyPatchParameters", "required": true, "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicyPatchParameters" } } ], "responses": { "200": { "description": "OK. The request has succeeded.", "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" } }, "202": { "description": "Accepted. The request has been accepted for processing and the operation will complete asynchronously.", "schema": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "./cdn.json#/definitions/ErrorResponse" } } }, "x-ms-examples": { "Creates specific policy": { "$ref": "./examples/WafPatchPolicy.json" } }, "x-ms-long-running-operation": true }, "delete": { "tags": [ "WebApplicationFirewallPolicies" ], "description": "Deletes Policy", "operationId": "Policies_Delete", "parameters": [ { "$ref": "#/parameters/ResourceGroupNameParameter" }, { "$ref": "#/parameters/PolicyNameParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "Delete successful." }, "204": { "description": "No Content. The request has been accepted but the policy was not found." } }, "x-ms-examples": { "Delete protection policy": { "$ref": "./examples/WafPolicyDelete.json" } }, "x-ms-long-running-operation": false } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Cdn/CdnWebApplicationFirewallManagedRuleSets": { "get": { "tags": [ "WebApplicationFirewallManagedRuleSets" ], "description": "Lists all available managed rule sets.", "operationId": "ManagedRuleSets_List", "parameters": [ { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "Success. The operation returns a list of all available web application firewall managed rule sets.", "schema": { "$ref": "#/definitions/ManagedRuleSetDefinitionList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "./cdn.json#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List Policies in a Resource Group": { "$ref": "./examples/WafListManagedRuleSets.json" } } } } }, "definitions": { "CdnWebApplicationFirewallPolicyList": { "description": "Defines a list of WebApplicationFirewallPolicies for Azure CDN. It contains a list of WebApplicationFirewallPolicy objects and a URL link to get the next set of results.", "properties": { "value": { "type": "array", "readOnly": true, "items": { "$ref": "#/definitions/CdnWebApplicationFirewallPolicy" }, "description": "List of Azure CDN WebApplicationFirewallPolicies within a resource group." }, "nextLink": { "type": "string", "description": "URL to get the next set of WebApplicationFirewallPolicy objects if there are any." } } }, "CdnWebApplicationFirewallPolicy": { "description": "Defines web application firewall policy for Azure CDN.", "properties": { "properties": { "x-ms-client-flatten": true, "description": "Properties of the web application firewall policy.", "$ref": "#/definitions/CdnWebApplicationFirewallPolicyProperties" }, "etag": { "type": "string", "description": "Gets a unique read-only string that changes whenever the resource is updated." }, "sku": { "description": "The pricing tier (defines a CDN provider, feature list and rate) of the CdnWebApplicationFirewallPolicy.", "$ref": "./cdn.json#/definitions/Sku" } }, "required": [ "sku" ], "allOf": [ { "$ref": "./cdn.json#/definitions/TrackedResource" } ] }, "CdnWebApplicationFirewallPolicyPatchParameters": { "type": "object", "description": "Properties required to update a CdnWebApplicationFirewallPolicy.", "properties": { "tags": { "description": "CdnWebApplicationFirewallPolicy tags", "type": "object", "additionalProperties": { "type": "string" } } }, "x-ms-azure-resource": true }, "CdnWebApplicationFirewallPolicyProperties": { "description": "Defines CDN web application firewall policy properties.", "properties": { "policySettings": { "description": "Describes policySettings for policy", "$ref": "#/definitions/policySettings" }, "rateLimitRules": { "description": "Describes rate limit rules inside the policy.", "$ref": "#/definitions/RateLimitRuleList" }, "customRules": { "description": "Describes custom rules inside the policy.", "$ref": "#/definitions/CustomRuleList" }, "managedRules": { "description": "Describes managed rules inside the policy.", "$ref": "#/definitions/ManagedRuleSetList" }, "endpointLinks": { "description": "Describes Azure CDN endpoints associated with this Web Application Firewall policy.", "type": "array", "readOnly": true, "items": { "$ref": "#/definitions/CdnEndpoint" } }, "provisioningState": { "readOnly": true, "type": "string", "description": "Provisioning state of the WebApplicationFirewallPolicy.", "enum": [ "Creating", "Succeeded", "Failed" ], "x-ms-enum": { "name": "ProvisioningState", "modelAsString": true } }, "resourceState": { "title": "Resource status of the policy.", "readOnly": true, "enum": [ "Creating", "Enabling", "Enabled", "Disabling", "Disabled", "Deleting" ], "type": "string", "x-ms-enum": { "name": "PolicyResourceState", "modelAsString": true } } } }, "policySettings": { "description": "Defines contents of a web application firewall global configuration", "properties": { "enabledState": { "description": "describes if the policy is in enabled state or disabled state", "type": "string", "enum": [ "Disabled", "Enabled" ], "x-ms-enum": { "name": "PolicyEnabledState", "modelAsString": true } }, "mode": { "description": "Describes if it is in detection mode or prevention mode at policy level.", "type": "string", "enum": [ "Prevention", "Detection" ], "x-ms-enum": { "name": "PolicyMode", "modelAsString": true } }, "defaultRedirectUrl": { "description": "If action type is redirect, this field represents the default redirect URL for the client.", "type": "string" }, "defaultCustomBlockResponseStatusCode": { "description": "If the action type is block, this field defines the default customer overridable http response status code.", "type": "integer", "enum": [ 200, 403, 405, 406, 429 ] }, "defaultCustomBlockResponseBody": { "description": "If the action type is block, customer can override the response body. The body must be specified in base64 encoding.", "type": "string", "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$" } } }, "CdnEndpoint": { "description": "Defines the ARM Resource ID for the linked endpoints", "type": "object", "readOnly": true, "properties": { "id": { "type": "string", "description": "ARM Resource ID string." } } }, "CustomRuleList": { "description": "Defines contents of custom rules", "properties": { "rules": { "description": "List of rules", "type": "array", "items": { "$ref": "#/definitions/CustomRule" } } } }, "CustomRule": { "description": "Defines the common attributes for a custom rule that can be included in a waf policy", "type": "object", "required": [ "name", "priority", "matchConditions", "action" ], "properties": { "name": { "description": "Defines the name of the custom rule", "type": "string" }, "enabledState": { "description": "Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.", "type": "string", "enum": [ "Disabled", "Enabled" ], "x-ms-enum": { "name": "CustomRuleEnabledState", "modelAsString": true } }, "priority": { "description": "Defines in what order this rule be evaluated in the overall list of custom rules", "type": "integer", "maximum": 1000, "exclusiveMaximum": false, "minimum": 0, "exclusiveMinimum": false }, "matchConditions": { "description": "List of match conditions.", "type": "array", "items": { "$ref": "#/definitions/MatchCondition" } }, "action": { "description": "Describes what action to be applied when rule matches", "$ref": "#/definitions/ActionType" } } }, "RateLimitRuleList": { "description": "Defines contents of rate limit rules", "properties": { "rules": { "description": "List of rules", "type": "array", "items": { "$ref": "#/definitions/RateLimitRule" } } } }, "RateLimitRule": { "description": "Defines a rate limiting rule that can be included in a waf policy", "type": "object", "required": [ "rateLimitThreshold", "rateLimitDurationInMinutes" ], "properties": { "rateLimitThreshold": { "description": "Defines rate limit threshold.", "type": "integer", "minimum": 0, "exclusiveMinimum": false }, "rateLimitDurationInMinutes": { "description": "Defines rate limit duration. Default is 1 minute.", "type": "integer", "maximum": 60, "exclusiveMaximum": false, "minimum": 0, "exclusiveMinimum": false } }, "allOf": [ { "$ref": "#/definitions/CustomRule" } ] }, "MatchCondition": { "description": "Define match conditions", "required": [ "matchVariable", "operator", "matchValue" ], "properties": { "matchVariable": { "description": "Match variable to compare against.", "type": "string", "enum": [ "RemoteAddr", "SocketAddr", "RequestMethod", "RequestHeader", "RequestUri", "QueryString", "RequestBody", "Cookies", "PostArgs" ], "x-ms-enum": { "name": "MatchVariable", "modelAsString": true } }, "selector": { "description": "Selector can used to match a specific key for QueryString, Cookies, RequestHeader or PostArgs.", "type": "string" }, "operator": { "description": "Describes operator to be matched", "type": "string", "enum": [ "Any", "IPMatch", "GeoMatch", "Equal", "Contains", "LessThan", "GreaterThan", "LessThanOrEqual", "GreaterThanOrEqual", "BeginsWith", "EndsWith", "RegEx" ], "x-ms-enum": { "name": "operator", "modelAsString": true } }, "negateCondition": { "description": "Describes if the result of this condition should be negated.", "type": "boolean" }, "matchValue": { "description": "List of possible match values.", "type": "array", "items": { "type": "string" } }, "transforms": { "description": "List of transforms.", "type": "array", "items": { "$ref": "#/definitions/TransformType" } } } }, "TransformType": { "description": "Describes what transforms were applied before matching.", "type": "string", "enum": [ "Lowercase", "Uppercase", "Trim", "UrlDecode", "UrlEncode", "RemoveNulls" ], "x-ms-enum": { "name": "TransformType", "modelAsString": true } }, "ManagedRuleSetList": { "description": "Defines the list of managed rule sets for the policy.", "properties": { "managedRuleSets": { "description": "List of rule sets.", "type": "array", "items": { "$ref": "#/definitions/ManagedRuleSet" } } } }, "ManagedRuleSet": { "type": "object", "description": "Defines a managed rule set.", "required": [ "ruleSetType", "ruleSetVersion" ], "properties": { "ruleSetType": { "description": "Defines the rule set type to use.", "type": "string" }, "ruleSetVersion": { "description": "Defines the version of the rule set to use.", "type": "string" }, "anomalyScore": { "description": "Verizon only : If the rule set supports anomaly detection mode, this describes the threshold for blocking requests.", "type": "integer", "maximum": 20, "exclusiveMaximum": false, "minimum": 0, "exclusiveMinimum": false }, "ruleGroupOverrides": { "description": "Defines the rule overrides to apply to the rule set.", "type": "array", "items": { "$ref": "#/definitions/ManagedRuleGroupOverride" } } } }, "ManagedRuleGroupOverride": { "description": "Defines a managed rule group override setting.", "required": [ "ruleGroupName" ], "properties": { "ruleGroupName": { "description": "Describes the managed rule group within the rule set to override", "type": "string" }, "rules": { "description": "List of rules that will be disabled. If none specified, all rules in the group will be disabled.", "type": "array", "items": { "$ref": "#/definitions/ManagedRuleOverride" } } } }, "ManagedRuleOverride": { "description": "Defines a managed rule group override setting.", "required": [ "ruleId" ], "properties": { "ruleId": { "description": "Identifier for the managed rule.", "type": "string" }, "enabledState": { "description": "Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified.", "type": "string", "enum": [ "Disabled", "Enabled" ], "x-ms-enum": { "name": "ManagedRuleEnabledState", "modelAsString": true } }, "action": { "description": "Describes the override action to be applied when rule matches.", "$ref": "#/definitions/ActionType" } } }, "ManagedRuleSetDefinitionList": { "description": "List of managed rule set definitions available for use in a policy.", "properties": { "value": { "description": "List of managed rule set definitions.", "readOnly": true, "type": "array", "items": { "$ref": "#/definitions/ManagedRuleSetDefinition" } }, "nextLink": { "type": "string", "description": "URL to retrieve next set of managed rule set definitions." } } }, "ManagedRuleSetDefinition": { "description": "Describes a managed rule set definition.", "properties": { "properties": { "description": "Describes managed rule set definition properties.", "x-ms-client-flatten": true, "$ref": "#/definitions/ManagedRuleSetDefinitionProperties" }, "sku": { "description": "The pricing tier (defines a CDN provider, feature list and rate) of the CdnWebApplicationFirewallPolicy.", "$ref": "./cdn.json#/definitions/Sku" } }, "allOf": [ { "$ref": "./cdn.json#/definitions/Resource" } ] }, "ManagedRuleSetDefinitionProperties": { "description": "Properties for a managed rule set definition.", "properties": { "provisioningState": { "type": "string", "readOnly": true, "description": "Provisioning state of the managed rule set." }, "ruleSetType": { "type": "string", "readOnly": true, "description": "Type of the managed rule set." }, "ruleSetVersion": { "type": "string", "readOnly": true, "description": "Version of the managed rule set type." }, "ruleGroups": { "type": "array", "readOnly": true, "items": { "$ref": "#/definitions/ManagedRuleGroupDefinition" }, "description": "Rule groups of the managed rule set." } } }, "ManagedRuleGroupDefinition": { "description": "Describes a managed rule group.", "properties": { "ruleGroupName": { "type": "string", "readOnly": true, "description": "Name of the managed rule group." }, "description": { "type": "string", "readOnly": true, "description": "Description of the managed rule group." }, "rules": { "type": "array", "readOnly": true, "items": { "$ref": "#/definitions/ManagedRuleDefinition" }, "description": "List of rules within the managed rule group." } } }, "ManagedRuleDefinition": { "description": "Describes a managed rule definition.", "properties": { "ruleId": { "description": "Identifier for the managed rule.", "readOnly": true, "type": "string" }, "description": { "description": "Describes the functionality of the managed rule.", "readOnly": true, "type": "string" } } }, "ActionType": { "description": "Defines the action to take on rule match.", "type": "string", "enum": [ "Allow", "Block", "Log", "Redirect" ], "x-ms-enum": { "name": "ActionType", "modelAsString": true } } }, "parameters": { "SubscriptionIdParameter": { "name": "subscriptionId", "in": "path", "description": "Azure Subscription ID.", "required": true, "type": "string" }, "ApiVersionParameter": { "name": "api-version", "in": "query", "required": true, "type": "string", "description": "Version of the API to be used with the client request. Current version is 2017-04-02." }, "PolicyNameParameter": { "name": "policyName", "in": "path", "required": true, "type": "string", "maxLength": 128, "x-ms-parameter-location": "method", "description": "The name of the CdnWebApplicationFirewallPolicy." }, "ResourceGroupNameParameter": { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "pattern": "^[a-zA-Z0-9_\\-\\(\\)\\.]*[^\\.]$", "minLength": 1, "maxLength": 80, "x-ms-parameter-location": "method", "description": "Name of the Resource group within the Azure subscription." } } }