swagger: '2.0' info: version: 2023-07-01-preview title: Microsoft Azure Azure CDN WebApplicationFirewallManagement description: APIs to manage web application firewall rules for Azure CDN host: management.azure.com schemes: - https consumes: - application/json produces: - application/json security: - azure_auth: - user_impersonation securityDefinitions: azure_auth: type: oauth2 authorizationUrl: https://login.microsoftonline.com/common/oauth2/authorize flow: implicit description: Azure Active Directory OAuth2 Flow. scopes: user_impersonation: impersonate your user account paths: ? /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/cdnWebApplicationFirewallPolicies : get: tags: - WebApplicationFirewallPolicies description: Lists all of the protection policies within a resource group. operationId: microsoftAzurePoliciesList parameters: - $ref: '#/parameters/ResourceGroupNameParameter' - $ref: '#/parameters/subscriptionIdParameter' - $ref: '#/parameters/apiVersionParameter' responses: '200': description: OK. The request has succeeded. schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicyList' default: description: Error response describing why the operation failed. schema: $ref: ./cdn.json#/definitions/ErrorResponse x-ms-pageable: nextLinkName: nextLink x-ms-examples: List Policies in a Resource Group: $ref: ./examples/WafListPolicies.json summary: >- Microsoft Azure Get Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies ? /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/cdnWebApplicationFirewallPolicies/{policyName} : get: tags: - WebApplicationFirewallPolicies description: Retrieve protection policy with specified name within a resource group. operationId: microsoftAzurePoliciesGet parameters: - $ref: '#/parameters/ResourceGroupNameParameter' - $ref: '#/parameters/PolicyNameParameter' - $ref: '#/parameters/subscriptionIdParameter' - $ref: '#/parameters/apiVersionParameter' responses: '200': description: OK. The request has succeeded. schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' default: description: Error response describing why the operation failed. schema: $ref: ./cdn.json#/definitions/ErrorResponse x-ms-examples: Get Policy: $ref: ./examples/WafPolicyGet.json summary: >- Microsoft Azure Get Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname put: tags: - WebApplicationFirewallPolicies description: >- Create or update policy with specified rule set name within a resource group. operationId: microsoftAzurePoliciesCreateorupdate parameters: - $ref: '#/parameters/ResourceGroupNameParameter' - $ref: '#/parameters/PolicyNameParameter' - $ref: '#/parameters/subscriptionIdParameter' - $ref: '#/parameters/apiVersionParameter' - description: Policy to be created. in: body name: cdnWebApplicationFirewallPolicy required: true schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' responses: '200': description: OK. The request has succeeded. schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' '201': description: >- Created. The request has been fulfilled and a new protection policy has been created. schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' '202': description: >- Accepted. The request has been accepted for processing and the operation will complete asynchronously. headers: location: type: string schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' default: description: Error response describing why the operation failed. schema: $ref: ./cdn.json#/definitions/ErrorResponse x-ms-examples: Creates specific policy: $ref: ./examples/WafPolicyCreateOrUpdate.json x-ms-long-running-operation: true summary: >- Microsoft Azure Put Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname patch: tags: - WebApplicationFirewallPolicies description: >- Update an existing CdnWebApplicationFirewallPolicy with the specified policy name under the specified subscription and resource group operationId: microsoftAzurePoliciesUpdate parameters: - $ref: '#/parameters/ResourceGroupNameParameter' - $ref: '#/parameters/PolicyNameParameter' - $ref: '#/parameters/subscriptionIdParameter' - $ref: '#/parameters/apiVersionParameter' - description: CdnWebApplicationFirewallPolicy parameters to be patched. in: body name: cdnWebApplicationFirewallPolicyPatchParameters required: true schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicyPatchParameters' responses: '200': description: OK. The request has succeeded. schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' '202': description: >- Accepted. The request has been accepted for processing and the operation will complete asynchronously. headers: location: type: string schema: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' default: description: Error response describing why the operation failed. schema: $ref: ./cdn.json#/definitions/ErrorResponse x-ms-examples: Creates specific policy: $ref: ./examples/WafPatchPolicy.json x-ms-long-running-operation: true summary: >- Microsoft Azure Patch Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname delete: tags: - WebApplicationFirewallPolicies description: Deletes Policy operationId: microsoftAzurePoliciesDelete parameters: - $ref: '#/parameters/ResourceGroupNameParameter' - $ref: '#/parameters/PolicyNameParameter' - $ref: '#/parameters/subscriptionIdParameter' - $ref: '#/parameters/apiVersionParameter' responses: '200': description: Delete successful. '204': description: >- No Content. The request has been accepted but the policy was not found. default: description: Error response describing why the operation failed. schema: $ref: ./cdn.json#/definitions/ErrorResponse x-ms-examples: Delete protection policy: $ref: ./examples/WafPolicyDelete.json x-ms-long-running-operation: false summary: >- Microsoft Azure Delete Subscriptions Subscriptionid Resourcegroups Resourcegroupname Providers Microsoft Cdn Cdnwebapplicationfirewallpolicies Policyname /subscriptions/{subscriptionId}/providers/Microsoft.Cdn/cdnWebApplicationFirewallManagedRuleSets: get: tags: - WebApplicationFirewallManagedRuleSets description: Lists all available managed rule sets. operationId: microsoftAzureManagedrulesetsList parameters: - $ref: '#/parameters/subscriptionIdParameter' - $ref: '#/parameters/apiVersionParameter' responses: '200': description: >- Success. The operation returns a list of all available web application firewall managed rule sets. schema: $ref: '#/definitions/ManagedRuleSetDefinitionList' default: description: Error response describing why the operation failed. schema: $ref: ./cdn.json#/definitions/ErrorResponse x-ms-pageable: nextLinkName: nextLink x-ms-examples: List Policies in a Resource Group: $ref: ./examples/WafListManagedRuleSets.json summary: >- Microsoft Azure Get Subscriptions Subscriptionid Providers Microsoft Cdn Cdnwebapplicationfirewallmanagedrulesets definitions: CdnWebApplicationFirewallPolicyList: description: >- Defines a list of WebApplicationFirewallPolicies for Azure CDN. It contains a list of WebApplicationFirewallPolicy objects and a URL link to get the next set of results. properties: value: type: array readOnly: true items: $ref: '#/definitions/CdnWebApplicationFirewallPolicy' description: >- List of Azure CDN WebApplicationFirewallPolicies within a resource group. nextLink: type: string description: >- URL to get the next set of WebApplicationFirewallPolicy objects if there are any. CdnWebApplicationFirewallPolicy: description: Defines web application firewall policy for Azure CDN. properties: properties: x-ms-client-flatten: true description: Properties of the web application firewall policy. $ref: '#/definitions/CdnWebApplicationFirewallPolicyProperties' etag: type: string description: >- Gets a unique read-only string that changes whenever the resource is updated. sku: description: >- The pricing tier (defines a CDN provider, feature list and rate) of the CdnWebApplicationFirewallPolicy. $ref: ./cdn.json#/definitions/Sku required: - sku allOf: - $ref: ./cdn.json#/definitions/TrackedResource CdnWebApplicationFirewallPolicyPatchParameters: type: object description: Properties required to update a CdnWebApplicationFirewallPolicy. properties: tags: description: CdnWebApplicationFirewallPolicy tags type: object additionalProperties: type: string x-ms-azure-resource: true CdnWebApplicationFirewallPolicyProperties: description: Defines CDN web application firewall policy properties. properties: policySettings: description: Describes policySettings for policy $ref: '#/definitions/policySettings' rateLimitRules: description: Describes rate limit rules inside the policy. $ref: '#/definitions/RateLimitRuleList' customRules: description: Describes custom rules inside the policy. $ref: '#/definitions/CustomRuleList' managedRules: description: Describes managed rules inside the policy. $ref: '#/definitions/ManagedRuleSetList' endpointLinks: description: >- Describes Azure CDN endpoints associated with this Web Application Firewall policy. type: array readOnly: true items: $ref: '#/definitions/CdnEndpoint' extendedProperties: description: >- Key-Value pair representing additional properties for Web Application Firewall policy. type: object additionalProperties: type: string provisioningState: readOnly: true type: string description: Provisioning state of the WebApplicationFirewallPolicy. enum: - Creating - Succeeded - Failed x-ms-enum: name: ProvisioningState modelAsString: true resourceState: title: Resource status of the policy. readOnly: true enum: - Creating - Enabling - Enabled - Disabling - Disabled - Deleting type: string x-ms-enum: name: PolicyResourceState modelAsString: true policySettings: description: Defines contents of a web application firewall global configuration properties: enabledState: description: describes if the policy is in enabled state or disabled state type: string enum: - Disabled - Enabled x-ms-enum: name: PolicyEnabledState modelAsString: true mode: description: >- Describes if it is in detection mode or prevention mode at policy level. type: string enum: - Prevention - Detection x-ms-enum: name: PolicyMode modelAsString: true defaultRedirectUrl: description: >- If action type is redirect, this field represents the default redirect URL for the client. type: string defaultCustomBlockResponseStatusCode: description: >- If the action type is block, this field defines the default customer overridable http response status code. type: integer format: int32 enum: - 200 - 403 - 405 - 406 - 429 defaultCustomBlockResponseBody: description: >- If the action type is block, customer can override the response body. The body must be specified in base64 encoding. type: string pattern: >- ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ CdnEndpoint: description: Defines the ARM Resource ID for the linked endpoints type: object readOnly: true properties: id: type: string description: ARM Resource ID string. CustomRuleList: description: Defines contents of custom rules properties: rules: description: List of rules type: array items: $ref: '#/definitions/CustomRule' x-ms-identifiers: - name CustomRule: description: >- Defines the common attributes for a custom rule that can be included in a waf policy type: object required: - name - priority - matchConditions - action properties: name: description: Defines the name of the custom rule type: string enabledState: description: >- Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. type: string enum: - Disabled - Enabled x-ms-enum: name: CustomRuleEnabledState modelAsString: true priority: description: >- Defines in what order this rule be evaluated in the overall list of custom rules type: integer format: int32 maximum: 1000 exclusiveMaximum: false minimum: 0 exclusiveMinimum: false matchConditions: description: List of match conditions. type: array items: $ref: '#/definitions/MatchCondition' x-ms-identifiers: [] action: description: Describes what action to be applied when rule matches $ref: '#/definitions/ActionType' RateLimitRuleList: description: Defines contents of rate limit rules properties: rules: description: List of rules type: array items: $ref: '#/definitions/RateLimitRule' x-ms-identifiers: - name RateLimitRule: description: Defines a rate limiting rule that can be included in a waf policy type: object required: - rateLimitThreshold - rateLimitDurationInMinutes properties: rateLimitThreshold: description: Defines rate limit threshold. type: integer format: int32 minimum: 0 exclusiveMinimum: false rateLimitDurationInMinutes: description: Defines rate limit duration. Default is 1 minute. type: integer format: int32 maximum: 60 exclusiveMaximum: false minimum: 0 exclusiveMinimum: false allOf: - $ref: '#/definitions/CustomRule' MatchCondition: description: Define match conditions required: - matchVariable - operator - matchValue properties: matchVariable: description: Match variable to compare against. type: string enum: - RemoteAddr - SocketAddr - RequestMethod - RequestHeader - RequestUri - QueryString - RequestBody - Cookies - PostArgs x-ms-enum: name: WafMatchVariable modelAsString: true selector: description: >- Selector can used to match a specific key for QueryString, Cookies, RequestHeader or PostArgs. type: string operator: description: Describes operator to be matched type: string enum: - Any - IPMatch - GeoMatch - Equal - Contains - LessThan - GreaterThan - LessThanOrEqual - GreaterThanOrEqual - BeginsWith - EndsWith - RegEx x-ms-enum: name: operator modelAsString: true negateCondition: description: Describes if the result of this condition should be negated. type: boolean matchValue: description: List of possible match values. type: array items: type: string transforms: description: List of transforms. type: array items: $ref: '#/definitions/TransformType' TransformType: description: Describes what transforms were applied before matching. type: string enum: - Lowercase - Uppercase - Trim - UrlDecode - UrlEncode - RemoveNulls x-ms-enum: name: TransformType modelAsString: true ManagedRuleSetList: description: Defines the list of managed rule sets for the policy. properties: managedRuleSets: description: List of rule sets. type: array items: $ref: '#/definitions/ManagedRuleSet' x-ms-identifiers: - ruleSetType - ruleSetVersion ManagedRuleSet: type: object description: Defines a managed rule set. required: - ruleSetType - ruleSetVersion properties: ruleSetType: description: Defines the rule set type to use. type: string ruleSetVersion: description: Defines the version of the rule set to use. type: string anomalyScore: description: >- Verizon only : If the rule set supports anomaly detection mode, this describes the threshold for blocking requests. type: integer format: int32 maximum: 20 exclusiveMaximum: false minimum: 0 exclusiveMinimum: false ruleGroupOverrides: description: Defines the rule overrides to apply to the rule set. type: array items: $ref: '#/definitions/ManagedRuleGroupOverride' x-ms-identifiers: - ruleGroupName ManagedRuleGroupOverride: description: Defines a managed rule group override setting. required: - ruleGroupName properties: ruleGroupName: description: Describes the managed rule group within the rule set to override type: string rules: description: >- List of rules that will be enabled. If none specified, all rules in the group will be disabled. type: array items: $ref: '#/definitions/ManagedRuleOverride' x-ms-identifiers: - ruleId ManagedRuleOverride: description: Defines a managed rule group override setting. required: - ruleId properties: ruleId: description: Identifier for the managed rule. type: string enabledState: description: >- Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. type: string enum: - Disabled - Enabled x-ms-enum: name: ManagedRuleEnabledState modelAsString: true action: description: Describes the override action to be applied when rule matches. $ref: '#/definitions/ActionType' ManagedRuleSetDefinitionList: description: List of managed rule set definitions available for use in a policy. properties: value: description: List of managed rule set definitions. readOnly: true type: array items: $ref: '#/definitions/ManagedRuleSetDefinition' nextLink: type: string description: URL to retrieve next set of managed rule set definitions. ManagedRuleSetDefinition: description: Describes a managed rule set definition. properties: properties: description: Describes managed rule set definition properties. x-ms-client-flatten: true $ref: '#/definitions/ManagedRuleSetDefinitionProperties' sku: description: >- The pricing tier (defines a CDN provider, feature list and rate) of the CdnWebApplicationFirewallPolicy. $ref: ./cdn.json#/definitions/Sku allOf: - $ref: ./cdn.json#/definitions/Resource ManagedRuleSetDefinitionProperties: description: Properties for a managed rule set definition. properties: provisioningState: type: string readOnly: true description: Provisioning state of the managed rule set. ruleSetType: type: string readOnly: true description: Type of the managed rule set. ruleSetVersion: type: string readOnly: true description: Version of the managed rule set type. ruleGroups: type: array readOnly: true items: $ref: '#/definitions/ManagedRuleGroupDefinition' x-ms-identifiers: - ruleGroupName description: Rule groups of the managed rule set. ManagedRuleGroupDefinition: description: Describes a managed rule group. properties: ruleGroupName: type: string readOnly: true description: Name of the managed rule group. description: type: string readOnly: true description: Description of the managed rule group. rules: type: array readOnly: true items: $ref: '#/definitions/ManagedRuleDefinition' x-ms-identifiers: - ruleId description: List of rules within the managed rule group. ManagedRuleDefinition: description: Describes a managed rule definition. properties: ruleId: description: Identifier for the managed rule. readOnly: true type: string description: description: Describes the functionality of the managed rule. readOnly: true type: string ActionType: description: Defines the action to take on rule match. type: string enum: - Allow - Block - Log - Redirect x-ms-enum: name: ActionType modelAsString: true parameters: subscriptionIdParameter: name: subscriptionId in: path description: Azure Subscription ID. required: true type: string apiVersionParameter: name: api-version in: query required: true type: string description: >- Version of the API to be used with the client request. Current version is 2023-05-01. PolicyNameParameter: name: policyName in: path required: true type: string maxLength: 128 x-ms-parameter-location: method description: The name of the CdnWebApplicationFirewallPolicy. ResourceGroupNameParameter: name: resourceGroupName in: path required: true type: string pattern: ^[a-zA-Z0-9_\-\(\)\.]*[^\.]$ minLength: 1 maxLength: 80 x-ms-parameter-location: method description: Name of the Resource group within the Azure subscription. tags: - name: WebApplicationFirewallManagedRuleSets - name: WebApplicationFirewallPolicies