Upgrade front-door WAF policy command models to 2025-11-01

- Updated command models for waf-policy create/update with new schema
- Added ManagedRuleSetException support (exceptionsList)
- New subscription-level WAF policy list resource
- Updated resource specs for 2025-11-01

Author: JingnanXu

Commands/network/front-door-web-application-firewall-policy/_list.md

@@ -0,0 +1,9 @@
+# [Command] _network front-door-web-application-firewall-policy list_
+
+List all of the protection policies within a subscription.
+
+## Versions
+
+### [2025-11-01](/Resources/mgmt-plane/L3N1YnNjcmlwdGlvbnMve30vcHJvdmlkZXJzL21pY3Jvc29mdC5uZXR3b3JrL2Zyb250ZG9vcndlYmFwcGxpY2F0aW9uZmlyZXdhbGxwb2xpY2llcw==/2025-11-01.xml) **Stable**
+
+<!-- mgmt-plane /subscriptions/{}/providers/microsoft.network/frontdoorwebapplicationfirewallpolicies 2025-11-01 -->

Commands/network/front-door-web-application-firewall-policy/readme.md

@@ -0,0 +1,8 @@
+# [Group] _network front-door-web-application-firewall-policy_
+
+Manage Front Door Web Application Firewall Policy
+
+## Commands
+
+- [list](/Commands/network/front-door-web-application-firewall-policy/_list.md)
+: List all of the protection policies within a subscription.

Commands/network/front-door/waf-policy/_create.md

@@ -31,5 +31,5 @@ Create policy with specified rule set name within a resource group.
 
 - Creates specific policy
     ```bash
-        network front-door waf-policy create --resource-group rg1 --policy-name Policy1 --location WestUs --enabled-state Enabled --mode Prevention --redirect-url http://www.bing.com --custom-block-response-status-code 429 --custom-block-response-body PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg== --request-body-check Disabled --javascript-challenge-expiration-in-minutes 30 --captcha-expiration-in-minutes 30 --log-scrubbing "{state:Enabled,scrubbing-rules:[{match-variable:RequestIPAddress,selector-match-operator:EqualsAny,selector:null,state:Enabled}]}" --custom-rules "{rules:[{name:Rule1,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:IPMatch,match-value:[192.168.1.0/24,10.0.0.0/24]}],action:Block},{name:Rule2,priority:2,rule-type:MatchRule,match-conditions:[{match-variable:RemoteAddr,operator:GeoMatch,match-value:[CH]},{match-variable:RequestHeader,operator:Contains,selector:UserAgent,match-value:[windows],transforms:[Lowercase]}],action:Block},{name:Rule3,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:ServiceTagMatch,match-value:[AzureBackup,AzureBotService]}],action:CAPTCHA}]}" --managed-rules "{managed-rule-sets:[{rule-set-type:DefaultRuleSet,rule-set-version:1.0,rule-set-action:Block,exclusions:[{matchVariable:RequestHeaderNames,selectorMatchOperator:Equals,selector:User-Agent}],rule-group-overrides:[{rule-group-name:SQLI,exclusions:[{matchVariable:RequestCookieNames,selectorMatchOperator:StartsWith,selector:token}],rules:[{rule-id:942100,enabled-state:Enabled,action:Redirect,exclusions:[{matchVariable:QueryStringArgNames,selectorMatchOperator:Equals,selector:query}]},{rule-id:942110,enabled-state:Disabled}]}]},{rule-set-type:Microsoft_HTTPDDoSRuleSet,rule-set-version:1.0,rule-group-overrides:[{rule-group-name:ExcessiveRequests,rules:[{rule-id:500100,enabled-state:Enabled,action:Block,sensitivity:High}]}]}]}" --sku Premium_AzureFrontDoor
+        network front-door waf-policy create --resource-group rg1 --policy-name Policy1 --location WestUs --enabled-state Enabled --mode Prevention --redirect-url http://www.bing.com --custom-block-response-status-code 429 --custom-block-response-body PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg== --request-body-check Disabled --javascript-challenge-expiration-in-minutes 30 --captcha-expiration-in-minutes 30 --log-scrubbing "{state:Enabled,scrubbing-rules:[{match-variable:RequestIPAddress,selector-match-operator:EqualsAny,selector:null,state:Enabled}]}" --custom-rules "{rules:[{name:Rule1,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:IPMatch,match-value:[192.168.1.0/24,10.0.0.0/24]}],action:Block},{name:Rule2,priority:2,rule-type:MatchRule,match-conditions:[{match-variable:RemoteAddr,operator:GeoMatch,match-value:[CH]},{match-variable:RequestHeader,operator:Contains,selector:UserAgent,match-value:[windows],transforms:[Lowercase]}],action:Block},{name:Rule3,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:ServiceTagMatch,match-value:[AzureBackup,AzureBotService]}],action:CAPTCHA}]}" --managed-rules "{managed-rule-sets:[{rule-set-type:Microsoft_DefaultRuleSet,rule-set-version:2.2,rule-set-action:Block,exclusions:[{matchVariable:RequestHeaderNames,selectorMatchOperator:Equals,selector:User-Agent}],rule-group-overrides:[{rule-group-name:SQLI,exclusions:[{matchVariable:RequestCookieNames,selectorMatchOperator:StartsWith,selector:token}],rules:[{rule-id:942100,enabled-state:Enabled,action:Redirect,exclusions:[{matchVariable:QueryStringArgNames,selectorMatchOperator:Equals,selector:query}]},{rule-id:942110,enabled-state:Disabled}]}]},{rule-set-type:Microsoft_HTTPDDoSRuleSet,rule-set-version:1.0,rule-group-overrides:[{rule-group-name:ExcessiveRequests,rules:[{rule-id:500100,enabled-state:Enabled,action:Block,sensitivity:High}]}]}],exceptions-list:{exceptions:[{match-variable:RequestHeaderNames,selector-match-operator:Equals,selector:User-Agent,value-match-operator:Contains,match-values:[Mozilla],scopes:[{rule-set-type:Microsoft_DefaultRuleSet,rule-set-version:2.2},{rule-set-type:Microsoft_HTTPDDoSRuleSet,rule-set-version:1.0}]}]}}" --sku Premium_AzureFrontDoor
     ```

Commands/network/front-door/waf-policy/_update.md

@@ -54,14 +54,7 @@ Update policy with specified rule set name within a resource group.
 
 #### examples
 
-- update log scrubbing
+- Creates specific policy
     ```bash
-        network front-door waf-policy update -g rg -n n1 --log-scrubbing "{scrubbing-rules:[{match-variable:QueryStringArgNames,selector-match-operator:EqualsAny}],state:Enabled}"
-        network front-door waf-policy update -g rg -n n1 --log-scrubbing scrubbing-rules[1]="{match-variable:RequestUri,selector-match-operator:Equals}"
-        network front-door waf-policy update -g rg -n n1 --log-scrubbing "{scrubbing-rules:[{match-variable:RequestBodyJsonArgNames,selector-match-operator:EqualsAny}],state:Enabled}" scrubbing-rules[1]="{match-variable:RequestUri,selector-match-operator:EqualsAny}"
-    ```
-
-- Update specific policy
-    ```bash
-        network front-door waf-policy update --resource-group rg1 --policy-name Policy1 --location WestUs --enabled-state Enabled --mode Prevention --redirect-url http://www.bing.com --custom-block-response-status-code 429 --custom-block-response-body PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg== --request-body-check Disabled --javascript-challenge-expiration-in-minutes 30 --captcha-expiration-in-minutes 30 --log-scrubbing "{state:Enabled,scrubbing-rules:[{match-variable:RequestIPAddress,selector-match-operator:EqualsAny,selector:null,state:Enabled}]}" --custom-rules "{rules:[{name:Rule1,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:IPMatch,match-value:[192.168.1.0/24,10.0.0.0/24]}],action:Block},{name:Rule2,priority:2,rule-type:MatchRule,match-conditions:[{match-variable:RemoteAddr,operator:GeoMatch,match-value:[CH]},{match-variable:RequestHeader,operator:Contains,selector:UserAgent,match-value:[windows],transforms:[Lowercase]}],action:Block},{name:Rule3,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:ServiceTagMatch,match-value:[AzureBackup,AzureBotService]}],action:CAPTCHA}]}" --managed-rules "{managed-rule-sets:[{rule-set-type:DefaultRuleSet,rule-set-version:1.0,rule-set-action:Block,exclusions:[{matchVariable:RequestHeaderNames,selectorMatchOperator:Equals,selector:User-Agent}],rule-group-overrides:[{rule-group-name:SQLI,exclusions:[{matchVariable:RequestCookieNames,selectorMatchOperator:StartsWith,selector:token}],rules:[{rule-id:942100,enabled-state:Enabled,action:Redirect,exclusions:[{matchVariable:QueryStringArgNames,selectorMatchOperator:Equals,selector:query}]},{rule-id:942110,enabled-state:Disabled}]}]},{rule-set-type:Microsoft_HTTPDDoSRuleSet,rule-set-version:1.0,rule-group-overrides:[{rule-group-name:ExcessiveRequests,rules:[{rule-id:500100,enabled-state:Enabled,action:Block,sensitivity:High}]}]}]}" --sku Premium_AzureFrontDoor
+        network front-door waf-policy update --resource-group rg1 --policy-name Policy1 --location WestUs --enabled-state Enabled --mode Prevention --redirect-url http://www.bing.com --custom-block-response-status-code 429 --custom-block-response-body PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg== --request-body-check Disabled --javascript-challenge-expiration-in-minutes 30 --captcha-expiration-in-minutes 30 --log-scrubbing "{state:Enabled,scrubbing-rules:[{match-variable:RequestIPAddress,selector-match-operator:EqualsAny,selector:null,state:Enabled}]}" --custom-rules "{rules:[{name:Rule1,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:IPMatch,match-value:[192.168.1.0/24,10.0.0.0/24]}],action:Block},{name:Rule2,priority:2,rule-type:MatchRule,match-conditions:[{match-variable:RemoteAddr,operator:GeoMatch,match-value:[CH]},{match-variable:RequestHeader,operator:Contains,selector:UserAgent,match-value:[windows],transforms:[Lowercase]}],action:Block},{name:Rule3,priority:1,rule-type:RateLimitRule,rate-limit-threshold:1000,match-conditions:[{match-variable:RemoteAddr,operator:ServiceTagMatch,match-value:[AzureBackup,AzureBotService]}],action:CAPTCHA}]}" --managed-rules "{managed-rule-sets:[{rule-set-type:Microsoft_DefaultRuleSet,rule-set-version:2.2,rule-set-action:Block,exclusions:[{matchVariable:RequestHeaderNames,selectorMatchOperator:Equals,selector:User-Agent}],rule-group-overrides:[{rule-group-name:SQLI,exclusions:[{matchVariable:RequestCookieNames,selectorMatchOperator:StartsWith,selector:token}],rules:[{rule-id:942100,enabled-state:Enabled,action:Redirect,exclusions:[{matchVariable:QueryStringArgNames,selectorMatchOperator:Equals,selector:query}]},{rule-id:942110,enabled-state:Disabled}]}]},{rule-set-type:Microsoft_HTTPDDoSRuleSet,rule-set-version:1.0,rule-group-overrides:[{rule-group-name:ExcessiveRequests,rules:[{rule-id:500100,enabled-state:Enabled,action:Block,sensitivity:High}]}]}],exceptions-list:{exceptions:[{match-variable:RequestHeaderNames,selector-match-operator:Equals,selector:User-Agent,value-match-operator:Contains,match-values:[Mozilla],scopes:[{rule-set-type:Microsoft_DefaultRuleSet,rule-set-version:2.2},{rule-set-type:Microsoft_HTTPDDoSRuleSet,rule-set-version:1.0}]}]}}" --sku Premium_AzureFrontDoor
     ```

Commands/network/readme.md

@@ -49,6 +49,9 @@ Manage Azure Network resources.
 - [front-door](/Commands/network/front-door/readme.md)
 : Manage Classical Azure Front Doors. For managing Azure Front Door Standard/Premium, please refer https://learn.microsoft.com/en-us/cli/azure/afd?view=azure-cli-latest.
 
+- [front-door-web-application-firewall-policy](/Commands/network/front-door-web-application-firewall-policy/readme.md)
+: Manage Front Door Web Application Firewall Policy
+
 - [ip-group](/Commands/network/ip-group/readme.md)
 : Commands to manage IP group.
 

Resources/mgmt-plane/L3N1YnNjcmlwdGlvbnMve30vcHJvdmlkZXJzL21pY3Jvc29mdC5uZXR3b3JrL2Zyb250ZG9vcndlYmFwcGxpY2F0aW9uZmlyZXdhbGxtYW5hZ2VkcnVsZXNldHM=/2025-11-01.json

@@ -1 +1 @@
-{"plane": "mgmt-plane", "resources": [{"id": "/subscriptions/{}/providers/microsoft.network/frontdoorwebapplicationfirewallmanagedrulesets", "version": "2025-11-01", "swagger": "mgmt-plane/frontdoor/ResourceProviders/Microsoft.Network/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9wcm92aWRlcnMvTWljcm9zb2Z0Lk5ldHdvcmsvRnJvbnREb29yV2ViQXBwbGljYXRpb25GaXJld2FsbE1hbmFnZWRSdWxlU2V0cw==/V/MjAyNS0xMS0wMQ=="}], "commandGroups": [{"name": "network front-door waf-policy managed-rule-definition", "commands": [{"name": "list", "version": "2025-11-01", "resources": [{"id": "/subscriptions/{}/providers/microsoft.network/frontdoorwebapplicationfirewallmanagedrulesets", "version": "2025-11-01", "swagger": "mgmt-plane/frontdoor/ResourceProviders/Microsoft.Network/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9wcm92aWRlcnMvTWljcm9zb2Z0Lk5ldHdvcmsvRnJvbnREb29yV2ViQXBwbGljYXRpb25GaXJld2FsbE1hbmFnZWRSdWxlU2V0cw==/V/MjAyNS0xMS0wMQ=="}], "argGroups": [{"name": "", "args": [{"type": "SubscriptionId", "var": "$Path.subscriptionId", "options": ["subscription"], "required": true, "idPart": "subscription"}]}], "operations": [{"operationId": "ManagedRuleSets_List", "http": {"path": "/subscriptions/{subscriptionId}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallManagedRuleSets", "request": {"method": "get", "path": {"params": [{"type": "string", "name": "subscriptionId", "arg": "$Path.subscriptionId", "required": true}]}, "query": {"consts": [{"readOnly": true, "const": true, "default": {"value": "2025-11-01"}, "type": "string", "name": "api-version", "required": true}]}}, "responses": [{"statusCode": [200], "body": {"json": {"var": "$Instance", "schema": {"type": "object", "props": [{"type": "string", "name": "nextLink"}, {"readOnly": true, "type": "array<object>", "name": "value", "item": {"type": "object", "props": [{"readOnly": true, "type": "string", "name": "id"}, {"type": "ResourceLocation", "name": "location"}, {"readOnly": true, "type": "string", "name": "name"}, {"type": "object", "name": "properties", "props": [{"readOnly": true, "type": "string", "name": "provisioningState"}, {"readOnly": true, "type": "array<object>", "name": "ruleGroups", "item": {"type": "object", "props": [{"readOnly": true, "type": "string", "name": "description"}, {"readOnly": true, "type": "string", "name": "ruleGroupName"}, {"readOnly": true, "type": "array<object>", "name": "rules", "item": {"type": "object", "props": [{"readOnly": true, "type": "string", "name": "defaultAction", "enum": {"items": [{"value": "Allow"}, {"value": "AnomalyScoring"}, {"value": "Block"}, {"value": "CAPTCHA"}, {"value": "JSChallenge"}, {"value": "Log"}, {"value": "Redirect"}]}}, {"readOnly": true, "type": "string", "name": "defaultSensitivity", "enum": {"items": [{"value": "High"}, {"value": "Low"}, {"value": "Medium"}]}}, {"readOnly": true, "type": "string", "name": "defaultState", "enum": {"items": [{"value": "Disabled"}, {"value": "Enabled"}]}}, {"readOnly": true, "type": "string", "name": "description"}, {"readOnly": true, "type": "string", "name": "ruleId"}]}}]}}, {"readOnly": true, "type": "string", "name": "ruleSetId"}, {"readOnly": true, "type": "string", "name": "ruleSetType"}, {"readOnly": true, "type": "string", "name": "ruleSetVersion"}], "clientFlatten": true}, {"type": "object", "name": "tags", "additionalProps": {"item": {"type": "string"}}}, {"readOnly": true, "type": "string", "name": "type"}]}}]}}}}, {"isError": true, "body": {"json": {"schema": {"type": "@ODataV4Format"}}}}]}}], "outputs": [{"type": "array", "ref": "$Instance.value", "clientFlatten": true, "nextLink": "$Instance.nextLink"}], "confirmation": ""}]}]}
+{"plane": "mgmt-plane", "resources": [{"id": "/subscriptions/{}/providers/microsoft.network/frontdoorwebapplicationfirewallmanagedrulesets", "version": "2025-11-01", "swagger": "mgmt-plane/frontdoor/ResourceProviders/Microsoft.Network/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9wcm92aWRlcnMvTWljcm9zb2Z0Lk5ldHdvcmsvZnJvbnREb29yV2ViQXBwbGljYXRpb25GaXJld2FsbE1hbmFnZWRSdWxlU2V0cw==/V/MjAyNS0xMS0wMQ=="}], "commandGroups": [{"name": "network front-door waf-policy managed-rule-definition", "commands": [{"name": "list", "version": "2025-11-01", "resources": [{"id": "/subscriptions/{}/providers/microsoft.network/frontdoorwebapplicationfirewallmanagedrulesets", "version": "2025-11-01", "swagger": "mgmt-plane/frontdoor/ResourceProviders/Microsoft.Network/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9wcm92aWRlcnMvTWljcm9zb2Z0Lk5ldHdvcmsvZnJvbnREb29yV2ViQXBwbGljYXRpb25GaXJld2FsbE1hbmFnZWRSdWxlU2V0cw==/V/MjAyNS0xMS0wMQ=="}], "argGroups": [{"name": "", "args": [{"type": "SubscriptionId", "var": "$Path.subscriptionId", "options": ["subscription"], "required": true, "idPart": "subscription"}]}], "operations": [{"operationId": "ManagedRuleSets_List", "http": {"path": "/subscriptions/{subscriptionId}/providers/Microsoft.Network/frontDoorWebApplicationFirewallManagedRuleSets", "request": {"method": "get", "path": {"params": [{"type": "string", "name": "subscriptionId", "arg": "$Path.subscriptionId", "required": true, "format": {"minLength": 1}}]}, "query": {"consts": [{"readOnly": true, "const": true, "default": {"value": "2025-11-01"}, "type": "string", "name": "api-version", "required": true, "format": {"minLength": 1}}]}}, "responses": [{"statusCode": [200], "body": {"json": {"var": "$Instance", "schema": {"type": "object", "props": [{"type": "string", "name": "nextLink"}, {"readOnly": true, "type": "array<object>", "name": "value", "item": {"type": "object", "props": [{"readOnly": true, "type": "string", "name": "id"}, {"type": "ResourceLocation", "name": "location"}, {"readOnly": true, "type": "string", "name": "name"}, {"type": "object", "name": "properties", "props": [{"readOnly": true, "type": "string", "name": "provisioningState"}, {"readOnly": true, "type": "array<object>", "name": "ruleGroups", "item": {"type": "object", "props": [{"readOnly": true, "type": "string", "name": "description"}, {"readOnly": true, "type": "string", "name": "ruleGroupName"}, {"readOnly": true, "type": "array<object>", "name": "rules", "item": {"type": "object", "props": [{"readOnly": true, "type": "string", "name": "defaultAction", "enum": {"items": [{"value": "Allow"}, {"value": "AnomalyScoring"}, {"value": "Block"}, {"value": "CAPTCHA"}, {"value": "JSChallenge"}, {"value": "Log"}, {"value": "Redirect"}]}}, {"readOnly": true, "type": "string", "name": "defaultSensitivity", "enum": {"items": [{"value": "High"}, {"value": "Low"}, {"value": "Medium"}]}}, {"readOnly": true, "type": "string", "name": "defaultState", "enum": {"items": [{"value": "Disabled"}, {"value": "Enabled"}]}}, {"readOnly": true, "type": "string", "name": "description"}, {"readOnly": true, "type": "string", "name": "ruleId"}]}}]}}, {"readOnly": true, "type": "string", "name": "ruleSetId"}, {"readOnly": true, "type": "string", "name": "ruleSetType"}, {"readOnly": true, "type": "string", "name": "ruleSetVersion"}], "clientFlatten": true}, {"type": "object", "name": "tags", "additionalProps": {"item": {"type": "string"}}}, {"readOnly": true, "type": "string", "name": "type"}]}}]}}}}, {"isError": true, "body": {"json": {"schema": {"type": "@ODataV4Format"}}}}]}}], "outputs": [{"type": "array", "ref": "$Instance.value", "clientFlatten": true, "nextLink": "$Instance.nextLink"}], "confirmation": ""}]}]}