This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 54%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFN%3C/text%3E%3C/svg%3E)
We have created an Azure Frontdoor Premim Tier with a Web Application Firewall associated with it and we are having some issues with a specific rule we created to apply rate limiting.
The rule is looking for a specific URL and specifies a limit of 2 http requests per every 1 minutes. The rule has a top priority number of 1
I´ve created a loop to perform HTTP requests and for 100 htpp requests, 86 are being allowed and 14 blocked in an interval of 1 minute.
I also tried with a higher threshold ( 30 requests for every 5 minutes) and still had the same outcome.
Can someone explain me why is this not working as expected and if there´s any way we can apply rate limiting correctly
We are using a Powershell script to test this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 60%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
Hi Fabian,
Can you share the details or screenshot of the rule that you created for rate-limiting? It would be helpful to understand the issue.
Best regards,
Hello @Fabián Avilés ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that the Rate Limiting rule applied on your Azure WAF Front Door Premium doesn't seem to be working as expected.
The rate limit feature is designed to filter attacks (DOS) and it's approximate by design. Putting a really low number (like 50/100 per minute) is not going to work well because the counting is done post-response (as well as the propagation within the environment). In other words, one particular server is never going to block the first request from a given Client IP address. Our documentation also states this is intended for high traffic:
Rate limiting rules: A rate limiting rule limits abnormally high traffic from any client IP address. You might configure a threshold on the number of web requests allowed from a client IP during a one-minute duration.
The system behaves this way because we are optimizing it for maximum performance (lowest latency and max throughput).
The rate limiting feature is optimized for DOS scenarios, so low thresholds may not start blocking traffic immediately once a client passes the threshold. We generally recommend setting it to a value of at least 200 or more.
Setting larger time window sizes (for example, five minutes over one minute) and larger threshold values (for example, 200 over 100) tend to be more accurate in enforcing close to rate limit's thresholds than using the shorter time window sizes and lower threshold values.
Kindly let us know if the above helps or you need further assistance on this issue.
I see @Michael Lee has already shared the link for this in the answer below. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello Gitarani,
Thank you for the input.
This is one of our latest set-ups:
And it still does not work.
Please let time know if we need to make some changes to the configuration.
Thank you for the update, @Fabián Avilés .
Could you please confirm if you have any high priority rate limiting rule (with similar match values & conditions) before this priority 10 rule, which might be getting evaluated before it and the WAF stops processing the rules below?
Rules with lower-priority values are evaluated before rules with higher values. The rule evaluation stops on any rule action except for Log. Priority numbers must be unique among all custom rules.
If yes, please make sure that there is no duplicate rate limiting rule with a higher priority before this priority 10 rule.
If not, then to troubleshoot the exact issue here, we will need a specialized 1:1 session, where a support engineer can check the issue and collect the required backend logs. So, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
Regards,
Gita
Hello Gitarani,
Thank you for getting back to me. We do no have another rule created. I'll try to work with support to get this sorted. Thank you!!
Hello @Fabián Avilés , thank you for the prompt update. If you require assistance in getting one-time free technical support, please don't hesitate to contact us. Thank you!
Hi Fabian,
Your symptom is related to how AFD WAF is working on the rate-limiting. You can refer to this link:
Best regards,
Hello Michael! Thank you!