Hi Mohsen Akhavan,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing issues with the Patch Requests on Application Gateway WAF in detection mode.
Kindly note Azure Application Gateway by default does not limit or block "Patch" requests in detection mode. However, there are a few things that could potentially cause the issue you're experiencing:
Request Size Limits: Azure Application Gateway's Web Application Firewall allows you to configure request size limits,
If your PATCH request exceeds these limits, your application gateway could return a 400 Bad Request error.
You may refer to the application gateway diagnostics logs to find out whether one of these limits is causing the Bad Request error. You may use the query below under the Logs tab of the application gateway on the Azure Portal:
AzureDiagnostics | where Category == "ApplicationGatewayAccessLog" | sort by TimeGenerated
Once you know which policy limit is causing the issue, you may follow the further steps to modify it.
Refer to the link below for these limits:
The request body size field and the file upload size limit are both configurable within the Web Application Firewall. The maximum request body size field is specified in kilobytes and controls overall request size limit excluding any file uploads. The file upload limit field is specified in megabytes, and it governs the maximum allowed file upload size.
To see your current policy limits, you may use the PowerShell commands below:
$plcy = Get-AzApplicationGatewayFirewallPolicy -Name <policy-name> -ResourceGroupName <resourcegroup-name>
$plcy.PolicySettings
You may modify the request size limits using the PowerShell commands below, for example to set RequestBodyEnforcement to false. This setting controls whether your Web Application Firewall will enforce a maximum size limit on request bodies; when turned off, it will not reject any requests for being too large.
$plcy = Get-AzApplicationGatewayFirewallPolicy -Name <policy-name> -ResourceGroupName <resourcegroup-name>
$plcy.PolicySettings.RequestBodyEnforcement = $false
Set-AzApplicationGatewayFirewallPolicy -InputObject $plcy
Once you identify which setting is causing the issue for your PATCH requests using the Application Gateway diagnostic logs, you may modify that setting. Refer to the page below for the same -
If the below answer addressed your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,
Ujjawal Tyagi
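The following is an added example that is not part of the answer above: a PowerShell script that pulls the WAF policy's request-size settings, lists the PATCH requests the gateway rejected with a 400, and raises MaxRequestBodySizeInKb only as far as the application needs instead of switching enforcement off entirely. The policy name, resource group and Log Analytics workspace ID are placeholders; the Az.Network and Az.OperationalInsights modules and a signed-in Azure session (Connect-AzAccount) are assumed.

```powershell
# Added example, not the answerer's code. Placeholder names below must be replaced.
# Assumes Az.Network + Az.OperationalInsights are installed and Connect-AzAccount has been run.
param(
    [string]$PolicyName        = '<policy-name>',          # placeholder
    [string]$ResourceGroupName = '<resourcegroup-name>',   # placeholder
    [string]$WorkspaceId       = '<log-analytics-workspace-id>',  # placeholder (assumption)
    [int]$DesiredMaxBodyKb     = 128                        # size the application actually needs
)

# 1. Read the policy settings that decide whether a large PATCH body is rejected.
$plcy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
$s = $plcy.PolicySettings
[pscustomobject]@{
    Mode                   = $s.Mode
    RequestBodyCheck       = $s.RequestBodyCheck
    RequestBodyEnforcement = $s.RequestBodyEnforcement
    MaxRequestBodySizeInKb = $s.MaxRequestBodySizeInKb
    FileUploadEnforcement  = $s.FileUploadEnforcement
    FileUploadLimitInMb    = $s.FileUploadLimitInMb
} | Format-List

# 2. Look in the access log for PATCH requests that came back as 400, with the byte count
#    received, so the rejected size can be compared against MaxRequestBodySizeInKb.
$query = @'
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where httpMethod_s == "PATCH" and httpStatus_d == 400
| project TimeGenerated, requestUri_s, receivedBytes_d, httpStatus_d
| sort by TimeGenerated desc
| take 20
'@
$rejected = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query -Timespan ([TimeSpan]::FromDays(1))
$rejected.Results | Format-Table -AutoSize

# 3. Keep enforcement on (it is what stops oversized bodies from reaching the backend) and
#    only raise the body limit when it is lower than what the application needs.
if ($s.RequestBodyEnforcement -and $s.MaxRequestBodySizeInKb -lt $DesiredMaxBodyKb) {
    $s.MaxRequestBodySizeInKb = $DesiredMaxBodyKb
    Set-AzApplicationGatewayFirewallPolicy -InputObject $plcy | Out-Null
    Write-Output "Raised MaxRequestBodySizeInKb to $DesiredMaxBodyKb on policy $PolicyName"
} else {
    Write-Output "No change: enforcement is off or the limit is already >= $DesiredMaxBodyKb KB"
}
```

Run the script once with a low DesiredMaxBodyKb to see the current values and the rejected requests, then re-run with the size the application genuinely needs; raising the limit to that size keeps the WAF's size check in place, whereas setting RequestBodyEnforcement to false removes it for every request.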