Azure WAF limitations

Matheus Silva 50 Reputation points
2023-07-13T14:47:37.2+00:00

What is the limit of IP groups and IPs in a group for WAF exclusion?

Azure Web Application Firewall
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-07-14T06:32:00.04+00:00

    Hello @Matheus Silva ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if there is a limit of IP groups and IPs in a group for WAF exclusion?

    The limit of WAF IP address ranges per match condition is:

    • 540 with CRS 3.1 or lower
    • 600 with CRS 3.2 or newer

    Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#application-gateway-limits

    Maximum WAF custom rules that can be configured in a WAF is 100.

    And WAF IP address ranges per match condition is 600.

    So, that gives you a total of 60000 IP address ranges.

    NOTE: This limit is same for both Application gateway WAF and Azure Front Door WAF.

    If one custom rule already has 600 IP addresses/ranges, you can create another custom rule and add the new IPs/ranges.

    One IP range is considered as 1 entry. And you can add 600 IP ranges in one custom rule. But you need to make sure that none of the address ranges has overlapping IP addresses and all the ranges have unique IP addresses.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.