How to configure custom rate limiting rule for Azure Front Door Standard Web Application Firewall

Question

How to configure custom rate limiting rule for Azure Front Door Standard Web Application Firewall

BH 30

I want to configure a rate limiting rule in the web application firewall for Azure Front Door Standard. When requests from a client IP address exceed the set threshold, the requests should be blocked. I cannot find examples for this scenario. I find only match conditions based on path.

The AI answer does not match the available options in the Azure portal rule configuration UI. Specifically, when Rule type is set to Rate Limit, the conditions Match Type options are presented as Geo location, IP address, Size, String. There is no RequestUri that I can find.

How would I configure a rate limiting rule for the WAF used by AFD that blocks requests from a client IP address when the requests exceed a specified threshold within the specified period of time?

BH 30 Reputation points

2025-04-28T12:36:50.5833333+00:00

Thank you Sindhuja for your quick response. I believe that I may not have been precise enough in my question. The question was "How would I configure a rate limiting rule for the WAF used by AFD that blocks requests from a client IP address when the requests exceed a specified threshold within the specified period of time?" and by that I actually mean "...from an unknown client IP address..." so I cannot add a known IP address or range into the field.

Your screenshot above leads me to believe that I should leave the IP address or range field blank and the rule will consider requests from any and all IP addresses, and block requests from the offending IP address. Can you please confirm whether that is the case? And if I should instead enter something in the IP address and range field, please let me know what I should enter to achieve the desired result.
Sindhuja Dasari 940 Reputation points Microsoft External Staff Moderator

2025-04-28T13:06:01.8833333+00:00

Hello BH

Thank you for the clarification. I understand that you want to configure the match condition to apply to any client IP, not just known IPs. You cannot leave the IP Address field blank in the portal, as it will show a validation error.

You should enter an * (asterisk) as the IP address match value. This indicates that the rule to match any and all client IPs. Azure interprets * as a wildcard match, meaning any incoming RemoteAddr will be checked.

The configuration should look like:

Setting Value

Match Type IP Address

Operator Equals

Match Values *(a single asterisk)

Rate Limit Threshold Eg.100,1000 requests

Rate Limit Duration Eg.1 minute

Action Block

This configuration blocks requests from any offending IP, based on your threshold and time window.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
BH 30 Reputation points

2025-04-28T13:36:16.21+00:00

Thanks again for the quick response. I do appreciate the attentiveness. I have entered the * value in the IP address and ranges field and unfortunately, have received an error message informing me that "Only valid IPv4/IPv6 addresses or ranges are allowed." Please see the screenshot pasted below.

Is there a valid and verified method for implementing a rate limiting rule for IP addresses that are unknown until they violate the rule?
Sindhuja Dasari 940 Reputation points Microsoft External Staff Moderator

2025-04-28T13:43:10.86+00:00

Hello BH

Please add the range 0.0.0.0/0 in IP address details.

Let me know if you have any queries
BH 30 Reputation points

2025-04-28T14:19:30.8733333+00:00

Thank you, the IP address and ranges field accepts the range 0.0.0.0/0. I have saved the rule and will test it and check the logs.

To summarize: The question was "How would I configure a rate limiting rule for the WAF used by AFD that blocks requests from a client IP address when the requests exceed a specified threshold within the specified period of time?" and by that I actually mean "...from an unknown client IP address..." so I cannot add a known IP address or range into the field.

The published Azure documentation covers rate limiting for requests to a URL matching a specified string and does not address the question above.

The solution is to follow the pattern depicted in the image pasted below:

Please consider this question answered correctly.
Sindhuja Dasari 940 Reputation points Microsoft External Staff Moderator

2025-04-28T14:48:18.7633333+00:00

Hi BH

Glad to hear that you were able to configure the rule. I have converted my comment to an answer.

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Accepted answer

1 additional answer

Your answer

BH 30 Reputation points

2025-04-28T12:36:50.5833333+00:00

Thank you Sindhuja for your quick response. I believe that I may not have been precise enough in my question. The question was "How would I configure a rate limiting rule for the WAF used by AFD that blocks requests from a client IP address when the requests exceed a specified threshold within the specified period of time?" and by that I actually mean "...from an unknown client IP address..." so I cannot add a known IP address or range into the field.

Your screenshot above leads me to believe that I should leave the IP address or range field blank and the rule will consider requests from any and all IP addresses, and block requests from the offending IP address. Can you please confirm whether that is the case? And if I should instead enter something in the IP address and range field, please let me know what I should enter to achieve the desired result.
Sindhuja Dasari 940 Reputation points Microsoft External Staff Moderator

2025-04-28T13:06:01.8833333+00:00

Hello BH

Thank you for the clarification. I understand that you want to configure the match condition to apply to any client IP, not just known IPs. You cannot leave the IP Address field blank in the portal, as it will show a validation error.

You should enter an * (asterisk) as the IP address match value. This indicates that the rule to match any and all client IPs. Azure interprets * as a wildcard match, meaning any incoming RemoteAddr will be checked.

The configuration should look like:

Setting Value

Match Type IP Address

Operator Equals

Match Values *(a single asterisk)

Rate Limit Threshold Eg.100,1000 requests

Rate Limit Duration Eg.1 minute

Action Block

This configuration blocks requests from any offending IP, based on your threshold and time window.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
BH 30 Reputation points

2025-04-28T13:36:16.21+00:00

Thanks again for the quick response. I do appreciate the attentiveness. I have entered the * value in the IP address and ranges field and unfortunately, have received an error message informing me that "Only valid IPv4/IPv6 addresses or ranges are allowed." Please see the screenshot pasted below.

Is there a valid and verified method for implementing a rate limiting rule for IP addresses that are unknown until they violate the rule?
Sindhuja Dasari 940 Reputation points Microsoft External Staff Moderator

2025-04-28T13:43:10.86+00:00

Hello BH

Please add the range 0.0.0.0/0 in IP address details.

Let me know if you have any queries
BH 30 Reputation points

2025-04-28T14:19:30.8733333+00:00

Thank you, the IP address and ranges field accepts the range 0.0.0.0/0. I have saved the rule and will test it and check the logs.

To summarize: The question was "How would I configure a rate limiting rule for the WAF used by AFD that blocks requests from a client IP address when the requests exceed a specified threshold within the specified period of time?" and by that I actually mean "...from an unknown client IP address..." so I cannot add a known IP address or range into the field.

The published Azure documentation covers rate limiting for requests to a URL matching a specified string and does not address the question above.

The solution is to follow the pattern depicted in the image pasted below:

Please consider this question answered correctly.
Sindhuja Dasari 940 Reputation points Microsoft External Staff Moderator

2025-04-28T14:48:18.7633333+00:00

Hi BH

Glad to hear that you were able to configure the rule. I have converted my comment to an answer.

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Hello BH

I understand that you are trying to configure custom rate limiting rule for Azure Front Door Standard Web Application Firewall.

If you are looking for the option with RequestUri, you could find it as below:

Under Custom rule, conditions-->Select Match Type as String or Size-->Match Variable as RequestUri

Please refer to the screenshot for reference:

Rate

If you want to configure it using the IP ranges, then

Match Type =IP Address
Set the range
Please add the range 0.0.0.0/0 in IP address details.
Set the Action: Choose Block -this will block the requests after the threshold is breached, so they’ll receive a 403 Forbidden response.

Finalize and apply the changes.

Refer Custom Rate Limit-Azure for the detailed steps to configure the rate limit

By default, WAF policies may be in Detection mode, switch to prevention mode.

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

BH 30 Reputation points

2025-04-28T15:00:38.9166667+00:00

This process was faster and easier than opening a support ticket in the Azure portal

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Setting		Value
Match Type		IP Address
Operator		Equals
Match Values		*(a single asterisk)
Rate Limit Threshold		Eg.100,1000 requests
Rate Limit Duration		Eg.1 minute
Action		Block

Share via

How to configure custom rate limiting rule for Azure Front Door Standard Web Application Firewall

1 additional answer

Your answer