Hello @elundgren ,
Welcome to Microsoft Q&A Platform. Thanks for posting your query.
Currently, the default value for request body size is 128 KB. If the customer requires bigger request body than the threshold which is 128 KB, they can go ahead and turn the request body inspection knob off and the request body will hit the backend servers without inspection by WAF. Not inspecting the body of a request introduces extra risk because any attack that is passed via the body will not be caught by WAF. It is recommended to inspect the entire request whenever possible.
Another workaround in this case would be to have a global WAF policy applied to the entire Application gateway, but then setup a specific waf policy (which disables body inspection) that only applies when the client request hits a specific listener, or a specific URI.
Please refer : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies#apply-a-per-uri-policy-preview
There are plans to increase this limit and currently, it is in Private preview. There is no definitive ETA for Public preview or GA (General Availability) but the target is most likely by the end of this year. If you are interested in trying out the private preview, do let us know and we can check with the PG team regarding same.
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.