Azure WAF multiple Geo Location Custom Rules

Jason A Clark 31 Reputation points


I have an Azure Application Gateway V2 pointing at a new WAF custom Policy.

In this custom policy I have added a single custom rule to deny access from certain countries.

I have about 15 countries I want to allow access and deny all the other countries.

Adding all the other countries from the pick list to deny, I get a message saying 'Only Maximum of 10 geo locations are allowed'.

Any idea of what combinations of custom rules I can do to achieve this without an excessive amount of custom rules?

At the moment I would be looking at creating 16 custom deny rules (16*10 countries in each rule to get to the 160 country exclude list).

There must be an easier way?



Accepted answer
  1. msrini-MSFT 9,271 Reputation points Microsoft Employee


    Can you try to deny all the countries in a lower-priority rule and whitelist the allowed country with higher priority? This way you only need to use 3 custom rules.


    1 person found this answer helpful.

2 additional answers

  1. Jason A Clark 31 Reputation points

    Thanks Msrini, I came up with the following that seems to work.

    Priority 10 - Allow 10 countries (Geo Location Rule)
    Priority 20 - Allow 6 countries (Geo Location Rule)
    Priority 100 - Deny all that "does not contain" an arbitrary IP address e.g. (IP Address Match Rule)

    Once again thanks J

    2 people found this answer helpful.
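
The three-rule layout from this answer, modelled as an added Python example (not code from the thread and not Azure's own implementation), to show how first-match priority evaluation and the negated IP match behave together. The country codes, rule names, the placeholder address `192.0.2.1` and the sample client address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

GEO_LIMIT = 10  # per-rule geo location limit quoted in the portal message

@dataclass
class Rule:
    name: str
    priority: int
    action: str           # "Allow" or "Deny"
    operator: str         # "GeoMatch" or "IPMatch"
    values: tuple
    negate: bool = False  # the portal's "does not contain"

    def matches(self, src_ip, country):
        if self.operator == "GeoMatch":
            hit = country in self.values
        else:  # IPMatch: values are single addresses or CIDR ranges
            addr = ipaddress.ip_address(src_ip)
            hit = any(addr in ipaddress.ip_network(v, strict=False) for v in self.values)
        return hit != self.negate

# Constructed allow list: 16 country codes, split 10 + 6 to stay within the limit.
ALLOWED = ("US", "CA", "GB", "IE", "FR", "DE", "NL", "BE", "ES", "PT",
           "IT", "CH", "AT", "SE", "NO", "DK")
PLACEHOLDER_IP = "192.0.2.1"  # assumption: TEST-NET-1, never a real client source

POLICY = [
    Rule("AllowGeoA", 10, "Allow", "GeoMatch", ALLOWED[:10]),
    Rule("AllowGeoB", 20, "Allow", "GeoMatch", ALLOWED[10:]),
    Rule("DenyRest", 100, "Deny", "IPMatch", (PLACEHOLDER_IP,), negate=True),
]

def over_limit(policy):
    """Names of GeoMatch rules that the portal would reject for too many locations."""
    return [r.name for r in policy
            if r.operator == "GeoMatch" and len(r.values) > GEO_LIMIT]

def evaluate(policy, src_ip, country):
    """Return (action, rule name) of the first match, lowest priority number first."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.matches(src_ip, country):
            return rule.action, rule.name
    return "NoMatch", None  # no custom rule applied to this request
```

A request whose source is the placeholder address itself is not caught by the negated deny rule, so that address should be one that can never appear as a client source.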

  2. Danejahtt 1 Reputation point

    Hey Jason,

    Awesome feedback.

