WAF Exclusion Limit

Aravindhan 6 Reputation points
2022-09-01T11:19:59.967+00:00

Hi Team,

What is the limit on the number of exclusion in WAF Policy? Is it 100 ? or 40 ?

Bcoz i see this

WAF exclusion per policy 100 100

And also

Maximum WAF exclusions per Application Gateway 40

In the page

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits

Appreciate the clarification

Azure Web Application Firewall
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. ChaitanyaNaykodi-MSFT 11,251 Reputation points Microsoft Employee
    2022-09-03T20:37:07.813+00:00

    Hello @Aravindhan ,
    Thank you for reaching out.

    The information present in the document mentioned above is correct. The difference here is due to WAF policy for Azure Application gateway (Regional WAF policy) and Azure Front Door (Global WAF policy). There are two options when applying WAF policies in Azure. WAF with Azure Front Door is a globally distributed, edge security solution. WAF with Application Gateway is a regional, dedicated solution.

    237469-image.png

    This limitation of exclusion is per application gateway. To put it other words you can attach as many regional WAF policy to your application gateway but the cumulative exclusions must not exceed 40. If you are exceeding this limit it is recommended to use custom rules instead.

    237440-image.png

    This limitation is for a Global WAF policy attached to Azure Front Door Standard/Premium.

    Hope this helps answer your query. Please let me know if you have any additional questions here. Thank you!