What is rate limiting for Azure Front Door Service?

Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. The socket IP address is the address of the client that initiated the TCP connection to Front Door. Typically, the socket IP address is the IP address of the user, but it might also be the IP address of a proxy server or another device that sits between the user and Front Door. By using the web application firewall (WAF) with Azure Front Door, you can mitigate some types of denial of service attacks. Rate limiting also protects you against clients that have accidentally been misconfigured to send large volumes of requests in a short time period.

Rate limits are applied at the socket IP address level. If you have multiple clients accessing your Front Door from different socket IP addresses, each of them has its own rate limit applied. The socket IP address is the source IP address that the WAF sees. If your user is behind a proxy, the socket IP address is often the proxy server's address.

Configure a rate limit policy

Rate limiting is configured by using custom WAF rules.

When you configure a rate limit rule, you specify the threshold: the number of web requests allowed from each socket IP address within a time period of either one minute or five minutes.

You also must specify at least one match condition, which tells Front Door when to activate the rate limit. You can configure multiple rate limits that apply to different paths within your application.

If you need to apply a rate limit rule to all of your requests, consider using a match condition like the following example:

Screenshot of the Azure portal showing a match condition that applies to all requests. The match condition looks for requests where the Host header size is 0 or greater.

The match condition above identifies all requests with a Host header of length greater than 0. Because all valid HTTP requests for Front Door contain a Host header, this match condition has the effect of matching all HTTP requests.
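As an added example that is not part of the original article, the following Az PowerShell script builds the same match-all condition shown in the screenshot (Host header length 0 or greater) and attaches it to a rate limit custom rule. It assumes the Az.FrontDoor module is installed and you are signed in; the resource group name, policy name and threshold are placeholders.

```powershell
# Added example (not from the original article): a Front Door WAF policy with one
# rate limit custom rule that applies to every request.
# Assumes Az.FrontDoor is installed and Connect-AzAccount has already been run.
$resourceGroup = 'rg-frontdoor-example'   # placeholder
$policyName    = 'wafRateLimitExample'    # placeholder; WAF policy names are alphanumeric only

# Match condition equivalent to the screenshot: Host header length is 0 or greater.
# Every valid HTTP request carries a Host header, so this selects all traffic.
$matchAll = New-AzFrontDoorWafMatchConditionObject `
    -MatchVariable RequestHeader `
    -Selector 'Host' `
    -OperatorProperty GreaterThanOrEqual `
    -MatchValue 0

# Rate limit rule: block a socket IP address once it exceeds 1000 requests in a 1 minute
# window (RateLimitDurationInMinutes accepts 1 or 5). Keep the threshold comfortably above
# ~50/min, because very low thresholds can leak a few requests across Front Door servers.
$rateLimitAll = New-AzFrontDoorWafCustomRuleObject `
    -Name 'RateLimitAllRequests' `
    -RuleType RateLimitRule `
    -MatchCondition $matchAll `
    -RateLimitThreshold 1000 `
    -RateLimitDurationInMinutes 1 `
    -Action Block `
    -Priority 1

# Prevention mode enforces the Block action; Detection mode would only log matches.
$policy = New-AzFrontDoorWafPolicy `
    -ResourceGroupName $resourceGroup `
    -Name $policyName `
    -Sku Premium_AzureFrontDoor `
    -Mode Prevention `
    -EnabledState Enabled `
    -Customrule $rateLimitAll

# Confirm the rule landed with the intended threshold and window.
$policy.CustomRules |
    Format-Table Name, RuleType, RateLimitThreshold, RateLimitDurationInMinutes, Action
```

The policy still has to be associated with your Front Door profile's domains (a security policy) before it takes effect; that association is a separate step not shown here.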

Rate limits and Front Door servers

Requests from the same client often arrive at the same Front Door server. In that case, you'll see requests are blocked as soon as the rate limit is reached for each socket IP address.

However, it's possible that requests from the same client might arrive at a different Front Door server that hasn't refreshed the rate limit counter yet. For example, the client might open a new TCP connection for each request. If the threshold is low enough, the first request to the new Front Door server could pass the rate limit check. So, for a very low threshold (for example, less than about 50 requests per minute), you might see some requests above the threshold get through.
