Front Door Standard/Premium with rate limit

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Bicep Version

Deploy To Azure Visualize

This template deploys a Front Door Standard/Premium with a rate limit.

Sample overview and deployed resources

This sample template creates a Front Door profile with a rate limit. To keep the sample simple, Front Door is configured to direct traffic to a static website configured as an origin, but this could be any origin supported by Front Door.

The following resources are deployed as part of the solution:

Front Door Standard/Premium

  • Front Door profile, endpoint, origin group, origin, and route to direct traffic to the static website.
    • Note that you can use either the standard or premium Front Door SKU for this sample. The rate limit custom rule for the WAF are supported in either SKU (note that managed rule sets require the premium SKU though). By default, the standard SKU is used.
  • Front Door WAF policy with a custom rate limit rule.
    • Currently Front Door requires that a rate limit rule has a match condition. This specifies the subset of requests it should apply to. For this sample, we are using an IP address-based match condition and setting the value to "not". This is an IANA documentation range and no real clients will use that range, so this match condition effectively matches all requests. Note that the rate limit is applied per IP address.
  • Front Door security policy to attach the WAF policy to the Front Door endpoint.

Deployment steps

You can click the "deploy to Azure" button at the beginning of this document or follow the instructions for command line deployment using the scripts in the root of this repo.



Once you have deployed the Azure Resource Manager template, wait a few minutes before you attempt to access your Front Door endpoint to allow time for Front Door to propagate the settings throughout its network.

You can then access the Front Door endpoint. The hostname is emitted as an output from the deployment - the output is named frontDoorEndpointHostName. If you access the base hostname you should see a page saying Welcome. If you see a different error page, wait a few minutes and try again.

To test the rate limit, refresh the page repeatedly. By default, after 10 requests from the same IP address within a five minute period, Front Door will block requests from the same IP address.

Tags: Microsoft.Cdn/profiles, Microsoft.Cdn/profiles/afdEndpoints, Microsoft.Cdn/profiles/originGroups, Microsoft.Cdn/profiles/originGroups/origins, Microsoft.Cdn/profiles/afdEndpoints/routes, Microsoft.Network/FrontDoorWebApplicationFirewallPolicies, Microsoft.Cdn/profiles/securityPolicies