Share via

Why does Azure application gateway rate limit WAF return a 403 and not a 429?

Levi 30 Reputation points
04 Mar 2024, 13:57

When Azure Application gateway rate limiter functions as expected, we were expecting a 429, but instead, a 403 is returned. Why is this?

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,152 questions
Azure Web Application Firewall
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. ChaitanyaNaykodi-MSFT 27,201 Reputation points Microsoft Employee
    04 Mar 2024, 23:51

    @Levi

    Thank you for reaching out.

    I understand you wish to know why Azure application gateway rate limit returns a 403 response instead of 429 response.

    Currently 403 response is by design and the product team is aware of this scenario. The team will be releasing a feature for this scenario where customers will be able to customize the http response code for rate-limit on their own. I currently do not have a fixed ETA to share about when this feature will be released but request you to keep an eye out on Azure updates for Application Gateway.

    Hope this helps! Please let me know if you have any questions. Thank you!

  2. Fagerhed Bengt-Ove 0 Reputation points
    21 Mar 2025, 09:40

    Could you please provide an update on the status of this feature?
    Has there been any progress or an estimated release date for this functionality?

    We're about to take Application Gateway into use in our production using rate limiting. Customers that previously had the response HTTP 429 (Too Many Requests) will get HTTP 403 (Forbidden) and it will be hard to distinguish between the two cases.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.