Azure – You can now implement rate-limit rules for your web application firewall (preview)

You can now implement custom rules supporting rate-limit on your regional Web Application Gateway Firewall.

The rate-limit rules detect and block abnormal high levels of traffic, helping you to protect against denial of service attack.

To implement such rule, connect to your Azure portal ( to create a new WAF (web application firewall) policy or edit an existing one.

When creating a new WAF policy, the option to enable rate-limit is available at the Custom rules step


When editing an existing WAF policy, the rate-limit option is available under the Custom rules blade


When you configure a rate limit rule, you must specify the number of requests allowed within the specified time period.

Rate limiting on WAF policy uses a sliding window algorithm to determine when traffic has breached the threshold and needs to be dropped.

During the first window where the threshold for the rule is breached, any more traffic matching the rate limit rule is dropped. From the second window onwards, traffic up to the threshold within the window configured is allowed, producing a throttling effect.

A new GroupByUserSession is also introduced, which must be configured.

The GroupByUserSession specifies how requests are grouped and counted for a matching rate limit rule:

  • ClientAddr – This is the default setting and it means that each rate limit threshold and mitigation applies independently to every unique source IP address.
  • GeoLocation – Traffic is grouped by their geography based on a Geo-Match on the client IP address. So for a rate limit rule, traffic from the same geography is grouped together.
  • None – All traffic is grouped together and counted against the threshold of the Rate Limit rule. When the threshold is breached, the action triggers against all traffic matching the rule and doesn’t maintain independent counters for each client IP address or geography. It’s recommended to use None with specific match conditions such as a sign-in page or a list of suspicious User-Agents.

The configured rate limit thresholds are counted and tracked independently for each endpoint the Web Application Firewall policy is attached to.

Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.