Enable and configure Custom Rules for Rate Limit

Implementation Effort: Medium

User Impact: Medium

Overview

Application-layer abuse and denial-of-service conditions are frequently caused by excessive or abnormal request rates rather than malformed payloads. Scenarios such as credential-stuffing attacks, brute-force sign-in attempts, API abuse, and misconfigured clients can overwhelm application backends even when traffic appears syntactically valid. Static network controls and signature-based protections alone are insufficient to address these patterns because they lack awareness of request frequency and context.

Rate limiting in Azure Web Application Firewall (WAF) provides a mechanism to detect and mitigate these behaviors by monitoring the number of requests that match defined conditions over a specified time window. When request volumes exceed configured thresholds, WAF can automatically block or throttle traffic, helping to preserve application availability and protect backend resources from exhaustion. This capability is implemented through custom WAF rules and is supported on Azure Application Gateway WAF v2 and Azure Front Door WAF when using the latest WAF engine.
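The following Bicep fragment is an added example, not content from the original page, showing what such a custom rate-limit rule looks like on an Application Gateway WAF v2 policy. The policy name, the `/account/signin` path, the thresholds and the API version are assumptions chosen for illustration; the property names (`ruleType`, `rateLimitDuration`, `rateLimitThreshold`, `groupByUserSession`) are the ones in the `ApplicationGatewayWebApplicationFirewallPolicies` resource schema.

```bicep
// Added example: an Application Gateway WAF v2 policy with two rate-limit
// custom rules. Names, paths and thresholds are illustrative assumptions.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: 'waf-policy-ratelimit-example' // assumed name
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
    customRules: [
      {
        // Rule 1: block a single client that hits the sign-in endpoint
        // more than 100 times within one minute (brute force / credential stuffing).
        name: 'RateLimitSignIn'
        priority: 10
        ruleType: 'RateLimitRule'
        rateLimitDuration: 'OneMin'      // counting window: OneMin or FiveMins
        rateLimitThreshold: 100          // requests per window, per group
        groupByUserSession: [
          {
            groupByVariables: [
              {
                variableName: 'ClientAddr' // count per source IP
              }
            ]
          }
        ]
        matchConditions: [
          {
            matchVariables: [
              {
                variableName: 'RequestUri'
              }
            ]
            operator: 'BeginsWith'
            negationConditon: false      // spelling as in the ARM schema
            matchValues: [
              '/account/signin'          // assumed sign-in path
            ]
            transforms: [
              'Lowercase'
            ]
          }
        ]
        action: 'Block'
      }
      {
        // Rule 2: log-only rule across the whole site so the threshold for
        // a future Block rule can be tuned from observed traffic first.
        name: 'RateLimitObserveAll'
        priority: 20
        ruleType: 'RateLimitRule'
        rateLimitDuration: 'FiveMins'
        rateLimitThreshold: 1500
        groupByUserSession: [
          {
            groupByVariables: [
              {
                variableName: 'ClientAddr'
              }
            ]
          }
        ]
        matchConditions: [
          {
            matchVariables: [
              {
                variableName: 'RequestUri'
              }
            ]
            operator: 'Any'              // every request is counted
            negationConditon: false
            matchValues: []
          }
        ]
        action: 'Log'
      }
    ]
  }
}
```

The second rule illustrates the usual rollout order: deploy with `action: 'Log'`, review the WAF logs for how many legitimate clients would have crossed the threshold, then lower the priority number and switch to `Block` once the threshold is tuned. On Azure Front Door the equivalent rule uses `rateLimitDurationInMinutes` and `rateLimitThreshold` on the Front Door WAF policy resource rather than the properties shown here.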

Reference