Enable and configure Custom Rules for Rate Limit, JS Challenge(preview) and CAPTCHA(preview)

Implementation Effort: Medium

User Impact: Low

Overview

Use custom WAF rules to augment the core rule set (CRS) and address specific needs with precision—such as blocking traffic from certain countries, rate-limiting on sensitive paths, or matching on particular HTTP headers or query parameters. In both Azure Front Door and Application Gateway WAF policies, navigate to Custom rules, define your match conditions (for example, RemoteAddr within a set of country IP ranges for geo-blocking, or a request rate threshold on a given URI), and then select the action: Block, Allow, or Log.

For interactive challenges, you can choose JavaScript Challenge (supported in both Azure Front Door and Application Gateway) or CAPTCHA (Azure Front Door ) to verify genuine users. This approach lets you tailor your WAF policy to your application’s unique requirements while ensuring a balance between security and user experience.

Reference

• Custom rules for Azure Web Application Firewall on Azure Front Door
• Create and use Web Application Firewall v2 custom rules on Application Gateway
• Azure Web Application Firewall JavaScript challenge (preview) overview
• Azure Front Door Web Application Firewall CAPTCHA (preview)