top of page

Addressing Security Concerns with Azure Application Gateway (WAF)

In the digital age, security is a paramount concern for any organization. With the increasing sophistication of cyber threats, it is crucial to have robust security measures in place to protect your web applications. Denial-of-service (DoS) attacks become very common on recent threat where an attacker overwhelms a network with traffic until it is no longer available to its intended users. What can we do to address this without investing another dime?

Microsoft Azure introduced a new feature in last week called Rate-Limiting within Azure Application Gateway (WAF) without extra cost!

What is Azure Application Gateway?

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

Azure Web Application Firewall

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. It is based on the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP). It protects your web applications from web vulnerabilities and attacks without modification to back-end code.

Rate-Limit Rule Feature

In November 2023, Azure introduced a new feature called Rate-Limiting for the Web Application Firewall on Application Gateway. This feature enables you to detect and block abnormally high levels of traffic destined for your application. Rate limiting is configured using custom WAF rules in a policy. When you configure a rate limit rule, you must specify the threshold:

  • the number of requests allowed within the specified time period.

Rate limiting on Application Gateway WAF_v2 uses a sliding window algorithm to determine when traffic has breached the threshold and needs to be dropped. You can configure multiple rate limit rules that match different variables and paths within your policy.

The GroupByUserSession specifies how requests are grouped and counted for a matching rate limit rule. The following three GroupByVariables are currently available:

  • ClientAddr

  • GeoLocation

  • None


Azure Application Gateway and its integrated Web Application Firewall provide a comprehensive solution for managing web traffic and protecting web applications. The addition of the Rate-Limit rule feature further enhances its capabilities, providing an effective tool against denial-of-service attacks and misconfigured clients. This makes Azure Application Gateway a comprehensive solution for any organization looking to optimize and secure their web traffic.



bottom of page