Merge pull request #294117 from MicrosoftDocs/main

Publish to live, Wednesday 4AM PST, 2/5

Author: PMEds28

articles/azure-signalr/media/signalr-howto-config-application-firewall/signalr-add-application-firewall-rule.png

@@ -17,7 +17,7 @@ The Application Firewall provides sophisticated control over client connections
 
 ## What Does the Application Firewall Do?
 
-The Application Firewall consists of various rule lists. Currently, there is a rule list called *Client Connection Count Rules*. Future updates will support more rule lists to control aspects like connection lifetime and message throughput.
+The Application Firewall consists of various rule lists. Currently, there are two rule lists called *Client Connection Count Rules* and *Client Traffic Control Rules*. Future updates will support more rule lists to control aspects such as connection lifetime.
 
 This guideline is divided into three parts:
 1. Introduction to different application firewall rules.
@@ -56,7 +56,18 @@ Client Connection Count Rules restrict concurrent client connections. When a cli
 > [!WARNING]
 > * **Avoid using too aggressive maxCount**. Client connections may close without completing the TCP handshake. SignalR service can't detect those "half-closed" connections immediately. The connection is taken as active until the heartbeat failure. Therefore, aggressive throttling strategies might unexpectedly throttle clients. A smoother approach is to **leave some buffer** for the connection count, for example: double the *maxCount*.
 
+## Client Traffic Control Rules
+Client Traffic Control Rules restrict the inbound throughput of client connections. When a client attempts to send a message, the rules are checked **sequentially**. Within each *aggregation window*, the message size will be aggregated to check against *max inbound message*. If any rule is violated, the connection is disconnected. 
 
+   #### TrafficThrottleByUserIdRule
+   This rule limits the inbound throughput of a user. 
+
+   #### TrafficThrottleByJwtSignatureRule
+   This rule limits the inbound throughput of each token.
+
+   #### TrafficThrottleByJwtCustomClaimRule
+   This rule limits the inbound throughput of the same claim.
+   
 
 ## Set up Application Firewall 
 
@@ -73,7 +84,7 @@ Use Visual Studio Code or your favorite editor to create a file with the followi
 @description('The name for your SignalR service')
 param resourceName string = 'contoso'
 
-resource signalr 'Microsoft.SignalRService/signalr@2024-04-01-preview' = {
+resource signalr 'Microsoft.SignalRService/signalr@2024-10-01-preview' = {
   name: resourceName
   properties: {
     applicationFirewall:{
@@ -101,6 +112,42 @@ resource signalr 'Microsoft.SignalRService/signalr@2024-04-01-preview' = {
                 claimName: 'paidUser'
             }
         ]
+         clientTrafficControlRules:[
+        // Add or remove rules as needed
+        {
+            // This rule will be skipped if no userId is set
+            type: 'TrafficThrottleByUserIdRule'
+            // Every minute
+            aggregationWindowInSeconds: 60
+            // 10MB
+            maxInboundMessageBytes: 10485760
+        }
+        {
+            type: 'TrafficThrottleByJwtSignatureRule'
+            // Every 30 seconds
+            aggregationWindowInSeconds: 30
+            // 5MB
+            maxInboundMessageBytes: 5242880
+        }
+        {
+            // This rule will be skipped if no freeUser claim is set
+            type: 'TrafficThrottleByJwtCustomClaimRule'
+            // Every 10 minutes
+            aggregationWindowInSeconds: 600
+            // 1MB
+            maxInboundMessageBytes: 1048576
+            claimName: 'freeUser'
+        }
+        {
+            // This rule will be skipped if no paidUser claim is set
+            type: 'TrafficThrottleByJwtCustomClaimRule'  
+            // Every 30 seconds
+            aggregationWindowInSeconds: 30
+            // 1MB
+            maxInboundMessageBytes: 1048576
+            claimName: 'paidUser'
+        }
+      ]
     }
   }
 }

articles/azure-signalr/signalr-howto-configure-application-firewall.md

@@ -12,12 +12,12 @@ ms.author: biqian
 
 The Application Firewall provides sophisticated control over client connections in a distributed system. Before diving into its functionality and setup, let's clarify what the Application Firewall does not do:
 
-1. It does not replace authentication. The firewall operates behind the client connection authentication layer.
-2. It is not related to network layer access control.
+1. It doesn't replace authentication. The firewall operates behind the client connection authentication layer.
+2. It isn't related to network layer access control.
 
 ## What Does the Application Firewall Do?
 
-The Application Firewall consists of various rule lists. Currently, there is a rule list called *Client Connection Count Rules*. Future updates will support more rule lists to control aspects like connection lifetime and message throughput.
+The Application Firewall consists of various rule lists. Currently, there are two rule lists called *Client Connection Count Rules* and *Client Traffic Control Rules*. Future updates will support more rule lists to control aspects such as connection lifetime.
 
 This guideline is divided into three parts:
 1. Introduction to different application firewall rules.
@@ -48,6 +48,14 @@ Client Connection Count Rules restrict concurrent client connections. When a cli
 > * **Avoid using too aggressive maxCount**. Client connections may close without completing the TCP handshake. SignalR service can't detect those "half-closed" connections immediately. The connection is taken as active until the heartbeat failure. Therefore, aggressive throttling strategies might unexpectedly throttle clients. A smoother approach is to **leave some buffer** for the connection count, for example: double the *maxCount*.
 
 
+## Client Traffic Control Rules
+Client Traffic Control Rules restrict the inbound throughput of client connections. When a client attempts to send a message, the rules are checked **sequentially**. Within each *aggregation window*, the message size will be aggregated to check against *max inbound message*. If any rule is violated, the connection is disconnected. 
+
+   #### TrafficThrottleByUserIdRule
+   This rule limits the inbound throughput of a user. 
+
+   #### TrafficThrottleByJwtSignatureRule
+   This rule limits the inbound throughput of each token.
 
 ## Set up Application Firewall 
 
@@ -64,22 +72,40 @@ Use Visual Studio Code or your favorite editor to create a file with the followi
 @description('The name for your Web PubSub service')
 param resourceName string = 'contoso'
 
-resource webpubsub 'Microsoft.SignalRService/webpubsub@2024-04-01-preview' = {
+resource webpubsub 'Microsoft.SignalRService/webpubsub@2024-10-01-preview' = {
   name: resourceName
   properties: {
     applicationFirewall:{
-        clientConnectionCountRules:[
-            // Add or remove rules as needed
-            {
-              // This rule will be skipped if no userId is set
-                type: 'ThrottleByUserIdRule'
-                maxCount: 5
-            }
-            {
-                type: 'ThrottleByJwtSignatureRule'
-                maxCount: 10
-            }
-        ]
+        clientConnectionCountRules: [
+        // Add or remove rules as needed
+        {
+          // This rule will be skipped if no userId is set
+            type: 'ThrottleByUserIdRule'
+            maxCount: 5
+        }
+        {
+            type: 'ThrottleByJwtSignatureRule'
+            maxCount: 10
+        }
+      ]
+      clientTrafficControlRules: [
+        // Add or remove rules as needed
+        {
+            // This rule will be skipped if no userId is set
+            type: 'TrafficThrottleByUserIdRule'
+            // Every minute
+            aggregationWindowInSeconds: 60
+            // 10MB
+            maxInboundMessageBytes: 10485760
+        }
+        {
+            type: 'TrafficThrottleByJwtSignatureRule'
+            // Every 30 seconds
+            aggregationWindowInSeconds: 30
+            // 5MB
+            maxInboundMessageBytes: 5242880
+        }
+      ]
     }
   }
 }

articles/azure-web-pubsub/howto-configure-application-firewall.md

@@ -752,8 +752,6 @@
     href: configure-connector-login-detection.md        
   - name: Create a custom connector
     href: create-custom-connector.md
-  - name: Create a codeless connector
-    href: create-codeless-connector.md
   - name: Normalize data
     items:
     - name: ASIM overview
@@ -766,8 +764,6 @@
       href: normalization-ingest-time.md
     - name: Use ASIM
       href: normalization-about-parsers.md
-    - name: Develop ASIM parsers
-      href: normalization-develop-parsers.md
     - name: Manage ASIM parsers
       href: normalization-manage-parsers.md
     - name: Modify content to use ASIM
@@ -1147,10 +1143,16 @@
       href: sentinel-integration-guide.md
     - name: Partner integrations best practices
       href: partner-integrations.md
+    - name: Creating codeless data connectors (CCP)
+      href: create-codeless-connector.md
+    - name: Creating analytics rules
+      href: sentinel-analytic-rules-creation.md
     - name: Creating workbooks
       href: sentinel-workbook-creation.md
     - name: Creating playbooks
       href: sentinel-playbook-creation.md
+    - name: Creating ASIM parsers
+      href: normalization-develop-parsers.md
     - name: Publish solutions
       href: publish-sentinel-solutions.md
     - name: Solution lifecycle post publish