|
| 1 | +--- |
| 2 | +title: Create rate limiting custom rules for Application Gateway WAF v2 (preview) |
| 3 | +titleSuffix: Azure Web Application Firewall |
| 4 | +description: Learn how to configure rate limit custom rules for Application Gateway WAF v2. |
| 5 | +services: web-application-firewall |
| 6 | +author: joeolerich |
| 7 | +ms.service: web-application-firewall |
| 8 | +ms.date: 07/28/2023 |
| 9 | +ms.author: victorh |
| 10 | +ms.topic: how-to |
| 11 | +--- |
| 12 | + |
| 13 | +# Create rate limiting custom rules for Application Gateway WAF v2 (preview) |
| 14 | + |
| 15 | +> [!IMPORTANT] |
| 16 | +> Rate limiting for Web Application Firewall on Application Gateway is currently in PREVIEW. |
| 17 | +> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| 18 | +
|
| 19 | +Rate limiting enables you to detect and block abnormally high levels of traffic destined for your application. Rate Limiting works by counting all traffic that that matches the configured Rate Limit rule and performing the configured action for traffic matching that rule which exceeds the configured threshold. |
| 20 | + |
| 21 | +## Configure Rate Limit Custom Rules |
| 22 | + |
| 23 | +Use the following information to configure Rate Limit Rules for Application Gateway WAFv2. |
| 24 | + |
| 25 | +**Scenario One** - Create rule to rate-limit traffic by Client IP that exceed the configured threshold, matching all traffic. |
| 26 | + |
| 27 | +#### [Portal](#tab/browser) |
| 28 | + |
| 29 | +1. Open an existing Application Gateway WAF Policy |
| 30 | +1. Select Custom Rules |
| 31 | +1. Add Custom Rule |
| 32 | +1. Add Name for the Custom Rule |
| 33 | +1. Select the Rate limit Rule Type radio button |
| 34 | +1. Enter a Priority for the rule |
| 35 | +1. Choose 1 minute for Rate limit duration |
| 36 | +1. Enter 200 for Rate limit threshold (requests) |
| 37 | +1. Select Client address for Group rate limit traffic by |
| 38 | +1. Under Conditions, choose IP address for Match Type |
| 39 | +1. For Operation, select the Does not contain radio button |
| 40 | +1. For match condition, under IP address or range, enter 255.255.255.255/32 |
| 41 | +1. Leave action setting to Deny traffic |
| 42 | +1. Select Add to add the custom rule to the policy |
| 43 | +1. Select Save to save the configuration and make the custom rule active for the WAF policy. |
| 44 | + |
| 45 | +#### [PowerShell](#tab/powershell) |
| 46 | + |
| 47 | +```azurepowershell |
| 48 | +$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr |
| 49 | +$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator IPMatch -MatchValue 255.255.255.255/32 -NegationCondition $True |
| 50 | +$groupByVariable = New-AzApplicationGatewayFirewallCustomRuleGroupByVariable -VariableName ClientAddr |
| 51 | +$groupByUserSession = New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession -GroupByVariable $groupByVariable |
| 52 | +$ratelimitrule = New-AzApplicationGatewayFirewallCustomRule -Name ClientIPRateLimitRule -Priority 90 -RateLimitDuration OneMin -RateLimitThreshold 100 -RuleType RateLimitRule -MatchCondition $condition -GroupByUserSession $groupByUserSession -Action Block -State Enabled |
| 53 | +``` |
| 54 | +#### [CLI](#tab/cli) |
| 55 | +```azurecli |
| 56 | +az network application-gateway waf-policy custom-rule create --policy-name ExamplePolicy --resource-group ExampleRG --action Block --name ClientIPRateLimitRule --priority 90 --rule-type RateLimitRule --rate-limit-threshold 100 --group-by-user-session '[{'"groupByVariables"':[{'"variableName"':'"ClientAddr"'}]}]' |
| 57 | +az network application-gateway waf-policy custom-rule match-condition add --match-variables RemoteAddr --operator IPMatch --policy-name ExamplePolicy --name ClientIPRateLimitRule --resource-group ExampleRG --value 255.255.255.255/32 --negate true |
| 58 | +``` |
| 59 | +* * * |
| 60 | + |
| 61 | +**Scenario Two** - Create Rate Limit Custom Rule to match all traffic except for traffic originating from the United States. Traffic will be grouped, counted and rate limited based on the GeoLocation of the Client Source IP address |
| 62 | + |
| 63 | +#### [Portal](#tab/browser) |
| 64 | + |
| 65 | +1. Open an existing Application Gateway WAF Policy |
| 66 | +1. Select Custom Rules |
| 67 | +1. Add Custom Rule |
| 68 | +1. Add Name for the Custom Rule |
| 69 | +1. Select the Rate limit Rule Type radio button |
| 70 | +1. Enter a Priority for the rule |
| 71 | +1. Choose 1 minute for Rate limit duration |
| 72 | +1. Enter 500 for Rate limit threshold (requests) |
| 73 | +1. Select Geo location for Group rate limit traffic by |
| 74 | +1. Under Conditions, choose Geo location for Match Type |
| 75 | +1. In the Match variables section, select RemoteAddr for Match variable |
| 76 | +1. Select the Is not radio button for operation |
| 77 | +1. Select United States for Country/Region |
| 78 | +1. Leave action setting to Deny traffic |
| 79 | +1. Select Add to add the custom rule to the policy |
| 80 | +1. Select Save to save the configuration and make the custom rule active for the WAF policy. |
| 81 | + |
| 82 | +#### [PowerShell](#tab/powershell) |
| 83 | +```azurepowershell |
| 84 | +$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr |
| 85 | +$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator GeoMatch -MatchValue "US" -NegationCondition $True |
| 86 | +$groupByVariable = New-AzApplicationGatewayFirewallCustomRuleGroupByVariablde -VariableName GeoLocation |
| 87 | +$groupByUserSession = New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession -GroupByVariable $groupByVariable |
| 88 | +$ratelimitrule = New-AzApplicationGatewayFirewallCustomRule -Name GeoRateLimitRule -Priority 95 -RateLimitDuration OneMin -RateLimitThreshold 500 -RuleType RateLimitRule -MatchCondition $condition -GroupByUserSession $groupByUserSession -Action Block -State Enabled |
| 89 | +``` |
| 90 | +#### [CLI](#tab/cli) |
| 91 | +```azurecli |
| 92 | +az network application-gateway waf-policy custom-rule create --policy-name ExamplePolicy --resource-group ExampleRG --action Block --name GeoRateLimitRule --priority 95 --rule-type RateLimitRule --rate-limit-threshold 500 --group-by-user-session '[{'"groupByVariables"':[{'"variableName"':'"GeoLocation"'}]}]' |
| 93 | +az network application-gateway waf-policy custom-rule match-condition add --match-variables RemoteAddr --operator GeoMatch --policy-name ExamplePolicy --name GeoRateLimitRule --resource-group ExampleRG --value US --negate true |
| 94 | +``` |
| 95 | +* * * |
| 96 | + |
| 97 | +**Scenario Three** - Create Rate Limit Custom Rule matching all traffic for the login page, and using the GroupBy None variable. This will group and count all traffic which matches the rule as one, and apply the action across all traffic matching the rule (/login). |
| 98 | + |
| 99 | +#### [Portal](#tab/browser) |
| 100 | + |
| 101 | +1. Open an existing Application Gateway WAF Policy |
| 102 | +1. Select Custom Rules |
| 103 | +1. Add Custom Rule |
| 104 | +1. Add Name for the Custom Rule |
| 105 | +1. Select the Rate limit Rule Type radio button |
| 106 | +1. Enter a Priority for the rule |
| 107 | +1. Choose 1 minute for Rate limit duration |
| 108 | +1. Enter 100 for Rate limit threshold (requests) |
| 109 | +1. Select None for Group rate limit traffic by |
| 110 | +1. Under Conditions, choose String for Match Type |
| 111 | +1. In the Match variables section, select RequestUri for Match variable |
| 112 | +1. Select the Is not radio button for operation |
| 113 | +1. For Operator select contains |
| 114 | +1. Enter Login page path for match Value. In this example we use /login |
| 115 | +1. Leave action setting to Deny traffic |
| 116 | +1. Select Add to add the custom rule to the policy |
| 117 | +1. Select Save to save the configuration and make the custom rule active for the WAF policy. |
| 118 | + |
| 119 | +#### [PowerShell](#tab/powershell) |
| 120 | +```azurepowershell |
| 121 | +$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestUri |
| 122 | +$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains -MatchValue "/login" -NegationCondition $True |
| 123 | +$groupByVariable = New-AzApplicationGatewayFirewallCustomRuleGroupByVariable -VariableName None |
| 124 | +$groupByUserSession = New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession -GroupByVariable $groupByVariable |
| 125 | +$ratelimitrule = New-AzApplicationGatewayFirewallCustomRule -Name LoginRateLimitRule -Priority 99 -RateLimitDuration OneMin -RateLimitThreshold 100 -RuleType RateLimitRule -MatchCondition $condition -GroupByUserSession $groupByUserSession -Action Block -State Enabled |
| 126 | +``` |
| 127 | +#### [CLI](#tab/cli) |
| 128 | +```azurecli |
| 129 | +az network application-gateway waf-policy custom-rule create --policy-name ExamplePolicy --resource-group ExampleRG --action Block --name LoginRateLimitRule --priority 99 --rule-type RateLimitRule --rate-limit-threshold 100 --group-by-user-session '[{'"groupByVariables"':[{'"variableName"':'"None"'}]}]' |
| 130 | +az network application-gateway waf-policy custom-rule match-condition add --match-variables RequestUri --operator Contains --policy-name ExamplePolicy --name LoginRateLimitRule --resource-group ExampleRG --value '/login' |
| 131 | +``` |
| 132 | +* * * |
| 133 | + |
| 134 | +## Next steps |
| 135 | + |
| 136 | +[Customize web application firewall rules](application-gateway-customize-waf-rules-portal.md) |
0 commit comments