Introduction:
Web applications are often exposed to various types of attacks, such as denial-of-service (DoS), brute force, or credential stuffing. These attacks can overwhelm your application with a large number of requests, affecting its performance and availability. To prevent these attacks, you need a way to detect and block abnormal traffic patterns and limit the rate of requests to your application.
In this blog post, we will introduce a new feature - Rate limiting for Azure Web Application Firewall on Application Gateway that is currently in Public Preview. This feature allows you to define custom rules to limit the number of requests from different sources, such as IP addresses, geographies, or user sessions. By using rate limiting on Application Gateway WAF_v2, you can mitigate many types of attacks, protect against misconfigured clients, or control traffic rates from specific regions.
What is rate limiting for Application Gateway WAF?
Rate limiting for Web Application Firewall (WAF) on Application Gateway allows you to define custom rules to limit the number of requests that match certain conditions within a specified time period. For example, you can limit the number of requests per minute from a single IP address, or the number of requests per hour from a certain country. By doing so, you can prevent your application from being overwhelmed by excessive or malicious traffic.
This feature uses a sliding window algorithm to determine when traffic has exceeded the threshold and needs to be dropped. During the first window where the threshold for the rule is breached, any more traffic matching the rate limit rule is dropped. From the second window onwards, traffic up to the threshold within the window configured is allowed, producing a throttling effect.
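The throttling behaviour described above can be made concrete with a small simulation. The following Python is an added illustration, not code from Microsoft or from the Application Gateway WAF: it implements a per-key sliding window in which only allowed requests are counted toward the threshold (an assumption about the real implementation), groups requests by client IP address, and replays constructed traffic against a 100-requests-per-minute rule so the first-window drop and the steady-state throttle are both visible. The IP addresses and timestamps are made up for the example.

```python
from collections import defaultdict, deque

class SlidingWindowRateLimiter:
    """Allow at most `threshold` requests per key within any `duration_ms` window."""

    def __init__(self, threshold: int, duration_ms: int):
        self.threshold = threshold
        self.duration_ms = duration_ms
        # key (e.g. client IP) -> timestamps (ms) of requests that were allowed
        self._hits = defaultdict(deque)

    def check(self, key: str, ts_ms: int) -> str:
        """Return "allow" or "drop" for one request at time ts_ms."""
        window = self._hits[key]
        # Expire hits that have slid out of the window (assumption: only allowed
        # requests occupy the window, so dropped ones do not extend the block).
        while window and ts_ms - window[0] >= self.duration_ms:
            window.popleft()
        if len(window) >= self.threshold:
            return "drop"  # threshold already reached inside this window
        window.append(ts_ms)
        return "allow"

def simulate(limiter: SlidingWindowRateLimiter, requests):
    """Replay (timestamp_ms, client_ip) pairs; tally allow/drop per client."""
    tally = defaultdict(lambda: {"allow": 0, "drop": 0})
    for ts_ms, client_ip in requests:
        tally[client_ip][limiter.check(client_ip, ts_ms)] += 1
    return dict(tally)

def constructed_traffic():
    """Constructed sample traffic (integer ms timestamps avoid float drift).

    10.0.0.1 sends two bursts of 150 requests, each spread over 30 s:
    one starting at t=0 and one starting at t=60 s.
    10.0.0.2 sends one request per second for 50 s and never breaches.
    """
    reqs = [(i * 200, "10.0.0.1") for i in range(150)]
    reqs += [(60_000 + i * 200, "10.0.0.1") for i in range(150)]
    reqs += [(i * 1000, "10.0.0.2") for i in range(50)]
    reqs.sort()
    return reqs

if __name__ == "__main__":
    limiter = SlidingWindowRateLimiter(threshold=100, duration_ms=60_000)
    for ip, counts in simulate(limiter, constructed_traffic()).items():
        print(f"{ip}: allowed={counts['allow']} dropped={counts['drop']}")
```

In the first burst the 101st request from 10.0.0.1 is dropped and the remaining 49 with it; in the second burst, which begins exactly 60 s later, the earliest hits expire one by one as each new request arrives, so the client is again allowed 100 requests and then throttled. 10.0.0.2 is counted separately because the limiter groups by client address, so its lower rate is never affected by its neighbour's burst.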
How to configure rate limiting policies?
Rate limiting is configured using custom WAF rules in a policy. You can create multiple rate limit rules that match different variables and paths within your policy. Each rule has a threshold, a match condition, and a group by variable.
The threshold is the number of requests allowed within the specified time period. For example, you can set a threshold of 100 requests per minute or 1000 requests per hour.
The match condition is the criteria that determines when to activate the rate limit. You can match various variables, such as request method, header, query string, body, cookie, or path. For example, you can match requests with a specific user agent or cookie value.
The group by variable is the variable that defines how requests are grouped and counted for a matching rate limit rule. You can choose one of the following three options:
Use cases for Rate limiting:
Rate limiting can be used for various scenarios, such as:
Best practices for Rate limiting Feature on Application Gateway WAF:
Here are some of the best practices that you should be aware of while configuring this feature.
Configuring rate limiting on Application Gateway WAF:
If you want to try out rate limiting on Application Gateway WAF_v2 (preview), you can follow these steps:
Example Scenario:
Here we have set up an Application Gateway WAF policy for a sample webpage with host IP 20.160.216.25. As we can see in the below image, a rate limit rule has been configured to deny traffic from a specific IP if the number of requests exceeds 100 within a duration of 1 minute.
To verify the functionality of this setup, you have two options: either manually reload the page http://20.160.216.25 more than 100 times (or whatever limit is specified on the rule) in less than a minute, or use a traffic generator tool such as the Microsoft Client to Server Traffic Tool or any simple script to send multiple requests to the destination IP address. After performing either of these actions, you will observe that the requests are blocked by the Application Gateway WAF because the configured rate limit rule has been triggered for that source IP address.
To analyze the traffic patterns for your web application in a given period of time, you can utilize the metrics that are available for your Application Gateway WAF as displayed in the below image.
Conclusion:
In this way, the Rate limiting feature on Application Gateway WAF can be used to manage and enhance your application’s traffic quality. It allows you to avoid undesirable or harmful requests, safeguard your resources and service, and adjust your traffic distribution according to your business objectives. Rate limiting can be applied in various situations, such as mitigating DoS attacks, protecting against misconfigured clients, and controlling traffic rates from specific regions.
Additional Resources: