Azure Gateway File Upload Limits (4GB) even if Policy to inspect body is disabled or exclusion rules applied

Henk Ve 20 Reputation points
2023-11-21T02:48:21.9733333+00:00
We are receiving the following HTTP errors when uploading files larger than 4GB.
413 Request Entity Too Large
	413 Request Entity Too Large
	Microsoft-Azure-Application-Gateway/v2

According to the official MS Azure documentation*, it states the following:
*Web application firewall request size limits in Azure Application Gateway 
- https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#limits

WAF-V2 default limits the file upload size to 4GB. 

However, the upload size limits are STILL ENFORCED even if you 
disable the body inspection or disable OWASP WAF Rules (200002,200003,200004) completely or
configure WAF in prevention mode as mentioned a bit later in the same documentation.


How can we bypass the 4GB limits in Azure Gateway?
Our customers have a requirement to upload large files and they access a web application through the Azure Gateway.


Accepted answer
  1. GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee
    2023-11-21T07:42:42.8033333+00:00

    Hello @Henk Ve ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are receiving HTTP error 413 when uploading files larger than 4 GB in your Application gateway WAF v2 SKU.

    Azure Application gateway V2 has a maximum file upload limit of 4 GB for both Standard and WAF SKU (when you are using the new WAF engine with CRS 3.2 or newer). So, it doesn't matter if you are using WAF or not, the maximum limit for file upload remains at 4 GB as of today.


    Refer: https://video2.skills-academy.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#application-gateway-limits

    https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/waf-engine#support-for-new-features

    However, the upload size limits are STILL ENFORCED even if you disable the body inspection or disable OWASP WAF Rules (200002,200003,200004) completely or configure WAF in prevention mode as mentioned a bit later in the same documentation.

    The section of the documentation that you are referring to here is for "Request body inspection".

    The default value for request body size is 128 KB. But for CRS 3.2 (on the WAF_v2 SKU) and newer, you can set a 2 MB request body size limit.


    And if the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set. Same goes for max file upload limit field.


    The above section talks about the behavior of WAF inspecting the request body depending on the mode of the WAF.

    But the file upload limit remains the same which is 4 GB, and this is a hard limit. You cannot upload files larger than 4 GB as of today.

    If you wish you may upvote the feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    https://feedback.azure.com/d365community/idea/fcac56ec-005c-ec11-a819-0022484bf651

    Azure WAF Product Group team recommends looking into chunking file uploads to exceed the 4GB limit.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
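
The chunking approach recommended in the answer above, as an added example (not code from the original answer or from Microsoft): the client splits the file into byte ranges that each stay far below the 4 GB limit, and the back end reassembles them while rejecting gaps, overlaps and corrupted content. The function names, the 64 MiB chunk size, the `bytes start-end/total` range label and the whole-file SHA-256 check are assumptions about an application-defined upload protocol; the web application behind the gateway must implement the receiving side.

```python
import hashlib
import io

GATEWAY_LIMIT = 4 * 1024**3  # 4 GB hard limit from the answer, taken here as 4 GiB
CHUNK_SIZE = 64 * 1024**2    # assumed chunk size, chosen well below the limit


def plan_chunks(total_size, chunk_size=CHUNK_SIZE):
    """Return inclusive (start, end) byte ranges covering the whole file."""
    if not 0 < chunk_size < GATEWAY_LIMIT:
        raise ValueError("chunk size must be positive and below the gateway limit")
    return [(start, min(start + chunk_size, total_size) - 1)
            for start in range(0, total_size, chunk_size)]


def iter_chunks(stream, total_size, chunk_size=CHUNK_SIZE):
    """Client side: yield (range_label, body); each body is one HTTP request."""
    for start, end in plan_chunks(total_size, chunk_size):
        stream.seek(start)
        yield f"bytes {start}-{end}/{total_size}", stream.read(end - start + 1)


def reassemble(parts, expected_sha256):
    """Back end: accept chunks in any order; reject gaps, overlaps, corruption."""
    ranges, total = [], None
    for label, body in parts:
        spec, _, size = label.removeprefix("bytes ").partition("/")
        start, end, size = (int(v) for v in (*spec.split("-"), size))
        if total not in (None, size) or end - start + 1 != len(body) or end >= size:
            raise ValueError(f"inconsistent chunk {label!r}")
        total = size
        ranges.append((start, end, body))
    out, offset = io.BytesIO(), 0
    for start, end, body in sorted(ranges, key=lambda r: r[0]):
        if start != offset:
            raise ValueError(f"gap or overlap at byte {offset}")
        out.write(body)
        offset = end + 1
    data = out.getvalue()
    if offset != total or hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("incomplete upload or digest mismatch")
    return data


if __name__ == "__main__":
    blob = bytes(range(256)) * 40  # constructed sample payload (10,240 bytes)
    parts = list(iter_chunks(io.BytesIO(blob), len(blob), chunk_size=4096))
    assert reassemble(reversed(parts), hashlib.sha256(blob).hexdigest()) == blob
```

A production receiver would stream chunks to disk or object storage rather than hold them in memory, and would authenticate every chunk request the same way as a single upload.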

