Azure Front Door WAF rate limit policy doesn't block request for full rate limit duration

Mikiel Agutu 0

Hello

I have set up a rate limit WAF for Azure Front Door. I set it to 200 requests in a 5 minute window. After testing with a script to send 3000 requests in 60s I find that only some of my requests are blocked.

When configuring the WAF, the tooltip says 'Maximum number of requests allowed within the defined rate limit duration'. Therefore I would expect all requests to be blocked once the first one has hit the threshold, and for the block to last around 5 minutes. However this is not the case.

I am aware of this from the docs:

Requests from the same client may arrive at different Azure Front Door servers that haven't refreshed the rate limit counters yet. If the threshold is low enough, the first request to the new Azure Front Door server could pass the rate limit check. For a low threshold (for example, less than about 200 requests per minute), you might see some requests above the threshold get through. It's also worth noting that Azure Front Door WAF rate limiting operates on a fixed time period, so once a rate limit threshold is breached, all traffic matching that rate limiting rule is blocked for the remainder of the fixed window.

However I would still expect that, at some point, all the servers catch up and then I am blocked consistently for 5 minutes. But that doesn't seem to happen.

So what is the expected behavior? Is it possible for an IP to be be fully blocked or is it expected to always be a bit flaky?

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-05-07T11:43:53.0733333+00:00
@Mikiel Agutu ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Thank you for your observation.

I see you are following the document Rate limits and Azure Front Door servers.

Can you provide more information on your setup?

Are you sure your API is using the same IP (or IP that matches the Rate limiting rule) for all the 3000 requests?

With "I find that only some of my requests are blocked" , can you give us the exact number/percentage of requests blocked (in the overall 3000)

Wrt, "I would still expect that, at some point, all the servers catch up and then I am blocked consistently for 5 minutes. But that doesn't seem to happen",

Are you talking about the 1st test (1st 3000 requets)?

Or are you talking about a 2nd test (2nd 3000 requests) and the requests from the 2nd test is still going through even before the 5 minutes from the 1st test cools off

If so, can you give us an exact number/percentage on how many requests from the 2nd test went through in the first 5 minute window.

Cheers,

Kapil
Mikiel Agutu 0 Reputation points

2024-05-07T13:49:15.0466667+00:00

Hello Kapil

I have run some more tests and here are my findings:

With 1000 requests, only 191 were blocked

With 3000 requests, only 847 were blocked

Given I configured the limit to 200 requests, I would expect that the majority should be blocked, even taking the rate limit synchronization issue into account.

These were performed with a 'fresh' rate limit window. I am running the test from my laptop so I don't see why Front Door would consider these requests to becoming from different IP addresses.
KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-05-08T05:28:07.3733333+00:00

@Mikiel Agutu ,

To troubleshoot further, we will need a specialized 1:1 session, where a support engineer can have a screen share session and check the backend logs.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need a one-time free technical support , please check my private message.

Cheers,

Kapil

Share via

Azure Front Door WAF rate limit policy doesn't block request for full rate limit duration