Hello @Pantelis, Vasilis,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know if there is a way to rate limit on Azure Front Door WAF depending on a header value, or some way to differentiate the offending client from all the other clients sitting behind NAT.
It should be possible.
As documented in our documentation,
Rate limits can be combined with additional match conditions such as HTTP(S) parameter matches for granular rate control.
So, you can combine the rate limit rules with HTTP/HTTPS request parameters such as query strings, POST args, Request URI, Request Header, and Request Body.
Refer to the doc below on how to configure a WAF rate limit rule using Azure PowerShell and link it to Azure Front Door:
https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-powershell?toc=/azure/frontdoor/toc.json
From the Azure Portal, you can configure the same under WAF policies --> custom policies --> Add custom rule as below:
In the match conditions, you can configure "matchVariable": "RequestHeader".
Refer to the article below for how to define the HTTP match parameters:
https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules#waf-custom-rules-example-based-on-http-parameters
Kindly let us know if the above helped or you need further assistance on this issue.
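A rate limit rule scoped by a request header, as described in the answer above, written with the Az.FrontDoor PowerShell cmdlets. This is an added example, not code from the answer or from the linked documentation; the resource group, policy name, header name `X-Client-Id`, header value, threshold and priority are all assumed placeholders.

```powershell
# Added example. All names and values below are placeholders (assumptions).
$resourceGroup = 'example-rg'         # assumed: existing resource group
$policyName    = 'exampleWafPolicy'   # assumed: existing Front Door WAF policy
$headerName    = 'X-Client-Id'        # hypothetical header that identifies the client
$offendingId   = 'client-1234'        # constructed sample header value

# Match condition: only requests carrying this header value count toward the limit.
$headerCondition = New-AzFrontDoorWafMatchConditionObject `
    -MatchVariable RequestHeader `
    -Selector $headerName `
    -OperatorProperty Equal `
    -MatchValue $offendingId

# Rate limit rule: block matching requests above 100 per 1-minute window.
$rateLimitRule = New-AzFrontDoorWafCustomRuleObject `
    -Name 'RateLimitByClientHeader' `
    -RuleType RateLimitRule `
    -MatchCondition $headerCondition `
    -RateLimitThreshold 100 `
    -RateLimitDurationInMinutes 1 `
    -Action Block `
    -Priority 10

# Update-AzFrontDoorWafPolicy replaces the custom rule list, so merge with the
# rules already on the policy (dropping any earlier copy of this rule).
$policy = Get-AzFrontDoorWafPolicy -ResourceGroupName $resourceGroup -Name $policyName
$rules  = @($policy.CustomRules | Where-Object { $_.Name -ne $rateLimitRule.Name }) + $rateLimitRule

# Custom rule priorities must be unique; stop before pushing a conflicting set.
$clash = $rules | Group-Object Priority | Where-Object Count -gt 1
if ($clash) {
    throw "Priority $($clash.Name -join ', ') is used by more than one custom rule."
}

Update-AzFrontDoorWafPolicy `
    -ResourceGroupName $resourceGroup `
    -Name $policyName `
    -Customrule $rules
```

A request header is client-controlled, so this only separates clients behind a shared NAT address when the header is set or validated by something the client cannot tamper with; a client that drops or changes the header no longer matches the rule.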