Azure Front Door WAF rate-limit behind NAT

Pantelis, Vasilis 1

Hello,

I was researching Azure FrontDoor rate-limiting capabilities and as far as I can tell rate-limiting happens on an IP level, ie: when an IP surpasses the limit set for a given threshold it's blocked from calling the backend for a certain amount of time (I think 1 minute by default, not sure if that's configurable at all).

My question is, if the offending client is behind a NAT network (a corporate network for example), then the whole network and all other clients in it are also rate-limited. Is there a way in Azure FrontDoor WAF to set the rate-limit for that client only? For example, is there a way to rate limit depending on a header value or some way to differentiate the offending client from all the other clients behind the same network and IP?

Thank you,
Vasilis

1 answer

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2022-03-31T12:41:10.023+00:00

Hello @Pantelis, Vasilis ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if there is a way to rate limit on Azure Front Door WAF depending on a header value or some way to differentiate the offending client from all the other clients sitting behind NAT?

It should be possible.
As documented in our documentation,

Rate limits can be combined with additional match conditions such as HTTP(S) parameter matches for granular rate control.

So, you can combine the rate limit rules with HTTP/HTTPS request parameters such as query strings, POST args, Request URI, Request Header, and Request Body.

Refer the below doc on how to configure a WAF rate limit rule using Azure PowerShell & linking it to Azure Front Door:
https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-powershell?toc=/azure/frontdoor/toc.json

From Azure Portal, you can configure the same WAF policies --> custom policies --> Add custom rule as below:

In the match conditions, you can configure "matchVariable": "RequestHeader".
Refer the below article for how to define the HTTP match parameters:
https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules#waf-custom-rules-example-based-on-http-parameters

Kindly let us know if the above helped or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Pantelis, Vasilis 1 Reputation point

2022-04-06T09:15:15.87+00:00

Hi,

Thank you for the prompt response. Unfortunately this doesn't help all that much. We cannot safely put values in a header match rule that would be different per client.

Imagine if someone behind a NAT network opened our login page and entered some credentials and for some unknown reason the API call to authorize the credentials starts hitting the endpoint multiple times per second. How would I construct a rate-limit rule to say "this person behind the NAT network is abusing my endpoint, rate-limit them" instead of "this IP is abusing my endpoint, rate-limit it"?

And of course, the rule should be such that an actual attacker would get blocked, and that blocking should happen at the edge (where the rate-limit rules are defined).

Thank you again for your answers,
Vasilis

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2022-04-06T11:38:18.327+00:00

Hello @Pantelis, Vasilis ,

Thank you for the update.

Let me discuss this requirement with the Azure Front Door Product Group to get more information and will keep you posted.

Regards,
Gita

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2022-04-06T16:51:46.907+00:00

Hello @Pantelis, Vasilis ,

Below is the response from our Product Group team on this requirement:

There is no straightforward way to achieve this. Some of the options that can be tried are as below:

1) We can match based on specific url and do rate limiting only for that url. For example we can do rate limiting based on www.contoso-ad.com/login.php
Refer the rate limiting section in the below blog where this approach is covered:
https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020

2) There are some header values which are unique per client ( e.g: Cookie ). Those header values can be leveraged.

3) Other option is to ask the NAT device to insert X-Forward-for header with the client ip value

Kindly let us know if the above helps.
I've also reached out to the Azure WAF Product Group team and awaiting their response. Will keep you posted.

Regards,
Gita

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2022-04-07T13:47:33.463+00:00

Hello @Pantelis, Vasilis ,

One more addition to this:

There are two type of match variables in IP address match, RemoteAddr and SocketAddr. RemoteAddr is the original client IP that is usually sent via X-Forwarded-For request header. SocketAddr is the source IP address WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.

You can configure a rate limiting rule with the "RemoteAddr" match variable.

Refer : https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction

Regards,
Gita

Pantelis, Vasilis 1 Reputation point

2022-04-21T10:49:45.423+00:00

Hello again,

Sorry for the delay in my response. This is pretty much what we already knew about Azure Front Door. It's impossible to control our customers' network configuration so a lot of them will probably not use a proxy that applies the X-Forwarded-For header in requests but use NAT on a lower level.

Cookies are probably the only way that makes some sense as they can be created per session and then used as a parameter for rate-limiting. We are considering our options but would love to see automatic cookie handling or some other mechanism on Azure Front Door for rate limiting, in the sense that we would like to leverage Azure's edge network to do this work for us and not have packets even reaching our backend if they are considered malicious per our rate-limiting rules.

Thank you for your time and effort in this request.

Kind regards,
Vasilis

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2022-04-21T11:40:23.043+00:00

Thank you for the update, @Pantelis, Vasilis .

I would request you to leave your feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789

I will also share this feedback internally to the Azure Front Door product group team.

Regards,
Gita
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Front Door WAF rate-limit behind NAT

1 answer

Your answer