Azure FrontDoor (classic) and WAF can not stop brute-attacks! There is no global rate-limit configuration!

Question

Hello,

Questions first;

1. Is there any way of configuring FrontDoor/WAF to stop brute-attacks with Global Rate Limit or some other way?
2. If we can not stop brute-attacks via FrontDoor/WAF, then what is Microsoft's offer to apply those logic, configurations?

• Azure Application Gateway?
• DNS provider DDoS configurations?
• Any other way?

and more details about the questions above;

I've successfully set up FD (classic) for one of our Azure web-app. (1) and added a custom domain (2), also enabled the WAF for the web-app protection (3). I can confirm the process with those steps (please correct me if my confirmation process is wrong);

1. I do nslookup for the CNAME for the custom domain that connects us to the Azure web app and it points out the FrontDoor default host/endpoint.
2. I do request to domain and I can see the request count on FrontDoor (classic) metrics.
3. Similarly, I can see the same request count on the Azure web-app metrics! Which is the question of this post!

So, as I've explained above, interestingly I can see all requests goes from FrontDoor on the metrics of my web app. Basically, we need the FrontDoor to avoid any brute-attack on the custom domain which connects us to the Azure web app. I had researched how to configure WAF with Prevention policy mode and custom rules more in deep (4) and applied all samples also some individual configurations from my own.

I had keep tried some basic brute-attacks by myself to the web-app service and all the requests were passing through Frondoor and then received by the web app. Below you'll find some metrics screenshot which shows the same requests on both FrontDoor metrics page and Web-app Application Insight metrics.

Metrics:

• FrontDoor requests: https://nimb.ws/Qovr5a
• Web-app requests: https://nimb.ws/OwJMfQ

Meanwhile, I had keep searching for how to setup WAF in a better way and find out two articles from Azure customer/users which says "There is no any Global Rate Limit" configuration for the Azure WAF and FrontDoor. Article writers say the information comes from the Azure support team. (5)

Thus, I wanted to ask the two questions above to you, so you can clear the situation and show the correct path to us/customers/users about WAF and Global Rate Limits or stopping the brute-attacks.

Thanks for your time and answers.

---

(1) I've followed this article to setup FrontDoor (classic) @ https://learn.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door

(2) I've followed this article to add a custom domain on FrontDoor (classic) @ https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain

(3) I've followed those articles to configure WAF on FrontDoor (classic) @ https://learn.microsoft.com/en-us/azure/frontdoor/front-door-waf @ https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview @ https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal @ https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-tuning

(4) I've followed those articles to configure custom rules for WAF @ https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules @ https://techcommunity.microsoft.com/t5/azure-network-security/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020

(5) The articles that mentions about there is no any Global Rate Limit on WAF @ https://faun.pub/what-azure-waf-cant-do-2290c86351c4 @ https://serverfault.com/questions/1068653/how-to-implement-rate-limiting-in-azure-web-application-firewallwaf

Answer 1

Hello @Nuri Engin , Thank you for reaching out and providing the detailed question above.

1. Azure WAF does provide a rate limiting option. You can go through this documentation to set a rate limit rule for Azure Front Door using WAF rate limit rule that controls the number of requests allowed from clients to a web application. Please be aware that rate limits are applied for each client IP address. If you have multiple clients accessing your Front Door from different IP addresses, they will have their own rate limits applied. Please let me know if you have any additional concerns here.

Update: Apologies I just went through this blog you shared above. As per the blog had you already configured the Rate Limit Rule above before doing the Brute test? (This rule will not work if you have any sort of proxy set-up before Azure Front Door) If yes can you please share a screenshot of the custom WAF rule configuration. Also as this rule prevents any client IP to exceed threshold defined for that specific path, are you looking for any particular way of rate limiting? You can explore the option of using Azure DDoS Protection Standard as discussed below.

2. Regarding the 2nd question's DDOS part. You can go through this documentation about how Azure Front Door prevents DDOS attack as it has Azure DDoS Protection Basic integrated by default. You can also configure Custom WAF rules or Integrate Azure DDoS Protection Standard for additional protection.

Please let me know if have any additional questions or concerns. Thank you!
(PS: I was not able to access the screenshot links shared above, if you have any additional questions can you please share those screenshots again. You can also do a Private comment above if it helps.)

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.