Configure a Web Application Firewall rate limit rule using Azure PowerShell
The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from clients within a one-minute period. This article shows how to use Azure PowerShell to configure a WAF rate limit rule that controls the number of requests clients can send to web application URLs that contain /promo.
If you don't have an Azure subscription, create a free account before you begin.
Rate limits are applied for each client IP address. If multiple clients access your Front Door from different IP addresses, each client has its own rate limit applied.
Before you begin to set up a rate limit policy, set up your PowerShell environment and create a Front Door profile.
Set up your PowerShell environment
Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.
You can install Azure PowerShell on your local machine and use it in any PowerShell session. Follow the instructions on the page to sign in with your Azure credentials and install the Az PowerShell module.
Connect to Azure with an interactive dialog for sign in
Before you install the Front Door module, make sure the current version of PowerShellGet is installed. Run the following command and reopen PowerShell.
Install-Module PowerShellGet -Force -AllowClobber
Install the Az.FrontDoor module
Install-Module -Name Az.FrontDoor
Create a Front Door profile
Create a Front Door profile by following the instructions described in Quickstart: Create a Front Door profile.
Define URL match conditions
Define a URL match condition (URL contains /promo) using New-AzFrontDoorWafMatchConditionObject. The following example matches /promo as the value of the RequestUri variable:
$promoMatchCondition = New-AzFrontDoorWafMatchConditionObject `
   -MatchVariable RequestUri `
   -OperatorProperty Contains `
   -MatchValue "/promo"
Create a custom rate limit rule
Set a rate limit using New-AzFrontDoorWafCustomRuleObject. In the following example, the limit is set to 1000. Requests from any client to the promo page exceeding 1000 during one minute are blocked until the next minute starts.
$promoRateLimitRule = New-AzFrontDoorWafCustomRuleObject `
   -Name "rateLimitRule" `
   -RuleType RateLimitRule `
   -MatchCondition $promoMatchCondition `
   -RateLimitThreshold 1000 `
   -Action Block `
   -Priority 1
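To see how a threshold behaves per client IP and per minute before deploying the rule in Prevention mode, the following added example (not part of the original article and not Microsoft's code) models the rule offline over constructed request records. It assumes fixed one-minute windows per client IP as described above; Test-PromoRateLimit, the record fields (Time, ClientIp, Uri) and the sample traffic are hypothetical.

```powershell
# Added example: offline model of the /promo rate limit rule. Makes no Azure calls.
# Assumption: counters are kept per client IP and reset at the start of each minute.
function Test-PromoRateLimit {
    param(
        [Parameter(Mandatory)] [object[]] $Requests,   # records with Time, ClientIp, Uri
        [int]    $Threshold  = 1000,                   # same value as -RateLimitThreshold
        [string] $MatchValue = '/promo'                # same value as -MatchValue
    )
    $counts = @{}   # "ip|minute" -> matching requests seen so far in that minute
    foreach ($r in $Requests | Sort-Object Time) {
        $action = 'Allow'
        # Substring test standing in for the RequestUri Contains condition
        if ($r.Uri.Contains($MatchValue)) {
            $key = '{0}|{1}' -f $r.ClientIp, $r.Time.ToString('yyyyMMddHHmm')
            $counts[$key] = 1 + [int]$counts[$key]     # a missing key counts as 0
            if ($counts[$key] -gt $Threshold) { $action = 'Block' }
        }
        [pscustomobject]@{
            Time = $r.Time; ClientIp = $r.ClientIp; Uri = $r.Uri; Action = $action
        }
    }
}

# Constructed sample traffic (documentation IP ranges), not real logs.
$t0 = [datetime]'2024-01-01T12:00:00'
$sample = @(
    # Client A: five /promo requests inside the same minute
    0..4 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds($_ * 5); ClientIp = '203.0.113.10'; Uri = '/promo/sale' }
    }
    # Client B: two /promo requests in that minute, counted separately from client A
    0..1 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds($_ * 5 + 1); ClientIp = '198.51.100.7'; Uri = '/promo/sale' }
    }
    # Client A: a URL that does not match the condition is never counted
    [pscustomobject]@{ Time = $t0.AddSeconds(30); ClientIp = '203.0.113.10'; Uri = '/home' }
    # Client A: first /promo request of the next minute, counter starts again
    [pscustomobject]@{ Time = $t0.AddSeconds(61); ClientIp = '203.0.113.10'; Uri = '/promo/sale' }
)

# A threshold of 3 keeps the sample small; the article's rule uses 1000.
$result = Test-PromoRateLimit -Requests $sample -Threshold 3
$result | Group-Object ClientIp, Action | Select-Object Name, Count
```

Feeding the function records parsed from your own access logs, with the threshold you intend to deploy, shows which clients the rule would have blocked.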
Configure a security policy
Find the name of the resource group that contains the Front Door profile using Get-AzResourceGroup. Next, configure a security policy with a custom rate limit rule using New-AzFrontDoorWafPolicy in the specified resource group that contains the Front Door profile.
The following example uses New-AzFrontDoorWafPolicy with the resource group name myResourceGroupFD1, on the assumption that you created the Front Door profile by following the instructions in the Quickstart: Create a Front Door article.
$ratePolicy = New-AzFrontDoorWafPolicy `
   -Name "RateLimitPolicyExamplePS" `
   -ResourceGroupName myResourceGroupFD1 `
   -Customrule $promoRateLimitRule `
   -Mode Prevention `
   -EnabledState Enabled
Link policy to a Front Door front-end host
Link the security policy object to an existing Front Door front-end host and update the Front Door properties. First, retrieve the Front Door object using the Get-AzFrontDoor command. Next, set the front-end WebApplicationFirewallPolicyLink property to the resource ID of the $ratePolicy object created in the previous step, and apply the change using the Set-AzFrontDoor command.
The following example uses the resource group name myResourceGroupFD1, on the assumption that you created the Front Door profile by following the instructions in the Quickstart: Create a Front Door article. In the example, replace $frontDoorName with the name of your Front Door profile.
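# Retrieve the Front Door profile
$FrontDoorObjectExample = Get-AzFrontDoor `
   -ResourceGroupName myResourceGroupFD1 `
   -Name $frontDoorName
# Link the policy to the first front-end endpoint. FrontendEndpoints is a collection,
# so the element is indexed explicitly; a property cannot be assigned through the collection itself.
$FrontDoorObjectExample.FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $ratePolicy.Id
# Push the updated object back to Azure
Set-AzFrontDoor -InputObject $FrontDoorObjectExample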
You only need to set the WebApplicationFirewallPolicyLink property once to link a security policy to a Front Door front-end. Subsequent policy updates are automatically applied to the front-end.