Hi, you’re blocking everything: the IP scope 0.0.00/255.255.255.255 is invalid and your rule is likely a Match/Block (not a Rate limit), so every request gets 403 immediately and never recovers. Fix by:
- (a) recreating it as Rate limit (not Match),
- (b) scoping to RemoteAddr = 0.0.0.0/0 (and ::/0 for IPv6) or a narrower path/host,
- (c) setting threshold “100 per client per 1 min”, and
- (d) confirming you’re rate-limiting the real client IP; if traffic comes via a NAT/Front Door/AppGW chain, many users share one IP and will instantly hit the threshold, so apply the rule at the edge (Front Door) or raise the threshold.
To restore now, disable the rule or set action to Log and add an Allow rule for health probes; verify in WAF logs that rate-limited requests return 429 (403 means a plain Block), then tune threshold/window and scope.
Rate limiting does not work
We are trying a custom rule:
Rate
100 priority
100 hits
1 minute
IP address range 0.0.00/255.255.255.255
The application goes right away into Forbidden 403 and never comes back.
Azure Web Application Firewall
Harish Peddapally 1,330 Reputation points Microsoft External Staff Moderator
2025-09-15T06:35:51.73+00:00
Hi Todd Covert,
Welcome to Microsoft Q&A and thank you for posting your query here!
The issue with your custom rate limiting rule is caused by an invalid IP address range specification. The IP address range "0.0.00/255.255.255.255" is not valid and causes the rule to immediately block all traffic with a 403 Forbidden error.
How to Create a Rate Limiting Custom Rule in Azure Application Gateway WAF v2:
Rate limiting allows you to block traffic that exceeds a configured request threshold from a client IP address. Using an invalid IP address range causes all traffic to be blocked immediately (403 Forbidden).
Step-by-step to create a rate limiting rule limiting requests by client IP:
- Open an existing Application Gateway WAF Policy.
- Go to Custom Rules.
- Click Add Custom Rule.
- Enter a name for the rule.
- For Rule type, select Rate limit.
- Set Priority (e.g., 100).
- Choose 1 minute for Rate limit duration.
- Set the Rate limit threshold (requests) (e.g., 100).
- Select Client address for Group rate limit traffic by.
- Under Conditions, select IP address for Match type.
- For Operation, select Does not contain.
- For the IP address or range, enter 255.255.255.255/32.
- Leave the action setting to Deny traffic.
- Click Add.
- Click Save to activate the rule.
Important note on IP address range:
- To rate limit based on all IPs, use 255.255.255.255/32 as the negation condition.
- If you want to specify ranges, use valid CIDR notation (e.g., 0.0.0.0/0 for all IPs).
- Invalid IP range formats cause immediate blocking (403) without recovery.
Example PowerShell snippet for the rule:

```powershell
# Match variable: the client address of the request (RemoteAddr)
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

# Negated IPMatch on 255.255.255.255/32: "does not contain" this single address,
# which means the condition matches every client
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator IPMatch -MatchValue 255.255.255.255/32 -NegationCondition $True

# Count requests per client IP address
$groupByVariable = New-AzApplicationGatewayFirewallCustomRuleGroupByVariable -VariableName ClientAddr
$groupByUserSession = New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession -GroupByVariable $groupByVariable

# Rate limit rule: more than 100 requests per client per minute are blocked
$ratelimitrule = New-AzApplicationGatewayFirewallCustomRule -Name ClientIPRateLimitRule -Priority 100 -RateLimitDuration OneMin -RateLimitThreshold 100 -RuleType RateLimitRule -MatchCondition $condition -GroupByUserSession $groupByUserSession -Action Block -State Enabled
```

Official documentation link:
If you found the answer helpful, it would be great if you please mark it "Accept as answer". This will help others to find answers in Q&A.
Thanks,
Harish.
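As an added illustration of the answer above (this is a constructed example, not code from the question, from Harish's answer, or from Azure), the following Python script does two things that the answer describes in prose: it validates an IP scope the way the WAF expects CIDR notation (so the question's 0.0.00/255.255.255.255 is rejected while 0.0.0.0/0, ::/0 and 255.255.255.255/32 pass), and it models the rule the steps configure: a negated IP match on 255.255.255.255/32, requests counted per client address, 100 per 1 minute. The counter is a simple fixed window, which is an assumption for illustration and not a claim about Azure's internal algorithm; the client addresses and request timings are constructed, and decisions are reported as "allow"/"block" rather than as a specific HTTP status.

```python
"""Constructed model of an Application Gateway WAF rate-limit custom rule."""
from __future__ import annotations

import ipaddress


def validate_scope(value: str) -> tuple[bool, str]:
    """Check that a WAF IP match value is valid CIDR or a single address.

    Standard notation such as 0.0.0.0/0, ::/0 or 255.255.255.255/32 is accepted.
    The value from the question, 0.0.00/255.255.255.255, has only three octets
    before the slash and is rejected.
    """
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError as exc:
        return False, f"invalid: {value!r} ({exc})"
    return True, f"ok: {net} covers {net.num_addresses} address(es)"


class RateLimitRule:
    """Fixed-window counter keyed by client address (assumption: Azure's own
    counting algorithm is not modelled). Defaults mirror the answer's steps:
    IP address 'does not contain' 255.255.255.255/32, 100 requests per minute."""

    def __init__(self, match_value: str = "255.255.255.255/32", negate: bool = True,
                 threshold: int = 100, window_seconds: float = 60):
        ok, msg = validate_scope(match_value)
        if not ok:
            raise ValueError(msg)      # refuse the rule rather than deploy a broken scope
        self.net = ipaddress.ip_network(match_value, strict=False)
        self.negate = negate
        self.threshold = threshold
        self.window = window_seconds
        self.counters: dict[str, tuple[float, int]] = {}  # client -> (window_start, count)

    def applies_to(self, client_ip: str) -> bool:
        """True when the match condition selects this client."""
        addr = ipaddress.ip_address(client_ip)
        in_range = addr.version == self.net.version and addr in self.net
        return in_range != self.negate  # negation flips the match

    def evaluate(self, client_ip: str, now: float) -> str:
        """Return 'allow' or 'block' for one request at time `now` (seconds)."""
        if not self.applies_to(client_ip):
            return "allow"
        start, count = self.counters.get(client_ip, (None, 0))
        if start is None or now - start >= self.window:
            start, count = now, 0      # new window: the client recovers
        count += 1
        self.counters[client_ip] = (start, count)
        return "block" if count > self.threshold else "allow"


def simulate(rule: RateLimitRule, client_ip: str, n: int, start_at: float = 0.0) -> dict:
    """Send n requests 0.1 s apart from one client; return the decision counts."""
    counts = {"allow": 0, "block": 0}
    for i in range(n):
        counts[rule.evaluate(client_ip, start_at + i * 0.1)] += 1
    return counts


if __name__ == "__main__":
    for value in ("0.0.00/255.255.255.255", "0.0.0.0/0", "::/0", "255.255.255.255/32"):
        print(value, "->", validate_scope(value)[1])
    rule = RateLimitRule()
    # Constructed client: 120 requests in 12 s against a threshold of 100
    print("single client:", simulate(rule, "203.0.113.5", 120))
    # The same client after the window has rolled over is allowed again
    print("after 60 s:", rule.evaluate("203.0.113.5", 61.0))
    # Three constructed users behind one NAT address share a single counter
    print("NAT shared IP:", simulate(rule, "198.51.100.9", 40 * 3))
```

The first run shows the difference between the two failure modes discussed in the thread: an invalid scope is rejected before any rule exists, whereas a valid rule blocks only the requests beyond the threshold and lets the client through again once the window has passed. The NAT case shows why several users behind one address can exhaust a per-client threshold together.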