Rate Limit using Azure Application Gateway

There is no native mechanism within the Azure Application Gateway to apply rate limiting.

Probably the simplest would be to look at the Azure Front Door service:

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-overview

In particular the client rate limiting WAF rules:

https://docs.microsoft.com/en-us/azure/frontdoor/waf-overview#waf-rules

Note that this will restrict rate limits based on a specific client IP, if you have a whole range of clients, it won't necessarily help you.

Note that the Backend Pool for FrontDoor can be any hostname, so it can be a set of Virtual Machines, or you could have a simple Azure Load Balancer which you can use as an endpoint. Though I wouldn't suggest using an Azure Application Gateway in this setup as it duplicates functionality in Front Door and has a cost you don't have with a Basic Azure Load Balancer.

My recommendation would also be to look at Virtual Machine Scale Sets (VMSS) and use that as a mechanism to also auto-scale based on demand. That way you can rate limit individual client IPs (from the refresh button jamming), but also scale your application based on legitimate client volume - and scale back down again afterwards to save cost. See:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview

Finally, the link you reference is part of Azure API Management, which is a platform specifically for building and exposing complex API platforms. While you can achieve a range of traffic manipulation options using that service, it is probably not what you are looking for in this case, as it is geared as a more comprehensive enterprise API management platform with a whole range of capability that you won't need.

UPDATED: While it was easy for me to throw in some URLs it actually isn't very well documented how you would apply the policy to Azure Front Door to do what you want to achieve.

So here are some steps in PowerShell that give it a go - note it may not exactly be what you want, but it should get you started (using the new Az.Frontdoor module):

First we create a match condition, here I am matching any IP address (though you could build IP range specific conditions if you preferred):

$mc = New-AzFrontDoorMatchConditionObject -MatchVariable RemoteAddr -OperatorProperty Any

Next we create a custom rate limit rule, this will take that matching any match condition and if it sees more than 10 requests in a 1 minute period that meet that condition, it will block them for 1 minute (I think - this is a very new service and the documentation isn't super clear, this is what I found from some experimentation):

$cr = New-AzFrontDoorCustomRuleObject -Name MyRule1 -RuleType RateLimitRule -MatchCondition $mc -Action Block -RateLimitThreshold 10 -RateLimitDurationInMinutes 1 -Priority 10

Then we create a WAF policy with just our single custom rule:

$policy = New-AzFrontDoorFireWallPolicy -ResourceGroupName AD -Name MyPolicy -Customrule $cr -EnabledState Enabled -Mode Prevention

Then we attach it to our Front Door instance (replace TestRG and TestFD with your names of the resource group and Front Door instance respectively):

$fd = Get-AzFrontDoor -ResourceGroupName TestRG -Name TestFD
$fd[0].FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $policy.Id
Set-AzFrontDoor -InputObject $fd[0]

Hope that helps get you started, as I say, it seems a little unclear how the rate limit is actually enforced. If I find our more details - or others have them, I am happy to update the answer again.

The reference I used to construct this was the Az.Frontdoor documentation:

https://docs.microsoft.com/en-us/powershell/module/az.frontdoor/?view=azps-1.6.0

Author by

Christoph Fink

I'm a software developer with experience in C#, PHP, HTML, JavaScript, ActionScript, SQL and a little C, C++.

Updated on September 18, 2022