Request for update to clarify how Front Door WAF rate limits work

[mderriey]

Hi,

The documentation is missing critical details about how rate limits work. I had to open a support ticket with Microsoft to understand why they seemed to not work properly for us.

Missing points:

1. Rate limits are enforced per POP location — in my tests, requests from a single IP address were routed to two different POPs, explaining why I was observing roughly twice as many requests being served. Given the number of POP locations, especially in some regions, one has to think carefully about how much traffic can be authorized from a single IP when using a rate limit rule. This goes against the following sentence found on this page: "It's possible that requests from the same client might arrive at a different Azure Front Door server that hasn't refreshed the rate limit counters yet."
2. Time windows are fixed — While I understand the difference between sliding and fixed time windows, I hadn't realised that they are fixed "in time". In our case, we use a 5-minute window. I thought that if an IP address starts making requests on minute 43, the time window would start at this time and end on minute 48. However, it looks they start on minutes 0, 5, 10, 15, etc... meaning that a single IP address can effectively rack up twice as many requests in a 5-minute window if this window overlaps two Front Door windows.

I'd appreciate confirmation of the above, although the Front Door logs seem to confirm the statements made by the support engineer I dealt with.

Cheers.

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 6eff8d20-c7c6-edce-47a2-35710812d847
• Version Independent ID: c4cc2f8f-a6e5-7af2-d0f0-b627fef0735f
• Content: Web application firewall rate limiting for Azure Front Door
• Content Source: articles/web-application-firewall/afds/waf-front-door-rate-limit.md
• Service: web-application-firewall
• GitHub Login: @johndowns
• Microsoft Alias: jodowns

[TPavanBalaji]

@mderriey Thanks for your feedback! We will investigate and update as appropriate.

[ManoharLakkoju-MSFT]

@mderriey Thank you for bringing this to our attention. I've delegated this to content author @johndowns, who will review it and offer their insightful opinions.

[johndowns]

Thank you. I am checking with the team. It might take some time for us to review this, but it is on our list.

[vhorne]

This article will be updated later this year (most likely early summer) as some new features roll out to support rate limits. When that happens, the content will be updated to better explain how this all works.

please-close