End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Configure Custom WAF Rules with Rate Limiting

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Web Application Firewall (WAF) security policies configured for your Microsoft Azure Front Door profiles include custom, rate-limiting rules in order to protect against application-layer attacks, API abuse, and suspicious traffic patterns.

Security

Azure Web Application Firewall (WAF) provides centralized protection of your applications from common threats such as SQL injection, Cross-Site Scripting (XSS), and local and remote file inclusion. You can also restrict access to your applications by country, IP address range, and other HTTP(S) parameters via custom rules. A rate-limiting custom rule counts the requests that match its conditions per client (grouped on the client socket address by default) over a 1 or 5 minute window and applies its action once the configured threshold is exceeded. Such rules are essential for protecting against application-layer attacks, API abuse, and suspicious traffic patterns that can overwhelm backend systems. Keep in mind that rate-limiting rules, like every other WAF rule, only enforce their action when the WAF policy runs in Prevention mode; in Detection mode matching requests are logged but not blocked.


Audit

To determine if the security policies configured for your Azure Front Door profiles contain custom, rate-limiting WAF rules, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Front Door for Value, then choose Apply to list the Azure Front Door (AFD) profiles available in the selected subscription.

05 Click on the name (link) of the AFD profile that you want to examine.

06 In the resource navigation panel, under Security, select Security policies.

07 From the Domain state : All filter box, select Enabled and choose OK. From the Provisioning state : All, select Succeeded, and choose OK. This will show only the active WAF security policies associated with your AFD profile. If there are no active WAF security policies listed on this page, Web Application Firewall (WAF) is not enabled for the selected Azure Front Door profile and the Audit process ends here. Otherwise, continue the Audit process with the next step.

08 Click on the Expand button (i.e., right arrow icon) next to the active WAF security policy that you want to examine and click on the name (link) of the associated WAF policy.

09 In the WAF policy navigation panel, under Settings, select Custom rules to list the custom rules created for the selected WAF policy.

10 On the Custom rules listing page, check for any active rate-limiting WAF rules defined for the selected policy. An active rate-limiting WAF rule has the Rule type set to Rate limit and Status set to Enabled. If none of the custom rules listed on this page match the search criteria, the security policy configured for your Azure Front Door profile does not contain custom, rate-limiting WAF rules.

11 Repeat steps no. 8 - 10 for each WAF security policy associated with your Azure Front Door profile.

12 Repeat steps no. 5 - 11 for each Azure Front Door profile deployed in the selected Azure subscription.

13 Repeat steps no. 3 - 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run afd profile list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Front Door (AFD) profile available within the current subscription:

az afd profile list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AFD profile identifiers:

Name                       ResourceGroup
-----------------------    ------------------------------
cc-project5-afd-profile    cloud-shell-storage-westeurope
cc-web-cdn-afd-profile     cloud-shell-storage-westeurope

06 Run afd security-policy list command (Windows/macOS/Linux) with the name of the Azure Front Door profile that you want to examine and its associated resource group as the identifier parameters, to list the name and the provisioning state of each security policy configured with the selected AFD profile:

az afd security-policy list
	--profile-name cc-project5-afd-profile
	--resource-group cloud-shell-storage-westeurope
	--output table
	--query '[].{"name":name,"provisioningState":provisioningState}'

07 The command output should return the requested identification information. If the command output returns a ParentResourceNotFound error or the "provisioningState" is not set to "Succeeded", there are no WAF security policies associated with the selected Azure Front Door profile and the Audit process ends here. Otherwise, continue the Audit process with the next step:

Name                             ProvisioningState
-------------------------------  -----------------
cc-project5-afd-security-policy  Succeeded
cc-project5-managed-waf-policy   Succeeded

08 Run afd security-policy show command (Windows/macOS/Linux) with the name of the AFD security policy that you want to examine and its associated resource group as the identifier parameters, to describe the ID of the WAF policy associated with your AFD security policy:

az afd security-policy show
	--security-policy-name cc-project5-afd-security-policy
	--resource-group cloud-shell-storage-westeurope
	--profile-name cc-project5-afd-profile
	--query 'parameters.wafPolicy.id'

09 The command output should return the requested resource ID:

"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorWebApplicationFirewallPolicies/afdprotection"

10 Run network front-door waf-policy show command (Windows/macOS/Linux) with the ID of the WAF policy returned in the previous step as the identifier parameter, to describe the custom rules defined for the selected WAF policy:

az network front-door waf-policy show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorWebApplicationFirewallPolicies/afdprotection"
	--query 'customRules'

11 The command output should return the configuration information for each custom rule defined for the selected WAF policy:

{
	"rules": [
		{
			"action": "Block",
			"enabledState": "Enabled",
			"groupBy": [],
			"matchConditions": [
				{
					"matchValue": [
						"RU"
					],
					"matchVariable": "RemoteAddr",
					"negateCondition": false,
					"operator": "GeoMatch",
					"transforms": []
				}
			],
			"name": "geoprotection",
			"priority": 100,
			"rateLimitDurationInMinutes": 1,
			"rateLimitThreshold": 100,
			"ruleType": "MatchRule"
		},
		{
			"action": "Block",
			"enabledState": "Enabled",
			"groupBy": [],
			"matchConditions": [
				{
					"matchValue": [
						"10.0.0.0/24"
					],
					"matchVariable": "RemoteAddr",
					"negateCondition": true,
					"operator": "IPMatch",
					"transforms": []
				}
			],
			"name": "ipprotection",
			"priority": 200,
			"rateLimitDurationInMinutes": 1,
			"rateLimitThreshold": 100,
			"ruleType": "MatchRule"
		}
	]
}

Check the network front-door waf-policy show command output for any active rate-limiting WAF rules defined for the selected policy. An active rate-limiting WAF rule has "ruleType" set to "RateLimitRule" and "enabledState" set to "Enabled". Note that the output also lists "rateLimitDurationInMinutes" and "rateLimitThreshold" for rules of type "MatchRule" (as in the example above); those values are defaults that are not applied to a match rule, so the "ruleType" attribute is the deciding criterion. If none of the custom rules defined for the WAF policy match the search criteria, the security policy configured for your Azure Front Door profile does not contain custom, rate-limiting WAF rules.

12 Repeat steps no. 8 - 11 for each WAF security policy associated with your Azure Front Door profile.

13 Repeat steps no. 6 - 12 for each Azure Front Door profile available within the current Azure subscription.

14 Repeat steps no. 3 – 13 for each subscription created in your Microsoft Azure cloud account.
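The following script, added here as an example and not part of the original Conformity procedure or of the Azure CLI, applies the audit logic of steps no. 10 and 11 to the JSON returned by network front-door waf-policy show. It decides compliance on the "ruleType" attribute alone (so a MatchRule that happens to carry rate-limit fields does not count), and it adds two practitioner warnings the page only implies: a rate-limiting rule whose policy runs in Detection mode, or whose action is Log, never blocks anything. The embedded policy document is constructed for the example; run it against a real policy with az network front-door waf-policy show --ids <id> > policy.json && python check_ratelimit.py policy.json.

```python
"""Audit helper: does a Front Door WAF policy contain an active rate-limiting rule?"""
import json
import sys

# Constructed sample in the shape of `az network front-door waf-policy show`
# output (only the fields the check reads). Not captured from a real tenant.
SAMPLE_POLICY_JSON = """
{
  "name": "afdprotection",
  "customRules": {
    "rules": [
      {"name": "geoprotection", "enabledState": "Enabled", "priority": 100,
       "ruleType": "MatchRule", "action": "Block",
       "rateLimitDurationInMinutes": 1, "rateLimitThreshold": 100,
       "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "GeoMatch",
                            "matchValue": ["RU"], "negateCondition": false}]},
      {"name": "apithrottle", "enabledState": "Disabled", "priority": 200,
       "ruleType": "RateLimitRule", "action": "Block",
       "rateLimitDurationInMinutes": 5, "rateLimitThreshold": 1000,
       "matchConditions": [{"matchVariable": "RequestUri", "operator": "BeginsWith",
                            "matchValue": ["/api/"], "negateCondition": false}]}
    ]
  },
  "policySettings": {"enabledState": "Enabled", "mode": "Detection"}
}
"""


def active_rate_limit_rules(policy: dict) -> list:
    """Custom rules that are real rate-limit rules AND enabled.

    The CLI echoes rateLimitThreshold/rateLimitDurationInMinutes for MatchRule
    entries too, so ruleType, not the presence of a threshold, is the test.
    """
    rules = (policy.get("customRules") or {}).get("rules") or []
    return [r for r in rules
            if r.get("ruleType") == "RateLimitRule"
            and r.get("enabledState") == "Enabled"]


def assess_policy(policy: dict) -> dict:
    """Return the page's compliance verdict plus warnings about rules that cannot block."""
    active = active_rate_limit_rules(policy)
    settings = policy.get("policySettings") or {}
    warnings = []
    if settings.get("enabledState") != "Enabled":
        warnings.append("WAF policy is disabled; no custom rule is evaluated")
    if settings.get("mode") != "Prevention":
        warnings.append(f"policy mode is {settings.get('mode')!r}: rules only log, they do not block")
    for r in (policy.get("customRules") or {}).get("rules") or []:
        if r.get("ruleType") == "MatchRule" and r.get("rateLimitThreshold") is not None:
            warnings.append(f"rule {r.get('name')!r} is a MatchRule; its rateLimitThreshold is ignored")
    for r in active:
        if r.get("action") == "Log":
            warnings.append(f"rate-limit rule {r.get('name')!r} has action Log: it counts but never blocks")
        if not r.get("matchConditions"):
            warnings.append(f"rate-limit rule {r.get('name')!r} has no match conditions")
    return {
        "policy": policy.get("name"),
        "has_active_rate_limit_rule": bool(active),
        "active_rate_limit_rules": [r.get("name") for r in active],
        "warnings": warnings,
    }


def assess_policy_json(text: str) -> dict:
    """Convenience wrapper for raw CLI output."""
    return assess_policy(json.loads(text))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_JSON
    print(json.dumps(assess_policy_json(text), indent=2))
```

For the constructed sample the verdict is non-compliant: the only RateLimitRule is disabled, the MatchRule is flagged because its rate-limit fields are inert, and the Detection mode warning reminds the reviewer that even a fixed rule would not block until the policy is switched to Prevention.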

Remediation / Resolution

To ensure that the security policies configured for your Azure Front Door profiles contain custom, rate-limiting WAF rules, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Front Door for Value, then choose Apply to list the Azure Front Door (AFD) profiles available in the selected subscription.

05 Click on the name (link) of the AFD profile that you want to configure.

06 In the resource navigation panel, under Security, select Security policies.

07 From the Domain state : All filter box, select Enabled and choose OK. From the Provisioning state : All, select Succeeded, and choose OK. This will show only the active WAF security policies associated with your AFD profile.

08 Click on the Expand button (i.e., right arrow icon) next to the active WAF security policy that you want to configure and click on the name (link) of the associated WAF policy.

09 In the WAF policy navigation panel, under Settings, select Custom rules.

10 Choose Add custom rule and perform the following actions to create your new custom rule:

  1. For Custom rule name, enter a unique name for your new custom rule.
  2. For Status choose Enabled.
  3. For Rule type, choose Rate limit.
  4. For Priority, assign a unique number to specify the order in which the rule is processed relative to other custom rules (e.g., 100).
  5. For Rate limit duration, enter the rate limit counting duration (1 or 5 minutes).
  6. For Rate limit threshold (requests), enter the maximum number of requests allowed within the defined rate limit duration.
  7. In the Conditions section, provide the following information:
    1. For If, specify a match variable, an operator, and a match value. Each custom rule can contain multiple match conditions. A match condition might be based on geo-location, client IP address, size, or string match. String match can be against a list of match variables.
    2. For Then, specify the rule action. You can choose to block (deny), redirect, or log the traffic, or to run a JavaScript challenge or CAPTCHA. Choose Block for a rule that is meant to stop abusive traffic; a Log action only records the matches.
  8. Choose Add to create your new, custom, rate-limiting WAF rule.

11 If required, repeat step no. 10 to define more rate-limiting WAF rules.

12 Repeat steps no. 5 – 11 for each Azure Front Door profile that you want to configure, deployed in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network front-door waf-policy rule create command (Windows/macOS/Linux) to create a new, custom, rate-limiting WAF rule for the WAF policy specified by the --policy-name parameter. The --defer flag caches the new rule locally instead of sending it to Azure immediately: a custom rule is not valid without a match condition, so the rule is only pushed to the WAF policy when its match condition is added in step no. 6. Use a priority that is not already taken by another custom rule in the policy:

az network front-door waf-policy rule create
	--name "geoprotection"
	--policy-name "afdprotection"
	--resource-group "cloud-shell-storage-westeurope"
	--priority 500
	--rule-type "RateLimitRule"
	--rate-limit-duration 5
	--rate-limit-threshold 100
	--action Block
	--disabled false
	--defer

05 The command output should return the configuration information available for the new custom rule:

{
	"customRules": {
		"rules": [
			{
				"action": "Block",
				"enabledState": "Enabled",
				"groupBy": null,
				"matchConditions": [],
				"name": "geoprotection",
				"priority": 500,
				"rateLimitDurationInMinutes": 5,
				"rateLimitThreshold": 100,
				"ruleType": "RateLimitRule"
			}
		]
	},
	"etag": null,
	"frontendEndpointLinks": null,
	"id": null,
	"location": "Global",
	"managedRules": {
		"managedRuleSets": [
			{
				"exclusions": [],
				"ruleGroupOverrides": [],
				"ruleSetAction": "Block",
				"ruleSetType": "Microsoft_DefaultRuleSet",
				"ruleSetVersion": "2.1"
			}
		]
	},
	"name": null,
	"policySettings": {
		"customBlockResponseBody": null,
		"customBlockResponseStatusCode": null,
		"enabledState": "Enabled",
		"javascriptChallengeExpirationInMinutes": 30,
		"mode": "Detection",
		"redirectUrl": null,
		"requestBodyCheck": "Enabled",
		"scrubbingRules": null,
		"state": null
	},
	"provisioningState": null,
	"resourceState": null,
	"routingRuleLinks": null,
	"securityPolicyLinks": null,
	"sku": {
		"name": "Premium_AzureFrontDoor"
	},
	"tags": {},
	"type": null
}

06 Run network front-door waf-policy rule match-condition add command (Windows/macOS/Linux) to add a match-condition to the rate-limiting WAF rule defined in step no. 4:

az network front-door waf-policy rule match-condition add
	--name "geoprotection"
	--policy-name "afdprotection"
	--resource-group "cloud-shell-storage-westeurope"
	--match-variable RemoteAddr
	--operator GeoMatch
	--values "KP"

07 The command output should return all the information available for the new rate-limiting WAF rule:

{
	"customRules": {
		"rules": [
			{
				"action": "Block",
				"enabledState": "Enabled",
				"groupBy": [
					{
						"variableName": "SocketAddr"
					}
				],
				"matchConditions": [
					{
						"matchValue": [
						"KP"
						],
						"matchVariable": "RemoteAddr",
						"negateCondition": false,
						"operator": "GeoMatch",
						"selector": null,
						"transforms": []
					}
				],
				"name": "geoprotection",
				"priority": 500,
				"rateLimitDurationInMinutes": 5,
				"rateLimitThreshold": 100,
				"ruleType": "RateLimitRule"
			}
		]
	},
	"etag": null,
	"frontendEndpointLinks": [],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/afdprotection",
	"location": "Global",
	"managedRules": {
		"managedRuleSets": [
			{
				"exclusions": [],
				"ruleGroupOverrides": [],
				"ruleSetAction": "Block",
				"ruleSetType": "Microsoft_DefaultRuleSet",
				"ruleSetVersion": "2.1"
			}
		]
	},
	"name": "afdprotection",
	"policySettings": {
		"customBlockResponseBody": null,
		"customBlockResponseStatusCode": null,
		"enabledState": "Enabled",
		"javascriptChallengeExpirationInMinutes": 30,
		"mode": "Detection",
		"redirectUrl": null,
		"requestBodyCheck": "Enabled",
		"scrubbingRules": null,
		"state": null
	},
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"resourceState": "Enabled",
	"routingRuleLinks": null,
	"securityPolicyLinks": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/cc-project5-afd-profile/securitypolicies/cc-project5-afd-security-policy",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"sku": {
		"name": "Premium_AzureFrontDoor"
	},
	"tags": {},
	"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
}

08 If required, repeat steps no. 4 - 7 to define more rate-limiting WAF rules.

09 Repeat steps no. 4 - 8 for each Azure Front Door profile that you want to configure, available within the current subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.
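The following script, added here as an example and not part of the original Conformity procedure or of the Azure CLI, turns steps no. 4 to 7 into a checked command plan. Before emitting anything it validates the inputs against the rules the page states (unique name and priority within the policy, a 1 or 5 minute window, at least one match condition), then produces the rule create command with --defer followed by one match-condition add per condition, the last of which flushes the cached rule to Azure. The existing-rule list and the policy names are constructed for the example; in practice feed it the "customRules.rules" array from network front-door waf-policy show so the priority check runs against the real policy. It prints commands rather than executing them, which keeps the change reviewable before it touches the WAF policy.

```python
"""Remediation helper: validate and plan the az commands for a rate-limiting WAF rule."""
import shlex

VALID_DURATIONS = (1, 5)  # minutes; the only rate-limit windows the page allows

# Constructed stand-in for `az network front-door waf-policy show --query customRules.rules`
EXISTING_RULES = [
    {"name": "geoprotection", "priority": 100, "ruleType": "MatchRule"},
    {"name": "ipprotection", "priority": 200, "ruleType": "MatchRule"},
]


def validate_rate_limit_rule(existing_rules, name, priority, duration, threshold, conditions):
    """Raise ValueError for anything Azure would reject or that would silently misbehave."""
    problems = []
    if name in {r.get("name") for r in existing_rules}:
        problems.append(f"rule name {name!r} already exists in the policy")
    if priority in {r.get("priority") for r in existing_rules}:
        problems.append(f"priority {priority} is already used by another custom rule")
    if duration not in VALID_DURATIONS:
        problems.append(f"rate limit duration must be one of {VALID_DURATIONS} minutes")
    if threshold < 1:
        problems.append("rate limit threshold must be at least 1 request")
    if not conditions:
        problems.append("a rate-limit rule needs at least one match condition")
    for c in conditions:
        for key in ("match_variable", "operator", "values"):
            if not c.get(key):
                problems.append(f"match condition is missing {key!r}")
    if problems:
        raise ValueError("; ".join(problems))


def plan_commands(policy_name, resource_group, existing_rules, name, priority,
                  duration, threshold, conditions, action="Block"):
    """Return the ordered az commands (as argv lists) to create the rule."""
    validate_rate_limit_rule(existing_rules, name, priority, duration, threshold, conditions)
    base = ["az", "network", "front-door", "waf-policy", "rule"]
    ident = ["--name", name, "--policy-name", policy_name, "--resource-group", resource_group]
    # --defer keeps the rule local: Azure will not accept it until it has a condition.
    create = base + ["create"] + ident + [
        "--priority", str(priority), "--rule-type", "RateLimitRule",
        "--rate-limit-duration", str(duration), "--rate-limit-threshold", str(threshold),
        "--action", action, "--disabled", "false", "--defer",
    ]
    commands = [create]
    for c in conditions:
        # Each add runs without --defer, so the first one flushes the cached rule
        # together with its condition and later ones update the persisted policy.
        commands.append(base + ["match-condition", "add"] + ident + [
            "--match-variable", c["match_variable"], "--operator", c["operator"],
            "--values", *c["values"],
        ])
    return commands


def render(commands):
    """Shell-quoted, one command per line, ready to paste or pipe into a shell."""
    return "\n".join(shlex.join(cmd) for cmd in commands)


if __name__ == "__main__":
    plan = plan_commands(
        "afdprotection", "cloud-shell-storage-westeurope", EXISTING_RULES,
        name="apithrottle", priority=300, duration=5, threshold=1000,
        conditions=[{"match_variable": "RequestUri", "operator": "BeginsWith",
                     "values": ["/api/"]}],
    )
    print(render(plan))
```

After the commands run, re-check the policy with network front-door waf-policy show: the new rule must appear with "ruleType" "RateLimitRule" and "enabledState" "Enabled", and the policy's "mode" must be "Prevention" for the Block action to take effect.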


Publication date Aug 4, 2025