azure-docs

Request for update to clarify how Front Door WAF rate limits work

Open mderriey opened this issue 2 years ago • 3 comments

Hi,

The documentation is missing critical details about how rate limits work. I had to open a support ticket with Microsoft to understand why they seemed to not work properly for us.

Missing points:

  1. Rate limits are enforced per POP location — in my tests, requests from a single IP address were routed to two different POPs, explaining why I was observing roughly twice as many requests being served. Given the number of POP locations, especially in some regions, one has to think carefully about how much traffic can be authorized from a single IP when using a rate limit rule. This goes against the following sentence found on this page: "It's possible that requests from the same client might arrive at a different Azure Front Door server that hasn't refreshed the rate limit counters yet."
  2. Time windows are fixed — While I understand the difference between sliding and fixed time windows, I hadn't realised that they are fixed "in time". In our case, we use a 5-minute window. I thought that if an IP address starts making requests on minute 43, the time window would start at this time and end on minute 48. However, it looks like they start on minutes 0, 5, 10, 15, etc., meaning that a single IP address can effectively rack up twice as many requests in a 5-minute window if this window overlaps two Front Door windows.

I'd appreciate confirmation of the above, although the Front Door logs seem to confirm the statements made by the support engineer I dealt with.

Cheers.



mderriey avatar Apr 25 '24 13:04 mderriey
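The two behaviours reported in the issue above (clock-aligned fixed windows and independent per-POP counters) can be modelled to size a threshold against its worst case. This is an added example, not Microsoft's implementation and not code from the thread; the threshold of 100, the round-robin routing between POPs, the 4 requests/second traffic and the documentation IP address are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 5 * 60  # 5-minute window, in seconds, as in the issue

class FixedWindowLimiter:
    """One POP's counter; windows start at minutes 0, 5, 10, ... (clock-aligned)."""
    def __init__(self, threshold, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.counts = defaultdict(int)  # (client_ip, window_index) -> served count

    def allow(self, client_ip, ts):
        key = (client_ip, ts // self.window)
        if self.counts[key] >= self.threshold:
            return False
        self.counts[key] += 1
        return True

def simulate(threshold, pops, request_ts, client_ip="203.0.113.7"):
    """Spread requests round-robin over `pops` independent limiters (assumed
    routing model); return the timestamps of the requests that were served."""
    limiters = [FixedWindowLimiter(threshold) for _ in range(pops)]
    return [ts for i, ts in enumerate(request_ts)
            if limiters[i % pops].allow(client_ip, ts)]

def max_served_in_any_span(served_ts, span=WINDOW):
    """Largest number of served requests inside any sliding `span`-second interval."""
    served_ts = sorted(served_ts)
    best = lo = 0
    for hi, t in enumerate(served_ts):
        while served_ts[lo] <= t - span:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def traffic(start_minute, rate_per_s=4, duration_s=WINDOW):
    """Constructed sample traffic: a steady stream lasting one window length."""
    start = start_minute * 60
    return [start + i // rate_per_s for i in range(rate_per_s * duration_s)]

def worst_case(threshold, pops):
    """Upper bound a defender should plan for: 2 adjacent windows x number of POPs."""
    return 2 * threshold * pops

if __name__ == "__main__":
    for start, pops in [(45, 1), (43, 1), (43, 2)]:
        served = simulate(100, pops, traffic(start))
        print(f"start minute {start}, {pops} POP(s): "
              f"{max_served_in_any_span(served)} served in 5 min "
              f"(bound {worst_case(100, pops)})")
```

When choosing a rule threshold, divide the per-client volume the origin can tolerate by `worst_case(1, pops)` for the number of POPs a client's traffic is expected to reach.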

@mderriey Thanks for your feedback! We will investigate and update as appropriate.

TPavanBalaji avatar Apr 25 '24 16:04 TPavanBalaji

@mderriey Thank you for bringing this to our attention. I've delegated this to content author @johndowns, who will review it and offer their insightful opinions.

ManoharLakkoju-MSFT avatar Apr 28 '24 05:04 ManoharLakkoju-MSFT

Thank you. I am checking with the team. It might take some time for us to review this, but it is on our list.

johndowns avatar Apr 28 '24 19:04 johndowns

This article will be updated later this year (most likely early summer) as some new features roll out to support rate limits. When that happens, the content will be updated to better explain how this all works. #please-close

vhorne avatar Apr 30 '24 17:04 vhorne