WAF Allowed IP restriction with Application Gateway

Harsh Thakor 116 Reputation points
2023-03-31T11:58:42.2733333+00:00

Hi Team,

We are using Azure Application Gateway V2 with WAF and we came across the Warning in the WAF Custom policy that,  it can only allow 600 Ips in one custom rule.

So I am having a few questions on this, please help with it.

  1. Is there any such restriction?
  2. In case if we want to add more IPS what needs to be done?
  3. If we add a range(/28) instead of single IP will it count as 1 entry or it will be counted as a SUM of the whole range?
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,098 questions
Azure Web Application Firewall
Azure ISV (Independent Software Vendors) and Startups
Azure ISV (Independent Software Vendors) and Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.ISV (Independent Software Vendors) and Startups: A Microsoft program that helps customers adopt Microsoft Cloud solutions and drive user adoption.
97 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 49,671 Reputation points Microsoft Employee
    2023-04-02T06:45:31.55+00:00

    Hello @Harsh Thakor ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are using Azure Application Gateway V2 with WAF and came across the Warning in the WAF Custom policy that, it can only allow 600 IPs in one custom rule, so you have a few questions regarding same. I've answered them below.

    Is there any such restriction?

    Yes, there is such a restriction, but it is WAF IP address ranges per match condition.

    WAF IP address ranges per match condition:

    540 - with CRS 3.1 or lower

    600 - with CRS 3.2 or newer

    Refer: https://zcusa.951200.xyz/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#application-gateway-limits

    In case if we want to add more IPS what needs to be done?

    As mentioned in the limits:

    User's image

    Maximum WAF custom rules that can be configured in a WAF policy is 100. And WAF IP address ranges per match condition in one custom rule is 600.

    So, that gives you a total of 60000 IP address ranges.

    If one custom rule already has 600 IP addresses/ranges, you can create another custom rule and add the new IPs/ranges.

    If we add a range (/28) instead of single IP, will it count as 1 entry or it will be counted as a SUM of the whole range?

    As per the documentation, it is 600 IP address ranges, so one IP range is considered as 1 entry. And you can add 600 IP ranges in one custom rule.

    But you need to make sure that none of the address ranges has overlapping IP addresses and all the ranges have unique IP addresses.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.