![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 80%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Azure Web Application Firewall
An Azure service that provides protection for web apps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 23%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Hi Steven, that's how the DDoS works, it's a rate limiter, not a blocker.
You will need an IP blacklist in order to do what you want.
Instead of relying on WAF's inconsistent rate limit counter, you use two rules working together — your origin detects the abuse and signals the WAF, and the WAF's match rule (which has no distributed counter problem) does the blocking.
Step 1 — Origin adds a response header when rate limit is hit
In your application, track login attempts per IP. When an IP exceeds your threshold, add a custom header to the response, for example:
X-Block-Client: true
Your app already has consistent server-side state (Redis, memory cache, database), so this counter will be accurate.
Step 2 — Create a WAF Match rule to block on that header
In Azure Front Door WAF, create a second custom rule:
- Rule type: Match (not Rate limit)
- Priority: 0 (higher than your rate limit rule)
- Condition:
- Match variable:
ResponseHeader- Header name:
X-Block-Client- Operator:
Contains- Match value:
true - Action: Deny traffic (returns 429 or 403)
- Match value:
- Operator:
- Header name:
- Match variable:
Step 3 — Strip the header before it reaches the client
Make sure Azure Front Door strips X-Block-Client from the response before it's sent to the end user, so you're not leaking internal signaling. You can do this via a Front Door Rules Engine action to remove the response header.
Why this works better
Match rules in Azure WAF evaluate a simple condition on the current request/response — there's no distributed counter involved, so the block is consistent on every single request once your origin has flagged that IP. The unreliable part (counting) moves into your application where you have full control over it.
The main tradeoff is that the first ~20 requests (or however many your app allows) still reach your origin before the block kicks in. But that's actually fine for login protection — you want your app to be the authoritative source on whether an IP should be blocked, and the WAF then enforces it at the edge for all subsequent requests.
Hope that helps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)