Is Azure WebApp automatically rate limited / DOS protected?

I'm building a service that allows users to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.

The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).

Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?

If I have to do it myself, can you point me in the right direction?

There are 2 best solutions below

0
On BEST ANSWER

Update 2023: It does not seem that Azure does any kind of rate limiting by default.

However, ASP.NET Core now has built-in rate limiting capabilities that I am using. The corresponding package is Microsoft.AspNetCore.RateLimiting. Microsoft's documentation is quite good on this [1][2], but I'll show how I used it (C#):

In setup code:

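    using Microsoft.AspNetCore.RateLimiting; // AddFixedWindowLimiter, EnableRateLimiting
    using System.Threading.RateLimiting;     // QueueProcessingOrder

    var builder = WebApplication.CreateBuilder(args);

    // Fixed window: 3 permits per 15 minutes; up to 2 more requests wait in the queue.
    builder.Services.AddRateLimiter(_ => _
        .AddFixedWindowLimiter(policyName: "MyRedeemLimitPolicy", options =>
        {
            options.PermitLimit = 3;
            options.Window = TimeSpan.FromMinutes(15);
            options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
            options.QueueLimit = 2;
        }));

    var app = builder.Build();

    app.UseRouting(); // Must be before app.UseRateLimiter()!

    app.UseRateLimiter();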

and in Controller:

    [AllowAnonymous]
    [HttpPost]
    [EnableRateLimiting("MyRedeemLimitPolicy")]
    public IActionResult RedeemKey([FromBody] RedeemData data)
    { ... }

[1] https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit

[2] https://devblogs.microsoft.com/dotnet/announcing-rate-limiting-for-dotnet/
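
An added example, not part of the answer above or of Microsoft's samples: a named `AddFixedWindowLimiter` policy is a single limiter shared by every caller of the endpoint, so this variant partitions the same 3-per-15-minutes window by client address and rejects with 429 instead of queueing. The policy name, the `/redeem` route and the `RedeemData` shape are assumptions, as is `RemoteIpAddress` being the real client address (behind a reverse proxy that requires forwarded-headers handling).

```csharp
// Program.cs, ASP.NET Core 7 or later (web SDK with implicit usings).
using System.Globalization;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRateLimiter(options =>
{
    // The middleware answers 503 on rejection unless told otherwise.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Tell well-behaved clients when their window reopens.
    options.OnRejected = (context, cancellationToken) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
        {
            context.HttpContext.Response.Headers.RetryAfter =
                ((int)retryAfter.TotalSeconds).ToString(NumberFormatInfo.InvariantInfo);
        }
        return ValueTask.CompletedTask;
    };

    // "PerClientRedeemPolicy" is a hypothetical name. Each distinct partition
    // key gets its own window, so one noisy source cannot use up the permits
    // of every other caller.
    options.AddPolicy("PerClientRedeemPolicy", httpContext =>
        RateLimitPartition.GetFixedWindowLimiter(
            // Assumption: RemoteIpAddress is the real client address.
            partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 3,
                Window = TimeSpan.FromMinutes(15),
                QueueLimit = 0 // reject at once instead of holding connections open
            }));
});

var app = builder.Build();

app.UseRouting();
app.UseRateLimiter();

// Hypothetical endpoint standing in for the RedeemKey controller action.
app.MapPost("/redeem", (RedeemData data) => Results.Ok())
   .RequireRateLimiting("PerClientRedeemPolicy");

app.Run();

record RedeemData(string Key); // assumed request shape
```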

0
On

As far as I know, we could use Dynamic IP Restrictions in a web app.

The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.

As for how to configure this feature: we could remotely connect to the Azure web app's IIS and set it.

As for how to remotely connect to the web app's IIS, you could refer to this article.

For more details, you could also refer to this blog.