Exam AZ-700 topic 4 question 11 discussion

"Rate limits are applied for each client IP address. If you have multiple clients accessing your Front Door from different IP addresses, they will have their own rate limits applied."

It´s correct. Lab tested, you can add IP addresses as conditions in the same rule.

Rate limiting is configured using custom WAF rules in a policy. You can create multiple rate limit rules that match different variables and paths within your policy. Each rule has a threshold, a match condition, and a group by variable. The threshold is the number of requests allowed within the specified time period. For example, you can set a threshold of 100 requests per minute or 1000 requests per hour. The match condition is the criteria that determines when to activate the rate limit. You can match various variables, such as request method, header, query string, body, cookie, or path. For example, you can match requests with a specific user agent or cookie value. The group by variable is the variable that defines how requests are grouped and counted for a matching rate limit rule. You can choose one of the following three options:

Rate limiting is configured using custom WAF rules in a policy. You can create multiple rate limit rules that match different variables and paths within your policy. Each rule has a threshold, a match condition, and a group by variable. The threshold is the number of requests allowed within the specified time period. For example, you can set a threshold of 100 requests per minute or 1000 requests per hour. The match condition is the criteria that determines when to activate the rate limit. You can match various variables, such as request method, header, query string, body, cookie, or path. For example, you can match requests with a specific user agent or cookie value. The group by variable is the variable that defines how requests are grouped and counted for a matching rate limit rule. You can choose one of the following three options:

"ClientAddr: This is the default option, and it means that each rate limit threshold and mitigation applies independently to every unique source IP address." Answer C From here: https://techcommunity.microsoft.com/t5/azure-network-security-blog/rate-limiting-feature-for-azure-waf-on-application-gateway-now/ba-p/3934957#:~:text=Rate%20limiting%20is%20configured%20using,and%20a%20group%20by%20variable.

I C is correct! Correct answer modify condition based on IP address of remote sites, you can also you Geo and rate limit is applied per condition

Answer C. Tested on LAB. You can add multiple IP on the Same Condition. I have also tested that the limit is on each ip, not shared. If one IP reach the limit the other IP have its own limit and its able to connect withou problem

Just tested in the lab with the following: $IPMatchCondition = New-AzFrontDoorWafMatchConditionObject -MatchVariable RemoteAddr -OperatorProperty IPMatch -NegateCondition $false -MatchValue "20.234.16.25", "20.234.16.26", "20.234.16.27" $IPAllowRule = New-AzFrontDoorWafCustomRuleObject -Name "IPAllowRule" -RuleType MatchRule -MatchCondition $IPMatchCondition -Action Allow -Priority 10 $IPAllowPolicyExamplePS = New-AzFrontDoorWafPolicy -Name "IPRestrictionExamplePS" -resourceGroupName rg-test -Customrule $IPAllowRule -Mode Detection -EnabledState Enabled I, also, created the rule with one IP address then, manually, was able to add two more IPs.

Option B is Correct

in exam march 23

To apply a rate limit of 100 requests for traffic that originates from each office, you should create two additional associations. This is because the current configuration applies a rate limit of 100 requests for traffic that originates from the office in Montreal only. By creating two additional associations, you can apply a rate limit of 100 requests for traffic that originates from each office

When a custom rule is created in WAF policy there is option to add IP address not just on but multiple so 1 rule is sufficient ..all that is needed all the edge IPs from all locations in the one rule

B Per this link https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction#create-a-waf-policy You can add an IP address or range only. You would need to create two additional associations for the other 2 locations.

https://github.com/MicrosoftDocs/azure-docs/issues/32333, as per the above doc, tried the below. So yes the answer is Modify the condition. $testIPmatches = New-AzFrontDoorWafMatchConditionObject -MatchVariable RemoteAddr -OperatorProperty IPMatch -NegateCondition $true -MatchValue "103.78.18.242" , "103.78.18.245"

Should be B Create a two additional associations they are individual resources, individual locations.

As per the following link https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-powershell and this one https://azure.microsoft.com/en-us/resources/templates/front-door-rate-limiting/ I understand that each rate-limit is for a specific IP address only, I never found anything about a group of IPs, so I would consider the response B : create a two additional associations