Hi @Natarajan, Raja,
Thank you for reaching out on the Microsoft Q&A forum.
I understand that you want a solution to block malicious IPs using Azure Web Application Firewall (WAF) on Application Gateway.
Currently, Azure Web Application Firewall (WAF) policies do not support a dedicated "IP Group" resource that you can dynamically reference in custom rules for blocking malicious IPs. Instead, WAF custom rules allow you to specify IP addresses or CIDR ranges directly in match conditions to block or allow traffic. This means you need to list out IP addresses or IP ranges explicitly within the custom rule.
You can create custom rules with the IPMatch operator on the RemoteAddr or SocketAddr variable, specifying CIDR-formatted IP ranges to match and block malicious IPs. However, there is a limit on the number of IP ranges per match condition (typically around 600), so this approach works best for a moderate number of IPs.
Refer: https://learn.microsoft.com/en-us/answers/questions/1329570/azure-waf-limitations
Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variable-required
Besides manually adding IP ranges, Azure WAF provides managed rule sets you can enable to block known malicious traffic patterns automatically. These managed rules cover common vulnerabilities and attack vectors without the need to specify IPs.
Additionally, there is an Anomaly Scoring mode in Azure WAF that evaluates request patterns and blocks based on suspicious activity, which can help with dynamic protection beyond static IP blocking.
Kindly let us know if the above helps or you need further assistance on this issue.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Thanmayi
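The following is an added worked example and is not part of the answer above or of any Microsoft tooling. It shows the approach the answer describes in practice: take a raw IP blocklist, validate and collapse it into CIDRs, and split it across custom rules so that no single IPMatch condition carries more than the 600 ranges the answer quotes as the per-condition limit. The output is the `customRules` array in the shape used by the ARM/Bicep schema for `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies`; the JSON field names, the 600 limit, the rule names, priorities and the sample blocklist are all assumptions or constructed for this example.

```python
"""Build Azure WAF (Application Gateway) custom IP-block rules from a blocklist.

Added example, not from the original answer. Assumes the 600-ranges-per-
match-condition limit quoted in the answer and the customRules shape of the
ApplicationGatewayWebApplicationFirewallPolicies ARM schema.
"""
import ipaddress
import json

MAX_RANGES_PER_CONDITION = 600  # per-condition limit quoted in the answer (assumed)


def normalize_blocklist(lines):
    """Parse, validate and collapse raw blocklist lines into CIDR strings.

    Bare addresses become /32 (IPv4) or /128 (IPv6); overlapping or adjacent
    ranges are merged so as few entries as possible count against the limit.
    Malformed entries raise instead of being silently dropped, so a typo in
    the blocklist cannot quietly leave an attacker unblocked.
    """
    nets, bad = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    if bad:
        raise ValueError(f"invalid blocklist entries: {bad}")
    # collapse_addresses only accepts one address family at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def build_block_rules(cidrs, base_priority=10, name_prefix="BlockMaliciousIPs",
                      match_variable="RemoteAddr"):
    """Chunk CIDRs into Block rules, one IPMatch condition of <=600 ranges each.

    Priorities must be unique within a policy; lower numbers are evaluated
    first. match_variable is RemoteAddr (client IP, honouring X-Forwarded-For)
    or SocketAddr (TCP source address), as mentioned in the answer.
    """
    rules = []
    for start in range(0, len(cidrs), MAX_RANGES_PER_CONDITION):
        chunk = cidrs[start:start + MAX_RANGES_PER_CONDITION]
        idx = start // MAX_RANGES_PER_CONDITION
        rules.append({
            "name": f"{name_prefix}{idx}",  # hypothetical rule name
            "priority": base_priority + idx,
            "ruleType": "MatchRule",
            "action": "Block",
            "matchConditions": [{
                "matchVariables": [{"variableName": match_variable}],
                "operator": "IPMatch",
                "negationConditon": False,  # spelled this way in the ARM schema
                "matchValues": chunk,
            }],
        })
    return rules


if __name__ == "__main__":
    # Constructed sample blocklist (documentation ranges), not real threat data.
    sample = [
        "203.0.113.5",
        "203.0.113.0/24   # whole range, makes the /32 above redundant",
        "198.51.100.0/25",
        "198.51.100.128/25  # adjacent to the previous /25, collapses to /24",
        "2001:db8::/32",
    ]
    print(json.dumps(build_block_rules(normalize_blocklist(sample)), indent=2))
```

Drop the printed array into the `customRules` property of the WAF policy in a Bicep/ARM template, or feed it to `az rest`/`az resource update` against the policy resource. If a CDN or another proxy that you do not fully trust sits in front of the gateway, prefer `SocketAddr` over `RemoteAddr`, since `RemoteAddr` honours the X-Forwarded-For header a client can forge.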