
Is Azure WebApp automatically rate limited / DOS protected?


I'm building a service that allows users to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.

The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).

Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?

If I have to do it myself, can you point me in the right direction?


Solution

  • Update 2023: It does not seem that Azure does any kind of rate limiting by default.

    However, ASP.NET Core now has built-in rate limiting capabilities that I am using. The corresponding package is Microsoft.AspNetCore.RateLimiting. Microsoft's documentation is quite good on this [1][2], but I'll provide how I used it (C#):

    In setup code:

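    using System.Threading.RateLimiting;      // QueueProcessingOrder
    using Microsoft.AspNetCore.RateLimiting;  // AddFixedWindowLimiter

    var builder = WebApplication.CreateBuilder(args);
    
    // Register a named fixed-window policy: 3 permits per 15-minute window.
    builder.Services.AddRateLimiter(_ => _
        .AddFixedWindowLimiter(policyName: "MyRedeemLimitPolicy", options =>
        {
            options.PermitLimit = 3;
            options.Window = TimeSpan.FromMinutes(15);
            // Up to 2 further requests wait in a queue, oldest served first.
            options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
            options.QueueLimit = 2;
        }));
    
    var app = builder.Build();
    
    app.UseRouting(); // Must be before app.UseRateLimiter()!
    
    app.UseRateLimiter();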
    

    and in Controller:

        [AllowAnonymous]
        [HttpPost]
        [EnableRateLimiting("MyRedeemLimitPolicy")]
        public IActionResult RedeemKey([FromBody] RedeemData data)
        { ... }
    

    [1] https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit

    [2] https://devblogs.microsoft.com/dotnet/announcing-rate-limiting-for-dotnet/