
Suggestion about Azure Application gateway


We have a lot of web applications behind one Application Gateway. We recognize a problem with a couple of them when "Inspect request body size" is on and configured to its default size - 128KB.
I would like to get a recommendation on how best to solve it:
Turn it off?
Increase a Max body size?
Create additional Application Gateway?
Any ideas will be appreciated.


Solution

  • I understand that you are having issues with Azure App Gateway where you are seeing an issue when "Inspect request body size" is turned on and set to 128KB and want to know the best way to address the same.

    As per Azure WAF Request size limits: The maximum request body size field is specified in kilobytes and controls overall request size limit excluding any file uploads. This field has a minimum value of 1 KB and a maximum value of 128 KB. The default value for request body size is 128 KB.

    However, for CRS 3.2 (on the WAF_v2 SKU) and newer, these limits are as follows:

    2MB request body size limit

    4GB file upload limit

    WAF also offers a configurable knob to turn the request body inspection on or off. By default, the request body inspection is enabled. If the request body inspection is turned off, WAF doesn't evaluate the contents of HTTP message body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set. Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF, but the message body isn't inspected for vulnerabilities.

    To change to CRS 3.2, go to WAF Policy > Managed Rules > change to 3.2 and hit save. Once you do the same, change the size of the request body size to 2 MB and hit save.

    Hope this helps. If you have any further questions, please do let us know and we will be glad to assist further. Thank you!
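
The change described in the answer above (CRS 3.2 with body inspection left on and the larger body limit), written as a Bicep WAF policy resource so it can be reviewed and versioned. This is an added example, not part of the original answer; the policy name, API version, Prevention mode and the 2000 KB figure (2 MB expressed in KB) are assumptions.

```bicep
// Added example: WAF policy for Application Gateway (WAF_v2 SKU).
// 'example-waf-policy' and the API version are placeholders/assumptions.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: 'example-waf-policy'
  location: resourceGroup().location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // assumption; use 'Detection' to log matches without blocking

      // Keep body inspection ON. Setting this to false lets large bodies
      // through but the body is no longer evaluated by any WAF rule
      // (headers, cookies and URI are still checked).
      requestBodyCheck: true

      // Before: 128 (the default and the maximum on older rule sets).
      // After:  2 MB, only accepted once the rule set below is CRS 3.2+.
      maxRequestBodySizeInKb: 2000 // assumption: 2 MB written as 2000 KB
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2' // required for the 2 MB body limit
        }
      ]
    }
  }
}
```

Because the larger limit depends on the rule set version, both settings are kept in one resource so they are deployed together.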