Azure Application Gateway file upload limits

Question

Recently I'm working with the Azure Application Gateway and when I try to upload a file I got the response 413 Entity Too Large. I read about it and the limit for the file upload is 2GB but I'm very confused because I uploaded successfully a file of 3.2 GB. Are there any change in this limit?. It fails when I try to upload a file of 4.6 GB. I'm using Standard_v2 SKU size.

score 6 · Answer 1 · answered Feb 28 '22 at 17:42

Other answer is misleading or poorly written. This answer should make it clearer as there are a few details

Considering you want to enable the maximum limits on the V2 SKU, it behaves like this:

No WAF enabled: 4GB (this is 2GB on V1 SKU) - the type of request does not matter, can be a non-upload request.
Any configuration with WAF enabled without 'Inspect request body': 4GB - the type of request does not matter, can be a non-upload request.
WAF enabled via 'Application Gateway WAF policy' resource (this is a separate resouce) and OWASP 3.2 policy with 'Inspect request body' checked and with value 4000 on 'Max file upload size (MB)': 4GB - but only when your request has the Content-Type set to multipart/form-data, this will recognize it as a file upload (I've tested a bunch of other header values, and so far that one is only recognized as a file upload). Any other content type will result in the evaluation of the maximum value set in the 'Max request body size (KB)' field, which can only handle 2000KB (2MB) as maximum value on OWASP 3.2 currently and just 128 KB for lower OWASP versions.

If you go over the limit, you get the following message with HTTP status code 403:

<html>

<head>
    <title>403 Forbidden</title>
</head>

<body>
    <center>
        <h1>403 Forbidden</h1>
    </center>
    <hr>
    <center>Microsoft-Azure-Application-Gateway/v2</center>
</body>

</html>

How to proccede when you want to chunk file upload for example for 8MB? — Augustas, Dec 06 '22 at 14:11
@Augustas if you need 'Inspect request body' enabled you can still make exclusions for specific scenarios, see: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal#identify-request-attributes-to-exclude — r3verse, Dec 07 '22 at 15:15

score 3 · Answer 2 · answered Feb 06 '20 at 08:22

3

If you have WAF enabled and if your content type is a form based like application/json or application/xml or multipart/form-data , then it is considered as non-file upload.

OWASP rule is blocking the file upload. Check here for the rule definition.

Work with your application team to change the content type or disable the rule in your WAF is you feel it is not an attach to your application.

answered Feb 06 '20 at 08:22

msrini-MSIT

1,444
1
7
11

I don't have WAF enabled but the content-type is multipart/form-data, because you can upload multiple files in the same request. – yosel vera Feb 06 '20 at 14:01
1

Can you double check that you have WAF enabled or not? 413 is because of the OWASP module not permitting large uploads in forms. – msrini-MSIT Feb 06 '20 at 16:59
these are my settings https://drive.google.com/open?id=1rKWs7l65n3nWjszOhG5vLYaywwx_PVhW let me know if you see it – yosel vera Feb 06 '20 at 20:18
@msrini-MSIT what if I ran into this without enabled WAF? – Circle Hsiao Feb 14 '22 at 14:57
@CircleHsiao I've added a separate answer which should clear things up – r3verse Feb 28 '22 at 17:47

Azure Application Gateway file upload limits

2 Answers2