Dynamic IP Restriction with HTTP/2

Question

We are considering using DynamicIpRestriction to deny excessive access from a single IP in Azure App Service.

As a question, in the case of HTTP/2, it is doubtful whether it is effective to deny excessive access using this function. In the case of HTTP/1.1, the number of simultaneous connections is restricted to 6 due to client side (browser) restrictions. We are aware that we can limit the number of concurrent requests by maxConcurrentRequests, but In the case of HTTP/2, parallel requests can be made on the same socket, and there is no upper limit.

Could you tell me if there is a best practice to reject excessive access with DynamicIpRestricion when using HTTP/2?

Answer 1

Could you tell me if there is a best practice to reject excessive access with DynamicIpRestricion when using HTTP/2?

As per this Azure Blog article, HTTP/2 is an advanced version of HTTP/1.1 where only few changes made in it such as Http/2 has only 1 TCP/IP Connection, fully multiplexed, binary model, single connection usage for parallelism, overhead reduction by using header compression process.

As per my research, I didn’t find the alternative way for protecting the app service from attacks (DDoS) using the “Dynamic IP Restriction” feature and the process for it same as here after enabling the HTTP/2 and working as expected.