WAF rule limits.

10/09/2023

AWS Web Application Firewall (WAF) protects web applications against common exploits and lets you create rules to filter malicious traffic. Each AWS WAF rule is subject to specific limits that keep the service operating efficiently. As of my last knowledge update in September 2021, the common limits for AWS WAF rules are:

  1. WebACL Limit:
    • Each AWS account can have up to 200 WebACLs (Web Access Control Lists) per region.
  2. Rule Limit per WebACL:
    • Each WebACL can have up to 10 default rules and 100 additional rules.
  3. Rule Groups Limit:
    • You can associate up to 10 rule groups with a WebACL.
  4. Rule Size:
    • The maximum size of a rule is 4,000 bytes.
  5. Rate-Based Rule Limits:
    • Each WebACL can have up to 10 rate-based rules.
  6. Conditions per Rule:
    • Each rule can contain up to 10 conditions.
  7. String and Regex Match Conditions:
    • Each condition can contain up to 10 string matches and 10 regex match conditions.
  8. IPSet and GeoMatch Conditions:
    • Each condition can contain up to 2 IPSet and 2 GeoMatch conditions.
  9. Size of IPSet:
    • The maximum number of IP addresses or ranges in an IPSet is 10,000.
  10. Rate Limits for Rate-Based Rules:
    • The maximum request rate for a rate-based rule is 20,000 requests per 5-minute period.
  11. Rate-Based Rule Scoping:
    • Rate-based rules can be scoped to IP addresses or specific request components (URI, query string, headers, etc.).

Please note that these limits are based on information available up until September 2021. AWS may update these limits in the future, so it's always a good idea to refer to the latest AWS documentation for the most current information.

If you need to request a limit increase for any of these resources, you can do so through the AWS Service Quotas console or by contacting AWS Support. Keep in mind that limit increases are subject to approval and may take some time to process.
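Before asking for a quota increase it helps to know how close a WebACL already is to the figures above. The script below is an added example, not AWS code: it audits a WebACL definition in the shape returned by the boto3 `wafv2` `get_web_acl()` call against the per-WebACL limits listed on this page (rules, rate-based rules, rule groups and the rate-based request cap). The WebACL it inspects is a constructed sample rather than a live API response, and the `LIMITS` table simply repeats the page's numbers.

```python
from collections import Counter

# Quota figures exactly as this page lists them; not a live lookup of current AWS quotas.
LIMITS = {
    "rules": 100,          # rules per WebACL
    "rate_based": 10,      # rate-based rules per WebACL
    "rule_groups": 10,     # rule groups associated with a WebACL
    "rate_limit": 20_000,  # highest request rate per 5-minute period on any rate-based rule
}


def count_usage(web_acl):
    """Tally rule kinds in a dict shaped like boto3 wafv2 get_web_acl()['WebACL'].

    Assumption: only each rule's top-level statement is inspected; statements
    nested inside And/Or/Not are not counted as extra rule groups."""
    used = Counter()
    for rule in web_acl.get("Rules", []):
        used["rules"] += 1
        stmt = rule.get("Statement", {})
        if "RateBasedStatement" in stmt:
            used["rate_based"] += 1
            # Keep the largest configured rate so it can be compared with the cap.
            used["rate_limit"] = max(used["rate_limit"], stmt["RateBasedStatement"].get("Limit", 0))
        if "RuleGroupReferenceStatement" in stmt or "ManagedRuleGroupStatement" in stmt:
            used["rule_groups"] += 1
    return used


def audit(web_acl, warn_at=0.8):
    """Return {check: (used, limit, status)}; status is 'ok', 'warn' (>= warn_at of limit) or 'over'."""
    used = count_usage(web_acl)
    report = {}
    for check, limit in LIMITS.items():
        value = used[check]
        status = "over" if value > limit else "warn" if value >= warn_at * limit else "ok"
        report[check] = (value, limit, status)
    return report


def build_sample_acl():
    """Constructed sample WebACL (not a real deployment): 2 managed rule groups, 9 rate-based
    rules (one configured above the stated cap) and 3 plain byte-match rules."""
    rules = [{"Name": f"managed-{i}", "Statement": {"ManagedRuleGroupStatement": {
              "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}} for i in range(2)]
    rules += [{"Name": f"rate-{i}", "Statement": {"RateBasedStatement": {
               "Limit": 50_000 if i == 0 else 2_000, "AggregateKeyType": "IP"}}} for i in range(9)]
    rules += [{"Name": f"block-{i}", "Statement": {"ByteMatchStatement": {
               "SearchString": "/admin", "FieldToMatch": {"UriPath": {}}}}} for i in range(3)]
    return {"Name": "example-acl", "Scope": "REGIONAL", "Rules": rules}


if __name__ == "__main__":
    for check, (value, limit, status) in audit(build_sample_acl()).items():
        print(f"{check:12s} {value:>6}/{limit:<6} {status}")
```

To audit a real WebACL, pass `client.get_web_acl(Name=..., Scope=..., Id=...)["WebACL"]` to `audit()` in place of the constructed sample.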
