AWS WAF Classic endpoints and quotas - AWS General Reference

AWS WAF Classic endpoints and quotas

Note

This page provides information related to AWS WAF Classic. If you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated your web ACLs over yet, you need to use AWS WAF Classic to access those resources. Otherwise, do not use this version.

For information related to the latest version of AWS WAF, see AWS WAF endpoints and quotas.

The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.

Service Endpoints

AWS WAF Classic for CloudFront distributions has a single endpoint: waf.amazonaws.com. It supports HTTPS requests only.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

US East (N. Virginia) us-east-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

US West (N. California) us-west-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

US West (Oregon) us-west-2

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Africa (Cape Town) af-south-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Hong Kong) ap-east-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Mumbai) ap-south-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Seoul) ap-northeast-2

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Singapore) ap-southeast-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Sydney) ap-southeast-2

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Tokyo) ap-northeast-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Canada (Central) ca-central-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Europe (Frankfurt) eu-central-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Europe (Ireland) eu-west-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Europe (London) eu-west-2

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Europe (Milan) eu-south-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Europe (Paris) eu-west-3

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Europe (Stockholm) eu-north-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

Middle East (Bahrain) me-south-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

South America (São Paulo) sa-east-1

waf.amazonaws.com

waf-fips.amazonaws.com

HTTPS

HTTPS

AWS WAF Classic for Application Load Balancers and API Gateway APIs has the following endpoints:

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2

waf-regional.us-east-2.amazonaws.com

waf-regional-fips.us-east-2.amazonaws.com

HTTPS

HTTPS

US East (N. Virginia) us-east-1

waf-regional.us-east-1.amazonaws.com

waf-regional-fips.us-east-1.amazonaws.com

HTTPS

HTTPS

US West (N. California) us-west-1

waf-regional.us-west-1.amazonaws.com

waf-regional-fips.us-west-1.amazonaws.com

HTTPS

HTTPS

US West (Oregon) us-west-2

waf-regional.us-west-2.amazonaws.com

waf-regional-fips.us-west-2.amazonaws.com

HTTPS

HTTPS

Africa (Cape Town) af-south-1

waf-regional.af-south-1.amazonaws.com

waf-regional-fips.af-south-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Hong Kong) ap-east-1

waf-regional.ap-east-1.amazonaws.com

waf-regional-fips.ap-east-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Mumbai) ap-south-1

waf-regional.ap-south-1.amazonaws.com

waf-regional-fips.ap-south-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Seoul) ap-northeast-2

waf-regional.ap-northeast-2.amazonaws.com

waf-regional-fips.ap-northeast-2.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Singapore) ap-southeast-1

waf-regional.ap-southeast-1.amazonaws.com

waf-regional-fips.ap-southeast-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Sydney) ap-southeast-2

waf-regional.ap-southeast-2.amazonaws.com

waf-regional-fips.ap-southeast-2.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Tokyo) ap-northeast-1

waf-regional.ap-northeast-1.amazonaws.com

waf-regional-fips.ap-northeast-1.amazonaws.com

HTTPS

HTTPS

Canada (Central) ca-central-1

waf-regional.ca-central-1.amazonaws.com

waf-regional-fips.ca-central-1.amazonaws.com

HTTPS

HTTPS

Europe (Frankfurt) eu-central-1

waf-regional.eu-central-1.amazonaws.com

waf-regional-fips.eu-central-1.amazonaws.com

HTTPS

HTTPS

Europe (Ireland) eu-west-1

waf-regional.eu-west-1.amazonaws.com

waf-regional-fips.eu-west-1.amazonaws.com

HTTPS

HTTPS

Europe (London) eu-west-2

waf-regional.eu-west-2.amazonaws.com

waf-regional-fips.eu-west-2.amazonaws.com

HTTPS

HTTPS

Europe (Milan) eu-south-1

waf-regional.eu-south-1.amazonaws.com

waf-regional-fips.eu-south-1.amazonaws.com

HTTPS

HTTPS

Europe (Paris) eu-west-3

waf-regional.eu-west-3.amazonaws.com

waf-regional-fips.eu-west-3.amazonaws.com

HTTPS

HTTPS

Europe (Stockholm) eu-north-1

waf-regional.eu-north-1.amazonaws.com

waf-regional-fips.eu-north-1.amazonaws.com

HTTPS

HTTPS

Middle East (Bahrain) me-south-1

waf-regional.me-south-1.amazonaws.com

waf-regional-fips.me-south-1.amazonaws.com

HTTPS

HTTPS

South America (São Paulo) sa-east-1

waf-regional.sa-east-1.amazonaws.com

waf-regional-fips.sa-east-1.amazonaws.com

HTTPS

HTTPS

AWS GovCloud (US) us-gov-west-1

waf-regional.us-gov-west-1.amazonaws.com

waf-regional-fips.us-gov-west-1.amazonaws.com

HTTPS

HTTPS

Service Quotas

AWS WAF Classic has default quotas on the number of entities per account. You can request an increase in these quotas.

Resource Default

Web ACLs per AWS account

50

Rules per AWS account

100

Rate-based-rules per AWS account per Region

5

Conditions per AWS account

100 of each condition type (For example: 100 size constraint conditions, 100 IP match conditions, and so on. The exception is regex match conditions. You can have a maximum of 10 regex match conditions per account per Region. This quota cannot be increased.)

Requests per Second 10,000 per web ACL*

*This quota applies only to AWS WAF Classic on an Application Load Balancer and API Gateway. Requests per Second (RPS) quotas for AWS WAF Classic on CloudFront are the same as the RPS quotas support by CloudFront described in the Amazon CloudFront Developer Guide.

The following quotas on AWS WAF Classic entities can't be changed.

Resource Default

Rule groups per web ACL

2: 1 customer-created rule group and 1 AWS Marketplace rule group

Rules per web ACL

10

Conditions per rule

10

IP address ranges (in CIDR notation) per IP match condition

10,000

IP addresses blocked per rate-based rule

10,000

Minimum rate-based rule rate limit per 5 minute period

100

Filters per cross-site scripting match condition

10

Filters per size constraint condition

10

Filters per SQL injection match condition

10

Filters per string match condition

10

In string match conditions, the number of characters in HTTP header names, when you've configured AWS WAF to inspect the headers in web requests for a specified value

40

In string match conditions, the number of characters in the value that you want AWS WAF to search for

50

In regex match conditions, the number of characters in the pattern that you want AWS WAF to search for

70

In regex match conditions, the number of patterns per pattern set

10

In regex match conditions, the number of pattern sets per regex condition

1

The number of pattern sets per AWS account per Region

5

GeoMatchSets per AWS account per Region

50

Locations per GeoMatchSet

50

These quotas are the same for all Regions in which AWS WAF Classic is available. Each Region is subject to these quotas individually. That is, the quotas are not cumulative across regions.