AWS WAF Classic quotas - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

AWS WAF Classic quotas

Warning

Deprecation notice: AWS WAF Classic support will end on September 30, 2025.

Note

This is AWS WAF Classic documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your resources, see Migrating your AWS WAF Classic resources to AWS WAF.

For the latest version of AWS WAF, see AWS WAF.

AWS WAF Classic is subject to the following quotas (formerly referred to as limits).

AWS WAF Classic has default quotas on the number of entities per account per Region. You can request an increase to these.

Resource Default quota per account per Region

Web ACLs

50

Rules

100

Rate-based-rules

5

Conditions per account per Region

For all conditions except for regex match and geo match, 100 of each condition type. For example, 100 size constraint conditions and 100 IP match conditions. For regex and geo match conditions, see the following table.

Requests per Second 25,000 per web ACL*

*This quota applies only to AWS WAF Classic on an Application Load Balancer. Requests per Second (RPS) quotas for AWS WAF Classic on CloudFront are the same as the RPS quotas support by CloudFront that is described in the CloudFront Developer Guide.

The following quotas on AWS WAF Classic entities can't be changed.

Resource Quota per account per Region

Rule groups per web ACL

2: 1 customer-created rule group and 1 AWS Marketplace rule group

Rules per web ACL

10

Conditions per rule

10

IP address ranges (in CIDR notation) per IP match condition

10,000

You can update up to 1,000 addresses at a time. The API call UpdateIPSet accepts a maximum of 1,000 addresses in a single request.

IP addresses blocked per rate-based rule

10,000

Minimum rate-based rule rate limit per 5 minute period

100

Filters per cross-site scripting match condition

10

Filters per size constraint condition

10

Filters per SQL injection match condition

10

Filters per string match condition

10

In string match conditions, the number of characters in HTTP header names, when you've configured AWS WAF Classic to inspect the headers in web requests for a specified value

40

In string match conditions, the number of characters in the value that you want AWS WAF Classic to search for

50

Regex match conditions

10

In regex match conditions, the number of characters in the pattern that you want AWS WAF Classic to search for

70

In regex match conditions, the number of patterns per pattern set

10

In regex match conditions, the number of pattern sets per regex condition

1

Pattern sets

5

Geo match conditions

50

Locations per geo match condition

50

AWS WAF Classic has the following fixed quotas on calls per account per Region. These quotas apply to the total calls to the service through any available means, including the console, CLI, AWS CloudFormation, the REST API, and the SDKs. These quotas can't be changed.

Call type Quota per account per Region
Maximum number of calls to AssociateWebACL

1 request every 2 seconds

Maximum number of calls to DisassociateWebACL

1 request every 2 seconds

Maximum number of calls to GetWebACLForResource

1 request per second

Maximum number of calls to ListResourcesForWebACL

1 request per second

Maximum number of calls to CreateWebACLMigrationStack

1 request per second

Maximum number of calls to GetChangeToken

10 requests per second

Maximum number of calls to GetChangeTokenStatus

1 request per second

Maximum number of calls to any individual List action, if no other quota is defined for it

5 requests per second

Maximum number of calls to any individual Create, Put, Get, or Update action, if no other quota is defined for it

1 request per second