AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Developer Guide (API Version 2019-07-29)

AWS WAF Limits

AWS WAF has default limits on the number of entities per account. You can request an increase in these limits.

| Resource | Default Limit |
|---|---|
| Web ACLs per AWS account per Region | 100 |
| Rule groups per Region | 100 |
| Web ACL capacity units (WCUs) per web ACL | 1,500 |
| WCUs per rule group | 1,500 |
| IP sets per Region | 100 |
| Regex sets per Region | 10 |
| Unique regex patterns per regex set | 10 |
| Rate-based rules per web ACL | 10 |
| Requests per second per web ACL (applies only to Application Load Balancers) | 100,000 |

Requests per second (RPS) limits for AWS WAF on CloudFront are the RPS limits supported by CloudFront, which are described in the CloudFront Developer Guide.

The following limits on AWS WAF entities can't be changed.

| Resource | Default Limit |
|---|---|
| IP addresses in CIDR notation per IP set | 10,000 |
| Unique IP addresses that can be blocked per rate-based rule | 10,000 |
| Maximum characters allowed for each regex pattern | 200 |
| Maximum characters allowed for a string match condition | 200 |
| Maximum size of a web request body that can be inspected | 8 KB |
| Minimum request rate that can be defined for a rate-based rule | 100 |