AWS WAF Limits
AWS WAF has default limits on the number of entities per account. You can request an increase in these limits.
| Resource | Default Limit |
|---|---|
|
Web ACLs per AWS account |
50 |
|
Rules per AWS account |
100 |
|
Rate-based-rules per AWS account |
5 |
|
Conditions per AWS account |
100 of each condition type (For example: 100 size constraint conditions, 100 IP match conditions, and so on. The exception is regex match conditions. You can have a maximum of 10 regex match conditions per account. This limit cannot be increased.) |
| Requests per Second | 10,000 per web ACL* |
*This limit applies only to AWS WAF on an Application Load Balancer. Requests per Second (RPS) limits for AWS WAF on CloudFront are the same as the RPS limits support by CloudFront that is described in the CloudFront Developer Guide.
The following limits on AWS WAF entities can't be changed.
| Resource | Limit |
|---|---|
|
Rules per web ACL |
10 |
|
Conditions per rule |
10 |
|
IP address ranges (in CIDR notation) per IP match condition |
10,000 |
|
IP addresses blocked per rate-based rule |
10,000 |
|
Minimum rate-based rule rate limit per 5 minute period |
2000 |
|
Filters per cross-site scripting match condition |
10 |
|
Filters per size constraint condition |
10 |
|
Filters per SQL injection match condition |
10 |
|
Filters per string match condition |
10 |
|
In string match conditions, the number of characters in HTTP header names, when you've configured AWS WAF to inspect the headers in web requests for a specified value |
40 |
|
In string match conditions, the number of characters in the value that you want AWS WAF to search for |
50 |
|
In regex match conditions, the number of characters in the pattern that you want AWS WAF to search for |
70 |
|
In regex match conditions, the number of patterns per pattern set |
10 |
|
In regex match conditions, the number of pattern sets per regex condition |
1 |
|
The number of pattern sets per account |
5 |
|
GeoMatchSets per account |
50 |
|
Locations per GeoMatchSet |
50 |
