AWS WAF Limits

AWS WAF has default limits on the number of entities per account. You can request an increase in these limits.

Resource	Default Limit
Web ACLs AWS account per Region	100
Rule groups per region	100
WebACL capacity units (WCUs) per web ACL	1,500
WCUs per rule group	1,500
IP sets per region	100
Regex sets per Region	10
Unique regex patterns per regex set	10
Rate-based rules per web ACL	10
Requests per second per web ACL (applies only to Application Load Balancers)	100,000

Requests per Second (RPS) limits for AWS WAF on CloudFront are the RPS limits support by CloudFront, which is described in the CloudFront Developer Guide.

The following limits on AWS WAF entities can't be changed.

Resource	Default Limit
IP addresses in CIDR notation per IP set	10,000
Unique IP addresses that can be blocked per rate-based rule	10,000
Maximum characters allowed for each regex pattern	200
Maximum characters allowed for a string match condition	200
Maximum size of a web request body that can be inspected	8 KB
Minimum request rate that can be defined for a rate-based rule	100

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »