AWS WAF quotas

Note

This is the latest version of AWS WAF. For AWS WAF Classic, see AWS WAF Classic.

AWS WAF is subject to the following quotas (formerly referred to as limits). These quotas are the same for all Regions in which AWS WAF is available. Each Region is subject to these quotas individually. The quotas are not cumulative across Regions.

AWS WAF has default quotas on the maximum number of entities you can have per account. You can request an increase in these quotas.

Resource	Default quota per account per Region
Maximum number of web ACLs	100
Maximum number of rule groups	100
Maximum number of IP sets	100
Maximum number of requests per second per web ACL	25,000
Maximum number of custom request headers per web ACL or rule group	100
Maximum number of custom response headers per web ACL or rule group	100
Maximum number of custom response bodies per web ACL or rule group	50
Maximum number of token domains in a web ACL token domain list	10

The maximum requests per second (RPS) allowed for AWS WAF on CloudFront is set by CloudFront and described in the CloudFront Developer Guide.

AWS WAF has fixed quotas on the following entity settings per account per Region. These quotas can't be changed.

Resource	Quota per account per Region
Maximum web ACL capacity units (WCUs) per web ACL*	5,000
Maximum WCUs per rule group	5,000
Maximum number of reference statements per rule group. In a rule group, a reference statement can reference an IP set or a regex pattern set.	50
Maximum number of reference statements per web ACL. In a web ACL, a reference statement can reference a rule group, an IP set, or a regex pattern set.	50
Maximum number of IP addresses in CIDR notation per IP set	10,000
Maximum number of rate-based rules per web ACL	10
Maximum number of rate-based rules per rule group	4
Minimum request rate that can be defined for a rate-based rule	100
Maximum number of unique IP addresses that can be rate limited per rate-based rule	10,000
Maximum number of characters in a string match statement	200
Maximum number of characters in each regex pattern	200
Maximum number of unique regex patterns per regex set	10
Maximum number of regex sets	10
Maximum size of a web request body that can be inspected for Application Load Balancer and AWS AppSync protections	8 KB
Maximum size of a web request body that can be inspected for CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access protections**	64 KB
Maximum number of text transformations per rule statement	10
Maximum size of the custom response body content for a single custom response definition	4 KB
Maximum number of custom headers for a single custom response definition	10
Maximum number of custom headers for a single custom request definition	10
Maximum combined size of all response body content for a single rule group or a single web ACL	50 KB

*Using more than 1,500 WCUs in a web ACL incurs costs beyond the basic web ACL price. For more information, see AWS WAF web ACL capacity units (WCUs) and AWS WAF Pricing.

**By default, the body inspection limit is set to 16 KB for CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources, but you can increase this for any of these resources in your web ACL configuration, up to the listed maximum. For more information, see Managing body inspection size limits.

AWS WAF has the following fixed quotas on calls per account per Region. These quotas apply to the total calls to the service through any available means, including the console, CLI, AWS CloudFormation, the REST API, and the SDKs. These quotas can't be changed.

Call type	Quota per account per Region
Maximum number of calls to `AssociateWebACL`	One request every 2 seconds
Maximum number of calls to `DisassociateWebACL`	One request every 2 seconds
Maximum number of calls to `GetWebACLForResource`	One request per second
Maximum number of calls to `ListResourcesForWebACL`	One request per second
Maximum number of calls to any individual `Get` or `List` action, if no other quota is defined for it	Five requests per second
Maximum number of calls to any individual `Create`, `Put`, or `Update` action, if no other quota is defined for it	One request per second

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure security

Migrating your AWS WAF Classic resources to AWS WAF