Using your rule group in a Web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

To use a rule group in a web ACL from the console: when you add or update the rules in your web ACL, go to the Add rules and rule groups page, choose Add rules, and then choose Add my own rules and rule groups. Then choose Rule group and select your rule group from the list.

In your web ACL, you can alter the behavior of a rule group and its rules by setting the individual rule actions to count and by overriding the resulting rule group action to count. This can help you do things like test a rule group, identify false positives from rules in a rule group, and customize how a managed rule group handles your requests. For more information about these options, see Overriding the actions of a rule group or its rules.
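The two overrides described above, written out as the rule entry that goes in a web ACL's rule list. This is an added example, not code from this guide: the helper names, the ARN, and the rule names are constructed placeholders, and the field names follow the AWS WAFV2 rule JSON format.

```python
import json

# Constructed placeholder ARN; substitute the ARN of your own rule group.
EXAMPLE_ARN = ("arn:aws:wafv2:us-east-1:111122223333:"
               "regional/rulegroup/example-rule-group/EXAMPLE-ID")


def rule_group_reference(name, priority, rule_group_arn,
                         count_rules=(), count_group_result=False):
    """Build one web ACL rule entry that references a rule group.

    count_rules: names of rules inside the group whose own action is
        replaced with Count (per-rule override).
    count_group_result: if True, the action that results from the rule
        group as a whole is overridden to Count.
    """
    statement = {"ARN": rule_group_arn}
    if count_rules:
        statement["RuleActionOverrides"] = [
            {"Name": rule_name, "ActionToUse": {"Count": {}}}
            for rule_name in count_rules
        ]
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RuleGroupReferenceStatement": statement},
        # A rule that references a rule group carries OverrideAction
        # instead of Action; {"None": {}} means "no override".
        "OverrideAction": {"Count": {}} if count_group_result else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def overridden_rule_names(entry):
    """Return the names of the group's rules that are set to Count."""
    ref = entry["Statement"]["RuleGroupReferenceStatement"]
    return [o["Name"] for o in ref.get("RuleActionOverrides", [])]


if __name__ == "__main__":
    # Test rollout: count two (hypothetical) rules and the group result.
    entry = rule_group_reference("example-rule-group-test", 10, EXAMPLE_ARN,
                                 count_rules=["rule-a", "rule-b"],
                                 count_group_result=True)
    print(json.dumps(entry, indent=2))
```

Once false positives are resolved, rebuilding the entry without `count_rules` and with `count_group_result=False` gives the enforcing form.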

Eventual consistency

When you make changes to web ACLs or web ACL components, like rules and rule groups, AWS WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you add an IP address to an IP set that's referenced by a blocking rule in a web ACL, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an AWS resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.