Using your rule group in a web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Using your rule group in a web ACL

To use a rule group in a web ACL, on the console, when you add or update the rules in your web ACL, on the Add rules and rule groups page, choose Add rules, and then choose Add my own rules and rule groups. Then choose Rule group and select your rule group from the list.

In your web ACL, you can alter the behavior of a rule group and its rules by setting the individual rule actions to count and by overriding the resulting rule group action to count. This can help you do things like test a rule group, identify false positives from rules in a rule group, and customize how a managed rule group handles your requests. For more information about these options, see Overriding the actions of a rule group or its rules.

If your rule group contains a rate-based statement, each web ACL where you use the rule group has its own separate rate tracking and management for the rate-based rule, independent of any other web ACL where you use the rule group. For more information, see Rate-based rule statement.

Temporary inconsistencies during updates

When you change a web ACL or any of its components, like rules and rule groups, AWS WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an AWS resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.