Setting rule priority in a web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Setting rule priority in a web ACL

This section explains how AWS WAF uses numeric priority settings to set the evaluation order for rules.

In a web ACL and inside any rule group, you determine the evaluation order of the rules using numeric priority settings. You must give each rule in a web ACL a unique priority setting within that web ACL, and you must give each rule in a rule group a unique priority setting within that rule group.

Note

When you manage rule groups and web ACLs through the console, AWS WAF assigns unique numeric priority settings for you based on the order of the rules in the list. AWS WAF assigns the lowest numeric priority to the rule at the top of the list, and the highest numeric priority to the rule at the bottom.

When AWS WAF evaluates any web ACL or rule group against a web request, it evaluates the rules from the lowest numeric priority setting on up until it either finds a match that terminates the evaluation or exhausts all of the rules.

For example, say you have the following rules and rule groups in your web ACL, prioritized as shown:

  • Rule1 – priority 0

  • RuleGroupA – priority 100

    • RuleA1 – priority 10,000

    • RuleA2 – priority 20,000

  • Rule2 – priority 200

  • RuleGroupB – priority 300

    • RuleB1 – priority 0

    • RuleB2 – priority 1

AWS WAF would evaluate the rules for this web ACL in the following order:

  • Rule1

  • RuleGroupA RuleA1

  • RuleGroupA RuleA2

  • Rule2

  • RuleGroupB RuleB1

  • RuleGroupB RuleB2