Amazon WAF web ACL capacity units (WCUs) - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon WAF web ACL capacity units (WCUs)

Amazon WAF uses web ACL capacity units (WCU) to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs. Amazon WAF enforces WCU limits when you configure your rule groups and web ACLs. WCUs don't affect how Amazon WAF inspects web traffic.

Amazon WAF manages capacity for rules, rule groups, and web ACLs.

Rule WCUs

Amazon WAF calculates rule capacity when you create or update a rule. Amazon WAF calculates capacity differently for each rule type, to reflect each rule's relative cost. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. For example, a size constraint rule statement uses fewer WCUs than a statement that inspects requests using a regex pattern set.

Rule capacity requirements generally start at a base cost for the rule type and increase with complexity, for example, when you add text transformations before inspection or if you inspect the JSON body. For information about rule capacity requirements, see the listings for the rule statements at Rule statement basics.

Rule group WCUs

The WCU requirements for a rule group are determined by the rules that you define inside the rule group. The maximum capacity for a rule group is 5,000 WCUs.

Each rule group has an immutable capacity setting, which the owner assigns at creation. This is true for managed rule groups and rule groups that you create through Amazon WAF. When you modify a rule group, your changes must keep the rule group's WCUs within its capacity. This ensures that web ACLs that are using the rule group remain within their capacity requirements.

The WCUs that are in use in a rule group is the sum of the WCUs for the rules minus any processing optimizations that Amazon WAF is able to obtain by combining the behavior of the rules. For example, if you define two rules to examine the same web request component, and the rules each apply a particular transformation to the component before inspecting it, Amazon WAF might be able to charge you just once for applying the transformation. The WCU cost to use a rule group in a web ACL is always the fixed WCU setting that you defined at the rule group creation.

When you create a rule group, take care to set the capacity high enough to accommodate the rules that you'll want to use throughout the rule group's lifetime.

Web ACL WCUs

The WCU requirements for a web ACL are determined by the rules and rule groups that you use inside the web ACL.

  • The cost of using a rule group in a web ACL is the rule group's capacity setting.

  • The cost of using a rule is the rule's calculated WCUs minus any processing optimizations that Amazon WAF is able to obtain from the web ACL's combination of rules. For example, if you define two rules to examine the same web request component, and the rules each apply a particular transformation to the component before inspecting it, Amazon WAF might be able to charge you just once for applying the transformation.

The basic price for a web ACL includes up to 1,500 WCUs. Using more than 1,500 WCUs incurs additional fees, according to a tiered pricing model. Amazon WAF automatically adjusts your web ACL pricing as your web ACL WCU usage changes. For pricing details, see Amazon WAF Pricing.

The maximum capacity for a web ACL is 5,000 WCUs.

Determining the WCUs for a rule group or web ACL

As noted in prior sections, the total WCUs used in a rule group or web ACL will be equal to or less than the sum of the WCUs for all of the rules that are defined in the rule group or web ACL.

In the Amazon WAF console, you can see the capacity consumed when you add rules to your web ACL or rule group. The console displays the current capacity units used as you add the rules.

Through the API, you can check the maximum capacity requirements for the rules that you want to use in a web ACL or rule group. To do this, provide the JSON listing of the rules to the check capacity call. For more information, see CheckCapacity in the Amazon WAFV2 API Reference.