Web ACL capacity units (WCUs) in Amazon WAF
This section explains what web ACL capacity units (WCUs) are and how they work.
Amazon WAF uses WCUs to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs. Amazon WAF enforces WCU limits when you configure your rule groups and web ACLs. WCUs don't affect how Amazon WAF inspects web traffic.
Amazon WAF manages capacity for rules, rule groups, and web ACLs.
Rule WCUs
Amazon WAF calculates rule capacity when you create or update a rule. Amazon WAF calculates capacity differently for each rule type, to reflect each rule's relative cost. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. For example, a size constraint rule statement uses fewer WCUs than a statement that inspects requests using a regex pattern set.
Rule capacity requirements generally start at a base cost for the rule type and increase with complexity, for example, when you add text transformations before inspection or if you inspect the JSON body. For information about rule capacity requirements, see the listings for the rule statements at Using rule statements in Amazon WAF.
Rule group WCUs
The WCU requirements for a rule group are determined by the rules that you define inside the rule group. The maximum capacity for a rule group is 5,000 WCUs.
Each rule group has an immutable capacity setting, which the owner assigns at creation. This is true for managed rule groups and rule groups that you create through Amazon WAF. When you modify a rule group, your changes must keep the rule group's WCUs within its capacity. This ensures that protection packs or web ACLs that are using the rule group remain within their capacity requirements.
The WCUs in use in a rule group are the sum of the WCUs for the rules minus any processing optimizations that Amazon WAF is able to obtain by combining the behavior of the rules. For example, if you define two rules to examine the same web request component, and the rules each apply a particular transformation to the component before inspecting it, Amazon WAF might be able to charge you just once for applying the transformation. The WCU cost to use a rule group in a protection pack or web ACL is always the fixed WCU setting that you defined when you created the rule group.
When you create a rule group, take care to set the capacity high enough to accommodate the rules that you'll want to use throughout the rule group's lifetime.
Protection pack or web ACL WCUs
The WCU requirements for a protection pack or web ACL are determined by the rules and rule groups that you use inside the protection pack or web ACL.
- The cost of using a rule group in a protection pack or web ACL is the rule group's capacity setting.
- The cost of using a rule is the rule's calculated WCUs minus any processing optimizations that Amazon WAF is able to obtain from the protection pack or web ACL's combination of rules. For example, if you define two rules to examine the same web request component, and the rules each apply a particular transformation to the component before inspecting it, Amazon WAF might be able to charge you just once for applying the transformation.
The basic price for a protection pack or web ACL includes up to 1,500 WCUs. Using more than 1,500 WCUs incurs additional fees, according to a tiered pricing model. Amazon WAF automatically adjusts your protection pack or web ACL pricing as your protection pack or web ACL WCU usage changes. For pricing details, see Amazon WAF Pricing.
The maximum capacity for a protection pack or web ACL is 5,000 WCUs.
Determining the WCUs for a rule group, protection pack, or web ACL
As noted in prior sections, the total WCUs used in a rule group, protection pack, or web ACL will be equal to or less than the sum of the WCUs for all of the rules that are defined in the rule group, protection pack, or web ACL.
In the Amazon WAF console, you can see the capacity consumed when you add rules to your protection pack, web ACL, or rule group. The console displays the current capacity units used as you add the rules.
Through the API, you can check the maximum capacity requirements for the rules that you want to use in a protection pack, web ACL, or rule group. To do this, provide the JSON listing of the rules to the check capacity call. For more information, see CheckCapacity in the Amazon WAFV2 API Reference.
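The following added example (not from the original page or from AWS) shows one way to run a pre-deployment WCU budget check: it sends the standalone rules to the CheckCapacity call, adds the fixed capacity settings of any rule groups, and compares the upper-bound total with the 1,500 included WCUs and the 5,000 WCU maximum described above. The function name `wcu_budget`, the `StubWafv2` stand-in client, the sample rule, and the capacity values are assumptions constructed for illustration.

```python
INCLUDED_WCUS = 1500  # WCUs covered by the basic price (from this page)
MAX_WCUS = 5000       # maximum for a rule group, protection pack, or web ACL


def wcu_budget(client, scope, rules, rule_group_capacities=()):
    """Upper-bound WCU estimate for a planned protection pack or web ACL.

    client: boto3.client("wafv2") or any object with the same
            check_capacity(Scope=..., Rules=...) method.
    rule_group_capacities: fixed capacity settings of the rule groups the
            web ACL will reference; each is charged in full.
    """
    for cap in rule_group_capacities:
        if not 0 < cap <= MAX_WCUS:
            raise ValueError(f"rule group capacity {cap} exceeds limits")
    # CheckCapacity reports the maximum requirement for the listed rules,
    # so the real usage can be lower after processing optimizations.
    rule_wcus = client.check_capacity(Scope=scope, Rules=rules)["Capacity"] if rules else 0
    total = rule_wcus + sum(rule_group_capacities)
    return {
        "rule_wcus": rule_wcus,
        "total": total,
        "fits": total <= MAX_WCUS,
        "over_included": max(0, total - INCLUDED_WCUS),
    }


# Constructed sample rule in WAFV2 JSON form: block bodies larger than 8 KB.
SAMPLE_RULES = [{
    "Name": "limit-body-size",
    "Priority": 0,
    "Statement": {"SizeConstraintStatement": {
        "FieldToMatch": {"Body": {}},
        "ComparisonOperator": "GT",
        "Size": 8192,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
    }},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "limit-body-size"},
}]


class StubWafv2:
    """Offline stand-in for the WAFV2 client; the capacity value is constructed."""
    def __init__(self, capacity):
        self.capacity = capacity

    def check_capacity(self, Scope, Rules):
        return {"Capacity": self.capacity}
```

To run this against a real account, pass `boto3.client("wafv2")` in place of the stub and use the scope (`REGIONAL` or `CLOUDFRONT`) of the resource that you plan to protect.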