Amazon WAF Classic quotas
Warning
Amazon WAF Classic support will end on September 30, 2025.
Note
This is Amazon WAF Classic documentation. You should only use this version if you created Amazon WAF resources, like rules and web ACLs, in Amazon WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see Migrating your Amazon WAF Classic resources to Amazon WAF.
For the latest version of Amazon WAF, see Amazon WAF.
Amazon WAF Classic is subject to the following quotas (formerly referred to as limits).
Amazon WAF Classic has default quotas on the number of entities per account per Region. You can request an increase
Resource | Default quota per account per Region |
---|---|
Web ACLs | 50 |
Rules | 100 |
Rate-based-rules | 5 |
Conditions per account per Region | For all conditions except for regex match and geo match, 100 of each condition type. For example, 100 size constraint conditions and 100 IP match conditions. For regex and geo match conditions, see the following table. |
Requests per Second | 25,000 per web ACL* |

*This quota applies only to Amazon WAF Classic on an Application Load Balancer. Requests per Second (RPS) quotas for Amazon WAF Classic on CloudFront are the same as the RPS quotas supported by CloudFront that are described in the CloudFront Developer Guide.
The following quotas on Amazon WAF Classic entities can't be changed.
Resource | Quota per account per Region |
---|---|
Rule groups per web ACL | 2: 1 customer-created rule group and 1 Amazon Web Services Marketplace rule group |
Rules per web ACL | 10 |
Conditions per rule | 10 |
IP address ranges (in CIDR notation) per IP match condition | 10,000 You can update up to 1,000 addresses at a time. The API call |
IP addresses blocked per rate-based rule | 10,000 |
Minimum rate-based rule rate limit per 5 minute period | 100 |
Filters per cross-site scripting match condition | 10 |
Filters per size constraint condition | 10 |
Filters per SQL injection match condition | 10 |
Filters per string match condition | 10 |
In string match conditions, the number of characters in HTTP header names, when you've configured Amazon WAF Classic to inspect the headers in web requests for a specified value | 40 |
In string match conditions, the number of characters in the value that you want Amazon WAF Classic to search for | 50 |
Regex match conditions | 10 |
In regex match conditions, the number of characters in the pattern that you want Amazon WAF Classic to search for | 70 |
In regex match conditions, the number of patterns per pattern set | 10 |
In regex match conditions, the number of pattern sets per regex condition | 1 |
Pattern sets | 5 |
Geo match conditions | 50 |
Locations per geo match condition | 50 |

Amazon WAF Classic has the following fixed quotas on calls per account per Region. These quotas apply to the total calls to the service through any available means, including the console, CLI, Amazon CloudFormation, the REST API, and the SDKs. These quotas can't be changed.
Call type | Quota per account per Region |
---|---|
Maximum number of calls to AssociateWebACL | 1 request every 2 seconds |
Maximum number of calls to DisassociateWebACL | 1 request every 2 seconds |
Maximum number of calls to GetWebACLForResource | 1 request per second |
Maximum number of calls to ListResourcesForWebACL | 1 request per second |
Maximum number of calls to CreateWebACLMigrationStack | 1 request per second |
Maximum number of calls to GetChangeToken | 10 requests per second |
Maximum number of calls to GetChangeTokenStatus | 1 request per second |
Maximum number of calls to any individual List action, if no other quota is defined for it | 5 requests per second |
Maximum number of calls to any individual Create, Put, Get, or Update action, if no other quota is defined for it | 1 request per second |