Using rate-based rule statements in Amazon WAF - Amazon WAF, Amazon Firewall Manager, Amazon Shield Advanced, and Amazon Shield network security director

This section explains what a rate-based rule statement is and how it works.

A rate-based rule counts incoming requests and rate limits them when they arrive too quickly. The rule aggregates requests according to your criteria, then counts and rate limits each aggregate grouping based on the rule's evaluation window, request limit, and action settings.

Note

You can also rate limit web requests using the targeted protection level of the Bot Control Amazon Managed Rules rule group. Using this managed rule group incurs additional fees. For more information, see Options for rate limiting in rate-based rules and targeted Bot Control rules.

Amazon WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and each gets its own tracking and management by Amazon WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by Amazon WAF.

Not nestable – You can't nest this statement type inside other statements. You can include it directly in a protection pack or web ACL, or in a rule group.

Scope-down statement – This rule type can take a scope-down statement, to narrow the scope of the requests that the rule tracks and rate limits. The scope-down statement can be optional or required, depending on your other rule configuration settings. The details are covered in this section. For general information about scope-down statements, see Using scope-down statements in Amazon WAF.

WCUs – 2, as a base cost. For each custom aggregation key that you specify, add 30 WCUs. If you use a scope-down statement in the rule, calculate and add the WCUs for that.
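The three constraints above (no nesting, the scope-down statement, and the WCU cost) can be checked mechanically before a rule is deployed. The following Python is an added example, not AWS code: the sample rule, its name and values, and the function names are constructed here. The check that `CONSTANT` aggregation needs a scope-down statement comes from the wider Amazon WAF documentation rather than from this page.

```python
# Constructed sample rule in the WAFv2 JSON rule shape; all values are hypothetical.
SAMPLE_RULE = {
    "Name": "login-rate-limit", "Priority": 1,
    "Statement": {"RateBasedStatement": {
        "Limit": 100, "EvaluationWindowSec": 300,
        "AggregateKeyType": "CUSTOM_KEYS",
        "CustomKeys": [
            {"IP": {}},
            {"Header": {"Name": "User-Agent",
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
        ],
        "ScopeDownStatement": {"ByteMatchStatement": {
            "SearchString": "/login", "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
    }},
    "Action": {"Block": {}},
}


def nested_rate_statements(node, path="Statement", top=True):
    """Return the paths of every RateBasedStatement that is not at the top level."""
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if key == "RateBasedStatement" and not top:
                found.append(here)
            found += nested_rate_statements(val, here, top=False)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            found += nested_rate_statements(val, f"{path}[{i}]", top=False)
    return found


def lint_rate_rule(rule):
    """Check one rule; base_wcu excludes the scope-down statement's own WCUs."""
    stmt = rule["Statement"]
    issues = [f"nested rate-based statement at {p}"
              for p in nested_rate_statements(stmt)]
    rbs = stmt.get("RateBasedStatement")
    if rbs is None:
        return {"base_wcu": None, "issues": issues}
    # Base cost of 2 WCUs, plus 30 for each custom aggregation key.
    base_wcu = 2 + 30 * len(rbs.get("CustomKeys", []))
    # Counting all requests (CONSTANT) is only accepted with a scope-down statement.
    if rbs.get("AggregateKeyType") == "CONSTANT" and "ScopeDownStatement" not in rbs:
        issues.append("CONSTANT aggregation requires a ScopeDownStatement")
    return {"base_wcu": base_wcu, "issues": issues}
```

Add the WCUs of the scope-down statement itself to `base_wcu` to get the rule's total.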

Where to find this rule statement
  • Rule builder in your protection pack or web ACL, on the console – Under Rule, for Type, choose Rate-based rule.

  • API – RateBasedStatement