If you’re working with AWS WAF, it’s important to understand the limits on how many resources you can reference within your configurations. These quotas help manage the complexity and performance of your security rules.
First, there’s a limit on how many reference statements you can include in a single rule group. Specifically, you can have up to 50 reference statements. These reference statements are used to include IP sets or regex pattern sets in your rules. For example, if you create a rule group to block malicious traffic, you might have:
- 20 rules referencing different IP address ranges known for malicious activity.
- 15 rules that check URLs against various malicious patterns.
- 10 rules referencing geographic blocking lists.
As long as the total number of these reference statements stays at or below 50, you won’t run into issues.
The second limit is on how many reference statements you can include in your top-level web access control list (web ACL). This limit is also 50. The web ACL ties everything together and applies your rules to protect your resources. For example, within a web ACL, you might have:
- 10 references to different rule groups, such as managed rule sets from AWS or custom groups you create.
- 25 references to various IP sets used for allowlists or blocklists.
- 10 references to regex pattern sets for different URL patterns.
Again, all these references combined should not exceed 50.
These are fixed limits, and they can’t be increased. To keep your WAF setup running smoothly, design your rules and references thoughtfully, making sure you stay within these boundaries.
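A quota check over a rule list before deployment, as an added example (not code from AWS or from this article). It assumes the input is the `Rules` array of a WAFv2 web ACL or rule group in JSON form, and that the four statement keys listed in `REFERENCE_KEYS` are the ones that count as reference statements; the sample rules and ARNs are constructed.

```python
from collections import Counter

REFERENCE_LIMIT = 50  # quota stated in the article, per rule group and per web ACL

# Assumption: the WAFv2 statement keys counted as reference statements.
REFERENCE_KEYS = {
    "IPSetReferenceStatement",
    "RegexPatternSetReferenceStatement",
    "RuleGroupReferenceStatement",
    "ManagedRuleGroupStatement",
}

# Constructed sample: three rules, one of which nests two IP set references.
ARN = "arn:aws:wafv2:us-east-1:111122223333:regional/"  # placeholder account
SAMPLE_RULES = [
    {"Name": "block-bad-ips", "Priority": 0, "Statement": {"OrStatement": {
        "Statements": [
            {"IPSetReferenceStatement": {"ARN": ARN + "ipset/example-a/ID-A"}},
            {"IPSetReferenceStatement": {"ARN": ARN + "ipset/example-b/ID-B"}},
        ]}}},
    {"Name": "bad-urls", "Priority": 1, "Statement": {
        "RegexPatternSetReferenceStatement": {
            "ARN": ARN + "regexpatternset/example-urls/ID-C",
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
    {"Name": "aws-common", "Priority": 2, "Statement": {
        "ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
]

def count_references(node, counts=None):
    """Walk the rule tree and count reference statements at any depth, so
    references nested in And/Or/Not or scope-down statements are included."""
    counts = Counter() if counts is None else counts
    if isinstance(node, dict):
        for key, value in node.items():
            if key in REFERENCE_KEYS:
                counts[key] += 1
            count_references(value, counts)
    elif isinstance(node, list):
        for item in node:
            count_references(item, counts)
    return counts

def check_quota(rules, limit=REFERENCE_LIMIT):
    """Return the total, a per-type breakdown, and whether it fits the quota."""
    counts = count_references(rules)
    total = sum(counts.values())
    return {"total": total, "by_type": dict(counts), "within_limit": total <= limit}

if __name__ == "__main__":
    print(check_quota(SAMPLE_RULES))
```

Counting per rule rather than per statement would undercount here: the first sample rule contributes two references, not one.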
For more details, see the AWS WAF quotas page in the official AWS documentation.





