1. Home
  2. Training Library
  3. Amazon Web Services
  4. Courses
  5. Introduction to AWS Web Application Firewall

Service Limitations


2m 50s
Start course


All AWS services have default service limits and AWS WAF is no exception. This lecture looks at the primary service limitations of AWS WAF. For example the number of Conditions per AWS account, Rules per AWS account and Web ACLs per AWS account. Which limits can and cannot be increased is also explained.


Hello and welcome to this short lecture where I shall explain the limitations of the WAF service.

Most AWS services have default service limits that can vary over time from region to region. For AWS WAF, some of the default service limits can be increased by logging a request by the AWS support center. These conditions are as follows, conditions per AWS account, rules per AWS account, and web ACLs per AWS account.

By default, the conditions and rules are currently set to a limit of 50 and the Web ACLs have a default limit of 10.

As an example within these default limits, you could have five Web ACLs, each with 10 rules and five conditions in each rule. Or 10 Web ACLs with five rules and 10 conditions configured within each rule.

It's good practice to check the service limits page on the AWS site to confirm the latest AWS WAF service limits.

For small to medium solutions, these limits will more than likely be more than adequate, especially as you can assign the same Web ACL to different CloudFront distributions without affecting these limits. If, however, you are a large enterprise, and you find you are reaching these limitations, then do be aware you can request an increase.

Unfortunately, not all the limits can be increased. The following are the static limitations that currently cannot be changed. I won't run through all these individually but feel free to pause the video and take a look at these static limits.

These limitations also make a good reason to implement a reactive rule policy to ensure you are only configuring rules and conditions that need to be configured.

That brings us to the end of this lecture. Although it was short, it is important for you to understand the AWS WAF service limitations. Knowing these limitations can influence how you architect and design your WEB ACLs. In the following lecture, we'll look at how AWS WAF works with AWS CloudFront.


About the Author
Learning paths61

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 80+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.