Why do I get a limit exceeded error when I add rules to AWS WAF?


I can't add rules to my web access control list (web ACL) or to an existing rule group in AWS WAF. I receive a limit exceeded error.

Resolution

Error when you add a rule to an existing rule group in a web ACL

If you exceed your rule group capacity, then you can't add a new rule to AWS WAF or AWS WAF Classic. In AWS WAF, you receive a "You exceeded the capacity limit" error. In AWS WAF Classic, you receive an "Operation would result in exceeding resource limits" error.

AWS WAF

In AWS WAF, you set the capacity of a rule group when you create it. You can't change the capacity after you create the rule group.

To add a new rule to your web ACL, you must create a new rule group. It's a best practice to configure a rule group capacity that allows you to add more rules later. For estimates of web ACL capacity units used by different types of rules, see AWS WAF web ACL capacity units (WCUs).

To add the rule group to the web ACL, complete the following steps:

  1. Open the AWS WAF console.
  2. Choose AWS WAF, and then choose Web ACLs.
  3. Select your web ACL.
  4. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  5. To set up your rule, configure the following settings:
    For Rule Type, select Rule group.
    For Name, enter the rule name.
    For Rule Group, choose your new rule group.
  6. Choose Add rule.
  7. Choose Save.
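Because a rule group's capacity is fixed at creation, it pays to measure what the planned rules cost before choosing it. The following is an added example, not code from the AWS article: it uses the wafv2 CheckCapacity API (exposed in boto3 as client.check_capacity(Scope=..., Rules=[...]), which returns {"Capacity": int}) but injects the client so the check runs offline against a stub. The rule names, ARNs, the "double it" headroom rule of thumb and the stub's per-statement costs are constructed assumptions; the real service computes the exact WCU figure.

```python
"""Plan a rule group's capacity before creating it (AWS WAF, wafv2 API).

Added example, not from the AWS article. The client is injected so the check
runs offline against StubWafClient; make_real_client() shows the real one.
"""
import math


def plan_rule_group(client, scope, rules, rule_group_capacity):
    """Ask CheckCapacity what the rules cost and compare with the planned capacity.

    Capacity cannot be raised after the rule group exists, so negative headroom
    means "create a new rule group with more room" rather than "edit this one".
    """
    consumed = client.check_capacity(Scope=scope, Rules=rules)["Capacity"]
    return {
        "consumed_wcu": consumed,
        "capacity": rule_group_capacity,
        "headroom_wcu": rule_group_capacity - consumed,
        "fits": consumed <= rule_group_capacity,
    }


def suggest_capacity(consumed_wcu, growth_factor=2.0, step=50):
    """Suggest a capacity with room to add rules later.

    Assumed rule of thumb: double today's consumption, then round up to a
    multiple of `step`. Adjust to your own growth expectations.
    """
    target = max(consumed_wcu, 1) * growth_factor
    return int(math.ceil(target / step) * step)


def make_real_client(region_name):
    """Build the real wafv2 client; needs boto3 and AWS credentials (not used offline)."""
    import boto3  # imported lazily so the offline demo runs without boto3 installed
    return boto3.client("wafv2", region_name=region_name)


class StubWafClient:
    """Offline stand-in for the wafv2 client with constructed, approximate WCU costs."""

    COST = {"ByteMatchStatement": 2, "IPSetReferenceStatement": 1,
            "RegexPatternSetReferenceStatement": 25, "RateBasedStatement": 2}

    def check_capacity(self, Scope, Rules):
        return {"Capacity": sum(self._cost(r["Statement"]) for r in Rules)}

    def _cost(self, statement):
        (kind, body), = statement.items()            # a statement has exactly one key
        total = self.COST.get(kind, 0)
        for child in body.get("Statements", []):       # AndStatement / OrStatement
            total += self._cost(child)
        for key in ("Statement", "ScopeDownStatement"):  # NotStatement / RateBasedStatement
            if key in body:
                total += self._cost(body[key])
        return total


def _rule(name, priority, statement):
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def sample_rules():
    """Constructed sample rules: an IP set reference, a rate-based rule and a path match."""
    login = {"ByteMatchStatement": {"SearchString": "/login", "FieldToMatch": {"UriPath": {}},
             "PositionalConstraint": "STARTS_WITH",
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}
    admin = {"ByteMatchStatement": {"SearchString": "/admin", "FieldToMatch": {"UriPath": {}},
             "PositionalConstraint": "STARTS_WITH",
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}
    ip_set = {"IPSetReferenceStatement": {
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/sample/PLACEHOLDER"}}
    rate = {"RateBasedStatement": {"Limit": 500, "AggregateKeyType": "IP",
                                   "ScopeDownStatement": login}}
    return [_rule("block-listed-ips", 0, ip_set), _rule("rate-limit-login", 1, rate),
            _rule("block-admin-path", 2, admin)]


if __name__ == "__main__":
    report = plan_rule_group(StubWafClient(), "REGIONAL", sample_rules(), rule_group_capacity=5)
    print(report)                                      # fits: False, headroom_wcu: -2
    print(suggest_capacity(report["consumed_wcu"]))    # 50
```

Run it with the stub to see the shape of the report; swap in make_real_client("us-east-1") (or Scope="CLOUDFRONT" for a CloudFront web ACL) to get the service's real numbers, and pick the rule group capacity from suggest_capacity rather than from today's exact consumption.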

AWS WAF Classic

In AWS WAF Classic, there's a maximum quota of rules per rule group. You can't exceed this quota for an individual rule group. To set up more rules than the rule group quota allows, you must first create a new rule group. Then, you can add that new rule group to the web ACL:

  1. Open the AWS WAF console.
  2. Choose Switch to AWS WAF Classic.
  3. Choose Web ACLs.
  4. Select your web ACL.
  5. Choose Rules, and then choose Edit web ACL.
  6. For Rules, choose your new rule group.
  7. Choose Add rule to web ACL.
  8. Choose Update.

Note: There's a maximum quota for the number of rule groups that you can add to a web ACL in AWS WAF Classic. To add more rule groups than the quota allows, you must migrate to AWS WAF.

Error when you add a new rate-based rule

If you exceed the maximum rate-based rule quota in AWS WAF or AWS WAF Classic, then you can't create a new rate-based rule. In AWS WAF, you receive an "AWS WAF couldn't perform the operation because you exceeded your resource limit" error. In AWS WAF Classic, you receive an "Operation would result in exceeding resource limits" error.

AWS WAF

If you exceed the maximum rate-based rules in AWS WAF, then you must consolidate your existing rate-based rules. One rate-based rule can cover multiple criteria. Where possible, use Match, AND, OR, and NOT logic to link multiple statements in a web ACL rule.

To modify your existing rate-based rules, complete the following steps:

  1. Open the AWS WAF console.
  2. Choose Web ACLs.
  3. For Region, choose the AWS Region where your web ACL is located. To view web ACLs that protect Amazon CloudFront distributions, choose Global (CloudFront).
  4. Select your web ACL.
  5. Choose Rules, and then select the rate-based rule that you want to modify.
  6. Choose Edit.
  7. Under Rate Limiting Criteria, choose Scope of inspection and rate limiting. Select Only consider requests that match the criteria in a rule statement.
  8. From the If a request dropdown list, select a logical operator.
  9. Add your statements, and then choose your Rule Action.
  10. Choose Save.

Note: When you modify a rule group that's attached to a web ACL, AWS WAF automatically applies the modifications to the web ACL.
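The consolidation the steps above perform in the console can also be done on the rule JSON directly. The following is an added example, not code from the AWS article: it merges rate-based rules that share the same limit, aggregation key and action by OR-ing their scope-down statements, the same nesting that "Only consider requests that match the criteria in a rule statement" produces, and refuses to merge rules whose settings differ, because that would change what gets rate limited. The rule names, URI prefixes and limits are constructed sample values.

```python
"""Consolidate several AWS WAF (wafv2) rate-based rules into one.

Added example, not from the AWS article. Merging is only behaviour-preserving
when every rule counts the same key against the same limit and takes the same
action, so anything else is rejected with ValueError.
"""
import copy
import json


def _canonical(obj):
    """Stable JSON form so two equal statements compare equal."""
    return json.dumps(obj, sort_keys=True)


def consolidate_rate_based_rules(rules, name, priority):
    """Return one rate-based rule equivalent to the given rate-based rules."""
    rb = [r for r in rules if "RateBasedStatement" in r["Statement"]]
    if len(rb) < 2:
        raise ValueError("need at least two rate-based rules to consolidate")
    bodies = [r["Statement"]["RateBasedStatement"] for r in rb]
    # Limit, AggregateKeyType, EvaluationWindowSec, CustomKeys ... must all agree.
    settings = {_canonical({k: v for k, v in b.items() if k != "ScopeDownStatement"})
                for b in bodies}
    if len(settings) != 1:
        raise ValueError("rules differ in Limit/AggregateKeyType/other settings; "
                         "merging would change behaviour")
    if len({_canonical(r["Action"]) for r in rb}) != 1:
        raise ValueError("rules take different actions; merging would change behaviour")

    merged = copy.deepcopy(bodies[0])
    merged.pop("ScopeDownStatement", None)
    scope_downs = [b.get("ScopeDownStatement") for b in bodies]
    if all(s is not None for s in scope_downs):
        parts, seen = [], set()
        for s in scope_downs:
            # Splice existing ORs in flat and drop duplicates so the merged
            # statement stays shallow (AWS WAF limits statement nesting depth).
            children = s["OrStatement"]["Statements"] if "OrStatement" in s else [s]
            for child in children:
                if _canonical(child) not in seen:
                    seen.add(_canonical(child))
                    parts.append(copy.deepcopy(child))
        merged["ScopeDownStatement"] = (parts[0] if len(parts) == 1
                                        else {"OrStatement": {"Statements": parts}})
    # else: a rule with no scope-down already counts every request, so the
    # union is "every request" and the merged rule needs no scope-down either.
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": merged},
            "Action": copy.deepcopy(rb[0]["Action"]),
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def _path_rule(name, priority, prefix=None, limit=500):
    """Constructed rate-based rule; prefix=None means no scope-down (all requests)."""
    body = {"Limit": limit, "AggregateKeyType": "IP"}
    if prefix is not None:
        body["ScopeDownStatement"] = {"ByteMatchStatement": {
            "SearchString": prefix, "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}
    return {"Name": name, "Priority": priority, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": body},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


SAMPLE_RULES = [_path_rule("rl-login", 0, "/login"), _path_rule("rl-signup", 1, "/signup"),
                _path_rule("rl-reset", 2, "/password-reset")]

if __name__ == "__main__":
    print(json.dumps(consolidate_rate_based_rules(SAMPLE_RULES, "rl-auth", 0), indent=2))
```

Three separate rate-based rules become one rule whose scope-down is an OrStatement over the three path matches, freeing two slots against the rate-based rule quota. Feeding the merged rule back in with a fourth rule works too, because the existing OR is flattened rather than nested.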

AWS WAF Classic

It's a best practice to review and consolidate your existing rate-based rules. One rate-based rule can cover multiple criteria. Where possible, add multiple conditions to a single rate-based rule.

To modify your existing rate-based rules, complete the following steps:

  1. Open the AWS WAF console.
  2. Choose Switch to AWS WAF Classic.
  3. Choose Rules.
  4. For Filter, choose the Region where you store the rule. To modify a rule in web ACLs that protect CloudFront distributions, choose Global (CloudFront).
  5. Choose Rules, and then select the rate-based rule that you want to modify.
  6. Choose Edit.
  7. Choose Add Conditions.
  8. Choose Save.

If you still exceed your quota, then submit a quota increase request.

Error when you add rules to a web ACL or rule group that references rule groups, IP sets, or regex pattern sets

AWS WAF has maximum quotas for rule groups, IP sets, and regex pattern sets. If you exceed one of these quotas, then you receive the "AWS WAF couldn't perform the operation because you exceeded your resource limit" error. It's a best practice to avoid single-use rule groups, IP sets, or regex pattern sets.

To reduce the number of references in your web ACL, consolidate your rule groups. A single rule group can hold many rules, up to its WCU capacity, and you can reuse the same rule group in multiple web ACLs. Also, use nested statements to reduce the number of references in your web ACL rules. To create more sophisticated nested statements, use the JSON rule editor.

Likewise, consolidate your IP sets and regex pattern sets.
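Before consolidating, it helps to know which sets and rule groups a web ACL actually references and how often. The following is an added example, not code from the AWS article: it walks each rule's statement tree (including AndStatement, OrStatement, NotStatement and the ScopeDownStatement of rate-based and managed rule group statements), counts references per target, and lists the single-use ones the text says to avoid. The rule names and ARNs are constructed sample values; the managed rule group name is the real AWSManagedRulesCommonRuleSet.

```python
"""Audit how often IP sets, regex pattern sets and rule groups are referenced.

Added example, not from the AWS article. Input is the Rules list of a wafv2
web ACL as returned by GetWebACL or written in the JSON rule editor.
"""
from collections import Counter, defaultdict

REFERENCE_KEYS = ("IPSetReferenceStatement", "RegexPatternSetReferenceStatement",
                  "RuleGroupReferenceStatement")


def iter_statements(statement):
    """Yield a statement and every statement nested inside it, depth first."""
    yield statement
    for kind, body in statement.items():
        if kind in ("AndStatement", "OrStatement"):
            for child in body["Statements"]:
                yield from iter_statements(child)
        elif kind == "NotStatement":
            yield from iter_statements(body["Statement"])
        elif "ScopeDownStatement" in body:  # RateBasedStatement, ManagedRuleGroupStatement
            yield from iter_statements(body["ScopeDownStatement"])


def audit_references(rules):
    """Count references per target and record which rules use each one."""
    counts, users = Counter(), defaultdict(set)
    for rule in rules:
        for statement in iter_statements(rule["Statement"]):
            for kind, body in statement.items():
                if kind in REFERENCE_KEYS:
                    target = body["ARN"]
                elif kind == "ManagedRuleGroupStatement":
                    target = f"managed:{body['VendorName']}/{body['Name']}"
                else:
                    continue
                counts[target] += 1
                users[target].add(rule["Name"])
    return {
        "total_references": sum(counts.values()),
        "per_target": dict(counts),
        "single_use": sorted(t for t, n in counts.items() if n == 1),
        "rules_using": {t: sorted(r) for t, r in users.items()},
    }


# Constructed placeholder ARNs for the sample web ACL.
IP_SET = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/sample-office/PLACEHOLDER"
SCANNER_SET = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/sample-scanners/PLACEHOLDER"
REGEX_SET = "arn:aws:wafv2:us-east-1:123456789012:regional/regexpatternset/sample-api/PLACEHOLDER"


def _rule(name, priority, statement, action=None):
    rule = {"Name": name, "Priority": priority, "Statement": statement,
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}
    # Rule group references take OverrideAction instead of Action.
    rule["Action" if action else "OverrideAction"] = action or {"None": {}}
    return rule


SAMPLE_RULES = [
    _rule("allow-office", 0, {"IPSetReferenceStatement": {"ARN": IP_SET}}, {"Allow": {}}),
    _rule("block-scanners-on-api", 1, {"AndStatement": {"Statements": [
        {"IPSetReferenceStatement": {"ARN": SCANNER_SET}},
        {"RegexPatternSetReferenceStatement": {
            "ARN": REGEX_SET, "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}]}}, {"Block": {}}),
    _rule("rate-limit-non-office", 2, {"RateBasedStatement": {
        "Limit": 1000, "AggregateKeyType": "IP",
        "ScopeDownStatement": {"NotStatement": {
            "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET}}}}}}, {"Block": {}}),
    _rule("managed-common", 3, {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_references(SAMPLE_RULES), indent=2))
```

In the sample, the office IP set is shared by two rules (one of them through a NotStatement inside a rate-based scope-down), while the scanner IP set and the regex pattern set are each referenced once; those single-use sets are the first candidates for merging or for being replaced by a nested statement.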

Related information

AWS WAF rule groups
