What do I do if I exceed my resource quota in AWS WAF?


When I try to create new resources in AWS WAF, I receive an error that I exceeded the quota. I want to resolve this issue.

Short description

Resources have different quotas in AWS WAF and AWS WAF Classic. It's a best practice to consolidate or revise your existing resources. If you can't consolidate your resources, then you can submit a quota increase.

Note: Some resources have fixed quotas that you can't change.

This resolution focuses on the following resources as examples of what to do when you exceed your quota:

  • Web access control lists (web ACLs)
  • Regex pattern sets
  • IP sets

Resolution

Web ACL

If you exceed your web ACL quota, then you receive the following errors:

  • AWS WAF Classic: Operation would result in exceeding resource limits.
  • AWS WAF: WAFLimitsExceededException: AWS WAF couldn't perform the operation because you exceeded your resource limit NUM_WEBACLS_BY_ACCOUNT

To consolidate your web ACLs and reduce the number in your AWS WAF instance, create one web ACL to use for different resources. It's not a best practice to create a web ACL for each resource.

Some resources, such as Amazon CloudFront distributions, create new web ACLs as part of the creation process. If the new web ACL exceeds your current quota, then associate your distributions to existing web ACLs.

Note: When you add a web ACL to existing resources, AWS WAF or WAF Classic removes and replaces the resource's previous web ACL connection.

Associate your CloudFront distributions to existing web ACLs for AWS WAF Classic

Complete the following steps:

  1. Open the AWS WAF console.
  2. Choose Switch to AWS WAF Classic.
  3. Choose Web ACLs.
  4. For Filter, choose the AWS Region where your web ACL is located. For web ACLs that protect CloudFront distributions, choose Global (CloudFront).
  5. Select your AWS WAF Classic web ACL.
  6. Under Rules, for AWS resources using this web ACL, choose Add association.
  7. Choose the resource type, and then select the resource that you want to connect to the web ACL.
  8. Choose Add.

Associate your CloudFront distributions to existing web ACLs for AWS WAF

Complete the following steps:

  1. Open the AWS WAF console.
  2. Choose Web ACLs.
  3. For Region, choose the Region where your web ACL is located. For web ACLs that protect CloudFront distributions, choose Global (CloudFront).
  4. Select your web ACL.
  5. Under Associated AWS resources, choose Add AWS resources.
  6. Choose the resource type, and then select the resource that you want to connect to the web ACL.

If you still exceed your quota, then submit a quota increase for AWS WAF Classic or AWS WAF.

Regex pattern sets

If you exceed your regex pattern set quota, then you receive the following errors:

  • AWS WAF Classic: Operation would result in exceeding resource limits.
  • AWS WAF: WAFLimitsExceededException: AWS WAF couldn't perform the operation because you exceeded your resource limit NUM_REGEX_PATTERN_SETS_BY_ACCOUNT

You can't change the default maximum quota for regex pattern sets. When you exceed your quota, expand or consolidate your existing regex pattern sets.

IP sets

If you exceed your IP set quota, then you receive the following errors:

  • AWS WAF Classic: Operation would result in exceeding resource limits.
  • AWS WAF: WAFLimitsExceededException: AWS WAF couldn't perform the operation because you exceeded your resource limit NUM_IP_SETS_BY_ACCOUNT

It's a best practice to consolidate your IP sets. IP sets can support multiple IP addresses in CIDR notation. You can use IP sets for any web ACLs in your Region.

To add CIDR ranges to your existing IP sets, complete the following steps:

  1. Open the AWS WAF console.
  2. Choose Web ACLs.
  3. For Region, choose the Region where your IP set is located. For IP sets that protect CloudFront distributions, choose Global (CloudFront).
  4. Select your IP set.
  5. Choose Add IP address.
  6. Enter your IP address CIDR range. You can add multiple IP address CIDR ranges at the same time. Enter one IP address on each line.
  7. Choose Add.
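
Before you paste ranges into one IP set, it helps to work out the merged list offline. The following is an added example, not part of the original article or AWS code: it combines the CIDR ranges of several IP sets into one list per IP version, dropping duplicates and ranges already covered by a wider range. The set names and addresses are constructed sample data, and the sketch assumes that all input sets feed rules with the same action, because merging an allow list with a block list changes what the web ACL permits.

```python
import ipaddress

# Constructed sample data: three IP sets that all feed the same block rule.
# Names and addresses are illustrative (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_IP_SETS = {
    "blocklist-a": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.7/32"],
    "blocklist-b": ["192.0.2.64/26", "198.51.100.0/24"],
    "blocklist-v6": ["2001:db8::/48", "2001:db8:0:1::/64"],
}


def consolidate(ip_sets):
    """Merge the CIDRs of several IP sets into one list per IP version.

    Returns a dict keyed "IPV4" / "IPV6", because an AWS WAF IP set holds
    a single IP version, so a mixed input needs one target set per version.
    """
    by_version = {4: [], 6: []}
    for name, cidrs in ip_sets.items():
        for cidr in cidrs:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/24),
            # which usually signal a typo that would widen the match silently.
            net = ipaddress.ip_network(cidr.strip(), strict=True)
            if net.prefixlen == 0:
                # AWS WAF does not accept /0 ranges in an IP set.
                raise ValueError(f"{name}: /0 range {cidr} is not allowed")
            by_version[net.version].append(net)
    # collapse_addresses removes duplicates, drops ranges contained in a wider
    # range, and joins adjacent ranges into a single supernet.
    return {
        f"IPV{version}": [str(n) for n in ipaddress.collapse_addresses(nets)]
        for version, nets in by_version.items()
        if nets
    }


if __name__ == "__main__":
    for version, cidrs in consolidate(SAMPLE_IP_SETS).items():
        print(version)
        for cidr in cidrs:
            print("  " + cidr)  # one range per line, as the console expects
```

The merged list covers exactly the addresses that the original sets covered, so the source sets can be retired only after every rule that referenced them points at the consolidated set.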

If you can't consolidate your IP sets, then you can submit a quota increase for AWS WAF Classic or AWS WAF. Provide your use case and relevant Region.

Related information

IP sets and regex pattern sets in AWS WAF

Why am I getting a limit exceeded error when adding more rules to a rule group in AWS WAF?

AWS OFFICIAL, updated 2 months ago