WCU Limit for Policies in Firewall Manager
Hello,
Recently the quota for WCUs in a WAF ACL has been raised from 1500 to 5000.
https://docs.aws.amazon.com/waf/latest/developerguide/fms-limits.html claims that 5000 is the new quota for rule groups in an AWS WAF policy managed by Firewall Manager as well.
This does not seem to be the case though. I cannot go over 1500 there. The UI states that as well:
"Web ACL rule capacity units used The total capacity units used by the web ACL can't exceed 1500"
Is this expected, or is it maybe not rolled out everywhere for Firewall Manager yet?
Regards, Kai.
- Newest
- Most votes
- Most comments
Refer to this page for AWS WAF quotas: https://docs.aws.amazon.com/waf/latest/developerguide/limits.html
You can see that although the "Maximum web ACL capacity units (WCUs) per web ACL" "Quota per account per Region" is 5,000, the "Maximum WCUs per rule group" "Default quota per account per Region", is still 1,500.
You can request an increase to the default quota via Service Quotas: https://console.aws.amazon.com/servicequotas/home/services/wafv2/quotas
Now that would have been a fun coincident, if I tried just between changes. :-)
It is still showing 1500 as limit in the UI, and that's the error I get when I want to create the policy via Terraform:
Error: creating FMS Policy: InvalidInputException: Exceeded maximum limit for combined WCU of the rules in the policy. The limit is 1500, but the requested size is 1655
We'll sort this out with AWS support I guess.
WAFv2 now created using Firewall Manager can use up to 5000 WCUs
Relevant content
- asked 2 months ago
- asked 5 months ago
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated 16 days ago
- AWS OFFICIALUpdated a year ago
I don't see what you're saying on the page. There isn't a mention of a default quota of 1500. And for WAF, the UI actually reflects the new default limit of 5000.
The announcement made this very clear:
"Now, customers can use up to 5,000 WCU in their web ACLs without the need to request a limit increase."
https://aws.amazon.com/de/about-aws/whats-new/2023/04/aws-waf-web-acl-capacity-units-limits/
And for WAF, as mentioned, that works already.
Then again, the Firewall Manager docs say:
Total web ACL capacity units (WCU) for the rule groups in an AWS WAF policy : 5000
In a policy, but that doesn't work. There is still a limit of 1500 which makes no sense.
Perfect timing; AWS updated the docs I referenced on 1st May after I wrote my answer. The change on 1st May was to remove the default quota of 1,500 WCUs per rule group per account per Region. Previously only the quota per Web ACL had been increased to 5,000. You're correct in that the Firewall Manager docs didn't / don't mention any limit, but I suspect that the issue may be related and the error message was just unclear. Is it possible that you/Firewall Manager were trying to create a rule group with more than 1,500 WCUs? It seems that until Monday, this change would have hit the above limit, which was still in place. This should now be removed according to the docs so perhaps try again or contact AWS Support if you still get the error.