Refer to this page for AWS WAF quotas: https://docs.aws.amazon.com/waf/latest/developerguide/limits.html
You can see that although the "Maximum web ACL capacity units (WCUs) per web ACL" "Quota per account per Region" is 5,000, the "Maximum WCUs per rule group" "Default quota per account per Region" is still 1,500.
You can request an increase to the default quota via Service Quotas: https://console.aws.amazon.com/servicequotas/home/services/wafv2/quotas
Now that would have been a fun coincidence, if I tried just between changes. :-)
It is still showing 1500 as the limit in the UI, and that's the error I get when I want to create the policy via Terraform:
Error: creating FMS Policy: InvalidInputException: Exceeded maximum limit for combined WCU of the rules in the policy. The limit is 1500, but the requested size is 1655
We'll sort this out with AWS support I guess.
WAFv2 now created using Firewall Manager can use up to 5000 WCUs
I don't see what you're saying on the page. There isn't a mention of a default quota of 1500. And for WAF, the UI actually reflects the new default limit of 5000.
The announcement made this very clear:
"Now, customers can use up to 5,000 WCU in their web ACLs without the need to request a limit increase."
And for WAF, as mentioned, that works already.
Then again, the Firewall Manager docs say:
Total web ACL capacity units (WCU) for the rule groups in an AWS WAF policy : 5000
In a policy, but that doesn't work. There is still a limit of 1500 which makes no sense.
Perfect timing; AWS updated the docs I referenced on 1st May after I wrote my answer. The change on 1st May was to remove the default quota of 1,500 WCUs per rule group per account per Region. Previously only the quota per Web ACL had been increased to 5,000. You're correct in that the Firewall Manager docs didn't / don't mention any limit, but I suspect that the issue may be related and the error message was just unclear. Is it possible that you/Firewall Manager were trying to create a rule group with more than 1,500 WCUs? It seems that until Monday, this change would have hit the above limit, which was still in place. This should now be removed according to the docs so perhaps try again or contact AWS Support if you still get the error.
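The two answers above disagree about which quota the Terraform error is actually hitting: the combined WCU of all rule groups in the policy (documented as 5,000) or the former per-rule-group default (1,500). A quick pre-flight check that evaluates both separately makes it clear which one a given policy would trip before you submit it. The example below is an added illustration, not code from the thread, from Terraform or from AWS; the rule group names and capacities are constructed sample data, and the two quota values are the 5,000 and 1,500 figures quoted in the thread. In practice you would feed in the `Capacity` value that `aws wafv2 get-rule-group` returns for each rule group, and the current quota values from the Service Quotas console linked above.

```python
from dataclasses import dataclass, field

# Quota values as quoted in the thread (assumptions for this example; confirm
# the live values in Service Quotas for your account and Region).
POLICY_WCU_LIMIT = 5000       # total WCU for the rule groups in an FMS WAF policy
RULE_GROUP_WCU_LIMIT = 1500   # former default "Maximum WCUs per rule group"


@dataclass
class RuleGroup:
    name: str
    capacity: int   # the Capacity field reported by get-rule-group


@dataclass
class WcuCheck:
    combined: int
    policy_ok: bool
    oversized_groups: list = field(default_factory=list)
    messages: list = field(default_factory=list)


def check_policy_wcu(rule_groups, policy_limit=POLICY_WCU_LIMIT,
                     rule_group_limit=RULE_GROUP_WCU_LIMIT):
    """Evaluate a planned FMS WAF policy against both WCU quotas separately.

    Distinguishes the two failure modes discussed in the thread:
      * the combined WCU of all rule groups exceeding the per-policy limit
      * any single rule group exceeding the per-rule-group limit
    """
    combined = sum(rg.capacity for rg in rule_groups)
    result = WcuCheck(combined=combined, policy_ok=combined <= policy_limit)

    if not result.policy_ok:
        result.messages.append(
            f"combined WCU {combined} exceeds policy limit {policy_limit}")

    for rg in rule_groups:
        if rg.capacity > rule_group_limit:
            result.oversized_groups.append(rg.name)
            result.messages.append(
                f"rule group {rg.name!r} uses {rg.capacity} WCU, "
                f"over the per-rule-group limit {rule_group_limit}")
    return result


# Constructed sample data: a policy totalling 1655 WCU (the figure from the
# Terraform error in the thread), split across several rule groups.
SAMPLE_POLICY = [
    RuleGroup("AWSManagedRulesCommonRuleSet", 700),
    RuleGroup("AWSManagedRulesKnownBadInputsRuleSet", 200),
    RuleGroup("custom-rate-limits", 755),
]

# A single oversized custom rule group, which is the case the last answer
# suspects would have hit the old 1,500 WCU per-rule-group default.
SAMPLE_OVERSIZED = [RuleGroup("custom-everything", 1655)]


if __name__ == "__main__":
    for label, policy in (("split", SAMPLE_POLICY), ("single", SAMPLE_OVERSIZED)):
        r = check_policy_wcu(policy)
        print(label, r.combined, "policy_ok=", r.policy_ok, r.messages or "no quota issues")
```

With the thread's 1655 WCU total, the split policy passes the 5,000 per-policy check and has no rule group over 1,500, so if FMS still rejects it the per-policy quota is not the culprit. The single-group variant passes the policy check but fails the per-rule-group check, which is the scenario the last answer describes. Running the check against the quota values you actually see in Service Quotas tells you which one to raise with AWS Support.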