
Are requests which were not blocked by a WAF rate limit rule considered "ALLOW"ed, and do they stop processing of other rules in the ACL?

0

My main goal is to understand how priority works with rate limiting rules.

I would like some help understanding this article in the context of rate limiting rules.

https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rule-actions.html#:~:text=Interaction%20between%20actions%20and%20priority,rules%20in%20the%20web%20ACL.

So for example, I have a rule with higher priority that aggregates on header "foo" and a rule with lower priority that aggregates on header "bar". The higher priority rule did not reach its limit, so it allows requests to pass (that is also how I see it in the "Sampled Requests" tab; the action is "ALLOW"). The rule with the "bar" header has reached its limit and is blocking requests. Now a request with both "foo" and "bar" headers arrives. The first rule will allow it. It is in the scope of the second rule, but according to the article it will not be blocked by it, because processing is terminated. Am I correct in understanding this?

Another similar question. Do requests allowed by the first rule count toward the quota of the second? So if I have a 10 requests per minute rule and send 9 requests with both "foo" and "bar" and then 9 requests with "bar", will the requests with "bar" be blocked (9+9=18 > 10)?

Does it matter for the answer if the request is scoped vs not scoped in the rules?

asked 9 months ago, 184 views
2 Answers
1
Accepted Answer

The docs that you have linked to regarding terminating and non-terminating rules are referencing the rule Action, as specified when you create the rule. So for your rate-based rules, I'm assuming that you have applied the action of "Block" to the rule. What's important to understand is that when a request does not match a rule, that does not mean that it is applying an action of "Allow". The "Allow" that you are seeing in your sampled logs is likely for the default action for your WebACL, i.e. the request has not matched any of your rules and so the default action applies. For your first rate-based rule, if the request is not hitting the rate-limit in rule 1 it is not being "Allowed", it is simply passing through to the next rule.

AWS
answered 9 months ago
1

Rate-based rules in AWS WAF work differently than standard rules when it comes to action handling and priority.

When a request doesn't trigger the rate limit threshold in a rate-based rule, it doesn't actually apply an "Allow" action that terminates processing. Instead, the request continues to be evaluated against subsequent rules in the web ACL. This is similar to how the "Count" action works - it's non-terminating.

Regarding your example with two rate-based rules (one aggregating header "foo" with higher priority and one aggregating header "bar" with lower priority):

  1. If a request with both "foo" and "bar" headers arrives, and the "foo" rule hasn't reached its limit, the request will continue to be evaluated by the "bar" rule. If the "bar" rule has reached its limit, the request will be blocked.

  2. For your second question about counting: Yes, requests that pass through the first rule do count toward the quota of the second rule if they match the scope of that rule. So in your example, if you send 9 requests with both "foo" and "bar" headers, and then 9 requests with only "bar" headers, the "bar" rule would count all 18 requests and would block requests once the limit is exceeded.

The scope-down statement in a rate-based rule is critical here. It determines which requests are counted toward the rate limit. If a request doesn't match the scope-down statement of a rule, it won't be counted toward that rule's limit, regardless of priority.

To effectively use rate-based rules with labels, you would typically:

  1. Add rules that apply labels to requests (with non-terminating actions like Count)
  2. Add rate-based rules with higher priority numbers (evaluated later) that use scope-down statements to match specific labels
  3. Configure the rate-based rules to aggregate and limit requests based on those labels

This approach ensures that your labeling happens first, and then rate limiting is applied based on those labels.
Sources
How AWS WAF handles rule and rule group actions in a web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Rate limit the requests with specific labels - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
AWS WAF Rules not working | AWS re:Post

answered 9 months ago
EXPERT
reviewed 9 months ago
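Added example, not part of either answer and not AWS code: a small Python model of the evaluation semantics described above (rules evaluated in priority order, a rate-based rule falling through instead of "allowing" while under its limit, the default action supplying the "ALLOW", and the scope-down statement deciding what is counted), run against the asker's 9 + 9 request scenario. It is an abstraction: real AWS WAF counts over a trailing evaluation window and enforces the limit with some delay, whereas this model counts exactly.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of web ACL evaluation (assumption: simplified, not the AWS implementation).
Request = dict  # header name -> value

@dataclass
class RateBasedRule:
    name: str
    priority: int
    limit: int                    # max requests per aggregation key in the window
    aggregate_on: str             # header whose value is the aggregation key
    scope_down: Optional[Callable[[Request], bool]] = None  # None = all requests
    action: str = "BLOCK"
    counts: dict = field(default_factory=dict)

    def evaluate(self, req: Request) -> Optional[str]:
        """Return a terminating action, or None to fall through to the next rule."""
        if self.scope_down is not None and not self.scope_down(req):
            return None           # outside scope-down: neither counted nor matched
        key = req.get(self.aggregate_on)
        if key is None:
            return None           # no aggregation key present: nothing to count
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.limit:
            return self.action    # limit exceeded: rule matches, action terminates
        return None               # under the limit: no "ALLOW", the request just passes on

@dataclass
class WebAcl:
    rules: list
    default_action: str = "ALLOW"

    def evaluate(self, req: Request) -> str:
        for rule in sorted(self.rules, key=lambda r: r.priority):
            action = rule.evaluate(req)
            if action is not None:
                return action
        return self.default_action    # this is the "ALLOW" seen in sampled requests

def run_scenario(limit: int = 10, scope_bar_to_no_foo: bool = False) -> list:
    """9 requests with foo+bar, then 9 with only bar; optionally scope the bar rule down."""
    scope = (lambda r: "foo" not in r) if scope_bar_to_no_foo else None
    acl = WebAcl([
        RateBasedRule("foo-rule", priority=0, limit=limit, aggregate_on="foo"),
        RateBasedRule("bar-rule", priority=1, limit=limit, aggregate_on="bar", scope_down=scope),
    ])
    reqs = [{"foo": "x", "bar": "y"}] * 9 + [{"bar": "y"}] * 9
    return [acl.evaluate(r) for r in reqs]
```

Without a scope-down statement the "bar" rule counts all 18 requests and blocks from the 11th onward; with the "bar" rule scoped to requests lacking "foo", only 9 are counted and nothing is blocked.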
