Build WAF rules for rate limiting, geo-blocking, managed rule groups, and IP sets with JSON, CloudFormation, and Terraform output.
Last verified: May 2026
AWS WAF (Web Application Firewall) protects CloudFront distributions, Application Load Balancers, API Gateway APIs, and AppSync GraphQL APIs from common web exploits. WAF rules can filter traffic based on IP addresses, geographic origin, request rate, HTTP headers, URI paths, query strings, and body content. This builder generates WAF rule statements for rate limiting, geo-blocking, IP set matching, and managed rule group configurations, producing output in native JSON, CloudFormation, and Terraform formats so you can deploy rules through your preferred infrastructure-as-code pipeline.
WAF evaluates rules based on their priority number — lower numbers are evaluated first. For rule groups, rules within the group have their own priority relative to each other. If a rule matches and its action is Allow or Block, evaluation stops and that action is taken. If the action is Count, evaluation continues to the next rule. The web ACL has a default action (Allow or Block) that applies if no rules match. This priority system means you should put your most specific allow rules at the lowest priority numbers.
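The evaluation order above (lowest priority number first; Allow and Block terminate, Count continues, the default action applies if nothing terminates) as a small simulator. This is an added illustration, not the builder's output: matching is reduced to a Python predicate over a dict-shaped request, and the sample ACL, its rule names and the `XX` country placeholder are constructed.

```python
"""Simulate how AWS WAF walks a web ACL's rules by priority.

Added illustration, not the builder's output. Matching is reduced to a
Python predicate over a dict-shaped request; real WAF matches on the
Statement types described on this page.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]


@dataclass
class Rule:
    name: str
    priority: int                       # lower is evaluated first
    action: str                         # "Allow", "Block" or "Count"
    matches: Callable[[Request], bool]  # stand-in for a WAF Statement


@dataclass
class WebAcl:
    default_action: str                 # "Allow" or "Block", used when nothing terminates
    rules: List[Rule] = field(default_factory=list)


def evaluate(acl: WebAcl, req: Request) -> Tuple[str, List[str]]:
    """Return (final action, names of rules that matched, in evaluation order).

    Allow and Block are terminating: the first matching one decides.
    Count is non-terminating: it is recorded and evaluation continues.
    """
    priorities = [r.priority for r in acl.rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities within a web ACL must be unique")
    matched: List[str] = []
    for rule in sorted(acl.rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        matched.append(rule.name)
        if rule.action in ("Allow", "Block"):
            return rule.action, matched
        # Count: record the hit and keep walking the list
    return acl.default_action, matched


# Constructed sample ACL mirroring the ordering advice above: the most
# specific allow first, a managed group still in Count mode next, then blocks.
sample_acl = WebAcl(
    default_action="Allow",
    rules=[
        Rule("allow-health-check", 0, "Allow",
             lambda r: r.get("uri") == "/healthz"),
        Rule("count-managed-common", 10, "Count",
             lambda r: "<script" in r.get("body", "").lower()),
        Rule("block-login-bursts", 20, "Block",
             lambda r: r.get("method") == "POST" and r.get("uri") == "/login"
             and int(r.get("requests_5m", "0")) > 100),
        Rule("block-geo", 30, "Block",
             lambda r: r.get("country") in {"XX"}),  # XX is a placeholder code
    ],
)

if __name__ == "__main__":
    print(evaluate(sample_acl, {"uri": "/login", "method": "POST",
                                "requests_5m": "150", "body": "<script>"}))
```

The third request in the test (a POST to /login with 150 requests in the window and a script tag in the body) shows both behaviours in one pass: the Count rule is recorded, evaluation continues, and the later Block rule decides the outcome.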
WAF rate-based rules count requests per 5-minute window per IP and block IPs that exceed the threshold (minimum 100 requests). Shield Advanced provides DDoS-specific rate limiting with automatic mitigation at the network and transport layers. WAF rate-based rules are application-layer (Layer 7) controls suitable for brute-force prevention, while Shield Advanced handles volumetric attacks (Layer 3/4). For comprehensive protection, use both: WAF for application-level throttling and Shield Advanced for infrastructure-level DDoS mitigation.
AWS WAF charges per web ACL ($5/month), per rule ($1/month), and per million requests inspected ($0.60). Managed rule groups from AWS Marketplace have additional per-rule-group fees. Rate-based rules and IP set rules count as one rule each. For high-traffic applications, the per-request cost is typically the largest component. Prices vary by region and resource type (CloudFront WAF is priced separately from regional WAF).
Your e-commerce login endpoint is being hit with credential stuffing — 50,000 attempts/hour from rotating IPs. You build a rate-based rule limiting POST /login to 100 requests per IP per 5 minutes. Within an hour, the rate of successful logins from new IPs (a proxy for stuffing) drops 95%. You also turn on the AWS Managed Rules anonymous IP list to block requests from known VPN/proxy services, cutting attack volume by another 60%. Total monthly cost: under $30 for the rules + request inspection.
The builder generates AWS WAFv2 rule statements by composing the appropriate Statement type (RateBasedStatement, GeoMatchStatement, IPSetReferenceStatement, ManagedRuleGroupStatement) with your selected match conditions, action (Allow/Block/Count/Captcha), priority, and visibility config. It outputs the same rule definition in three formats: native WAFv2 JSON for AWS CLI, AWS::WAFv2::WebACL CloudFormation, and aws_wafv2_web_acl Terraform — using identical priorities and labels so you can switch IaC tools without behavior drift.
Always start new managed rule groups in Count mode for at least 1-2 weeks before switching to Block. The AWS Core Rule Set has well-known false positives on legitimate JSON payloads, file uploads, and base64 strings. Counting first lets you build exclusions before users get blocked.
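A worked version of the composition described two paragraphs up (RateBasedStatement scoped to POST /login, IPSetReferenceStatement, GeoMatchStatement, ManagedRuleGroupStatement) together with the Count-first tuning just described, emitted as the native WAFv2 JSON the AWS CLI accepts. This is an added example, not the builder's own code: the IP set ARN, the `AQ` country list and the rule names are constructed placeholders, while the key names (`RateBasedStatement`, `AggregateKeyType`, `OverrideAction`, `RuleActionOverrides`) and the managed group names `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesAnonymousIpList` are the real WAFv2 ones.

```python
"""Compose AWS WAFv2 rules as CLI-style JSON (aws wafv2 create-web-acl --cli-input-json).

Added example, not the builder's own code. The IP set ARN and the country
list are constructed placeholders; key names follow the WAFv2 API.
"""
import json
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]
# Constructed placeholder: an IP set created separately with create-ip-set.
IPSET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocklist/PLACEHOLDER-ID"
MIN_RATE_LIMIT = 100  # floor for RateBasedStatement.Limit as stated on this page


def visibility(metric: str) -> Dict[str, Any]:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def byte_match(field: Dict[str, Any], value: str, constraint: str,
               transform: str = "NONE") -> Dict[str, Any]:
    """ByteMatchStatement; SearchString is given as text in CLI JSON."""
    return {"ByteMatchStatement": {
        "FieldToMatch": field, "SearchString": value,
        "PositionalConstraint": constraint,
        "TextTransformations": [{"Priority": 0, "Type": transform}]}}


def rate_limit_rule(name: str, priority: int, limit: int, method: str, path: str) -> Rule:
    """Per-source-IP rate limit, scoped down to one method and path prefix."""
    if limit < MIN_RATE_LIMIT:
        raise ValueError(f"Limit must be >= {MIN_RATE_LIMIT}")
    scope = {"AndStatement": {"Statements": [
        byte_match({"Method": {}}, method, "EXACTLY"),
        byte_match({"UriPath": {}}, path, "STARTS_WITH", "LOWERCASE")]}}
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {
                "Limit": limit, "AggregateKeyType": "IP",
                "ScopeDownStatement": scope}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def ip_set_rule(name: str, priority: int, arn: str) -> Rule:
    """One rule referencing an IP set, however many addresses it holds."""
    return {"Name": name, "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": arn}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def geo_block_rule(name: str, priority: int, countries: List[str]) -> Rule:
    return {"Name": name, "Priority": priority,
            "Statement": {"GeoMatchStatement": {"CountryCodes": countries}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def managed_group_rule(name: str, priority: int, group: str, count_mode: bool,
                       count_rules: Optional[List[str]] = None) -> Rule:
    """AWS managed rule group. Managed groups take OverrideAction, not Action.

    count_mode=True counts the whole group (the tuning phase described above);
    count_rules keeps individual sub-rules in Count once the group is live.
    """
    stmt: Dict[str, Any] = {"VendorName": "AWS", "Name": group}
    if count_rules:
        stmt["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in count_rules]
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": stmt},
            "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
            "VisibilityConfig": visibility(name)}


def build_web_acl(name: str = "example-acl", scope: str = "REGIONAL") -> Dict[str, Any]:
    """Assemble the rules into one web ACL document; lower Priority runs first."""
    rules = [
        rate_limit_rule("login-rate-limit", 1, 100, "POST", "/login"),
        ip_set_rule("blocklist-ipset", 2, IPSET_ARN),
        geo_block_rule("geo-block", 3, ["AQ"]),  # placeholder country list
        managed_group_rule("common-rule-set", 10, "AWSManagedRulesCommonRuleSet",
                           count_mode=True),
        managed_group_rule("anonymous-ip-list", 11, "AWSManagedRulesAnonymousIpList",
                           count_mode=False),
    ]
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}


def validate(acl: Dict[str, Any]) -> List[str]:
    """Local checks for two errors the create call would otherwise reject."""
    problems: List[str] = []
    seen: set = set()
    for r in acl["Rules"]:
        if r["Priority"] in seen:
            problems.append(f"{r['Name']}: duplicate priority {r['Priority']}")
        seen.add(r["Priority"])
        managed = "ManagedRuleGroupStatement" in r["Statement"]
        if managed != ("OverrideAction" in r) or managed == ("Action" in r):
            problems.append(f"{r['Name']}: Action/OverrideAction mismatch")
    return problems


def to_json(acl: Dict[str, Any]) -> str:
    return json.dumps(acl, indent=2)


if __name__ == "__main__":
    acl = build_web_acl()
    assert not validate(acl)
    print(to_json(acl))
```

The same PascalCase keys carry over to the `AWS::WAFv2::WebACL` CloudFormation resource; Terraform's `aws_wafv2_web_acl` uses snake_case blocks for the same statements, so keeping priorities and names in one source of truth like this is what prevents drift between the three outputs.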
WAF rate-based rules count requests in a 5-minute trailing window, so they cannot block in real time. An attacker hitting 1000 req/sec for 30 seconds may complete the attack before WAF reacts. For burst protection, layer Shield Advanced or use CloudFront's response headers to fail fast for known abusive patterns.
Web ACLs cost $5/month each, but rules cost $1/month per rule. A common mistake is creating one rule per attacker IP — instead, use a single IP set rule with thousands of IPs in it. Same protection, $1/month total instead of $1/month × N.