How does AWS WAF rule evaluation order work?

WAF evaluates rules based on their priority number — lower numbers are evaluated first. For rule groups, rules within the group have their own priority relative to each other. If a rule matches and its action is Allow or Block, evaluation stops and that action is taken. If the action is Count, evaluation continues to the next rule. The web ACL has a default action (Allow or Block) that applies if no rules match. This priority system means you should put your most specific allow rules at the lowest priority numbers.

What is the difference between WAF rate-based rules and Shield Advanced rate limiting?

WAF rate-based rules count requests per 5-minute window per IP and block IPs that exceed the threshold (minimum 100 requests). Shield Advanced provides DDoS-specific rate limiting with automatic mitigation at the network and transport layers. WAF rate-based rules are application-layer (Layer 7) controls suitable for brute-force prevention, while Shield Advanced handles volumetric attacks (Layer 3/4). For comprehensive protection, use both: WAF for application-level throttling and Shield Advanced for infrastructure-level DDoS mitigation.

How much does AWS WAF cost?

AWS WAF charges per web ACL ($5/month), per rule ($1/month), and per million requests inspected ($0.60). Managed rule groups from AWS Marketplace have additional per-rule-group fees. Rate-based rules and IP set rules count as one rule each. For high-traffic applications, the per-request cost is typically the largest component. Prices vary by region and resource type (CloudFront WAF is priced separately from regional WAF).

AWS WAF Rule Builder

IAM & SecurityAWS

Build WAF rules for rate limiting, geo-blocking, managed rule groups, and IP sets with JSON, CloudFormation, and Terraform output.

Rule Configuration

Rule Name

Rule Type

Action

Priority (0–999)

Rate Limit (requests per 5-min window): 2,000

100100,000

JSON Output

Output will appear here...

About AWS WAF

Pricing

$5.00/month per Web ACL
$1.00/month per rule
$0.60 per million requests
Bot Control and Fraud Control add-ons have additional costs

Rule Evaluation Order

Rules are evaluated in priority order (lowest number first)
Once a rule matches and takes an action (Allow/Block), evaluation stops
Count actions log the match but continue evaluation
If no rules match, the default action is applied

Managed vs Custom Rules

Managed rules are maintained by AWS and updated automatically
Start with Count mode to evaluate impact before switching to Block
Custom rules give you full control over match conditions
Combine managed and custom rules for defense in depth

Best Practices

Enable logging to S3, CloudWatch, or Kinesis Firehose
Use rate-based rules to protect against DDoS and brute force
Set managed rules to Count first, review CloudWatch metrics, then switch to Block
Regularly review and update IP sets and geo-blocking rules

About This Tool

AWS WAF (Web Application Firewall) protects CloudFront distributions, Application Load Balancers, API Gateway APIs, and AppSync GraphQL APIs from common web exploits. WAF rules can filter traffic based on IP addresses, geographic origin, request rate, HTTP headers, URI paths, query strings, and body content. This builder generates WAF rule statements for rate limiting, geo-blocking, IP set matching, and managed rule group configurations, producing output in native JSON, CloudFormation, and Terraform formats so you can deploy rules through your preferred infrastructure-as-code pipeline.

When to Use This Tool

•Building rate-limiting rules that throttle requests from individual IPs to prevent brute-force attacks on login endpoints
•Creating geo-blocking rules that restrict access to your application from countries where you do not operate
•Configuring AWS Managed Rule Groups (Core Rule Set, SQL Injection, Known Bad Inputs) with appropriate exclusions for legitimate traffic patterns
•Building IP set rules that allowlist corporate office IPs for admin endpoints while blocking all other sources

Frequently Asked Questions

How does AWS WAF rule evaluation order work?: WAF evaluates rules based on their priority number — lower numbers are evaluated first. For rule groups, rules within the group have their own priority relative to each other. If a rule matches and its action is Allow or Block, evaluation stops and that action is taken. If the action is Count, evaluation continues to the next rule. The web ACL has a default action (Allow or Block) that applies if no rules match. This priority system means you should put your most specific allow rules at the lowest priority numbers.
What is the difference between WAF rate-based rules and Shield Advanced rate limiting?: WAF rate-based rules count requests per 5-minute window per IP and block IPs that exceed the threshold (minimum 100 requests). Shield Advanced provides DDoS-specific rate limiting with automatic mitigation at the network and transport layers. WAF rate-based rules are application-layer (Layer 7) controls suitable for brute-force prevention, while Shield Advanced handles volumetric attacks (Layer 3/4). For comprehensive protection, use both: WAF for application-level throttling and Shield Advanced for infrastructure-level DDoS mitigation.
How much does AWS WAF cost?: AWS WAF charges per web ACL ($5/month), per rule ($1/month), and per million requests inspected ($0.60). Managed rule groups from AWS Marketplace have additional per-rule-group fees. Rate-based rules and IP set rules count as one rule each. For high-traffic applications, the per-request cost is typically the largest component. Prices vary by region and resource type (CloudFront WAF is priced separately from regional WAF).

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.