Why am I getting a limit exceeded error when adding more rules to a rule group in AWS WAF?


When trying to add more rules to a rule group, I'm getting an error that I've exceeded a limit. What is the reason for this error?

Short description

If adding additional rules results in exceeding the rule group capacity, you get a limit exceeded error when saving the changes:

  • In AWS WAF Classic, the error appears as "Operation would result in exceeding resource limits."
  • In AWS WAF, the error appears as "WAFInvalidParameterException: Error reason: You exceeded the capacity limit for a rule group or web ACL., field: RULE_GROUP, parameter: xx".

The following limits apply in AWS WAF Classic or AWS WAF:

  • In AWS WAF Classic, the rule groups that you create have a quota of 10 rules per rule group.
  • In AWS WAF, the capacity of a rule group is set when it's created. This capacity can't be changed after the rule group is created.

Resolution

To resolve the limit exceeded errors, perform the following steps in AWS WAF Classic or AWS WAF:

AWS WAF Classic

You can't add more rules to a rule group that has reached its capacity. You must create a new rule group, and then add the rule group to the web ACL.

  1. Open the AWS WAF console.
  2. In the navigation pane, choose Switch to AWS WAF Classic.
  3. In the navigation pane, choose Rule groups.
  4. For Filter, choose the AWS Region where you want to store the IP set. To use an IP set in web ACLs that protect Amazon CloudFront distributions, you must use Global (CloudFront).
  5. Choose Create rule group.
  6. Choose Use existing rules for this group.
  7. Choose Next.
  8. Enter a Rule group name.
  9. Select a rule, and then choose Add rule. Repeat this step for all rules that you want to add.
  10. Choose Create.
  11. In the navigation pane, choose Web ACLs.
  12. Select the web ACL where you want to add the new rule group.
  13. On the Rules tab, choose Edit web ACL.
  14. For Rules, choose the new rule group.
  15. Select Add rule to web ACL.
  16. Choose Update.

Note: You can only add two rule groups to a web ACL in AWS WAF Classic. If you need to add more rule groups, you must migrate to AWS WAF.

AWS WAF

The capacity of the rule group can't be changed after it's created. You must create a new rule group, and then add it to the web ACL.

  1. Open the AWS WAF console.
  2. In the navigation pane, choose Rule groups.
  3. For Region, choose the AWS Region where you want to store the rule group. To use a rule group in web ACLs that protect Amazon CloudFront distributions, you must use Global (CloudFront).
  4. Choose Create rule group.
  5. Enter a Name for the rule group.
  6. Be sure the correct region is selected, and then choose Next.
  7. For Rules, add the rules for your web ACL.
  8. For Capacity, set an appropriate capacity for the rule group that allows for adding more rules later. Then, choose Next.
  9. (Optional) For Set Rule Priority, select your rules and move the priority order. The rules are processed in the order that they appear. For more information, see Processing order of rules and rule groups in a web ACL. Then, choose Next.
  10. Review the settings for the rule group. If it matches your specifications, choose Create rule group.
  11. In the navigation pane, under AWS WAF, choose Web ACLs.
  12. Select your web ACL.
  13. Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
  14. For Rule Type, select Rule group.
  15. Enter a Name for the rule.
  16. For Rule Group, add your new rule group to the web ACL.
  17. Choose Add rule.
  18. Choose Save.

The capacity set on the rule group is an estimation of the number and type of rules that will be added to the rule group later. For estimates of web ACL capacity units used by different types of rules, see Rule statements list.
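Rather than estimating the web ACL capacity units (WCUs) by hand, you can ask AWS WAF for the exact figure before you try to save the change. The following script is an added example and is not part of the AWS article; it assumes the AWS CLI v2 with working credentials, optionally jq for merging rule lists, and uses placeholder values for the rule group name, ID, scope and rules file. It fetches the rule group's fixed capacity with `get-rule-group`, merges the existing rules with the new ones you want to add, and runs `check-capacity` on the combined set so you can see whether the addition would trigger the WAFInvalidParameterException described above, and how much capacity a replacement rule group would need.

```shell
#!/bin/sh
# Added example, not from the AWS article. Checks whether a set of new rules
# fits into an existing AWS WAF (wafv2) rule group's fixed capacity.
# Assumptions: AWS CLI v2 with credentials, jq installed, and a JSON file
# containing an array of wafv2 Rule objects (Name, Priority, Statement,
# Action or OverrideAction, VisibilityConfig) for the rules to add.
# For scope CLOUDFRONT, run with --region us-east-1 (AWS_DEFAULT_REGION).

# Headroom left in a rule group: capacity minus the WCUs the rules need.
# Negative means the rules exceed the rule group's capacity.
headroom() {
  # $1 = rule group capacity, $2 = WCUs required by the rules
  echo $(( $1 - $2 ))
}

# Exit status 0 if rules needing $2 WCUs fit into capacity $1, else 1.
fits() {
  [ "$(headroom "$1" "$2")" -ge 0 ]
}

# Fixed capacity of an existing rule group (cannot be changed after creation).
# $1 = scope (REGIONAL or CLOUDFRONT), $2 = rule group name, $3 = rule group ID
rule_group_capacity() {
  aws wafv2 get-rule-group --scope "$1" --name "$2" --id "$3" \
    --query RuleGroup.Capacity --output text
}

# Existing rules of the rule group plus the new rules from a JSON file,
# as one JSON array (check-capacity must see the whole rule group's rules).
# $4 = path to a JSON array of new rules (placeholder: new-rules.json)
combined_rules() {
  aws wafv2 get-rule-group --scope "$1" --name "$2" --id "$3" \
    --query RuleGroup.Rules --output json \
    | jq --slurpfile new "$4" '. + $new[0]'
}

# WCUs that AWS WAF says a rule list requires. $1 = scope, $2 = rules file
required_wcus() {
  aws wafv2 check-capacity --scope "$1" --rules "file://$2" \
    --query Capacity --output text
}

# Full check: reports headroom, or the capacity a replacement group needs.
# $1 = scope, $2 = rule group name, $3 = rule group ID, $4 = new rules file
check_addition() {
  tmp=$(mktemp)
  combined_rules "$1" "$2" "$3" "$4" > "$tmp"
  need=$(required_wcus "$1" "$tmp")
  have=$(rule_group_capacity "$1" "$2" "$3")
  rm -f "$tmp"
  if fits "$have" "$need"; then
    echo "OK: combined rules need $need WCU, rule group capacity is $have" \
         "(headroom $(headroom "$have" "$need"))"
  else
    echo "EXCEEDED: combined rules need $need WCU but rule group capacity is $have." \
         "Create a new rule group with capacity of at least $need and add it to the web ACL."
    return 1
  fi
}

# Usage (placeholder values):
#   sh check-capacity.sh REGIONAL my-rule-group 00000000-0000-0000-0000-000000000000 new-rules.json
if [ "$#" -eq 4 ]; then
  check_addition "$@"
fi
```

The number reported on the EXCEEDED path is the capacity to enter at step 8 when you create the replacement rule group; leave some margin above it so later additions do not hit the same error. The same `check-capacity` call works for the rules of a web ACL, whose own limit is also counted in WCUs.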


Related information

Rule groups

AWS OFFICIAL, updated 2 years ago