
How to exclude certain IP for AWS WAF rate limit?


I am new to AWS WAF. I set up AWS WAF for the API Gateway to limit requests to 5k in a 5-minute window. However, the internal IPs would exceed the 5k limit and get blocked, so is there a way to exclude internal IPs from this rate limit (let them make unlimited requests)?


Solution

  • I understand that you would like to know if there is a way to exclude certain IPs from a WAF rate limit rule inspection.

    This can be done by using a Scope Down statement on the rate limit rule.

    There is an excellent article on the AWS Knowledge Center about this.

    Section 2 of the article above contains the necessary steps. I've also written them out below. The most important steps to review are 8, 9, and 10.

    Use the following steps to exclude an IP set from a rate-based-rule:

    1. Open the AWS WAF console.
    2. Select Web ACLs.
    3. Select the web ACL and then select the Rules tab.
    4. Select Add rules.
    5. Select Add my own rules and rule groups.
    6. Select Rule builder for the Rule type.
    7. Enter a Name and select Rate-based rule as the Type.
    8. Enter the following parameters for the Request rate details:
      • Rate limit: Enter a number between 100 and 20,000,000. This is the maximum number of requests allowed for every IP in a 5-min period.
      • IP address to use for rate limiting: If you want the rate limit based on the client IP field, select Source IP address. Or, if you want the rate limit based on the IP address in a header, select IP address in header. For example, X-Forwarded-For.
      • Criteria to count requests towards rate limit: Select Only consider requests that match the criteria in a rule statement.
    9. In the If a request dropdown list, select Doesn’t match the statement (NOT).
    10. Complete the following fields in the Statement details section:
      • Inspect: Originates from an IP address in.
      • IP set: Select the IP set from the dropdown list.
      • IP address to use as the originating address: If you want the rate limit based on the client IP field, then select Source IP address. Or, if you want the rate limit based on the IP address in a header, select IP address in header. For example, X-Forwarded-For.
    11. In the Action section, select Block.
    12. Select Add rule. Move the rule to the correct priority for your use case and then select Save.

    Here are some additional resources for working with rate-based rules.

    I hope this helps!