How do I use AWS WAF to apply rate-based rules on an API Gateway REST API?


I want to use AWS WAF to implement rate-based rules on an Amazon API Gateway REST API.

Resolution

Note: AWS WAF currently supports only API Gateway REST APIs.

To use AWS WAF to apply rate-based rules on a REST API, first create a web access control list (web ACL). Then, create your rate-based rules, and associate the web ACL to the REST API.

Create a web ACL

Complete the following steps.

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. Choose Create web ACL.
  4. To set up your web ACL, configure the following values:
    For Resource type, choose Regional resources.
    For Region, select the same AWS Region that your REST API is in.
    For Name, enter a name for the web ACL.
    (Optional) For Description, enter a description for the web ACL.
    (Optional) For CloudWatch metric name, enter an Amazon CloudWatch metric name. By default, the CloudWatch metric name is the same as the web ACL name.
    For Associated AWS resources, if you already created the REST API, then select your API. Otherwise, skip this field and then update it after you create your REST API.
    Note: You can keep the default settings for all other fields and modify them later as needed.
  5. Choose Next.
  6. Choose Create web ACL.

Create the rate-based rule

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add rules, and then choose Add my own rules and rule groups.
  6. To set up your rule, configure the following values:
    For Rule type, choose Rule Builder.
    For Name, enter a name for the rule.
    For Type, choose Rate-based rule.
    Under Rate-limiting criteria, configure the following values:
    For Rate limit, enter a number between 100 and 20,000,000.
    For Evaluation window, enter your evaluation window.
    For Request aggregation, to set a rate limit based on the client IP field, select Source IP address. Or, to set a rate limit based on the IP address in a header, select IP address in header.
    Note: If your traffic goes through a proxy or a content delivery network (CDN), then use IP address in header. For more information, see Forwarded IP address.
    For Scope of inspection and rate limiting, to create a rule for all requests that the web ACL inspects, select Consider all requests. Or, to apply a scope-down statement, select Only consider requests that match the criteria in a rule statement.
  7. For Action, choose Block.
  8. Choose Add rule.
  9. Choose Save.
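The console steps above submit a WAFv2 rule definition to the service. The following is an added example, not part of this article, that builds that same rate-based rule as the JSON the `aws wafv2` CLI accepts in `--rules`, enforcing the rate-limit range and evaluation-window values the service allows. The header name X-Forwarded-For and the /login path prefix are constructed sample values.

```python
import json

# Evaluation windows (seconds) that AWS WAF accepts for a rate-based rule.
VALID_WINDOWS = (60, 120, 300, 600)
# Rate-limit bounds as stated in the article.
LIMIT_MIN, LIMIT_MAX = 100, 20_000_000


def rate_based_rule(name, limit, window_sec=300, forwarded_ip=False,
                    header_name="X-Forwarded-For", uri_prefix=None, priority=0):
    """Build the WAFv2 rule JSON for a blocking rate-based rule.

    forwarded_ip=True corresponds to "IP address in header" (clients behind a
    proxy or CDN); uri_prefix adds a scope-down statement so that only
    requests whose URI path starts with the prefix count toward the limit.
    """
    if not LIMIT_MIN <= limit <= LIMIT_MAX:
        raise ValueError(f"rate limit must be between {LIMIT_MIN} and {LIMIT_MAX}")
    if window_sec not in VALID_WINDOWS:
        raise ValueError(f"evaluation window must be one of {VALID_WINDOWS}")

    statement = {"Limit": limit, "EvaluationWindowSec": window_sec,
                 "AggregateKeyType": "FORWARDED_IP" if forwarded_ip else "IP"}
    if forwarded_ip:
        # Required when aggregating on a header; FallbackBehavior governs how
        # requests without a valid header are treated (see the Forwarded IP
        # address documentation referenced in the article).
        statement["ForwardedIPConfig"] = {"HeaderName": header_name,
                                          "FallbackBehavior": "NO_MATCH"}
    if uri_prefix is not None:
        # Scope-down statement: rate-limit only requests under uri_prefix.
        statement["ScopeDownStatement"] = {"ByteMatchStatement": {
            "SearchString": uri_prefix,
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "STARTS_WITH"}}

    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": statement},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": name}}


if __name__ == "__main__":
    # Constructed sample: block a client that sends more than 1000 requests to
    # /login within 5 minutes, keyed on the IP in X-Forwarded-For.
    rule = rate_based_rule("login-rate-limit", 1000, 300,
                           forwarded_ip=True, uri_prefix="/login")
    print(json.dumps([rule], indent=2))
```

The printed list is the value to pass as `--rules` to `aws wafv2 create-web-acl` or `update-web-acl` for a REGIONAL scope web ACL; `aws wafv2 associate-web-acl` then attaches the web ACL to the REST API stage ARN.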

Associate the web ACL with a REST API

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. Select your web ACL.
  4. Choose Associated AWS resources.
  5. Choose Add AWS resources.
  6. Choose Amazon API Gateway REST API, and then select your API.
    Note: If you don't see your REST API, then verify that the API and web ACL are in the same Region.
  7. Choose Add.

Related information

Rate-based rule aggregation options and keys

The three most important AWS WAF rate-based rules

How do I use an aggregation key to configure a rate limit rule in AWS WAF?

AWS OFFICIAL