Rate Limiting

Implementing Rate Limiting for Specific URLs Using AWS WAFv2

by: Aravind Sankar

May 01, 2024


In this blog, we will explore how to implement rate limiting for specific URLs using AWS WAFv2. We'll walk through the process of setting up a rate-based rule to protect your application endpoints from excessive requests, ensuring better security and performance.

Why Rate Limiting?

Rate limiting is crucial for protecting your web application from abuse and overuse. It helps mitigate denial-of-service (DoS) attacks, ensures fair usage, and improves overall performance. AWS WAFv2 allows you to define rate-based rules to limit the number of requests from a single IP address to your application.


  1. An AWS account with access to AWS WAF.
  2. A web application deployed on an AWS service such as an Application Load Balancer (ALB) or API Gateway.
  3. Basic understanding of AWS WAFv2 and regex patterns.

Step 1: Define a Regex Pattern Set

First, define a regex pattern set to match the specific URL paths you want to rate limit. In this example, we'll limit requests to URLs starting with /api/v1/resources/.

  1. Navigate to the AWS WAF console.
  2. Go to Regex Pattern Sets and create a new regex pattern set.
  3. Add the following regex pattern to match the desired URL path:

Step 2: Create a Web ACL with a Rate-Based Rule

Next, create a Web ACL and add a rate-based rule that references the regex pattern set.

  1. Go to Web ACLs in the AWS WAF console and create a new Web ACL.
  2. Add a rule with the following configuration:
      "Name": "waf-regex-pattern-set-prod-v2-rule",
      "Priority": 0,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100,
          "EvaluationWindowSec": 60,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "RegexPatternSetReferenceStatement": {
              "ARN": "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/regexpatternset/waf-regex-pattern-set-prod/PATTERN_SET_ID",
              "FieldToMatch": {
                "UriPath": {}
              "TextTransformations": [
                  "Priority": 0,
                  "Type": "NONE"
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 403
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "waf-regex-pattern-set-prod-v2-rule"
  3. Replace REGION, ACCOUNT_ID, and PATTERN_SET_ID with your respective AWS region, account ID, and pattern set ID.

Step 3: Associate the Web ACL with Your Resource

Associate the Web ACL with your application resource (e.g., ALB or API Gateway).

  1. In the AWS WAF console, go to Web ACLs.
  2. Select your Web ACL and go to Associations.
  3. Choose the resource you want to protect and associate the Web ACL with it.

Step 4: Monitor and Test

To ensure your rate limiting rule is working as expected, monitor CloudWatch metrics and logs.

  1. Go to CloudWatch in the AWS Management Console.
  2. Check the metrics for the rule named waf-regex-pattern-set-prod-v2-rule.
  3. Enable logging for the Web ACL to capture detailed request logs.

Debugging Common Issues

If the rate limiting rule is not working as expected, consider the following steps:

  1. Verify Regex Pattern: Ensure that the regex pattern correctly matches the intended URL path. Use an online regex tester with sample URLs to confirm the match.
  2. Check Rule Configuration: Review the rule configuration in the AWS WAF console. Ensure the rate limit and evaluation window are set correctly.
  3. Monitor CloudWatch Metrics: Check CloudWatch metrics to see if the rule is being triggered. Look for any anomalies or issues in the metrics.
  4. Review WAF Logs: Enable and review WAF logs to see detailed logs of the requests being evaluated against the rules.
  5. Adjust Limits: Temporarily reduce the rate limit to a lower value to see if it triggers more easily during testing.


Implementing rate limiting for specific URLs using AWS WAFv2 helps protect your application from excessive requests and potential abuse. By following the steps outlined in this blog, you can set up effective rate limiting rules tailored to your application's needs. Monitor and adjust the configurations as needed to ensure optimal performance and security.

By staying vigilant and proactive, you can safeguard your web application and provide a better user experience.

contact us

Get started now

Get a quote for your project.


Edstem Technologies LLC
254 Chapman Rd, Ste 208 #14734
Newark, Delaware 19702 US


Edstem Technologies Pvt Ltd
Office No-2B-1, Second Floor
Jyothirmaya, Infopark Phase II
Ernakulam, Kerala 682303

© 2024 — Edstem All Rights Reserved

Privacy PolicyTerms of Use