CloudFront rate limit rule doesn't work

I have a CloudFront distribution for an EC2 HTTP server. I created a rate limit for my CloudFront distribution using WAF. In theory no IP address should be able to send more than 2,000 requests in any 5 minute period. But this just doesn't seem to work. I fired off 10,000 concurrent requests from my laptop (using a Go program) in <1 minute and all of them got through. I know they are reaching the EC2 origin because my HTTP server keeps a counter for requests.

Strangely, the WAF dashboard even recognizes that traffic exceeded the 5 minute limit:

[screenshot: WAF dashboard showing traffic over the 5-minute limit]

Yet no IP blocking took place:

[screenshot: no blocked IPs]

And my EC2 server registered all 10,000 hits.

Am I missing some configuration subtlety? Or is there meant to be a long delay between when CloudFront registers the traffic spike and when it implements the IP block?

EDIT: [screenshot of the rate limit rule configuration]

rampatowl asked Jul 05 '18 15:07 (425 likes)



1 Answer

You probably already figured this out, but... you have to specifically select the AWS WAF Web ACL that contains the rate-limit rule in your CloudFront distribution. You can do this on the Distribution Settings page of your CloudFront distribution (second item: a dropdown with the label AWS WAF Web ACL).

If you don't, the two aren't connected together, which might explain why your requests aren't blocked when you expect them to be blocked.

mrcl answered Sep 29 '22 20:09 (154 likes)
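The association the answer describes is visible in the distribution's configuration as the `WebACLId` field (empty when no Web ACL is attached), which is what `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` returns. The following is an added example, not code from the question or the answer: it checks that field so you can confirm the Web ACL is actually attached before concluding that the rate-based rule itself is broken. The sample configurations and the Web ACL id in them are constructed placeholders; the `boto3` helper at the end is an assumption about how you would run the same check live and is only imported when called.

```python
"""Check whether CloudFront distributions have an AWS WAF Web ACL attached.

A rate-based rule lives in a Web ACL; the Web ACL only takes effect on a
distribution whose DistributionConfig.WebACLId points at it. An empty
WebACLId means WAF counts nothing and blocks nothing for that distribution.
"""

# Constructed samples shaped like `aws cloudfront get-distribution-config`
# output, reduced to the keys this check uses. The id is a placeholder.
SAMPLE_UNPROTECTED = {
    "DistributionConfig": {
        "Comment": "EC2 HTTP origin",
        "Enabled": True,
        "WebACLId": "",
    }
}

SAMPLE_PROTECTED = {
    "DistributionConfig": {
        "Comment": "EC2 HTTP origin",
        "Enabled": True,
        # placeholder Web ACL id, not a real resource
        "WebACLId": "00000000-0000-0000-0000-000000000000",
    }
}


def web_acl_status(dist_config: dict) -> dict:
    """Return whether a distribution config has a Web ACL associated.

    Accepts either the full get-distribution-config response or the bare
    DistributionConfig object. A missing or blank WebACLId means no WAF
    rules (including rate limits) apply to this distribution.
    """
    cfg = dist_config.get("DistributionConfig", dist_config)
    acl = (cfg.get("WebACLId") or "").strip()
    return {"associated": bool(acl), "web_acl_id": acl or None}


def find_unprotected(summaries: list[dict]) -> list[str]:
    """Given distribution summaries (as in list-distributions Items),
    return the ids of those with no Web ACL attached."""
    return [
        s["Id"]
        for s in summaries
        if not web_acl_status(s)["associated"]
    ]


def audit_live_account() -> list[str]:
    """Assumed live variant: list every distribution in the account and
    report those without a Web ACL. Requires boto3 and AWS credentials;
    imported lazily so the rest of the module works offline."""
    import boto3  # assumption: boto3 installed and credentials configured

    cf = boto3.client("cloudfront")
    items = cf.list_distributions().get("DistributionList", {}).get("Items", [])
    return find_unprotected(items)


if __name__ == "__main__":
    for name, sample in (("unprotected", SAMPLE_UNPROTECTED),
                         ("protected", SAMPLE_PROTECTED)):
        print(name, web_acl_status(sample))
```

If `associated` comes back `False`, attach the Web ACL on the distribution (the AWS WAF Web ACL dropdown the answer mentions) and re-run the load test; only then does the dashboard's counter for the rate-based rule correspond to a rule that can actually block.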