AWS Firewall Manager endpoints and quotas
To connect programmatically to an AWS service, you use an endpoint. AWS services offer the following endpoint types in some or all of the AWS Regions that the service supports: IPv4 endpoints, dual-stack endpoints, and FIPS endpoints. Some services provide global endpoints. For more information, see AWS service endpoints.
Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.
The following are the service endpoints and service quotas for this service.
Service endpoints
Region Name | Region | Endpoint | Protocol |
---|---|---|---|
US East (Ohio) | us-east-2 | fms.us-east-2.amazonaws.com fms-fips.us-east-2.amazonaws.com | HTTPS HTTPS |
US East (N. Virginia) | us-east-1 | fms.us-east-1.amazonaws.com fms-fips.us-east-1.amazonaws.com | HTTPS HTTPS |
US West (N. California) | us-west-1 | fms.us-west-1.amazonaws.com fms-fips.us-west-1.amazonaws.com | HTTPS HTTPS |
US West (Oregon) | us-west-2 | fms.us-west-2.amazonaws.com fms-fips.us-west-2.amazonaws.com | HTTPS HTTPS |
Africa (Cape Town) | af-south-1 | fms.af-south-1.amazonaws.com fms-fips.af-south-1.amazonaws.com | HTTPS HTTPS |
Asia Pacific (Hong Kong) | ap-east-1 | fms.ap-east-1.amazonaws.com fms-fips.ap-east-1.amazonaws.com | HTTPS HTTPS |
Asia Pacific (Hyderabad) | ap-south-2 | fms.ap-south-2.amazonaws.com | HTTPS |
Asia Pacific (Jakarta) | ap-southeast-3 | fms.ap-southeast-3.amazonaws.com | HTTPS |
Asia Pacific (Malaysia) | ap-southeast-5 | fms.ap-southeast-5.amazonaws.com | HTTPS |
Asia Pacific (Melbourne) | ap-southeast-4 | fms.ap-southeast-4.amazonaws.com | HTTPS |
Asia Pacific (Mumbai) | ap-south-1 | fms.ap-south-1.amazonaws.com fms-fips.ap-south-1.amazonaws.com | HTTPS HTTPS |
Asia Pacific (Osaka) | ap-northeast-3 | fms.ap-northeast-3.amazonaws.com | HTTPS |
Asia Pacific (Seoul) | ap-northeast-2 | fms.ap-northeast-2.amazonaws.com fms-fips.ap-northeast-2.amazonaws.com | HTTPS HTTPS |
Asia Pacific (Singapore) | ap-southeast-1 | fms.ap-southeast-1.amazonaws.com fms-fips.ap-southeast-1.amazonaws.com | HTTPS HTTPS |
Asia Pacific (Sydney) | ap-southeast-2 | fms.ap-southeast-2.amazonaws.com fms-fips.ap-southeast-2.amazonaws.com | HTTPS HTTPS |
Asia Pacific (Tokyo) | ap-northeast-1 | fms.ap-northeast-1.amazonaws.com fms-fips.ap-northeast-1.amazonaws.com | HTTPS HTTPS |
Canada (Central) | ca-central-1 | fms.ca-central-1.amazonaws.com fms-fips.ca-central-1.amazonaws.com | HTTPS HTTPS |
Canada West (Calgary) | ca-west-1 | fms.ca-west-1.amazonaws.com fms-fips.ca-west-1.amazonaws.com | HTTPS HTTPS |
Europe (Frankfurt) | eu-central-1 | fms.eu-central-1.amazonaws.com fms-fips.eu-central-1.amazonaws.com | HTTPS HTTPS |
Europe (Ireland) | eu-west-1 | fms.eu-west-1.amazonaws.com fms-fips.eu-west-1.amazonaws.com | HTTPS HTTPS |
Europe (London) | eu-west-2 | fms.eu-west-2.amazonaws.com fms-fips.eu-west-2.amazonaws.com | HTTPS HTTPS |
Europe (Milan) | eu-south-1 | fms.eu-south-1.amazonaws.com fms-fips.eu-south-1.amazonaws.com | HTTPS HTTPS |
Europe (Paris) | eu-west-3 | fms.eu-west-3.amazonaws.com fms-fips.eu-west-3.amazonaws.com | HTTPS HTTPS |
Europe (Spain) | eu-south-2 | fms.eu-south-2.amazonaws.com | HTTPS |
Europe (Stockholm) | eu-north-1 | fms.eu-north-1.amazonaws.com | HTTPS |
Europe (Zurich) | eu-central-2 | fms.eu-central-2.amazonaws.com | HTTPS |
Israel (Tel Aviv) | il-central-1 | fms.il-central-1.amazonaws.com | HTTPS |
Middle East (Bahrain) | me-south-1 | fms.me-south-1.amazonaws.com fms-fips.me-south-1.amazonaws.com | HTTPS HTTPS |
Middle East (UAE) | me-central-1 | fms.me-central-1.amazonaws.com | HTTPS |
South America (São Paulo) | sa-east-1 | fms.sa-east-1.amazonaws.com fms-fips.sa-east-1.amazonaws.com | HTTPS HTTPS |
AWS GovCloud (US-East) | us-gov-east-1 | fms.us-gov-east-1.amazonaws.com fms-fips.us-gov-east-1.amazonaws.com | HTTPS HTTPS |
AWS GovCloud (US-West) | us-gov-west-1 | fms.us-gov-west-1.amazonaws.com fms-fips.us-gov-west-1.amazonaws.com | HTTPS HTTPS |
Service quotas
Name | Default | Adjustable | Description |
---|---|---|---|
AWS WAF Classic rule groups per AWS WAF Classic policy | Each supported Region: 2 | No | The maximum number of AWS WAF Classic rule groups that you can use in a Firewall Manager AWS WAF Classic policy. |
Accounts per Firewall Manager admin | Each supported Region: 10,000 | Yes | The maximum number of accounts that can be managed by Firewall Manager under a single FMS admin. |
Admins per organization in Firewall Manager | Each supported Region: 10 | No | The maximum number of admin accounts that you can onboard under a single organization in Firewall Manager. |
Amazon VPC instances in scope of a common security group policy | Each supported Region: 100 | Yes | The maximum number of Amazon VPC instances that you can have in scope per Firewall Manager common security group policy per account. This number represents the combined count of VPCs that you own and VPCs that are shared with you. |
Applications per application list | Each supported Region: 50 | Yes | The maximum number of applications that you can define in an application list. |
Audit security groups per security group content audit policy | Each supported Region: 1 | Yes | The maximum number of audit security groups that you can use in a Firewall Manager content audit security group policy. |
Custom managed application lists for rules that allow all traffic | Each supported Region: 1 | Yes | The maximum number of managed application lists for rules that allow all traffic in a Firewall Manager content audit security group policy. |
Custom managed application lists in any content audit security group policy setting | Each supported Region: 1 | Yes | The maximum number of custom managed application lists that you can use in any setting in a Firewall Manager content audit security group policy. |
Custom managed application lists per account | Each supported Region: 10 | Yes | The maximum number of custom managed application lists that you can define for an account. |
Custom managed protocol lists in any content audit security group policy setting | Each supported Region: 1 | Yes | The maximum number of custom managed protocol lists that you can use in any setting in a Firewall Manager content audit security group policy. |
Custom managed protocol lists per account | Each supported Region: 10 | Yes | The maximum number of custom managed protocol lists that you can define for an account. |
Explicitly included or excluded accounts per policy per Region | Each supported Region: 200 | Yes | The maximum number of accounts per Region that you can explicitly include in scope or explicitly exclude from scope for a Firewall Manager policy. |
Firewall Manager policies per organization per Region | Each supported Region: 50 | Yes | The maximum number of Firewall Manager policies for any pair of Region and organization in AWS Organizations. |
IPV4 CIDRs for a Network Firewall policy | Each supported Region: 50 | Yes | The maximum number of IPV4 CIDR ranges that you can provide in a single Firewall Manager Network Firewall policy, for use in firewall endpoint management. |
Inbound/outbound rules per network ACL policy | Each supported Region: 5 | Yes | The maximum number of inbound/outbound rules that you can use in a Firewall Manager Network ACL policy. |
Organizational units in scope per policy per Region | Each supported Region: 20 | Yes | The maximum number of organizational units that can be in scope of a Firewall Manager policy for any Region. |
Partner rule groups per AWS WAF policy | Each supported Region: 1 | Yes | The maximum number of partner rule groups that can be applied to a single policy, limited by Web Application Firewall WebACL limits. |
Primary security groups per common security group policy | Each supported Region: 3 | Yes | The maximum number of primary security groups that you can use in a Firewall Manager common security group policy. |
Protocols per protocol list | Each supported Region: 5 | Yes | The maximum number of protocols that you can define in a protocol list. |
Resource sets per Firewall Manager admin account | Each supported Region: 20 | Yes | The maximum number of resource sets that you can create under a single Firewall Manager admin account. |
Resources per resource set | Each supported Region: 100 | Yes | The maximum number of resources that a single resource set can contain. |
Route 53 Resolver DNS Firewall rule groups per DNS Firewall policy | Each supported Region: 2 | Yes | The maximum number of Route 53 Resolver DNS Firewall rule groups that you can use in a Firewall Manager DNS Firewall policy. |
Rule groups per AWS WAF policy | Each supported Region: 50 | Yes | The maximum number of rule groups that you can use in a Firewall Manager AWS WAF policy. |
Stateful rule group capacity per Network Firewall policy | Each supported Region: 30,000 | Yes | The maximum number of rules that can be included in a stateful rule group within a Firewall Manager Network Firewall policy. |
Stateful rule groups per Network Firewall policy | Each supported Region: 20 | No | The maximum number of stateful rule groups that you can use in a Firewall Manager Network Firewall policy. |
Stateless rule group capacity per Network Firewall policy | Each supported Region: 30,000 | No | The maximum number of rules that can be included in a stateless rule group within a Firewall Manager Network Firewall policy. |
Stateless rule groups per Network Firewall policy | Each supported Region: 20 | No | The maximum number of stateless rule groups that you can use in a Firewall Manager Network Firewall policy. |
Tags to include or exclude resources per policy | Each supported Region: 8 | Yes | The maximum number of tags that you can use to include or exclude resources for a Firewall Manager policy. |
VPCs that a single Network Firewall policy can automatically remediate | Each supported Region: 1,000 | No | The maximum number of VPCs that a single Firewall Manager Network Firewall policy can automatically remediate. |
Web ACL capacity units (WCU) used in an AWS WAF policy | Each supported Region: 5,000 | No | The maximum combined number of web ACL capacity units (WCU) for all of the rule groups used in a Firewall Manager AWS WAF policy. The WCU usage for a rule group is fixed by the rule group owner at creation time. |
For more information, see AWS Firewall Manager quotas in the AWS Firewall Manager Developer Guide.