AWS Network Firewall quotas

AWS Network Firewall is subject to the following quotas (formerly referred to as limits). These quotas are the same for all AWS Regions in which Network Firewall is available. Each Region is subject to these quotas individually. The quotas are not cumulative across Regions.

Network Firewall has the following default quotas on the maximum number of entities you can have per account per Region. You can request an increase in these adjustable quotas through the Service Quotas console.

Resource | Default quota
Maximum number of firewalls per account per Region. | 5
Maximum number of firewall policies per account per Region. | 20
Maximum number of stateful rule groups per account per Region. You can't use all of these rule groups in a single firewall policy. See the immutable maximum number of stateful rule groups per firewall policy in the table that follows this one. | 50
Maximum number of stateless rule groups per account per Region. You can't use all of these rule groups in a single firewall policy. See the immutable maximum number of stateless rule groups per firewall policy in the table that follows this one. | 50
Maximum number of stateful rules per firewall policy per account per Region. This is the total across all rule groups that are referenced by the policy. | 30,000
Maximum number of TLS inspection configurations per account per Region. | 20

Network Firewall has the following quotas that can't be changed.

Resource | Quota
Maximum character length of a Suricata rule. Each variable value in the rule counts towards this limit. | 8,192
Maximum size of a Suricata-compatible rules string for a rule group, in bytes. | 2,000,000
Maximum stateful rule group capacity. For more information, see Setting rule group capacity in AWS Network Firewall. | 30,000
Maximum number of IP set references per Suricata-compatible stateful rule group. For information about IP set references, see IP set references in Suricata-compatible AWS Network Firewall rule groups. | 5
Maximum number of stateful rule groups per firewall policy. | 20
Maximum number of stateless rule groups per firewall policy. | 20
Maximum stateless rule group capacity. For more information, see Setting rule group capacity in AWS Network Firewall. | 30,000
Maximum number of custom actions per stateless rule group. | 10
Maximum number of stateless rules per firewall policy. This is the total across all rule groups that are referenced by the policy. | 30,000
Maximum network traffic bandwidth per firewall endpoint. If you require more traffic bandwidth, you can split your resources into subnets and create a firewall in each subnet. | 100 Gbps
Required number of firewall policies per firewall. | 1
Maximum number of firewalls that can use the same firewall policy. | 1,000
Maximum number of firewall policies that can use the same rule group. | 1,000
Maximum number of TLS inspection configurations per firewall policy. | 1
Maximum number of firewall policies that can use the same TLS inspection configuration. | 1,000
Maximum number of certificate authority (CA) certificates per TLS inspection configuration. CA certificates are used for outbound SSL/TLS inspection. | 1
Maximum number of server certificates per TLS inspection configuration. Server certificates are used for inbound SSL/TLS inspection. | 10
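As an added example (not part of the AWS documentation or the service's own tooling), a pre-deployment check that measures a Suricata-compatible rules string against the immutable per-rule character limit, per-rule-group byte limit and IP set reference limit from the table above, so a rule group that would be rejected is caught before it is sent to the API. It assumes IP set references are written with an "@" prefix in the rule text and approximates "each variable value counts towards the limit" by substituting every $NAME with its configured value; the rule set and variable values are constructed for illustration.

```python
import re

# Immutable quotas taken from the table above.
MAX_RULE_CHARS = 8_192              # per Suricata rule, after variable expansion
MAX_RULES_STRING_BYTES = 2_000_000  # per rule group rules string, in bytes
MAX_IP_SET_REFERENCES = 5           # per stateful rule group

# Assumption: IP set references appear as "@name" in the rule text.
IP_SET_REF_RE = re.compile(r"@([A-Za-z0-9_]+)")
# Assumption: rule variables appear as "$NAME" and are expanded verbatim.
VARIABLE_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_variables(rule, variables):
    """Substitute each $NAME with its value so the value counts toward the length."""
    return VARIABLE_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), rule)


def split_rules(rules_string):
    """Return the non-empty, non-comment lines of a rules string."""
    return [ln for ln in rules_string.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def check_rules_string(rules_string, variables):
    """Return a list of quota violations; an empty list means the string fits."""
    problems = []
    size = len(rules_string.encode("utf-8"))
    if size > MAX_RULES_STRING_BYTES:
        problems.append(f"rules string is {size} bytes, limit {MAX_RULES_STRING_BYTES}")
    ip_set_refs = set()
    for n, rule in enumerate(split_rules(rules_string), start=1):
        expanded = expand_variables(rule, variables)
        if len(expanded) > MAX_RULE_CHARS:
            problems.append(f"rule {n} is {len(expanded)} characters, limit {MAX_RULE_CHARS}")
        ip_set_refs.update(IP_SET_REF_RE.findall(rule))
    if len(ip_set_refs) > MAX_IP_SET_REFERENCES:
        problems.append(f"{len(ip_set_refs)} IP set references, limit {MAX_IP_SET_REFERENCES}")
    return problems


# Constructed sample input, not a real rule set.
SAMPLE_RULES = """# constructed sample
alert tcp $HOME_NET any -> @blocklist_a any (msg:"ref a"; sid:1; rev:1;)
alert tcp $HOME_NET any -> @blocklist_b any (msg:"ref b"; sid:2; rev:1;)
"""
SAMPLE_VARIABLES = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]"}

if __name__ == "__main__":
    print(check_rules_string(SAMPLE_RULES, SAMPLE_VARIABLES) or "within quotas")
```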