- Newest
- Most votes
- Most comments
The 150 requests you are sending at the same time are most likely coming in at too high of a rate for the WAF to detect and limit them. AWS WAF will catch up and eventually trigger the rule.
Take a look at the Rate-based rule caveats for more detail.
Each time that AWS WAF estimates the rate of requests, AWS WAF looks back at the number of requests that came in during the configured evaluation window. Due to this and other factors such as propagation delays, it's possible for requests to be coming in at too high a rate for up to several minutes before AWS WAF detects and rate limits them. Similarly. the request rate can be below the limit for a period of time before AWS WAF detects the decrease and discontinues the rate limiting action. Usually, this delay is below 30 seconds.
Relevant content
- Accepted Answerasked 2 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 5 months ago
Agreed. You need to take some WAF ramp-up time into account: so, your experiment should extend over a longer period (a few minutes) to start seeing the multiple parallel requests to be blocked.