Lambda URL CloudFront WAF Jets Blanket Rate Limiter Testing

Here’s an example of the Jets Blanket Rate Limiter in action. We’ve configured the limit to 100, the lowest permitted WAF setting for testing.


Jets.deploy.configure do
  config.waf.custom_rules.blanket_rate_limiter.enable = true # default is true
  config.waf.custom_rules.blanket_rate_limiter.limit = 100 # default 1000

Test with ab and curl

You can use a simple tool like ab to get the rate limit.

ab -n 100 -c 10

After running it twice, you should have exceeded the WAF rate limit of 100.

Then, if you hit it again with curl, you’ll get a 403 response.

$ curl -sv ""
# ...
< HTTP/2 403
< server: CloudFront
< date: Sun, 19 May 2024 22:51:51 GMT
< content-type: text/html
< content-length: 919
< x-cache: Error from cloudfront
< via: 1.1 (CloudFront)
< x-amz-cf-pop: HIO52-P2
< x-amz-cf-id: oLkHaOtOhO4fjqdHAgN-T0YHrtv-C7tAGPT_j05znkYW7Zu8L4kPSw==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Request blocked.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
Generated by cloudfront (CloudFront)
Request ID: oLkHaOtOhO4fjqdHAgN-T0YHrtv-C7tAGPT_j05znkYW7Zu8L4kPSw==

After a few minutes, your IP’s rate limit resets, and the request will again return 200 response codes.

$ curl -sv "" 2>&1 | grep '< HTTP'
< HTTP/2 200

Check CloudWatch Logs

You can also use CloudWatch Insights to confirm that the WAF blocked the request using the Jets-BlanketRateLimit rule. Here’s a query to help.

fields @timestamp, @message, action, httpRequest.clientIp, httpRequest.uri, httpRequest.httpMethod, webaclId
| filter action = 'BLOCK'
| sort @timestamp desc
| limit 20

You should find a log entry that looks like this:

  "timestamp": 1716159111979,
  "formatVersion": 1,
  "webaclId": "arn:aws:wafv2:us-east-1:112233445566:global/webacl/dev/d8ebd2fe-ddcd-4830-a240-6ac3786a9407",
  "terminatingRuleId": "Jets-BlanketRateLimit",
  "terminatingRuleType": "RATE_BASED",
  "action": "BLOCK",
  "terminatingRuleMatchDetails": [],
  "httpSourceName": "CF",
  "httpSourceId": "E2PPB3A2M07L7U",
  "ruleGroupList": [],
  "rateBasedRuleList": [
      "rateBasedRuleId": "arn:aws:wafv2:us-east-1:112233445566_MANAGED:global/ipset/d8ebd2fe-ddcd-4830-a240-6ac3786a9407_0439adc1-7fc6-4e79-ba7f-2baa80ef7e8e_IPV4/0439adc1-7fc6-4e79-ba7f-2baa80ef7e8e",
      "rateBasedRuleName": "Jets-BlanketRateLimit",
      "limitKey": "IP",
      "maxRateAllowed": 100,
      "evaluationWindowSec": 300,
      "limitValue": ""
  "nonTerminatingMatchingRules": [],
  "requestHeadersInserted": null,
  "responseCodeSent": null,
  "httpRequest": {
    "clientIp": "",
    "country": "US",
    "headers": [
        "name": "host",
        "value": ""
        "name": "user-agent",
        "value": "curl/7.81.0"
        "name": "accept",
        "value": "*/*"
    "uri": "/",
    "args": "",
    "httpVersion": "HTTP/2.0",
    "httpMethod": "GET",
    "requestId": "oLkHaOtOhO4fjqdHAgN-T0YHrtv-C7tAGPT_j05znkYW7Zu8L4kPSw=="
  "ja3Fingerprint": "4ea056e63b7910cbf543f0c095064dfe"