Hey fellow dev, let’s tackle your three AWS WAF questions with straight, practical answers based on how the service actually works:

1. Do requests from blacklisted IPs (via IP sets) incur WAF fees? #

Yes, they do. AWS WAF charges for every request that gets evaluated by your Web ACL—regardless of whether it’s allowed or blocked. Even if a request is stopped early by an IP blacklist rule, it’s still counted as an inspected request and will show up in your billing.

2. Do blocked requests from rate-limited IPs (exceeding 5-minute limits) incur fees? #

Same logic applies here. Any request that reaches your Web ACL (including those blocked by rate-based rules) is evaluated, and thus billed. Rate-limiting rules need to track incoming request counts to enforce the limit, so every request that triggers the rule—even the blocked ones—counts towards your WAF usage.

3. Does the ALB Web ACL 25,000 requests/second quota include both allowed and blocked requests? #

Yep, this quota covers all requests that go through the Web ACL evaluation pipeline. Whether a request is allowed, blocked, counted, or redirected, it counts against the 25,000 requests-per-second limit. This is the total throughput capacity for your Web ACL attached to an ALB, so every inspected request contributes to the count.

内容的提问来源于stack exchange，提问作者Shashikumar