WAF Sizing Guide
Typically, CPU is the main resource constraint for a WAF, since a WAF’s primary function is to inspect/parse large amounts of HTTP/HTTPS traffic. This guide uses CPU count as a unit for sizing. CPU performance may vary between environments, particularly in virtualized environments. This guide assumes that the CPUs are dedicated to the WAF.
This guide is intended to provide some general rules of thumb to assist in initially sizing WAFs. Website designs vary significantly, so this guide can only provide high-level estimates. Once a WAF is up and running, you can monitor actual WAF utilization using the Check WAF Utilization documentation.
There are 2 general ways to size a WAF appliance, depending on which metric is most readily available to you: Bandwidth Usage or Requests Per Second.
Bandwidth Usage
This metric refers to the bandwidth used by a website. For WAF sizing purposes, we combine the inbound and outbound traffic (inbound + outbound) into a single metric. This also assumes the traffic represents typical website traffic patterns.
Note that Bandwidth Usage is not a particularly accurate metric, since bandwidth usage varies significantly between websites. Also, bandwidth usage does not necessarily translate to increased load on the WAF. For example, a graphics intensive website would use a large amount of bandwidth, but the WAF does not need to inspect the graphics data. However, the following table may be useful as an initial sizing guide:
# of CPUs | Bandwidth (inbound + outbound) | AWS Instance Type | Azure VM Size |
---|---|---|---|
2 | 80Mbps | c5.large | Standard_F2s_v2 |
4 | 160Mbps | c5.xlarge | Standard_F4s_v2 |
8 | 320Mbps | c5.2xlarge | Standard_F8s_v2 |
16 | 640Mbps | c5.4xlarge | Standard_F16s_v2 |
Requests Per Second
This metric refers to the number of HTTP/HTTPS requests per second processed by a website. This metric is typically more difficult to obtain, but it more accurately reflects the WAF load.
For WAF sizing purposes, we assume typical HTTP/HTTPS requests. Websites with complex requests or a large number of parameters would increase the load on the WAF, reducing the WAF’s capacity.
# of CPUs | Requests Per Second | AWS Instance Type | Azure VM Size |
---|---|---|---|
2 | 400 | c5.large | Standard_F2s_v2 |
4 | 800 | c5.xlarge | Standard_F4s_v2 |
8 | 1600 | c5.2xlarge | Standard_F8s_v2 |
16 | 3200 | c5.4xlarge | Standard_F16s_v2 |
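Since Requests Per Second is the harder metric to obtain, the following added example (not part of the original guide) derives peak requests per second from a web server access log and picks the smallest CPU count from the table above that covers it. It assumes the common/combined access log timestamp format; the function names, the `headroom` parameter and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Requests-per-second capacity per CPU count, copied from the table above.
RPS_TIERS = [(2, 400), (4, 800), (8, 1600), (16, 3200)]

# Timestamp field of the common/combined access log format (assumed input format).
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def peak_rps(log_lines):
    """Return the request count of the busiest one-second bucket in the log."""
    per_second = Counter()
    for line in log_lines:
        m = TS_RE.search(line)
        if not m:
            continue  # skip malformed or truncated lines instead of failing
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        per_second[ts] += 1
    return max(per_second.values(), default=0)

def cpus_for_rps(rps, headroom=1.0):
    """Smallest CPU count whose table capacity covers rps * headroom.

    headroom is a hypothetical safety factor, not from the guide.
    Returns None when the load exceeds the largest tier in the table.
    """
    need = rps * headroom
    for cpus, capacity in RPS_TIERS:
        if need <= capacity:
            return cpus
    return None

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.6 - - [10/Oct/2023:13:55:01 +0000] "GET /a HTTP/1.1" 200 90',
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 302 0',
    'garbled line without a timestamp',
    '203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "GET /b HTTP/1.1" 200 77',
    '203.0.113.8 - - [10/Oct/2023:13:55:02 +0000] "GET /c HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    peak = peak_rps(SAMPLE_LOG)
    print(f"peak RPS: {peak}, suggested CPUs: {cpus_for_rps(peak)}")
```

Run it over a log window that includes the site's busiest period, since the peak second drives the sizing rather than the daily average.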