WAF Sizing Guide

Typically, CPU is the main resource constraint for a WAF, since a WAF’s primary function is to inspect/parse large amounts of HTTP/HTTPS traffic. This guide uses CPU count as a unit for sizing. CPU performance may vary between environments, particularly in virtualized environments. This guide assumes that the CPUs are dedicated to the WAF.

This guide is intended to provide some general rules of thumb to assist in initially sizing WAFs. Website designs vary significantly, so this guide can only provide high-level estimates. Once a WAF is up and running, you can monitor actual WAF utilization using the Check WAF Utilization documentation.

There are 2 general ways to size a WAF appliance, depending on which metric is most readily available to you: Bandwidth Usage or Requests Per Second.

Bandwidth Usage

This metric refers to the bandwidth used by a website. For WAF sizing purposes, we combine the inbound and outbound traffic (inbound + outbound) into a single metric. This also assumes the traffic represents typical website traffic patterns.

Note that Bandwidth Usage is not a particularly accurate metric, since bandwidth usage varies significantly between websites. Also, higher bandwidth usage does not necessarily translate to increased load on the WAF. For example, a graphics-intensive website would use a large amount of bandwidth, but the WAF does not need to inspect the graphics data. However, the following table may be useful as an initial sizing guide:

# of CPUs   Bandwidth (inbound + outbound)   AWS Instance Type   Azure VM Size
2           80 Mbps                          c5.large            Standard_F2s_v2
4           160 Mbps                         c5.xlarge           Standard_F4s_v2
8           320 Mbps                         c5.2xlarge          Standard_F8s_v2
16          640 Mbps                         c5.4xlarge          Standard_F16s_v2

Requests Per Second

This metric refers to the number of HTTP/HTTPS requests per second processed by a website. This metric is typically more difficult to obtain, but it more accurately reflects the WAF load.

For WAF sizing purposes, we assume typical HTTP/HTTPS requests. Websites with complex requests or a large number of parameters would increase the load on the WAF, reducing the WAF’s capacity.

# of CPUs   Requests Per Second   AWS Instance Type   Azure VM Size
2           400                   c5.large            Standard_F2s_v2
4           800                   c5.xlarge           Standard_F4s_v2
8           1600                  c5.2xlarge          Standard_F8s_v2
16          3200                  c5.4xlarge          Standard_F16s_v2
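
One way to obtain the Requests Per Second figure and map it to the table above, as an added example that is not part of the original guide: it counts requests per second in a web server access log and picks the smallest row that covers the busiest second. Assumptions: the log is in Common/Combined Log Format, the peak one-second rate is used as the sizing input, each table row is read as a maximum for that CPU count, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Rows of the Requests Per Second table above: (RPS, CPUs, AWS type, Azure size).
# Assumption: each RPS value is treated as the ceiling for that row.
RPS_TIERS = [
    (400, 2, "c5.large", "Standard_F2s_v2"),
    (800, 4, "c5.xlarge", "Standard_F4s_v2"),
    (1600, 8, "c5.2xlarge", "Standard_F8s_v2"),
    (3200, 16, "c5.4xlarge", "Standard_F16s_v2"),
]

# Timestamp field of a log line, e.g. [10/Oct/2023:13:55:36 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def peak_rps(log_lines):
    """Return the request count of the busiest one-second bucket."""
    per_second = Counter()
    for line in log_lines:
        m = TS_RE.search(line)
        if not m:
            continue  # skip lines without a parsable timestamp
        # Timezone-aware timestamps compare by instant, so mixed offsets merge.
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        per_second[ts] += 1
    return max(per_second.values(), default=0)

def size_for_rps(rps):
    """Return the smallest table row covering rps, or None if above 3200."""
    for max_rps, cpus, aws, azure in RPS_TIERS:
        if rps <= max_rps:
            return {"cpus": cpus, "aws": aws, "azure": azure}
    return None  # exceeds the largest row in the table

def constructed_sample():
    """Constructed log: 450 requests in one second, 10 in the next, 1 bad line."""
    line = '203.0.113.7 - - [10/Oct/2023:13:55:{:02d} +0000] "GET / HTTP/1.1" 200 512'
    return [line.format(36)] * 450 + [line.format(37)] * 10 + ["malformed line"]

if __name__ == "__main__":
    peak = peak_rps(constructed_sample())
    print(peak, size_for_rps(peak))
```

Because complex requests reduce WAF capacity, treat the result as a starting estimate and confirm it against actual WAF utilization once the appliance is running.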