I am new to AWS WAF. I set up AWS WAF for the API Gateway to limit requests to 5k in a 5-minute window. However, the internal IPs would exceed the 5k limit and get blocked, so is there a way to exclude internal IPs from this rate limit (let them request an unlimited number of times)?
I understand that you would like to know if there is a way to exclude certain IPs from a WAF rate limit rule inspection.
This can be done by using a Scope Down statement on the rate limit rule.
There is an excellent article on the AWS Knowledge Center about this.
Section 2 of the article above contains the necessary steps. I've also written them out below. The most important steps to review are 8, 9, and 10.
Use the following steps to exclude an IP set from a rate-based rule:
Here are some additional resources for working with rate-based rules.
I hope this helps!
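The scope-down statement described in the answer above, shown as an added example that is not part of the original post or of any AWS documentation. It builds the WAFv2 rule JSON that `aws wafv2 update-web-acl` (or the console's JSON editor) accepts, with the rate-based statement scoped down to "NOT in the internal IP set", and then simulates locally how that scope-down changes which source IPs get counted against the limit. The IP set ARN and the CIDR blocks are constructed placeholders; replace them with your own IP set and its addresses.

```python
import ipaddress
import json

# Constructed placeholder: the ARN of the IP set holding your internal addresses.
INTERNAL_IP_SET_ARN = (
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/internal-ips/EXAMPLE-ID"
)

# Constructed sample: the CIDR blocks you would load into that IP set.
INTERNAL_CIDRS = ["10.0.0.0/8", "192.0.2.0/24"]


def build_rate_limit_rule(limit=5000, ip_set_arn=INTERNAL_IP_SET_ARN,
                          name="RateLimitExcludeInternal", priority=0):
    """Return a WAFv2 rule dict: rate-based, aggregated per source IP, scoped down
    so that requests whose source IP is in the internal IP set are never counted."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,                # max requests per IP per window
                "EvaluationWindowSec": 300,    # 5-minute window (the default)
                "AggregateKeyType": "IP",
                # Scope-down: only requests matching this statement are counted.
                "ScopeDownStatement": {
                    "NotStatement": {
                        "Statement": {
                            "IPSetReferenceStatement": {"ARN": ip_set_arn}
                        }
                    }
                },
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def rule_json(rule):
    """Serialise the rule the way it is pasted into the console or a CLI --rules file."""
    return json.dumps(rule, indent=2)


def counts_toward_limit(rule, source_ip, internal_cidrs):
    """Local model of the scope-down: True if a request from source_ip would be
    counted by the rate-based statement, False if the NOT(IP set) excludes it."""
    stmt = rule["Statement"]["RateBasedStatement"]
    scope = stmt.get("ScopeDownStatement")
    if scope is None:
        return True  # no scope-down: every request is counted
    # The scope-down here is NOT(IPSetReference); model the IP set as CIDR blocks.
    addr = ipaddress.ip_address(source_ip)
    in_internal_set = any(addr in ipaddress.ip_network(c) for c in internal_cidrs)
    return not in_internal_set


def blocked_ips_in_window(rule, request_ips, internal_cidrs):
    """Given the source IPs seen in one evaluation window, return the sorted list of
    IPs whose counted requests exceed the limit and would therefore be blocked."""
    limit = rule["Statement"]["RateBasedStatement"]["Limit"]
    counts = {}
    for ip in request_ips:
        if counts_toward_limit(rule, ip, internal_cidrs):
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > limit)


if __name__ == "__main__":
    rule = build_rate_limit_rule()
    print(rule_json(rule))
    # Constructed traffic: an internal host well over the limit, one external host
    # just over it, and one external host far under it.
    window = ["10.1.2.3"] * 6000 + ["203.0.113.7"] * 5001 + ["198.51.100.9"] * 10
    print("blocked:", blocked_ips_in_window(rule, window, INTERNAL_CIDRS))
```

The alternative of putting an "Allow" rule for the internal IP set at a higher priority also keeps them from being rate limited, but Allow is a terminating action, so those requests would skip every other rule in the web ACL; the scope-down keeps internal traffic inspected by the rest of the ACL while only exempting it from the count.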