CloudFront rate limit rule doesn't work

Published 2019-04-24 10:08

Question:

I have a CloudFront distribution for an EC2 HTTP server. I created a rate limit for my CloudFront distribution using WAF. In theory no IP address should be able to send more than 2,000 requests in any 5 minute period. But this just doesn't seem to work. I fired off 10,000 concurrent requests from my laptop (using a Go program) in <1 minute and all of them got through. I know they are reaching the EC2 origin because my HTTP server keeps a counter for requests.

Strangely, the WAF dashboard even recognizes that traffic exceeded the 5 minute limit:

Yet no IP blocking took place:

And my EC2 server registered all 10,000 hits.

Am I missing some configuration subtlety? Or is there meant to be a long delay between when CloudFront registers the traffic spike and when it implements the IP block?

EDIT: A config picture:

Answer 1:

You probably already figured this out, but... you have to specifically select the AWS WAF Web ACL that contains the rate-limit rule in your CloudFront distribution. You can do this on the Distribution Settings page of your CloudFront distribution (the second item, a dropdown labelled AWS WAF Web ACL).

If you don't, the two aren't connected together, which might explain why your requests aren't blocked when you expect them to be blocked.
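A small audit of the wiring the answer describes, as an added example that is not part of the original thread: it checks that the distribution actually references the Web ACL, that the ACL carries a rate-based rule, and that the rule's action is BLOCK rather than COUNT (a counting rule shows up on the WAF dashboard but never blocks anything). The input dictionaries mirror the shapes returned by `aws cloudfront get-distribution-config` (its `DistributionConfig` member) and `aws waf get-web-acl` (its `WebACL` member); the sample data and the ID values are constructed for this example.

```python
from typing import List

def audit_rate_limit(dist_config: dict, web_acl: dict) -> List[str]:
    """Return human-readable findings; an empty list means the rate limit
    is connected to the distribution the way the answer describes."""
    findings = []
    acl_id = dist_config.get("WebACLId", "")
    if not acl_id:
        # The exact symptom in the question: ACL exists, distribution never uses it.
        findings.append("distribution has no Web ACL attached (WebACLId is empty)")
    elif acl_id != web_acl["WebACLId"]:
        findings.append(f"distribution uses Web ACL {acl_id}, not {web_acl['WebACLId']}")
    rate_rules = [r for r in web_acl.get("Rules", []) if r.get("Type") == "RATE_BASED"]
    if not rate_rules:
        findings.append("Web ACL contains no RATE_BASED rule")
    for rule in rate_rules:
        action = rule["Action"]["Type"]
        if action != "BLOCK":
            # COUNT makes the dashboard light up while every request still reaches the origin.
            findings.append(f"rate rule {rule['RuleId']} action is {action}, not BLOCK")
    return findings

# Constructed samples (hypothetical IDs); the ACL itself is correct in all three cases.
SAMPLE_ACL = {
    "WebACLId": "acl-EXAMPLE-0001",
    "Name": "rate-limit-acl",
    "DefaultAction": {"Type": "ALLOW"},
    "Rules": [{"RuleId": "rule-EXAMPLE-0001", "Priority": 1,
               "Action": {"Type": "BLOCK"}, "Type": "RATE_BASED"}],
}
COUNTING_ACL = {**SAMPLE_ACL,
                "Rules": [{**SAMPLE_ACL["Rules"][0], "Action": {"Type": "COUNT"}}]}
DIST_UNATTACHED = {"WebACLId": ""}                  # the situation in the question
DIST_ATTACHED = {"WebACLId": "acl-EXAMPLE-0001"}    # after selecting the ACL

if __name__ == "__main__":
    for name, dist, acl in [("unattached", DIST_UNATTACHED, SAMPLE_ACL),
                            ("attached", DIST_ATTACHED, SAMPLE_ACL),
                            ("counting", DIST_ATTACHED, COUNTING_ACL)]:
        print(name, audit_rate_limit(dist, acl) or ["ok"])
```

In a real account, feed the function the `DistributionConfig` and `WebACL` objects the two CLI commands return after the change, and confirm the list comes back empty.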