Every engineering team knows the trade‑off: lock the front door of your application and someone will complain that it takes longer to open. We wanted to put a precise number on that perception by measuring how much latency Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF) introduces when it protects traffic behind an OCI Flexible Load Balancer (FLB)—Oracle’s layer‑7, HTTP(S) load balancer.

Shows Flexible Loadbalancer and Web Application firewall together with added network latency to backend systems.
Figure 1. LBaaS and WAF integration

 

A snapshot of the experiment — and why it matters

To ground the discussion in real data, we ran a short performance exercise that mirrors production behaviour: hundreds of encrypted HTTPS requests per second, three back‑end servers, and a regional WAF policy using the default “recommended” rules. A step‑by‑step build is available in the Oracle Learn tutorial *Measure OCI WAF Latency Impact on OCI Load Balancer* for anyone who wants to replicate the numbers.

The goal wasn’t to craft a corner‑case benchmark; it was to stress a typical web tier and see whether security still leaves room for a quicker user experience.

The headline number: ~10 ms

Across multiple one‑minute test runs, the additional time per request averaged just under **10 milliseconds**. That represents a 54 percent bump relative to running the same traffic through the **Flexible Load Balancer with its WAF policy disabled**, yet the absolute latency stayed comfortably below the 30 ms mark.

Throughput and transactions‑per‑second barely moved (less than one percent difference), confirming that inspection cost is paid in micro‑delays, not in lost capacity.

Reading between the numbers

  • User experience vs. security posture – Ten milliseconds is effectively invisible to human users and comfortably within standard performance budgets, so most teams can enable WAF protection without revisiting service‑level objectives.
  • Private lab vs. public internet – Our traffic never left the cloud’s private backbone. Once packets hop across the internet, the absolute latency number rises, but the percentage overhead from WAF inspection typically holds steady in the single digits.

Take aways

It’s simple: OCI’s regional WAF adds roughly ten milliseconds of protection tax—small change for the up‑front blocking of OWASP Top 10 threats.

Recommended reading

Oracle Learn tutorial, Measure OCI WAF Latency Impact on OCI Load Balancer

Learn more about Oracle Cloud Infrastructure Flexible Load Balancer