WAF
web application firewall
Overview
Protects web applications from web attacks at Layer 7 (HTTP and HTTPS), so WAF does not support NLB (Layer 4).
Integration
Can be deployed on
ALB (protect the origin web server running behind ALB)
API Gateway (protect REST APIs)
CloudFront (protect content on Edge location)
AppSync (protect GraphQL API)
Cognito User Pool
Web ACL rule
IP Set
Protect from common attacks: SQL Injection, XSS (Cross-site scripting)
Size constraints
Geo-match (block countries)
Rate-based rules (for DDoS protection)
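An added example, not part of the original notes: a CloudFormation sketch of one web ACL that combines three of the rule types listed above (geo-match, rate-based, and SQL injection protection through an AWS managed rule group). The logical name, metric names, country code and rate limit are assumptions chosen for illustration.

```yaml
# Added example with constructed values; adjust before use.
Resources:
  ExampleWebACL:                       # hypothetical logical name
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-web-acl
      Scope: REGIONAL                  # CLOUDFRONT when attaching to a CloudFront distribution
      DefaultAction:
        Allow: {}                      # requests that match no rule are allowed
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ExampleWebACL
      Rules:
        - Name: GeoBlock               # geo-match: block by country of origin
          Priority: 0
          Action:
            Block: {}
          Statement:
            GeoMatchStatement:
              CountryCodes: [AQ]       # sample ISO 3166 code only
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: GeoBlock}
        - Name: RateLimitPerIP         # rate-based: block IPs that exceed the limit
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000              # sample threshold, counted over the default 5-minute window
              AggregateKeyType: IP
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: RateLimitPerIP}
        - Name: ManagedSQLi            # SQL injection protection from an AWS managed rule group
          Priority: 2
          OverrideAction:
            None: {}                   # keep the actions defined inside the rule group
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ManagedSQLi}
```

Setting a rule's action to `Count: {}` instead of `Block: {}` records matches in CloudWatch without blocking, which is a common way to check for false positives before enforcing a rule.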
Features
Custom error pages
You can configure CloudFront to present a custom error page when requests are blocked.
Rate-based rules
For DDoS protection.
Cost
No upfront.
Charges are based on the number of web ACLs and rules that you create, and the number of requests you receive.
Trivia
Can inspect both IPv4 and IPv6.
Web ACL is regional, except for CloudFront.