WAF

web application firewall

Overview

  • Protects web apps from web attacks at Layer 7 (HTTP and HTTPS), so WAF does not support NLB (Layer 4).

Integration

Can be deployed on

  • ALB (protect the origin web server running behind ALB)

  • API Gateway (protect REST APIs)

  • CloudFront (protect content on Edge location)

  • AppSync (protect GraphQL API)

  • Cognito User Pool

Web ACL rule

  • IP Set

  • Protect from common attacks: SQL Injection, XSS (Cross-site scripting)

  • Size constraints

  • Geo-match (block countries)

  • Rate-based rules (for DDoS protection)
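
A web ACL that combines several of the rule types listed above, written as a CloudFormation template. This is an added example, not part of the original notes; the resource name, rule names, rate limit and size threshold are assumptions chosen for illustration.

```yaml
# Added example. Names, the rate limit and the size threshold are assumed values.
Resources:
  ExampleWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-web-acl
      Scope: REGIONAL                  # CLOUDFRONT when protecting a CloudFront distribution
      DefaultAction: {Allow: {}}       # requests that match no rule are allowed
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: example-web-acl}
      Rules:
        # Rate-based rule: block a source IP that exceeds the limit in the evaluation window.
        - Name: rate-limit-per-ip
          Priority: 0
          Statement:
            RateBasedStatement:
              Limit: 2000              # assumed threshold, requests per window per IP
              AggregateKeyType: IP
          Action: {Block: {}}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rate-limit-per-ip}
        # Size constraint: block query strings longer than 2048 bytes (assumed limit).
        - Name: query-size-limit
          Priority: 1
          Statement:
            SizeConstraintStatement:
              FieldToMatch: {QueryString: {}}
              ComparisonOperator: GT
              Size: 2048
              TextTransformations: [{Priority: 0, Type: NONE}]
          Action: {Block: {}}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: query-size-limit}
        # AWS managed rule group for SQL injection.
        - Name: aws-sqli
          Priority: 2
          Statement:
            ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet}
          OverrideAction: {None: {}}   # keep the actions defined inside the rule group
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: aws-sqli}
        # AWS managed core rule set, which includes cross-site scripting rules.
        - Name: aws-common
          Priority: 3
          Statement:
            ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesCommonRuleSet}
          OverrideAction: {None: {}}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: aws-common}
```

Rules are evaluated in ascending `Priority` order, so the rate limit is checked before the inspection rules.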

Features

Custom error pages

You can configure CloudFront to present a custom error page when requests are blocked.

Rate-based rules

For DDoS protection.

Cost

  • No upfront.

  • Charges are based on the number of web ACLs and rules that you create, and the number of requests you receive.

Trivia

  • Can inspect both IPv4 and IPv6.

  • Web ACL is regional, except for CloudFront.
