AWS WAF Security Automations

Deployment Considerations

The AWS WAF Security Automations solution is designed to protect web applications deployed with Amazon CloudFront or with an Application Load Balancer. The following sections provide other constraints and considerations for implementing this solution.

AWS WAF Limits

Web ACL Rules

The web ACL that this solution generates is designed to offer comprehensive protection for web applications. The default configuration adds eight AWS WAF rules to the solution’s web ACL. You can manually modify the web ACL to add further rules, but note that there is a 10-rule limit for individual web ACLs.

IP Match Conditions

AWS WAF can block a maximum of 10,000 IP address ranges (in CIDR notation) per IP match condition. Each list that this solution creates is subject to this limit. The whitelist and blacklist sets (manual IP lists component) are separate lists, each with a 10,000 IP address limit. The third-party IP block list (IP list parsing component) uses two IP match conditions to offer a combined limit of 20,000 IP addresses. See Limits in the AWS WAF Developer Guide for more information.
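The following Python pre-flight check is an added example, not code from the solution itself: it normalizes a block list into CIDR entries and splits it across the two IP match conditions the IP list parsing component uses, so that entries beyond the 10,000-per-condition limit are reported rather than silently lost. The constant and function names are assumptions for illustration.

```python
# Added example, not part of the AWS WAF Security Automations solution itself:
# a pre-flight check for the 10,000-range limit per IP match condition, and
# for splitting a third-party block list across the two conditions the
# IP list parsing component uses (20,000 combined).
import ipaddress

MAX_PER_IP_SET = 10_000  # AWS WAF limit per IP match condition


def normalize_cidrs(entries):
    """Parse raw entries (IPs or CIDRs) into canonical, de-duplicated CIDRs.

    Returns (valid, rejected); unparsable entries are reported, not dropped silently.
    """
    seen, valid, rejected = set(), [], []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):  # blank or comment line in a vendor list
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)  # 10.0.0.9/24 -> 10.0.0.0/24
        except ValueError:
            rejected.append(text)
            continue
        cidr = net.with_prefixlen  # bare hosts become /32 (or /128)
        if cidr not in seen:
            seen.add(cidr)
            valid.append(cidr)
    return valid, rejected


def partition_for_ip_sets(cidrs, sets=2, limit=MAX_PER_IP_SET):
    """Split cidrs across `sets` conditions of at most `limit` entries each.

    Returns (chunks, overflow); overflow is what no longer fits and needs trimming.
    """
    chunks = [cidrs[i * limit:(i + 1) * limit] for i in range(sets)]
    return chunks, cidrs[sets * limit:]


if __name__ == "__main__":
    # Constructed sample block list (documentation prefixes, not real indicators).
    sample = ["203.0.113.0/24", "203.0.113.7", "203.0.113.0/24", "198.51.100.0/24", "192.0.2.1", "# vendor", "bad-entry"]
    ok, bad = normalize_cidrs(sample)
    chunks, extra = partition_for_ip_sets(ok, sets=2, limit=1)  # tiny limit to exercise overflow
    print(f"valid={ok} rejected={bad}")
    print(f"condition sizes={[len(c) for c in chunks]} overflow={extra}")
```

In production the `limit` default is the 10,000-range quota above, and a non-empty `overflow` means the list must be aggregated or trimmed before it is applied.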

AWS Regions and Multiple Deployments

Customers can deploy the AWS WAF Security Automations solution in any AWS Region that supports AWS Lambda and the Amazon API Gateway. For the most current AWS Lambda availability by region, see AWS service offerings by region. Once deployed, customers can associate the solution’s web ACL with Amazon CloudFront distributions or Application Load Balancers in any AWS Region of their account. At the time of publication, this does not include AWS GovCloud (US) or the China (Beijing) Region.

Customers can deploy the AWS WAF Security Automations solution in different AWS Regions, or deploy it multiple times in the same AWS Region. If you plan to configure multiple instances of the solution in the same region, you must use a unique AWS CloudFormation stack name and Amazon S3 bucket name for each deployment.

Note that each unique deployment will incur the costs described in the Cost section.