AWS WAF integration design
Depending on your application’s requirements, you must decide where to deploy AWS WAF. As mentioned previously, you can configure AWS WAF on Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync. For all public-facing web applications, AWS recommends deploying AWS WAF with CloudFront for the best security posture, unless you have constraints that require otherwise.
CloudFront can be used for both dynamic
For applications with an additional level of requirements, you might choose to implement a layered WAF model by using AWS WAF in conjunction with another WAF offering at the origin providing or load-balancing your service.
For example, you might want to inspect responses returned by the origin. In this case, you can use AWS WAF to inspect incoming requests to CloudFront at the edge, and use an appliance-based WAF to inspect incoming requests to and outgoing responses from your origin. Some appliance-based WAFs have the ability, when they detect attack traffic, to synthesize rules for AWS WAF and push them into your AWS WAF rule set, if configured appropriately and given an IAM role with the appropriate allowed actions.
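The push step of that appliance-to-AWS WAF flow, as an added example that is not code from this whitepaper or from any particular appliance vendor: it merges appliance-supplied CIDRs into an AWS WAF IP set through boto3's `wafv2` API, using the set's `LockToken` so a concurrent console edit is not silently overwritten. The IP set name, Id and sample CIDRs are constructed placeholders; the role the appliance assumes needs only `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on that IP set's ARN.

```python
"""Merge attacker CIDRs synthesised by an origin-side WAF into an AWS WAF IP set.

Names below ("edge-blocklist", the Id, the sample CIDRs) are constructed placeholders.
"""
import ipaddress
from typing import Iterable

MAX_IPSET_ADDRESSES = 10_000  # hard per-IP-set limit in AWS WAF


def merge_cidrs(existing: Iterable[str], new: Iterable[str]) -> list[str]:
    """Return a sorted, de-duplicated list in the canonical form AWS WAF stores.

    Bare hosts become /32 or /128. Entries with host bits set ("203.0.113.5/24")
    raise ValueError: silently widening an appliance-supplied entry to the
    enclosing network would block more than the appliance decided to block.
    """
    nets = {ipaddress.ip_network(item) for item in list(existing) + list(new)}
    merged = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    if len(merged) > MAX_IPSET_ADDRESSES:
        raise ValueError(f"IP set would exceed {MAX_IPSET_ADDRESSES} addresses")
    return [n.with_prefixlen for n in merged]


def push_blocklist(wafv2, name: str, scope: str, ip_set_id: str, new_cidrs) -> list[str]:
    """Read-modify-write the IP set with its LockToken (optimistic concurrency).

    `wafv2` is a boto3 client for service "wafv2". Scope "CLOUDFRONT" sets must be
    managed from us-east-1; "REGIONAL" sets (for an ALB) from the ALB's region.
    If another writer changed the set after our read, UpdateIPSet is rejected with
    WAFOptimisticLockException instead of overwriting their change.
    """
    current = wafv2.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    addresses = merge_cidrs(current["IPSet"]["Addresses"], new_cidrs)
    if set(addresses) == set(current["IPSet"]["Addresses"]):
        return addresses  # nothing new; avoid a no-op write
    wafv2.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                        Addresses=addresses, LockToken=current["LockToken"])
    return addresses


if __name__ == "__main__":
    import boto3  # only needed for a live run; the helpers above are pure

    client = boto3.client("wafv2", region_name="us-east-1")
    print(push_blocklist(client, "edge-blocklist", "CLOUDFRONT",
                         "00000000-0000-0000-0000-000000000000",
                         ["203.0.113.5", "198.51.100.0/24"]))
```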
Another example is protecting multiple applications on a single domain served by CloudFront. You can use AWS WAF on CloudFront for common IP- and IP geolocation-based blocking at the edge, and deploy additional AWS WAF capability on each of your Application Load Balancers for application-specific rules.