AWS WAF integration design - Guidelines for Implementing AWS WAF

AWS WAF integration design

Depending on your application’s requirements, you must decide where to deploy AWS WAF. As mentioned previously, you can configure AWS WAF on Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync. For all public-facing web applications, AWS recommends deploying AWS WAF with CloudFront for the best security posture, unless you have constraints that require otherwise.

CloudFront can be used for both dynamic and static content. By default, CloudFront blocks non-HTTP(S) traffic and malformed HTTP requests, and provides inline DDoS protection for attacks at network Layers 3 and 4 with sub-second time-to-mitigation. CloudFront employs advanced DDoS protections, such as stateless SYN Flood mitigation and automated traffic engineering systems that can disperse or isolate the impact of large volumetric attacks on the CloudFront Global Edge Network, most effectively when deployed in conjunction with Amazon Route 53. If your application is hosted outside of AWS, CloudFront provides a seamless way to use the AWS global network to stop threats before they reach your data centers.

For applications with an additional level of requirements, you might choose to implement a layered WAF model by using AWS WAF in conjunction with another WAF offering at the origin that serves or load-balances your application.

For example, you might want to inspect responses returned by the origin. In this case, you can use AWS WAF to inspect incoming requests to CloudFront at the edge, and use an appliance-based WAF to inspect incoming requests to and outgoing responses from your origin. Some appliance-based WAFs can, when they detect attack traffic, synthesize rules for AWS WAF and push them into your AWS WAF rule set, if configured appropriately and given an IAM role that allows only the required actions.

Another example is protecting multiple applications on a single domain served by CloudFront. You can use AWS WAF on CloudFront for common IP-based and IP geolocation-based blocking at the edge, and deploy additional AWS WAF capability on each of your Application Load Balancers for application-specific rules.
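The two layered patterns above share one moving part: an IP set referenced by the edge (CloudFront-scope) web ACL that an origin-side appliance or a SOC job updates as it detects attackers. The following is an added example, not code from this guide or from any appliance vendor; it normalizes reported addresses into the CIDR form WAFv2 expects, refuses to block internal ranges, respects the per-set address quota (assumed here as 10,000), and performs the read-modify-write with the LockToken that WAFv2 requires. The IP set name and ID, and the client object, are placeholders (a boto3 `wafv2` client in us-east-1 for CLOUDFRONT scope, or a test double with the same methods).

```python
"""Added example (not from the AWS guide): push attacker IPs reported by an
origin-side WAF appliance into the WAFv2 IP set used by the edge web ACL,
so repeat traffic is dropped at CloudFront before it reaches the origin."""
import ipaddress

# Default WAFv2 quota for addresses in one IP set (assumption: verify your account's quota).
IPSET_MAX_ADDRESSES = 10_000

# Ranges we refuse to block even if a feed reports them: RFC 1918, loopback, IPv6 ULA.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]


def _is_safe_to_block(net):
    # subnet_of() raises on mixed IP versions, hence the version guard
    return not any(net.version == b.version and net.subnet_of(b) for b in NEVER_BLOCK)


def normalize(addresses):
    """De-duplicate and convert to the CIDR form WAFv2 requires ('203.0.113.4/32').
    Junk entries and internal ranges are dropped rather than failing the whole push."""
    keep = set()
    for raw in addresses:
        try:
            net = ipaddress.ip_network(str(raw).strip(), strict=False)
        except ValueError:
            continue  # malformed entry from the feed; skip it
        if _is_safe_to_block(net):
            keep.add(net)
    return [str(n) for n in sorted(keep, key=lambda n: (n.version, n))]


def merge_block_list(existing, reported, limit=IPSET_MAX_ADDRESSES):
    """Merge current IP set contents with newly reported addresses.
    Returns (addresses_to_store, overflow) so callers can alert when the set is full."""
    merged = normalize(list(existing) + list(reported))
    return merged[:limit], merged[limit:]


def push_to_ip_set(client, name, ip_set_id, reported, scope="CLOUDFRONT"):
    """Read-modify-write using the LockToken WAFv2 requires (optimistic locking).
    `client` is a boto3 'wafv2' client (region us-east-1 for CLOUDFRONT scope) or
    any object exposing the same get_ip_set/update_ip_set methods (e.g. a test double)."""
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    addresses, overflow = merge_block_list(current["IPSet"]["Addresses"], reported)
    client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                         Addresses=addresses, LockToken=current["LockToken"])
    return addresses, overflow
```

If `update_ip_set` raises `WAFOptimisticLockException`, another writer changed the set after the read; re-run the read-modify-write rather than retrying with the stale token.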