Example Shield Advanced use cases - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

You can use Shield Advanced to protect your resources in many types of scenarios. However, in some cases you should use other services or combine other services with Shield Advanced to offer the best protection. Following are examples of how to use Shield Advanced or other AWS services to help protect your resources.

| Goal | Suggested services | Related service documentation |
| --- | --- | --- |
| Protect a web application and RESTful APIs against a DDoS attack | Shield Advanced protecting an Amazon CloudFront distribution and an Application Load Balancer | Elastic Load Balancing documentation, Amazon CloudFront Documentation |
| Protect a TCP-based application against a DDoS attack | Shield Advanced protecting an AWS Global Accelerator standard accelerator; attached to an Elastic IP address | AWS Global Accelerator Documentation, Elastic Load Balancing documentation |
| Protect a UDP-based game server against a DDoS attack | Shield Advanced protecting an Amazon EC2 instance attached to an Elastic IP address | Amazon Elastic Compute Cloud Documentation |

For example, if you use Shield Advanced to protect an Elastic IP address, Shield Advanced protects whatever resource is associated with it. During an attack, Shield Advanced automatically deploys your network ACLs to the border of the AWS network. When your network ACLs are at the border of the network, Shield Advanced can provide protection against larger DDoS events. Typically, network ACLs are applied near your Amazon EC2 instances within your Amazon VPC. The network ACL can mitigate attacks only as large as your Amazon VPC and instance can handle. If the network interface attached to your Amazon EC2 instance can process up to 10 Gbps, volumes over 10 Gbps slow down and possibly block traffic to that instance. During an attack, Shield Advanced promotes your network ACL to the AWS border, which can process multiple terabytes of traffic. Your network ACL is able to provide protection for your resource well beyond your network's typical capacity. For more information about network ACLs, see Network ACLs.
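
Because the promoted network ACL is what filters traffic at the border, it helps to check what it would actually drop. The following Python is an added example, not part of the AWS documentation: it evaluates inbound entries in the shape returned by `aws ec2 describe-network-acls` (ascending rule number, first match wins) for the UDP game server case. The game port 27015, the addresses and the rule set are constructed assumptions, and only IPv4 TCP and UDP are modeled.

```python
import ipaddress

# Constructed sample in the shape of describe-network-acls "Entries".
# Hypothetical game server on UDP 27015; addresses are documentation ranges.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "17", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 27015, "To": 27015}},
    {"RuleNumber": 200, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

PROTO = {"tcp": "6", "udp": "17"}  # IANA protocol numbers, as the API returns them


def _matches(entry, proto, src_ip, dst_port):
    """True if one ACL entry applies to the given IPv4 packet."""
    if entry["Protocol"] not in ("-1", PROTO[proto]):
        return False
    cidr = entry.get("CidrBlock")  # IPv6-only entries carry Ipv6CidrBlock instead
    if cidr is None or ipaddress.ip_address(src_ip) not in ipaddress.ip_network(cidr):
        return False
    ports = entry.get("PortRange")  # absent means every port
    return ports is None or ports["From"] <= dst_port <= ports["To"]


def evaluate_inbound(entries, proto, src_ip, dst_port):
    """Return (action, rule_number) of the first matching inbound rule."""
    inbound = sorted((e for e in entries if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for entry in inbound:
        if _matches(entry, proto, src_ip, dst_port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None  # no rule matched at all


def overly_broad_allows(entries):
    """Rule numbers of inbound allows open to any source, protocol and port."""
    return [e["RuleNumber"] for e in entries
            if not e["Egress"] and e["RuleAction"] == "allow"
            and e["Protocol"] == "-1" and e.get("CidrBlock") == "0.0.0.0/0"]


if __name__ == "__main__":
    for pkt in [("udp", "198.51.100.7", 27015), ("udp", "198.51.100.7", 53),
                ("tcp", "198.51.100.7", 22), ("tcp", "203.0.113.5", 22)]:
        print(pkt, "->", evaluate_inbound(SAMPLE_ENTRIES, *pkt))
    print("allow-all rules:", overly_broad_allows(SAMPLE_ENTRIES))
```

A non-empty result from `overly_broad_allows` means the ACL permits all inbound traffic, so it filters nothing regardless of where it is applied.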