Tutorial: Implementing a DDoS-resistant website using AWS services - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced



This is AWS WAF Classic documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your resources, see Migrating your AWS WAF Classic resources to AWS WAF.

For the latest version of AWS WAF, see AWS WAF.

This tutorial provides step-by-step instructions for setting up a website that is resistant to distributed denial of service (DDoS) attacks. A DDoS attack can flood your website with traffic, prevent legitimate users from accessing the site, and even cause your site to crash due to the overwhelming traffic volume.


This tutorial shows you how to use several AWS services together to build a resilient, highly secure website. For example, you learn how to do the following:

  • Use load balancers and edge servers, which distribute traffic to multiple instances across regions and zones and help to protect your instances from SSL-based attacks

  • Mitigate infrastructure (layer 3 and layer 4) DDoS attacks with techniques like overprovisioning your capacity

  • Use a web application firewall to monitor HTTP and HTTPS requests and control access to your content

The tutorial shows how to integrate AWS services such as Amazon EC2, Elastic Load Balancing, CloudFront, Route 53, and AWS WAF Classic. Although the tutorial is designed as an end-to-end solution, you don’t have to complete every step if you’re already using some of those AWS services. For example, if you’ve already registered your website domain with Route 53 and are using Route 53 as your DNS service, you can skip those steps.

The tutorial is intended to help you launch each AWS service quickly. For that reason, it doesn't cover all possible options. For detailed information about each service, see AWS Documentation. For many of the steps, this tutorial provides specific values to enter. Generally, you should use those values. However, in certain cases, such as the domain name for your website, use what is appropriate for your needs.

Each main step of the tutorial briefly describes the following:

  • What you are doing

  • Why you are doing it (that is, how it contributes to your DDoS protection)

  • How to do it


You are responsible for the cost of the AWS services implemented in this tutorial. For full details, see the pricing webpage for each AWS service that you use in this solution. You can find links to each service on the Cloud Products page.


The following diagram shows the architecture deployed in this tutorial.


To get started, go to Prerequisites.