AWS WAF Classic

Warning

AWS WAF Classic support will end on September 30, 2025.

Note

This is AWS WAF Classic documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see Migrating your AWS WAF Classic resources to AWS WAF.

For the latest version of AWS WAF, see AWS WAF.

AWS WAF Classic is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API, Amazon CloudFront or an Application Load Balancer. AWS WAF Classic also lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, API Gateway, CloudFront or an Application Load Balancer responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You also can configure CloudFront to return a custom error page when a request is blocked.

Topics

• Setting up AWS WAF Classic
• How AWS WAF Classic works
• AWS WAF Classic pricing
• Getting started with AWS WAF Classic
• Creating and configuring a Web Access Control List (Web ACL)
• Working with AWS WAF Classic rule groups for use with AWS Firewall Manager
• Getting started with AWS Firewall Manager to enable AWS WAF Classic rules
• Tutorial: Creating a AWS Firewall Managerpolicy with hierarchical rules
• Logging Web ACL traffic information
• Listing IP addresses blocked by rate-based rules
• How AWS WAF Classic works with Amazon CloudFront features
• Security in AWS WAF Classic
• AWS WAF Classic quotas