How AWS WAF works - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

How AWS WAF works

You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (ACL) and then associating it with one or more web application resources that you want to protect.

AWS WAF components

The following are the central components of AWS WAF:

  • Web ACLs – You use a web access control list (ACL) to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the web ACL that indicates whether to block or allow through any requests that the rules haven't already blocked or allowed.

  • Rules – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run bot controls against them that use CAPTCHA puzzles or silent client browser challenges.

  • Rules groups – You can use rules individually or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups.

AWS WAF Web ACL capacity units (WCU)

AWS WAF uses web ACL capacity units (WCU) to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs. AWS WAF enforces WCU limits when you configure your rule groups and web ACLs. WCUs don't affect how AWS WAF inspects web traffic.

AWS WAF calculates capacity differently for each rule type, to reflect each rule's relative cost. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. For example, a size constraint rule statement uses fewer WCUs than a statement that inspects against a regex pattern set.

AWS WAF manages capacity for rules, rule groups, and web ACLs:

  • Rule capacity – AWS WAF calculates rule capacity when you create or update a rule. For some basic guidelines for rule capacity requirements, see the listings for the various rule statements at AWS WAF rule statements. You can also get an idea of the capacity required for the various rule types in the AWS WAF console by creating a web ACL or rule group and adding individual rules to it. The console displays the capacity units used as you add the rules.

  • Rule group capacity – AWS WAF requires that each rule group is assigned an immutable capacity at creation. This is true for managed rule groups and rule groups that you create through AWS WAF. When you modify a rule group, your changes must keep the rule group's WCU within its capacity. This ensures that web ACLs that are using the rule group remain within their maximum capacity.

  • Web ACL capacity – The maximum capacity for a web ACL is 1,500, which is sufficient for most use cases. If you need more capacity, contact the AWS Support Center.

Resources that you can protect with AWS WAF

You can use an AWS WAF web ACL to protect global or regional resource types. You do this by associating the web ACL with the resources that you want to protect.

Amazon CloudFront distribution

You can associate an AWS WAF web ACL with a CloudFront distribution using the AWS WAF console or APIs. You can also associate a web ACL with a CloudFront distribution when you create or update the distribution itself. To configure an association in AWS CloudFormation, you must use the CloudFront distribution configuration. For information about Amazon CloudFront, see Using AWS WAF to Control Access to Your Content in the Amazon CloudFront Developer Guide.

AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets. Some interfaces offer a region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".

Regional resources

You can protect regional resources in all Regions where AWS WAF is available. You can see the list at AWS WAF endpoints and quotas in the Amazon Web Services General Reference.

You can use AWS WAF to protect the following regional resource types:

  • Amazon API Gateway REST API

  • Application Load Balancer

  • AWS AppSync GraphQL API

  • Amazon Cognito user pool

You can only associate a web ACL to an Application Load Balancer that's within AWS Regions. For example, you cannot associate a web ACL to an Application Load Balancer that's on AWS Outposts.

Restrictions on multiple resource associations

You can associate a single web ACL with one or more AWS resources, with the following restrictions:

  • You can associate each AWS resource with only one web ACL. The relationship between web ACL and AWS resources is one-to-many.

  • You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other AWS resource type.