Why migrate to AWS WAF? - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Why migrate to AWS WAF?

The latest version of AWS WAF provides many improvements over the prior version, while maintaining most of the concepts and terminology that you're accustomed to.

The following list describes the major changes in the latest AWS WAF. Before you continue with your migration, please take some time to review this list and to familiarize yourself with the rest of the AWS WAF guide.

  • AWS Managed Rules for AWS WAF – The rule groups now available through AWS Managed Rules provide protection against common web threats. Most of these rule groups are included free of charge with AWS WAF. For more information, see AWS Managed Rules rule groups list and the blog post Announcing AWS Managed Rules for AWS WAF.

  • New AWS WAF API – The new API allows you to configure all of your AWS WAF resources using a single set of APIs. To distinguish between regional and global applications, the new API includes a scope setting. For more information about the API, see the AWS WAFV2 Actions and AWS WAFV2 Data Types.

    In the APIs, SDKs, CLIs, and AWS CloudFormation, AWS WAF Classic retains its naming schemes and this latest version of AWS WAF is referred to with an added V2 or v2, depending on the context.

  • Simplified service quotas (limits) – AWS WAF now allows more rules per web ACL and allows you to express longer regex patterns. For more information, see AWS WAF quotas.

  • Web ACL limits are now based on computing needs – Web ACL limits are now based on Web ACL capacity units (WCU). AWS WAF calculates the WCU for a rule according to the operating capacity that's required to run the rule. The WCU of a web ACL is the sum of the WCU of all rules and rule groups in the web ACL.

    For general information about WCU, see How AWS WAF works. For information about each rule's WCU usage, see Rule statements list.

  • Document-based rule writing – You can now write and express rules, rule groups, and web ACLs in JSON format. You no longer need to use individual API calls to create different conditions and then associate the conditions to a rule. This greatly simplifies how you write and maintain your code. You can access a JSON format of your web ACLs through the console when you're viewing the web ACL, by choosing Download web ACL as JSON. When you are creating your own rule, you can access its JSON representation by choosing Rule JSON editor.

  • Rule nesting and full logical operation support – You can write complex combined rules by using logical rule statements and by using nesting. You can create statements such as [A AND NOT(B OR C)]. For more information, see Rule statements list.

  • Variable CIDR range support for IP set – IP set specifications now have more flexibility in the IP ranges. For IPv4, AWS WAF supports /1 to /32. For IPv6, AWS WAF supports /1 to /128. For more information about IP sets, see IP set match rule statement.

  • Chainable text transformations – AWS WAF can perform multiple text transformations against web request content before inspecting it. For more information, see Text transformations.

  • Improved console experience – The new AWS WAF console features a visual rule builder and a more intuitive console design.

  • Expanded options for Firewall Manager AWS WAF policies – In the Firewall Manager management of AWS WAF web ACLs, you can now create a set of rule groups that AWS WAF processes first and a set of rule groups that AWS WAF processes last. After you apply the AWS WAF policy, local account owners can add their own rule groups that AWS WAF processes in between these two sets. For more information about Firewall Manager AWS WAF policies, see AWS WAF policies.

  • AWS CloudFormation support for all rule statement types – AWS WAF in AWS CloudFormation supports all rule statement types that the AWS WAF console and API support. Additionally, you can easily convert the rules that you write in JSON format to YAML format.
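The document-based rule writing, rule nesting, and chainable text transformations described in the list above, shown together in one web ACL rule in the AWS WAF JSON format. This is an added example, not a rule from the AWS documentation: it expresses [A AND NOT(B OR C)], where A is an SQL injection match on the query string evaluated after three chained text transformations, B is a reference to an IP set of trusted scanner addresses, and C is an exact match on a shared-secret request header. The rule name, metric name, header name, IP set ARN, and secret value are assumptions; the ARN and secret are placeholders to replace with your own.

```json
{
  "Name": "BlockSqliUnlessTrustedSource",
  "Priority": 0,
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockSqliUnlessTrustedSource"
  },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "SqliMatchStatement": {
            "FieldToMatch": { "QueryString": {} },
            "TextTransformations": [
              { "Priority": 0, "Type": "URL_DECODE" },
              { "Priority": 1, "Type": "HTML_ENTITY_DECODE" },
              { "Priority": 2, "Type": "LOWERCASE" }
            ]
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "OrStatement": {
                "Statements": [
                  {
                    "IPSetReferenceStatement": {
                      "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/trusted-scanners/PLACEHOLDER-IPSET-ID"
                    }
                  },
                  {
                    "ByteMatchStatement": {
                      "FieldToMatch": { "SingleHeader": { "Name": "x-scanner-token" } },
                      "PositionalConstraint": "EXACTLY",
                      "SearchString": "PLACEHOLDER-SHARED-SECRET",
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                    }
                  }
                ]
              }
            }
          }
        }
      ]
    }
  }
}
```

The transformations run in ascending Priority order before the SQLi inspection, so an encoded payload is decoded and lowercased first; the same JSON can be pasted into the console's Rule JSON editor or converted to YAML for AWS CloudFormation.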