AWS WAF is a web application firewall that protects web applications by letting you configure rules that allow, block, or monitor (count) web requests based on conditions you define.
AWS WAF helps protect against common attack techniques such as SQL injection and cross-site scripting (XSS).
Conditions can be based on IP addresses, HTTP headers, the HTTP body, and URI strings.
AWS WAF integrates tightly with Amazon CloudFront and the Application Load Balancer (ALB), the services used to deliver content for websites and applications.
AWS WAF with Amazon CloudFront: the WAF rules run at all AWS edge locations, located around the world close to the end users, so blocked requests are stopped before they reach the web servers. Because CloudFront supports custom origins, this also protects origins hosted outside AWS. A web ACL for CloudFront is a global resource and is created in us-east-1.
AWS WAF with Application Load Balancer: the WAF rules run in the region of the load balancer and can protect internet-facing as well as internal load balancers.
AWS WAF with Amazon API Gateway: can protect REST APIs; the web ACL is a regional resource associated with an API stage.
AWS WAF inspects web requests transmitted over HTTP or HTTPS. HTTPS traffic is inspected after TLS is terminated at CloudFront or the load balancer, and only a bounded prefix of the request body (8 KB for an ALB) is inspected, so body and size rules should be written with that limit in mind.
AWS WAF provides Managed Rules: pre-configured rule groups that protect applications against common threats such as the OWASP Top 10 vulnerability categories, bots, and known Common Vulnerabilities and Exposures (CVEs).
AWS WAF supports the following behaviors: allow all requests except the ones specified, block all requests except the ones specified, and count the requests that match the specified properties.
Conditions: malicious script (cross-site scripting, XSS), IP addresses, malicious SQL (SQL injection), and strings that appear in the request.
Rules: a rule is a combination of conditions joined with AND, i.e. the rule matches only when every one of its conditions matches.
Web ACLs: a combination of rules evaluated in order. When a web request matches all of the conditions in a rule, WAF immediately takes the rule's action, allow or block, and does not evaluate the request against the remaining rules in the web ACL, if any. A rule whose action is count records the match and evaluation continues, so rule order matters.
The web ACL contains a default action, which determines whether WAF allows or blocks a request that does not match all of the conditions in any of the rules.
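The following is an added example, not AWS code or code from the original notes: a small Python model of the web ACL evaluation described above (conditions ANDed inside a rule, rules checked in order, first allow/block match is final, count matches are recorded and evaluation continues, default action otherwise). The rule names, IP ranges, SQLi/XSS patterns and sample requests are all constructed for illustration; real AWS WAF match logic is far more elaborate.

```python
"""Toy model of AWS WAF web ACL evaluation (added example, not AWS code).
Rule names, CIDRs, signatures and requests below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"


@dataclass
class Request:
    src_ip: str
    method: str
    uri: str
    headers: dict
    body: str = ""

    def __post_init__(self):
        # header names are case-insensitive, normalise once
        self.headers = {k.lower(): v for k, v in self.headers.items()}


# Conditions are callables Request -> bool, one per WAF condition type.
def ip_in(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in nets)


def uri_matches(pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r.uri) is not None


def body_longer_than(max_bytes):
    # size constraint (AWS WAF itself only inspects a bounded prefix of the body)
    return lambda r: len(r.body.encode()) > max_bytes


# Crude stand-ins for the SQLi / XSS match conditions. unquote() plays the
# role of the URL_DECODE text transformation: without it "%27%20or%20" evades.
_SQLI = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b)")
_XSS = re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")


def sqli_like():
    return lambda r: bool(_SQLI.search(unquote(r.uri)) or _SQLI.search(unquote(r.body)))


def xss_like():
    return lambda r: bool(_XSS.search(unquote(r.uri)) or _XSS.search(unquote(r.body)))


@dataclass
class Rule:
    name: str
    action: str
    conditions: list

    def matches(self, req):
        # a rule matches only when every condition matches (logical AND)
        return all(cond(req) for cond in self.conditions)


@dataclass
class WebACL:
    default_action: str
    rules: list

    def evaluate(self, req):
        """Return (final_action, terminating_rule_or_None, counted_rule_names)."""
        counted = []
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action == COUNT:
                counted.append(rule.name)  # recorded, evaluation continues
                continue
            return rule.action, rule.name, counted  # first ALLOW/BLOCK is final
        return self.default_action, None, counted


# Constructed web ACL. Order matters: the office ALLOW rule must come before
# the /admin BLOCK rule, otherwise the office is locked out too.
ACL = WebACL(default_action=ALLOW, rules=[
    Rule("office-admin-allow", ALLOW, [ip_in(["203.0.113.0/24"]), uri_matches(r"^/admin")]),
    Rule("admin-block", BLOCK, [uri_matches(r"^/admin")]),
    Rule("sqli-block", BLOCK, [sqli_like()]),
    Rule("xss-count", COUNT, [xss_like()]),
    Rule("oversized-body-block", BLOCK, [body_longer_than(8192)]),
])

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "office_admin": Request("203.0.113.7", "GET", "/admin/users", {"Host": "app.example"}),
    "outside_admin": Request("198.51.100.9", "GET", "/admin/users", {"Host": "app.example"}),
    "sqli_plain": Request("198.51.100.9", "GET", "/search?q=1' or '1'='1", {}),
    "sqli_encoded": Request("198.51.100.9", "GET", "/search?q=1%27%20or%20%271%27%3D%271", {}),
    "xss_probe": Request("198.51.100.9", "GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", {}),
    "big_post": Request("198.51.100.9", "POST", "/upload", {"Content-Type": "text/plain"}, "A" * 9000),
    "normal": Request("198.51.100.9", "GET", "/index.html", {"Host": "app.example"}),
}


def evaluate_sample(name):
    return ACL.evaluate(SAMPLES[name])


if __name__ == "__main__":
    for name in SAMPLES:
        action, rule, counted = evaluate_sample(name)
        print(f"{name:14} -> {action:5} rule={rule} counted={counted}")
```

Two things the run makes visible that the notes only state: the XSS probe ends up allowed by the default action because its only matching rule is in count mode, and the URL-encoded SQL injection is caught only because the condition decodes the URI first, which is what WAF's text transformations are for.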
Additional protection against web attacks using conditions that you specify
Conditions can be defined by using characteristics of web requests such as the following:
IP addresses that the requests originate from
Values in request headers
Strings that appear in the requests
Length of requests
Presence of SQL code that is likely to be malicious (this is known as SQL injection)
Presence of a script that is likely to be malicious (this is known as cross-site scripting)
Managed Rules to get you started quickly
Rules that you can reuse for multiple web applications
Real-time metrics and sampled web requests
Automated administration using the WAF API
In the "WAF sandwich" pattern, EC2 instances running third-party WAF software (not AWS WAF) are placed in an Auto Scaling group between two ELB load balancers: a public-facing load balancer in front distributes all incoming traffic to the WAF instances, and an internal load balancer behind them forwards only the filtered traffic to the application servers.
Not recommended now: AWS WAF on CloudFront or an Application Load Balancer covers this use case without the extra instances and load balancers to operate and patch.