AWS Solutions Architect · Lesson

WAF, Shield, and Network Firewall

Block OWASP top-10 attacks with AWS WAF, protect against DDoS with Shield Standard and Advanced, and deploy a stateful Network Firewall in your VPC.

Network Security Defence in Depth

Protecting your applications from network-based attacks requires multiple layers of defence, and AWS provides three complementary services for it. AWS WAF (Web Application Firewall) inspects layer-7 HTTP/HTTPS requests against rules and blocks application-layer attacks such as SQL injection and cross-site scripting. AWS Shield defends against DDoS (Distributed Denial of Service): Shield Standard absorbs the common layer 3/4 floods automatically and at no charge, while Shield Advanced adds layer-7 protection (through WAF), DDoS cost protection and access to the Shield Response Team. AWS Network Firewall is a managed firewall deployed into your VPC, with a stateless engine for fast 5-tuple filtering and a stateful engine (Suricata-compatible rules) for deeper inspection of traffic between subnets, to the internet and to on-premises networks. Each addresses a different threat vector, so they are normally deployed together.

# Layer coverage:
# Network Firewall: Layer 3-7 VPC traffic (stateful)
# Shield Standard: Layer 3-4 DDoS (automatic, free)
# Shield Advanced: Layer 3-7 DDoS + response team
# WAF: Layer 7 HTTP/HTTPS (application attacks)

# Typical deployment:
# Internet -> CloudFront+WAF -> ALB+WAF -> EC2/ECS
# Network Firewall in VPC for egress/lateral inspection
# Shield Standard protects all traffic automatically; Shield Advanced is a subscription applied to chosen resources

AWS WAF: Web Application Firewall

AWS WAF filters HTTP/HTTPS requests against rules you define. It integrates with CloudFront, Application Load Balancer, API Gateway, AppSync, Cognito user pools, App Runner and Verified Access. Rules can match on IP sets (block or allow specific addresses or CIDR ranges), geo-match (the country a request originates from), rate-based statements (block a source IP once it exceeds a request count within the evaluation window, a simple flood control), managed rule groups (pre-built rule sets from AWS and Marketplace sellers: the Core rule set for OWASP Top 10 categories, Known bad inputs, the Amazon IP reputation and Anonymous IP lists, Bot Control, SQL database, and more), and custom rules that match on any HTTP component (headers, URI path, query string, body, cookies), with text transformations applied before matching. Rules live in a Web ACL, which is evaluated in ascending priority order until a rule with a terminating action (Allow or Block) matches; a Count action only records the match and evaluation continues, and if nothing terminates the Web ACL's default action applies. One Web ACL can be associated with several resources. There are two scopes: CLOUDFRONT Web ACLs are global and must be created in us-east-1, while REGIONAL ones live in the region of the resource they protect.

# Create WAF Web ACL.
# CLOUDFRONT scope is global and must be created in us-east-1; for ALB, API Gateway
# and other regional resources use --scope REGIONAL and the resource's own region.
# --default-action Allow={} means any request no rule blocks is allowed, so the
# managed rule group is doing all of the blocking here.
# OverrideAction None keeps the group's own Block actions; {"Count": {}} instead
# would put the whole group into audit mode while you tune false positives.
aws wafv2 create-web-acl \
  --name 'prod-web-acl' \
  --scope CLOUDFRONT \
  --region us-east-1 \
  --default-action Allow={} \
  --rules '[{
    "Name": "AWSManagedRulesCommonRuleSet",
    "Priority": 1,
    "OverrideAction": {"None": {}},
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet"
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "CommonRuleSet"
    }
  }]' \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=web-acl-metrics

# The Web ACL enforces nothing until it is associated with a resource:
# for CloudFront, set the ARN returned above as WebACLId in the distribution
# config; for regional resources run
#   aws wafv2 associate-web-acl --web-acl-arn <acl-arn> --resource-arn <alb-or-api-arn>
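The rule types described above, combined in one Web ACL, as an added example written for this lesson rather than code from the lesson or from AWS: it builds a rule list in the JSON shape that `aws wafv2 create-web-acl --rules file://rules.json` consumes, checks it for the mistakes the API rejects (duplicate priorities, Action versus OverrideAction), and walks constructed requests through it in the order WAF evaluates them, so the first-terminating-rule behaviour is visible. Assumptions: the IP set ARN is a placeholder, the country code is only an example, the blocked-IP set is passed in as a Python set in place of the real IP set, the rate-based rule is approximated with a per-request sliding window (real WAF updates its counts periodically), and the managed rule group is treated as opaque because its logic is not public.

```python
"""Build, validate and locally walk through a WAFv2 Web ACL rule list.
Illustrative code for this lesson; not an AWS library and not the lesson's script."""
import json
from collections import defaultdict, deque

# Placeholder ARN (assumption): an IP set created with `aws wafv2 create-ip-set`.
BLOCKED_IPSET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:global/ipset/"
                     "blocked-ips/00000000-0000-0000-0000-000000000000")
RATE_LIMIT, RATE_WINDOW_SEC = 1000, 300   # requests per source IP per window


def _vis(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def build_rules():
    """Rules in evaluation order: cheap explicit blocks first, managed group last.
    Managed rule groups take OverrideAction; every other rule takes Action."""
    return [
        {"Name": "BlockListedIPs", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": BLOCKED_IPSET_ARN}},
         "VisibilityConfig": _vis("BlockListedIPs")},
        {"Name": "GeoBlock", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP"]}},  # example only
         "VisibilityConfig": _vis("GeoBlock")},
        {"Name": "RateLimitPerIP", "Priority": 2,
         "Action": {"Block": {"CustomResponse": {"ResponseCode": 429}}},
         "Statement": {"RateBasedStatement": {
             "Limit": RATE_LIMIT, "AggregateKeyType": "IP",
             "EvaluationWindowSec": RATE_WINDOW_SEC}},
         "VisibilityConfig": _vis("RateLimitPerIP")},
        {"Name": "AWSManagedRulesCommonRuleSet", "Priority": 3,
         "OverrideAction": {"None": {}},   # keep the group's own Block actions...
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
             # ...except one noisy rule, downgraded to Count while tuning.
             "RuleActionOverrides": [{"Name": "SizeRestrictions_BODY",
                                      "ActionToUse": {"Count": {}}}]}},
         "VisibilityConfig": _vis("CommonRuleSet")},
    ]


def validate(rules):
    """Return the problems the WAFv2 API would reject (empty list means OK)."""
    problems, seen_prio, seen_name = [], set(), set()
    for r in rules:
        if r["Priority"] in seen_prio:
            problems.append(f"{r['Name']}: duplicate Priority {r['Priority']}")
        if r["Name"] in seen_name:
            problems.append(f"{r['Name']}: duplicate Name")
        seen_prio.add(r["Priority"])
        seen_name.add(r["Name"])
        managed = "ManagedRuleGroupStatement" in r["Statement"]
        if managed != ("OverrideAction" in r) or managed == ("Action" in r):
            problems.append(f"{r['Name']}: managed groups take OverrideAction, "
                            "all other rules take Action, never both")
        if "VisibilityConfig" not in r:
            problems.append(f"{r['Name']}: VisibilityConfig is required")
    return problems


class WebAclSimulator:
    """Local stand-in for WAF evaluation. Managed groups are opaque and are
    treated as no-match; the rate rule is a simplified sliding window."""

    def __init__(self, rules, blocked_ips, default_action="Allow"):
        self.rules = sorted(rules, key=lambda r: r["Priority"])
        self.blocked_ips, self.default = set(blocked_ips), default_action
        self.window = defaultdict(deque)   # source IP -> recent request timestamps

    def _matches(self, rule, ip, country, ts):
        s = rule["Statement"]
        if "IPSetReferenceStatement" in s:
            return ip in self.blocked_ips
        if "GeoMatchStatement" in s:
            return country in s["GeoMatchStatement"]["CountryCodes"]
        if "RateBasedStatement" in s:
            rb, q = s["RateBasedStatement"], self.window[ip]
            q.append(ts)
            while q and q[0] <= ts - rb["EvaluationWindowSec"]:
                q.popleft()                 # drop requests outside the window
            return len(q) > rb["Limit"]
        return False   # ManagedRuleGroupStatement: cannot be evaluated locally

    def evaluate(self, ip, country, ts=0):
        """Return (action, rule_name): first terminating match wins, Count does not terminate."""
        for rule in self.rules:
            if not self._matches(rule, ip, country, ts):
                continue
            action = next(iter(rule.get("Action", {})), None)
            if action in ("Allow", "Block"):
                return action, rule["Name"]
        return self.default, "default-action"


if __name__ == "__main__":
    rules = build_rules()
    assert validate(rules) == []
    print(json.dumps(rules, indent=2))     # save as rules.json for --rules file://rules.json
    sim = WebAclSimulator(rules, blocked_ips={"203.0.113.7"})   # constructed sample data
    print(sim.evaluate("203.0.113.7", "US"), sim.evaluate("198.51.100.9", "KP"))
```

Running the module prints the rule list ready for `--rules file://rules.json`; the priority check matters because WAF rejects duplicate priorities, and the Action/OverrideAction check catches the most common hand-written JSON error. The simulator is only for reasoning about ordering: a request from a listed IP is blocked by the IP set rule before the geo or rate rules ever run, and a flood from one IP is allowed up to the limit and blocked afterwards until the window slides past.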
