Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Regional API Gateway and WAF

0

Hi Team, For CF + WAF, traffic is hitting CF before reach WAF, such that certain header info. is modified by CF (e.g. X-Forwarded-For). My customer would like to understand the behavior when using regional api + waf, does traffic hitting WAF first before API GW or vice versa. My understanding is that traffic is hitting WAF first as traffic blocked by WAF will not count toward API GW consumption.

Can I also assume that WAF is in in pass-through mode which will not modify any of the traffic header? Is that correct?

Temas
Seguridad, identidad y cumplimientoSin servidorWeb y móvil front-endRedes y entrega de contenido
Etiquetas
AWS WAFAmazon API Gateway
Idioma
English
AWS
Eric_Lam
preguntada hace 4 años370 visualizaciones
1 Respuesta
1
Respuesta aceptada

When you enable WAF on a resource (CloudFront, API Gateway or ALB) the endpoint does not change. This means that WAF does not front those services but rather that they invoke WAF as the first step, if so configured. You can see see this also in the WAF FAQ:

"2. How does AWS WAF block or allow traffic?

As the underlying service receives requests for your web sites, it forwards those requests to AWS WAF for inspection against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service to either block or allow the request based on the action you define."

Because of that, WAF doesn't modify the original request. It just return to the service an indication if to allow or reject the request.

profile pictureAWS
EXPERTO
Uri
respondido hace 4 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante