Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Regional API Gateway and WAF

0

Hi Team, For CF + WAF, traffic is hitting CF before reach WAF, such that certain header info. is modified by CF (e.g. X-Forwarded-For). My customer would like to understand the behavior when using regional api + waf, does traffic hitting WAF first before API GW or vice versa. My understanding is that traffic is hitting WAF first as traffic blocked by WAF will not count toward API GW consumption.

Can I also assume that WAF is in in pass-through mode which will not modify any of the traffic header? Is that correct?

Argomenti
Sicurezza, identità e conformitàServerlessFront-end web e dispositivi mobiliNetworking e distribuzione di contenuti
Tag
AWS WAFGateway API di Amazon
Lingua
English
AWS
Eric_Lam
posta 4 anni fa370 visualizzazioni
1 Risposta
1
Risposta accettata

When you enable WAF on a resource (CloudFront, API Gateway or ALB) the endpoint does not change. This means that WAF does not front those services but rather that they invoke WAF as the first step, if so configured. You can see see this also in the WAF FAQ:

"2. How does AWS WAF block or allow traffic?

As the underlying service receives requests for your web sites, it forwards those requests to AWS WAF for inspection against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service to either block or allow the request based on the action you define."

Because of that, WAF doesn't modify the original request. It just return to the service an indication if to allow or reject the request.

profile pictureAWS
ESPERTO
Uri
con risposta 4 anni fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente