Web Application Firewall (WAF)

Question

Hi. I've designed an architecture diagram for an application that has 7 EC2 instances. Each of those EC2s has an application load balancer (ALB) sending traffic. At the level of each ALB, I have a WAF. 
So the question is: should the WAF be put at the level of the EC2 or at the level of the ALB? And does it make any difference whether it's a web server or API server?
Thank you.

Accepted Answer

**Q**. Should the WAF be put at the level of the EC2 or at the level of the ALB?

A. See below from [FAQ](https://aws.amazon.com/waf/faqs/), as you already have, WAF is deployed at the ALB layer not EC2.

What services does AWS WAF support?

AWS WAF can be deployed on Amazon **CloudFront**, the Application Load Balancer (**ALB**), Amazon **API Gateway**, and AWS AppSync. As part of Amazon CloudFront it can be part of your Content Distribution Network (CDN) protecting your resources and content at the Edge locations. As part of the Application Load Balancer it can protect your origin web servers running behind the ALBs. As part of Amazon API Gateway, it can help secure and protect your REST APIs. As part of AWS AppSync, it can help secure and protect your GraphQL APIs.

Web Application Firewall (WAF)

関連するコンテンツ