Regional API Gateway and WAF
Hi Team, For CF + WAF, traffic is hitting CF before reach WAF, such that certain header info. is modified by CF (e.g. X-Forwarded-For). My customer would like to understand the behavior when using regional api + waf, does traffic hitting WAF first before API GW or vice versa. My understanding is that traffic is hitting WAF first as traffic blocked by WAF will not count toward API GW consumption.
Can I also assume that WAF is in in pass-through mode which will not modify any of the traffic header? Is that correct?
- Newest
- Most votes
- Most comments
When you enable WAF on a resource (CloudFront, API Gateway or ALB) the endpoint does not change. This means that WAF does not front those services but rather that they invoke WAF as the first step, if so configured. You can see see this also in the WAF FAQ:
"2. How does AWS WAF block or allow traffic?
As the underlying service receives requests for your web sites, it forwards those requests to AWS WAF for inspection against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service to either block or allow the request based on the action you define."
Because of that, WAF doesn't modify the original request. It just return to the service an indication if to allow or reject the request.
Relevant content
- asked 4 years ago
- asked 2 years ago
- asked 2 years ago
- asked 2 years ago
AWS OFFICIALUpdated 4 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
