AWS Network Firewall to protect against DDoS layer 7 attacks


Hello, We have a public API (many of them) and I am looking into how we can protect against large scale layer 7 DDoS type attacks, for example an HTTP GET. The proposed architecture that we have come up with involves asynchronously detecting bad IP addresses based on signals (web server logs), and blocking by IP at network level (OSI layer 3). We want to block at network level as it’s likely to be much more performant and cost effective than attempting to do it at application/compute level.

We already have AWS Shield Advanced.

We have identified the AWS Network Firewall as a possible place to enforce the blocking of these bad IPs. However, I have a question about the scale at which the AWS Network Firewall can block bad IP addresses. In the FAQ it says:

Q: Can I use AWS Network Firewall for protection against DDoS attacks?

AWS Network Firewall is designed to protect and control access to and from your VPC, but not to mitigate volumetric attacks, like distributed denial of service (DDoS), that can impact the availability of your application. To protect against DDoS attacks and ensure application availability, we recommend customers review and adhere to our AWS Best Practices for DDoS Resiliency, and also explore AWS Shield Advanced, which offers managed DDoS protection customized to your specific application traffic.

My question is this: is this recommendation based on the AWS Network Firewall's inability to apply rules (i.e. block by IP address) at a large scale, or is this specifically about volumetric attacks?

To clear some things up:

  • We have AWS Shield Advanced - so I expect that we have most volumetric type attacks covered
  • The DDoS attacks we are trying to protect against are mostly layer 7 targeted (e.g. HTTP GET index.html)
  • Ability to detect bad IP addresses based on signals is out of scope; assume we have a 3rd party OTT product that can detect bad IPs from our web server logs and apply custom rules managed by us
  • We cannot use Cloudflare/Fastly etc.
  • Scale of layer 7 DDoS that we are likely to want to protect against: ~10k source IP addresses each doing around 1k HTTP requests per second (total ~10M HTTP requests p/s) - typically any IP doing over 1k requests per second would be a strong signal and we would likely want to block that IP for some time. Sorry, I don’t know how to translate the volume of HTTP layer 7 requests into volume of layer 3 packets; I can only comprehend it in HTTP requests per second.
3 Answers


For layer-7 protection for an API the recommended service is Web Application Firewall; WAF protection is improved when integrated with Shield Advanced.

For using WAF (L7) with Shield Standard (L3-4) I would suggest you check the WAF Security Automations solution, which, using WAF and integrating other serverless technologies, has bot protection, HTTP-flood prevention and easy use of block/allow IP lists. Deployment is straightforward following the deployment guide and using CloudFormation.

To read about Shield Advanced (L7 plus other features) protections with WAF you can look at this page.

Adding to my response: There are several layers of protection you can use. Network Firewall is not designed for large DDoS, as AWS Shield Advanced is the pre-existing service for this purpose and has other important benefits such as the incident response team. Customers can take advantage of Shield Advanced even when choosing other firewall or perimeter protection solutions from recognized security partners.

AWS
answered a year ago

Its primary purpose is not to mitigate large-scale DDoS attacks, especially volumetric attacks that can impact the availability of your application. AWS Network Firewall is designed to provide fine-grained control over network traffic, and it can be used to block specific IP addresses.

For Layer 7 DDoS protection, you can consider a combination of AWS Shield Advanced and AWS WAF (Web Application Firewall). AWS Shield Advanced provides DDoS protection at the network and transport layers (Layers 3 and 4). AWS WAF, on the other hand, offers Layer 7 protection by allowing you to create custom web access control rules based on various parameters such as IP addresses, HTTP headers, query strings, etc.

answered a year ago
  • Hello, I appreciate your answer, however I don’t think it answers the question being asked. My question is specifically around the recommendation from the FAQ.


The answer is that while you can use Amazon Network Firewall (ANF) for IP blocking, be aware that it does have a per-AZ maximum capacity.

We would recommend using AWS WAF with one of the services it integrates with for this purpose, however you may have requirements that do not lend themselves to using AWS WAF, such as TLS termination.

I see you have Shield Advanced and your main worry is layer 7 attacks - I would recommend that instead of using Network Firewall you instead place Global Accelerator in front of the endpoints and protect AGA with a Shield Advanced custom mitigation that blocks traffic from our "Layer 7 known offenders" list (which is the same list that the AWS WAF IPDDosList is sourced from). To inquire about working with SRT to build custom mitigations, create a support case under AWS Shield.

If you have reasons for instead using ANF, you can still contact SRT to discuss a custom mitigation appropriate for your use-case.

answered 3 months ago
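As an added illustration of the detect-then-block architecture the question describes (offline rate analysis of web server logs producing an IP block list that a Network Firewall IP set, a WAF IP set, or a Shield custom mitigation would then consume), here is a constructed Python example. It is not code from this thread or from AWS. It assumes combined-format access logs, uses RFC 5737 documentation addresses as constructed sample data, applies the thread's "over 1k requests per second" heuristic, and stops at producing the list with an expiry; pushing the list into an AWS service and the per-AZ capacity limits the last answer mentions are outside what it shows.

```python
"""Rate-based detection of abusive source IPs from web server access logs.

Constructed example for the re:Post thread above (not code from the thread
or from AWS). Parses combined-format log lines, counts HTTP requests per
source IP per one-second window, and returns the IPs whose peak rate
exceeds a threshold, each with a block-expiry time so the block is
temporary rather than permanent.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/NGINX "combined" format: ip ident user [ts] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, aware datetime) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts


def count_per_ip_second(lines):
    """Map source IP -> {epoch_second: request_count}; unparseable lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        counts[ip][int(ts.timestamp())] += 1
    return counts


def find_offenders(lines, threshold_rps=1000, block_minutes=30):
    """Return {ip: (peak_rps, block_until)} for IPs exceeding threshold_rps in any second.

    The threshold defaults to the ~1k req/s signal from the question; block_until
    is the offending second plus block_minutes, i.e. "block that IP for some time".
    """
    offenders = {}
    for ip, per_sec in count_per_ip_second(lines).items():
        peak_sec, peak = max(per_sec.items(), key=lambda kv: kv[1])
        if peak > threshold_rps:
            until = datetime.fromtimestamp(peak_sec, tz=timezone.utc) + timedelta(minutes=block_minutes)
            offenders[ip] = (peak, until)
    return offenders


def active_blocks(offenders, now=None):
    """Drop entries whose block has expired, so the list shrinks again after the attack."""
    now = now or datetime.now(timezone.utc)
    return {ip: v for ip, v in offenders.items() if v[1] > now}


def to_cidr_list(offenders):
    """Format as /32 entries, the shape IP-set style rule sources expect."""
    return sorted(f"{ip}/32" for ip in offenders)


def constructed_sample(attacker="203.0.113.10", benign="198.51.100.7"):
    """Constructed log data: one source doing 1200 GETs in a single second, one doing 50."""
    stamp = "10/Oct/2023:13:55:36 +0000"

    def line(ip, path):
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

    lines = [line(attacker, "/index.html") for _ in range(1200)]
    lines += [line(benign, "/api/health") for _ in range(50)]
    lines.append("garbage line that does not parse")  # exercised the skip path
    return lines


if __name__ == "__main__":
    found = find_offenders(constructed_sample())
    for ip, (peak, until) in found.items():
        print(f"{ip}: peak {peak} req/s, block until {until.isoformat()}")
    print("block list:", to_cidr_list(found))
```

Per-second buckets are deliberately simple: at the 10M req/s scale in the question the raw logs would be sampled or pre-aggregated upstream, and the threshold would be tuned per endpoint so that a legitimately busy client behind a NAT is not swept up. The expiry step matters for the capacity point raised in the answer above: an IP set that only ever grows will eventually hit whatever the enforcement point's limit is.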
