Architecture options for WAF-ALB-combinations

0

Hello,

I'm currently working on the implementation of a WAF in front of several ALBs. While the idea of a central WAF for all ALBs seems to be the most common one, I'm wondering whether having one WAF per ALB in a decentralized model could also have some perks, e.g. separate log groups and a better customization of the necessary settings.

Does anyone have experience with the decentralized model or reasons why they went with one of the options instead of the other and could help me with the evaluation of the two models?

1 Answer
0

Most configuration (like logging) is done on a per-ACL basis and not on each resource you associate the ACL to. To adopt your "decentralized" deployment, you would have to create multiple ACLs and reuse rule groups within each ACL. However, this will not buy you more resiliency or performance within a single region, since the service is region-specific. Nor will you get any cost benefits from deploying multiple ACLs; indeed, it will wind up costing you more than deploying a single ACL, as part of the pricing considers the number of ACLs deployed.

I would only consider deploying multiple ACLs with the same rules in the following scenarios:

  • Multi-region coverage for a given multi-region ALB/resource
  • Re-using a managed rule group with different scope-down statements in each ACL
  • Having a different web response and/or default action for the same ACL (even here the added cost might not be worth it, and I would consider putting the web response logic behind WAF/ALB)
AWS
answered 2 years ago
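As an added example (not code from the question or the answer above), this is the centralized model the answer favours, written in Terraform: one regional web ACL that reuses a managed rule group scoped down to a single application's hostname, associated with two ALBs. The resource names, the hostname and the `aws_lb.app_a` / `aws_lb.app_b` references are assumptions for the example.

```hcl
# Centralized model (assumed names): one regional web ACL shared by several ALBs.
resource "aws_wafv2_web_acl" "central" {
  name  = "central-web-acl"
  scope = "REGIONAL" # ALBs are regional; CloudFront distributions need CLOUDFRONT
  default_action {
    allow {}
  }
  # Scope-down: this managed rule group only evaluates requests for app-a's Host header.
  rule {
    name     = "common-rules-app-a"
    priority = 1
    override_action {
      none {} # keep the rule group's own block/count verdicts
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        scope_down_statement {
          byte_match_statement {
            search_string         = "app-a.example.com"
            positional_constraint = "EXACTLY"
            field_to_match {
              single_header { name = "host" }
            }
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rules-app-a"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "central-web-acl"
    sampled_requests_enabled   = true
  }
}
resource "aws_wafv2_web_acl_association" "albs" { # one association per ALB
  for_each     = { app_a = aws_lb.app_a.arn, app_b = aws_lb.app_b.arn }
  resource_arn = each.value
  web_acl_arn  = aws_wafv2_web_acl.central.arn
}
```

Logging is then attached once to the ACL ARN with `aws_wafv2_web_acl_logging_configuration` (a CloudWatch destination's log group name must begin with `aws-waf-logs-`), which is the per-ACL behaviour the answer describes; a second application gets its own scoped-down rule in the same ACL rather than a second ACL.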
