Regional API Gateway and WAF

0

Hi Team, For CF + WAF, traffic is hitting CF before reach WAF, such that certain header info. is modified by CF (e.g. X-Forwarded-For). My customer would like to understand the behavior when using regional api + waf, does traffic hitting WAF first before API GW or vice versa. My understanding is that traffic is hitting WAF first as traffic blocked by WAF will not count toward API GW consumption.

Can I also assume that WAF is in in pass-through mode which will not modify any of the traffic header? Is that correct?

1 個回答
1
已接受的答案

When you enable WAF on a resource (CloudFront, API Gateway or ALB) the endpoint does not change. This means that WAF does not front those services but rather that they invoke WAF as the first step, if so configured. You can see see this also in the WAF FAQ:

"2. How does AWS WAF block or allow traffic?

As the underlying service receives requests for your web sites, it forwards those requests to AWS WAF for inspection against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service to either block or allow the request based on the action you define."

Because of that, WAF doesn't modify the original request. It just return to the service an indication if to allow or reject the request.

profile pictureAWS
專家
Uri
已回答 4 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南