6.1.5. Network Protection: WAF, Shield, and Network Firewall
š” First Principle: Not all threats arrive at the application layer ā some hit the network layer (volumetric DDoS), some hit the transport layer (SYN floods), and some hit the application layer (SQL injection, XSS). Defense in depth applies to networking too: different tools protect at different layers, and layering them provides the most comprehensive protection.
AWS WAF (Web Application Firewall):
WAF inspects HTTP/HTTPS requests and blocks those matching malicious patterns. It operates at Layer 7 (application layer).
| WAF Component | Description |
|---|---|
| Web ACL | The WAF policy attached to a resource |
| Rule group | A reusable set of rules |
| AWS Managed Rule Groups | Pre-built rules for common threats (OWASP Top 10, known bad IPs, bots) |
| Rate-based rules | Block IPs sending more than N requests per 5 minutes |
| Custom rules | Match on any combination of request attributes |
WAF can be attached to: ALB, CloudFront, API Gateway, AppSync, Cognito User Pool.
AWS Shield:
| Tier | Cost | Protection |
|---|---|---|
| Shield Standard | Free (all AWS customers) | Layer 3/4 DDoS protection (SYN floods, UDP reflection attacks) |
| Shield Advanced | ~$3,000/month | Enhanced L3/4/7 protection, DDoS cost protection, 24/7 DRT access, near real-time visibility |
Shield Standard protects all AWS resources automatically. Shield Advanced provides additional protections for EC2, ELB, CloudFront, Route 53, and Global Accelerator, plus financial protection (AWS credits for scaling costs incurred due to DDoS attacks).
AWS Network Firewall:
A managed, stateful network firewall for VPCs. Unlike security groups (per-instance, stateful) and NACLs (per-subnet, stateless), Network Firewall operates at the VPC perimeter level and supports:
- Stateful and stateless rule groups
- Suricata-compatible IPS rules ā deep packet inspection, intrusion detection/prevention
- Domain-based filtering (block/allow by FQDN)
- TLS inspection (decrypt, inspect, re-encrypt)
Network Firewall is deployed into dedicated firewall subnets, and traffic is routed through it via route tables. Common architecture: Internet ā IGW ā Firewall subnet (Network Firewall) ā Application subnet.
Route 53 Resolver DNS Firewall:
Blocks outbound DNS queries to malicious or unauthorized domains from within your VPC. Complements Network Firewall (which operates on IP/port) with domain-name-based blocking. Use managed domain lists (AWS-managed lists of known malicious domains) or custom domain lists.
ā ļø Exam Trap: WAF operates at Layer 7 ā it sees HTTP/HTTPS request content. Shield Standard operates at Layers 3/4 ā it sees network packets. A sophisticated application-layer attack (slow HTTP POST, credential stuffing) requires WAF; a volumetric UDP flood requires Shield. The exam tests which protection layer is appropriate for which attack type. For maximum protection, use both ā Shield Advanced with WAF.
Reflection Question: An e-commerce site is experiencing two simultaneous attacks: (1) a volumetric SYN flood from a botnet exhausting network capacity, and (2) a credential stuffing attack sending thousands of login requests per second from rotating IPs. Which AWS service addresses each attack, and what specific feature of the second service stops the credential stuffing?
