Faced my first DDoS attack on my SST API, time to ...
# random
a
Faced my first DDoS attack on my SST API, time to integrate AWS WAF and API throttling 😅
r
heck
what did you do?
a
I proxied the API domain through Cloudflare and enabled under attack mode. 😂
r
Useful to know! WAF integration with sensible defaults would be a very cool SST feature. The config of that thing is complex.
a
API Gateway + Lambdas are cheap, so we can take a hit, but if the endpoints use other resources then it can become expensive. I’ll attempt a WAF implementation next week. I’ll keep you posted here.
l
@Ashishkumar Pandey I was just talking about this in the help channel and here I see your issue! Looks like sought-after guide material! @Ross Coundon this actually isn't that easy with the default apig2 constructs. You have to proxy it through CloudFront in order to put WAF in front of it.
f
Opened an issue for this. Most likely we won’t be able to get to this right away: https://github.com/serverless-stack/serverless-stack/issues/949
g
Quick thinking on the workaround @Ashishkumar Pandey
a
@Lukasz K yep, I know CloudFront needs to be involved with the API Gateway v2 to be able to implement WAF. @Frank it’s alright, such a new feature needs to be well discussed before it’s implemented. Thanks for opening the issue, I’ll update it with my findings.
@gligor Thank you, Cloudflare has saved my butt too many times now. 😅😂