# help
l
Hey SSTers! What's your default for protecting ApiV2 endpoints against DDoS and other web threats? I start off with placing throttling mechanisms but v2 seems awfully poor in configuration options. Read up on WAF but again, v2 doesn't support it. What I imagined so far is that I'd need to put CF in front of an Api gateway and then WAF in front of CF and perhaps do some lambda@edge to do more granular throttling (like single ip/user calls/sec or sth). Any useful pattern would be appreciated here 🙂
t
My first line of defense is never building anything successful enough to be DDoS'd
m
@thdxr so you just build the tools that allow us to be successful?
t
Hopefully 😬
m
@Lukasz K typically WAF in front of your CDN (or as part of your CDN) is enough
l
Yeah, trying to wrap my head around the combination of Apig, S3 for static page files, CDN and WAF, optimally in a main domain -> index + subdir of main domain as api (domain.com/api/v1) pattern instead of using another subdomain (just to avoid messing with CORS) but AWS docs aren't helping at all 😅
Add to this the fact that I'm unable to use my domain directly in Route53 so I'm faking the hosted zones for other AWS services' sake. Yeeeaah, might just move that part to Cloudflare
m
Cloudflare is typically my go-to provider for CDN/WAF. I've used Cloudfront quite a bit but Cloudflare's pricing model is amazing and I've never had any issues. I wish Cloudflare could be an integrated solution with SST (@thdxr) but understand the hurdles because CDK
l
Looks like a topic to write a guide about, I just visited Random and what do I see? https://serverless-stack.slack.com/archives/C01HYQRUGG6/p1634812549001700
m
@Lukasz K the thing is, there are plenty of guides that exist. It's not uniquely a SST problem to solve. I totally get the benefit of having some SST construct that streamlines it, but there are already tons of resources that document how to set up and protect your sites and services with a CDN and WAF. The real thing is that it shouldn't be an afterthought, especially if you are building for production/something public facing.
f
Opened an issue for this. Most likely we won't be able to get to this right away https://github.com/serverless-stack/serverless-stack/issues/949
l
@Michael Clifford Agree with the "should not be an afterthought" line 100%. It just so happened that my question aligned with a live example from another channel. My intent here was to verify whether my line of thinking/implementations so far had any semblance of sanity 😄 Already got something out of the conversation as I can try to reduce the costs of waf/cdk via CloudFlare setup instead (tho by introducing a manual step in the provisioning process so not sure which way to go yet)
m
Yea, that must have been funny joining slack and seeing a recent message relevant to your interests
The Cloudflare manual setup and integration with your service is very straightforward