What are folks generally doing for WAF? I believe ...
# help
What are folks generally doing for WAF? I believe the HTTP type APIGW endpoints (v2) don't support WAF like the REST (v1). I've heard one can use CloudFront to enable WAF in front of v2 APIGW but I understand CloudFront to be more for CDN use case. We have an API that we expect to receive a high volume of requests and it's only marginally serving up responses. Also, Cloudflare isn't an option for this (client doesn't want). Just curious. Thanks ya'll!
We implemented a rate limiter into our Authorizer. This gives us a bit more control for the specific use case of DDOS, since we know things WAF doesnt, but we lose other items, like Bot Control. Since this is for an API and not the frontend, we were OK with this tradeoff. Note that the authorizer runs outside the throttling for API Gateway and can cache the refused response, which makes it pretty nice for this purpose, although you need to also do the rate limiting count in the actual API, since the cache will prevent the authorizer from running every request.
Its a bit hacky, but decent enough for a use case that is pretty far outside the norm, at least until AWS figures out that people actually are using HTTP APIs. 😉
Other options considered: • Cloudfront in front of API Gateway: Didnt like as much due to the fact we couldnt use the cache (we use GraphQL), so we would be paying for nothing. • Cloudfront and use lambda function url instead of API Gateway: Currently, there is not a good way to lock down the function URL to only running when Cloudfront hits it, so a DDOS attack on the function url directly would succeed in grand fashion. • AppSync: Lose too much in the process, and very expensive comparably.
We are also facing similar issue, Cloud Front didn't work for use case as our API is not content driven. And our client is insisting on using WAF to whitelist the IPs, So looking for alternative solutions as we don't want to use V1. Any help appreciated.
API Gateway itself also has burst and rate limits that can be set. Obviously not a replacement for a WAF, but still better than nothing.
Defaults seem to be 5000 burst and 10000 rate
it can also be changed on a per route basis
Of course, this doesn't help against denial of service, just against cost attacks
Thank you Adrian, @Frank please suggest if we have any other alternatives in this case to convince the client