# help
a
What are folks generally doing for WAF? I believe the HTTP type APIGW endpoints (v2) don't support WAF like the REST (v1) ones do. I've heard one can use CloudFront to enable WAF in front of v2 APIGW, but I understand CloudFront to be more for the CDN use case. We have an API that we expect to receive a high volume of requests, and it's only marginally serving up responses. Also, Cloudflare isn't an option for this (client doesn't want it). Just curious. Thanks, y'all!
d
We implemented a rate limiter in our Authorizer. This gives us a bit more control for the specific use case of DDoS, since we know things WAF doesn't, but we lose other items, like Bot Control. Since this is for an API and not the frontend, we were OK with this tradeoff. Note that the authorizer runs outside the throttling for API Gateway and can cache the refused response, which makes it pretty nice for this purpose, although you also need to do the rate-limiting count in the actual API, since the cache will prevent the authorizer from running on every request.
It's a bit hacky, but decent enough for a use case that is pretty far outside the norm, at least until AWS figures out that people actually are using HTTP APIs. 😉
Other options considered:
• CloudFront in front of API Gateway: Didn't like it as much due to the fact that we couldn't use the cache (we use GraphQL), so we would be paying for nothing.
• CloudFront and use a Lambda function URL instead of API Gateway: Currently, there is not a good way to lock down the function URL to only running when CloudFront hits it, so a DDoS attack on the function URL directly would succeed in grand fashion.
• AppSync: Lose too much in the process, and very expensive comparatively.
s
We are also facing a similar issue. CloudFront didn't work for our use case, as our API is not content driven, and our client is insisting on using WAF to whitelist IPs, so we are looking for alternative solutions, as we don't want to use v1. Any help appreciated.
a
API Gateway itself also has burst and rate limits that can be set. Obviously not a replacement for a WAF, but still better than nothing.
Defaults seem to be 5000 burst and 10000 rate.
It can also be changed on a per-route basis.
Of course, this doesn't help against denial of service, just against cost attacks.
s
Thank you, Adrian. @Frank, please suggest any other alternatives we have in this case to convince the client.