Combining Shield Advanced with other Amazon Web Services services
You can use Shield Advanced to protect your resources in many types of scenarios. However, in some cases you should use other services or combine other services with Shield Advanced to offer the best protection. The following are examples of how to use Shield Advanced or other Amazon services to help protect your resources.
Goal | Suggested services | Related service documentation |
---|---|---|
Protect a web application and RESTful APIs against a DDoS attack | Shield Advanced protecting an Amazon CloudFront distribution and an Application Load Balancer | Elastic Load Balancing documentation, Amazon CloudFront Documentation |
Protect a TCP-based application against a DDoS attack | Shield Advanced protecting an Amazon Global Accelerator standard accelerator, attached to an Elastic IP address | Amazon Global Accelerator Documentation, Elastic Load Balancing documentation |
Protect a UDP-based game server against a DDoS attack | Shield Advanced protecting an Amazon EC2 instance attached to an Elastic IP address | Amazon Elastic Compute Cloud Documentation |

For example, if you use Shield Advanced to protect an Elastic IP address, Shield Advanced protects whatever resource is associated with it. During an attack, Shield Advanced automatically deploys your network ACLs to the border of the Amazon network. When your network ACLs are at the border of the network, Shield Advanced can provide protection against larger DDoS events. Typically, network ACLs are applied near your Amazon EC2 instances within your Amazon VPC. The network ACL can mitigate attacks only as large as your Amazon VPC and instance can handle. If the network interface attached to your Amazon EC2 instance can process up to 10 Gbps, volumes over 10 Gbps slow down and possibly block traffic to that instance. During an attack, Shield Advanced promotes your network ACL to the Amazon border, which can process multiple terabytes of traffic. Your network ACL is able to provide protection for your resource well beyond your network's typical capacity. For more information about network ACLs, see Network ACLs.
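
Because the network ACL itself is what gets enforced at the border, its ingress rules decide what is dropped there, and an allow-all rule passes the same traffic wherever the ACL is applied. The following Python is an added example, not Amazon code: it evaluates constructed rule entries shaped like the `Entries` list returned by EC2 `DescribeNetworkAcls`, assuming a hypothetical UDP game server on port 27015, a hypothetical admin range, and IPv4 rules only.

```python
import ipaddress

# Constructed sample, shaped like "Entries" from EC2 DescribeNetworkAcls.
# Assumptions: game traffic on UDP 27015, SSH from 198.51.100.0/24 only.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "17", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 27015, "To": 27015}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
    # Weak setting: catch-all allow left over from the default network ACL.
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    # Final "*" rule, reported by the API as rule number 32767.
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]
# Corrected setting: same ACL without the catch-all allow.
HARDENED_ENTRIES = [e for e in SAMPLE_ENTRIES if e["RuleNumber"] != 200]


def _matches(entry, proto, src, dst_port):
    """True if an inbound IPv4 packet matches this entry ("-1" = any protocol)."""
    if entry["Protocol"] not in ("-1", proto) or "CidrBlock" not in entry:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    ports = entry.get("PortRange")  # absent means all ports
    return ports is None or ports["From"] <= dst_port <= ports["To"]


def evaluate(entries, proto, src, dst_port):
    """Return (action, rule number); the lowest-numbered matching rule wins."""
    ingress = sorted((e for e in entries if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for entry in ingress:
        if _matches(entry, proto, src, dst_port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None


def overly_broad_allows(entries):
    """Rule numbers of ingress rules that allow any protocol from any source."""
    return [e["RuleNumber"] for e in entries
            if not e["Egress"] and e["RuleAction"] == "allow"
            and e["Protocol"] == "-1" and e.get("CidrBlock") == "0.0.0.0/0"]
```

With the catch-all rule present, UDP traffic to a port the server does not use is still allowed by rule 200; with it removed, the same packet reaches the final deny rule.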