Protecting the application layer (layer 7) with Amazon Shield Advanced and Amazon WAF - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page explains how Shield Advanced and Amazon WAF work together to protect resources at the application layer (layer 7).

To protect your application layer resources with Shield Advanced, you start by associating an Amazon WAF web ACL with the resource and adding one or more rate-based rules to it. You can additionally enable automatic application layer DDoS mitigation, which causes Shield Advanced to automatically create and manage web ACL rules on your behalf in response to DDoS attacks.

When you protect an application layer resource with Shield Advanced, Shield Advanced analyzes traffic over time to establish and maintain baselines. Shield Advanced uses these baselines to detect anomalies in traffic patterns that might indicate a DDoS attack. The point at which Shield Advanced detects an attack depends on the traffic that Shield Advanced has been able to observe prior to the attack and on the architecture you use for your web applications. The architectural variations that can affect Shield Advanced behavior include the type of instance you use, your instance size, and whether the instance type supports enhanced networking. You can also configure Shield Advanced to automatically place mitigations for application layer attacks.

Shield Advanced subscriptions and Amazon WAF costs

Your Shield Advanced subscription covers the costs of using standard Amazon WAF capabilities for resources that you protect with Shield Advanced. The standard Amazon WAF fees that are covered by your Shield Advanced protections are the cost per web ACL, the cost per rule, and the base price per million requests for web request inspection, up to 1,500 WCUs and up to the default body size.

Enabling Shield Advanced automatic application layer DDoS mitigation adds a rule group to your web ACL that uses 150 web ACL capacity units (WCUs). These WCUs count against the WCU usage in your web ACL. For more information, see Automating application layer DDoS mitigation with Shield Advanced, Protecting the application layer with the Shield Advanced rule group, and Web ACL capacity units (WCUs) in Amazon WAF.

Your subscription to Shield Advanced does not cover the use of Amazon WAF for resources that you do not protect using Shield Advanced. It also does not cover any additional non-standard Amazon WAF costs for protected resources. Examples of non-standard Amazon WAF costs are those for Bot Control, for the CAPTCHA rule action, for web ACLs that use more than 1,500 WCUs, and for inspecting the request body beyond the default body size. The full list is provided on the Amazon WAF pricing page.
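The following pre-flight check is an added example, not code from the Amazon Web Services documentation. It inspects a web ACL definition for the two conditions described above: at least one rate-based rule, and room for the 150-WCU Shield Advanced rule group within the 1,500 WCUs that the subscription covers. It assumes that automatic mitigation is not yet enabled on the web ACL and that the input has the shape of the `WebACL` object returned by `aws wafv2 get-web-acl`; the function names and the sample web ACL are constructed for illustration.

```python
import json

SHIELD_RULE_GROUP_WCUS = 150  # WCUs added by automatic mitigation (from this page)
COVERED_WCU_LIMIT = 1500      # WCUs covered by the subscription (from this page)

# Constructed sample, limited to the WebACL fields this check reads.
SAMPLE_WEB_ACL = json.loads("""
{
  "Name": "example-acl",
  "Capacity": 1380,
  "Rules": [
    {"Name": "rate-limit-per-ip", "Priority": 0,
     "Statement": {"RateBasedStatement":
                   {"Limit": 2000, "AggregateKeyType": "IP"}},
     "Action": {"Block": {}}},
    {"Name": "common-rules", "Priority": 1,
     "Statement": {"ManagedRuleGroupStatement":
                   {"VendorName": "AWS",
                    "Name": "AWSManagedRulesCommonRuleSet"}},
     "OverrideAction": {"None": {}}}
  ]
}
""")

def rate_based_rules(web_acl):
    """Names of the web ACL's own rules whose statement is rate-based."""
    return [rule["Name"] for rule in web_acl.get("Rules", [])
            if "RateBasedStatement" in rule.get("Statement", {})]

def preflight(web_acl):
    """Report rate-based rules, projected WCU usage, and any findings."""
    names = rate_based_rules(web_acl)
    projected = web_acl.get("Capacity", 0) + SHIELD_RULE_GROUP_WCUS
    findings = []
    if not names:
        findings.append("no rate-based rule in the web ACL")
    if projected > COVERED_WCU_LIMIT:
        findings.append(
            f"projected {projected} WCUs exceeds the {COVERED_WCU_LIMIT} "
            "WCUs covered by the Shield Advanced subscription")
    return {"rate_based_rules": names,
            "projected_wcus": projected,
            "findings": findings}

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_WEB_ACL), indent=2))
```

The check reads only the rules defined directly in the web ACL; rate-based rules inside referenced rule groups are not counted.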

For full information and pricing examples, see Shield Pricing and Amazon WAF Pricing.