DDoS resiliency example for common web applications - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

DDoS resiliency example for common web applications

You can build a web application in any Amazon Region and receive automatic DDoS protection from the detection and mitigation capabilities that Amazon provides in the Region.

This example is for architectures that route users to a web application using resources like Classic Load Balancers, Application Load Balancers, Network Load Balancers, Amazon Marketplace solutions, or your own proxy layer. You can improve DDoS resiliency by inserting Amazon Route 53 hosted zones, Amazon CloudFront distributions, and Amazon WAF web ACLs between these web application resources and your users. These insertions can obfuscate the application origin, serve requests closer to your end users, and detect and mitigate application layer request floods. Applications that serve static or dynamic content to your users with CloudFront and Route 53 are protected by an integrated, fully inline DDoS mitigation system that mitigates infrastructure layer attacks in real time.

With these architectural improvements in place, you can then protect your Route 53 hosted zones and your CloudFront distributions with Shield Advanced. When you protect CloudFront distributions, Shield Advanced prompts you to associate Amazon WAF web ACLs and create rate-based rules for them, and gives you the option of enabling automatic application layer DDoS mitigation or proactive engagement. Proactive engagement and automatic application layer DDoS mitigation use Route 53 health checks that you associate with the resource. To learn more about these options, see Resource protections in Amazon Shield Advanced.

The following reference diagram depicts this DDoS resilient architecture for a web application.

The diagram shows a rectangle titled Amazon cloud, with a group of users to its left. Inside the cloud rectangle are two other rectangles, side by side. The left rectangle is titled Amazon Shield Advanced and the right rectangle is titled VPC. The left, Amazon Shield Advanced triangle contains three Amazon icons, stacked vertically. From top to bottom, the icons are Amazon Route 53, Amazon CloudFront, and Amazon WAF. The icon for CloudFront has arrows that go to and from the icon for Amazon WAF. The user group has an arrow coming out horizontally to its right that splits to point to the icons for Route 53 and CloudFront. To the right of the Shield Advanced rectangle, the VPC rectangle contains two icons that are side by side. From left to right, these icons are Elastic Load Balancing and Amazon Elastic Compute Cloud. The CloudFront icon has an arrow coming out horizontally to its right that goes to the Elastic Load Balancing icon. The Elastic Load Balancing icon has an arrow coming out horizontally to its right that goes to the Amazon EC2 icon. So user requests are sent to Route 53 and CloudFront. CloudFront interacts with Amazon WAF and also sends requests on to the load balancer, which in turn sends requests on the Amazon EC2.

The benefits that this approach provides to your web application include the following:

  • Protection against frequently used infrastructure layer (layer 3 and layer 4) DDoS attacks, without detection delay. In addition, if a resource is frequently targeted, Shield Advanced places mitigations for longer periods of time. Shield Advanced also uses application context inferred from Network ACLs (NACLs) to block unwanted traffic further upstream. This isolates failures closer to their source, minimizing the effect on legitimate users.

  • Protection against TCP SYN floods. The DDoS mitigation systems that are integrated with CloudFront, Route 53, and Amazon Global Accelerator provide a TCP SYN proxy capability that challenges new connection attempts and only serves legitimate users.

  • Protection against DNS application layer attacks, because Route 53 is responsible for serving authoritative DNS responses.

  • Protection against web application layer request floods. The rate-based rule that you configure in your Amazon WAF web ACL blocks source IPs when they are sending more requests than the rule allows.

  • Automatic application layer DDoS mitigation for your CloudFront distributions, if you choose to enable this option. With automatic DDoS mitigation, Shield Advanced maintains a rate-based rule in the distribution's associated Amazon WAF web ACL that limits the volume of requests from known DDoS sources. Additionally, when Shield Advanced detects an event that affects the health of your application, it automatically creates, tests, and manages mitigating rules in web ACL.

  • Proactive engagement with the Shield Response Team (SRT), if you choose to enable this option. When Shield Advanced detects an event that affects the health of your application, the SRT responds and proactively engages with your security or operations teams using the contact information that you provide. The SRT analyzes patterns in your traffic and can update your Amazon WAF rules to block the attack.