Resources that you can protect with Amazon WAF - Amazon WAF, Amazon Firewall Manager, Amazon Shield Advanced, and Amazon Shield network security director
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Resources that you can protect with Amazon WAF

You can use an Amazon WAF protection pack or web ACL to protect global or regional resource types. You do this by associating the protection pack or web ACL with the resources that you want to protect. The protection pack or web ACL and any Amazon WAF resources that it uses must be located in the Region where the associated resource is located. For Amazon CloudFront distributions, this is set to US East (N. Virginia).

Amazon CloudFront distributions

You can associate an Amazon WAF protection pack or web ACL with a CloudFront distribution using the Amazon WAF console or APIs. You can also associate a protection pack or web ACL with a CloudFront distribution when you create or update the distribution itself. To configure an association in Amazon CloudFormation, you must use the CloudFront distribution configuration. For information about Amazon CloudFront, see Using Amazon WAF to Control Access to Your Content in the Amazon CloudFront Developer Guide.

Amazon WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your protection pack or web ACL and any resources used in the protection pack or web ACL, such as rule groups, IP sets, and regex pattern sets. Some interfaces offer a Region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".

Regional resources

You can protect regional resources in all Regions where Amazon WAF is available. You can see the list at Amazon WAF endpoints and quotas in the Amazon Web Services General Reference.

You can use Amazon WAF to protect the following regional resource types:

  • Amazon API Gateway REST API

  • Application Load Balancer

  • Amazon AppSync GraphQL API

  • Amazon Cognito user pool

  • Amazon App Runner service

  • Amazon Verified Access instance

  • Amazon Amplify

You can associate a protection pack or web ACL only with an Application Load Balancer that's within Amazon Web Services Regions. For example, you cannot associate a protection pack or web ACL with an Application Load Balancer that's on Amazon Outposts.

You must create any protection pack or web ACL that you want to associate with an Amplify app in the Global CloudFront Region. You might already have a Regional protection pack or web ACL in your Amazon Web Services account, but it is not compatible with Amplify.

The protection pack or web ACL and any other Amazon WAF resources that it uses must be located in the same Region as the protected resources. When monitoring and managing web requests for a protected regional resource, Amazon WAF keeps all data in the same Region as the protected resource.

Restrictions on multiple resource associations

You can associate a single protection pack or web ACL with one or more Amazon resources, with the following restrictions:

  • You can associate each Amazon resource with only one protection pack or web ACL. The relationship between protection pack or web ACL and Amazon resources is one-to-many.

  • You can associate a protection pack or web ACL with one or more CloudFront distributions. You cannot associate a protection pack or web ACL that you have associated with a CloudFront distribution with any other Amazon resource type.
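The placement and association rules on this page can be expressed as a pre-deployment check over planned associations. The following is an added example, not AWS code: it reads the web ACL scope from the `global/` or `regional/` segment of a WAFv2 ARN, and the function names, rule labels, account ID, and ARNs are constructed for illustration.

```python
# Added example (not AWS code). Account ID and all ARNs are constructed samples.
GLOBAL_REGION = "us-east-1"                  # "Global (CloudFront)" equals us-east-1
GLOBAL_SERVICES = {"cloudfront", "amplify"}  # these need a CloudFront-scope web ACL

def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into the fields used here."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return {"service": parts[2], "region": parts[3], "resource": parts[5]}

def check_associations(pairs):
    """Return (rule, resource_arn) violations for planned (web_acl_arn, resource_arn) pairs."""
    problems, acl_by_resource = [], {}
    for acl_arn, res_arn in pairs:
        acl, res = parse_arn(acl_arn), parse_arn(res_arn)
        if acl["service"] != "wafv2":
            raise ValueError(f"not a WAFv2 web ACL ARN: {acl_arn!r}")
        scope = acl["resource"].split("/", 1)[0]  # "global" or "regional"
        if scope == "global" and acl["region"] != GLOBAL_REGION:
            problems.append(("global-acl-outside-us-east-1", res_arn))
        if res["service"] in GLOBAL_SERVICES:
            if scope != "global":
                problems.append(("needs-cloudfront-scope-acl", res_arn))
        elif scope == "global":
            # A CloudFront-scope ACL cannot protect a regional resource type.
            problems.append(("cloudfront-acl-on-regional-resource", res_arn))
        elif acl["region"] != res["region"]:
            problems.append(("acl-region-differs-from-resource", res_arn))
        # Each resource can be associated with only one web ACL.
        if acl_by_resource.setdefault(res_arn, acl_arn) != acl_arn:
            problems.append(("resource-has-second-acl", res_arn))
    return problems

ACCT = "111122223333"  # constructed account ID
EDGE_ACL = f"arn:aws:wafv2:us-east-1:{ACCT}:global/webacl/edge/constructed-id-1"
WEST_ACL = f"arn:aws:wafv2:us-west-2:{ACCT}:regional/webacl/west/constructed-id-2"
EAST_ACL = f"arn:aws:wafv2:us-east-1:{ACCT}:regional/webacl/east/constructed-id-3"
CF_DIST = f"arn:aws:cloudfront::{ACCT}:distribution/EXAMPLEDIST"
ALB_WEST = f"arn:aws:elasticloadbalancing:us-west-2:{ACCT}:loadbalancer/app/web/constructed"
AMPLIFY_WEST = f"arn:aws:amplify:us-west-2:{ACCT}:apps/constructedapp"
PLAN = [(EDGE_ACL, CF_DIST), (WEST_ACL, ALB_WEST),
        (WEST_ACL, AMPLIFY_WEST), (EAST_ACL, ALB_WEST)]

if __name__ == "__main__":
    for rule, resource in check_associations(PLAN):
        print(f"{rule}: {resource}")
```

The check cannot tell whether an Application Load Balancer runs on Amazon Outposts, because that is not visible in the ARN; verify that restriction separately.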