Migration caveats and limitations - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Migration caveats and limitations

The migration handles only web ACL configurations, and it doesn't bring over every setting exactly as you have it in Amazon WAF Classic. Some items you must configure manually in Amazon WAF (v2). A few things don't map one-to-one between the two versions, and you need to decide how to configure that functionality in Amazon WAF (v2). Some settings, such as the web ACL's associations with Amazon resources, are intentionally left disabled in the new version so that you can enable them when you're ready.

The following list describes the caveats of the migration and the steps you might want to take in response. Use this overview to plan your migration. The detailed migration steps later in this guide walk you through the recommended mitigations.

  • Single account migration – You can migrate Amazon WAF Classic resources only to Amazon WAF resources in the same account. Cross-account migration isn't supported.

  • Web ACL configurations only – The migration migrates only web ACLs and the resources that those web ACLs use. To migrate a resource, such as a rule group or IP set, that no migrated web ACL uses, create the resource manually in Amazon WAF (v2).

  • No Amazon Web Services Marketplace managed rules – The migration doesn't bring over any managed rules from Amazon Web Services Marketplace sellers. Some sellers offer equivalent managed rules for Amazon WAF (v2) that you can subscribe to again. Before you do, review the Amazon Managed Rules that are provided with the latest version of Amazon WAF; most of them are free of charge for Amazon WAF users. For information about managed rules, see Using managed rule groups in Amazon WAF.

  • No web ACL associations – The migration doesn't bring over any associations between the web ACL and the resources it protects. This is by design, so that the migration can't affect your production workload. After you verify that everything migrated correctly, associate the new web ACL with your resources.

  • Logging disabled – Logging for the migrated web ACL is disabled by default. This is by design. Enable logging when you're ready to switch over from Amazon WAF Classic to Amazon WAF, so that you have logs from the moment the new web ACL starts inspecting traffic.

  • No Amazon Firewall Manager rule groups – The migration doesn't handle rule groups that Firewall Manager manages. You can migrate a web ACL that Firewall Manager manages, but the migration doesn't bring over its rule group. For these web ACLs, don't use the migration tool; instead, recreate the policy for the new Amazon WAF in Firewall Manager.

    Note

    The rule groups that Firewall Manager managed for Amazon WAF Classic were Firewall Manager rule groups. With the new version of Amazon WAF, the rule groups are Amazon WAF rule groups. Functionally, they are the same.

  • Amazon WAF Security Automations caveat – Don't try to migrate any Amazon WAF Security Automations. The migration doesn't convert the Lambda functions that the automations might use. Instead, deploy the automations for the latest version of Amazon WAF. For information, see Amazon WAF Security Automations.
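The following script is an added example, not code from the Amazon WAF documentation or the migration tool. It turns the caveats above into a post-migration checklist: it reads the Classic web ACL (GetWebACL from the `waf` or `waf-regional` API, where a rule of type GROUP carries the rule group ID in its RuleId), the Marketplace rule groups the account subscribes to (ListSubscribedRuleGroups), and the migrated v2 web ACL with its logging configuration and associations, and reports what still needs manual action. It assumes that every REGULAR, RATE_BASED and non-Marketplace GROUP rule in the Classic web ACL should appear as one rule in the migrated web ACL (a sanity check, not something the migration guarantees), and the association lookup is written for REGIONAL scope only. The sample data at the bottom is constructed.

```python
"""Post-migration checklist for a web ACL moved from AWS WAF Classic to WAF (v2).

Added example, not AWS code. The analysis is pure so it runs offline; the two
fetch helpers show the boto3 calls used to gather the inputs (assumed usage).
"""

MARKETPLACE = "marketplace_rule_group"   # Marketplace subscription: not migrated
RULE_GROUP = "rule_group"                # rule group: verify it exists in v2
RULE_COUNT = "rule_count"                # rule count differs from expectation
LOGGING = "logging"                      # logging disabled after migration
ASSOCIATION = "association"              # no (or unexpected) associations


def migration_followups(classic_acl, subscribed_ids, v2_acl, v2_logging, v2_associations):
    """Return a list of (code, message) follow-ups for a migrated web ACL."""
    items = []
    subscribed = set(subscribed_ids)
    expected_rules = 0  # Classic rules the migration should carry over (assumption)
    for rule in classic_acl.get("Rules", []):
        if rule["Type"] == "GROUP":
            group_id = rule["RuleId"]  # for GROUP rules, RuleId is the rule group ID
            if group_id in subscribed:
                items.append((MARKETPLACE, f"rule group {group_id} is a Marketplace "
                              "subscription and is not migrated; re-subscribe in WAF (v2) "
                              "or replace it with AWS Managed Rules"))
            else:
                items.append((RULE_GROUP, f"rule group {group_id}: confirm it exists in "
                              "WAF (v2); rule groups managed by Firewall Manager are not migrated"))
                expected_rules += 1
        else:  # REGULAR or RATE_BASED
            expected_rules += 1
    found_rules = len(v2_acl.get("Rules", []))
    if found_rules != expected_rules:
        items.append((RULE_COUNT, f"expected {expected_rules} rule(s) in the migrated "
                      f"web ACL, found {found_rules}; review the rules before cutover"))
    if v2_logging is None:
        items.append((LOGGING, "logging is disabled (expected after migration); enable it "
                      "with PutLoggingConfiguration when you switch over"))
    if not v2_associations:
        items.append((ASSOCIATION, "no resources are associated (expected after migration); "
                      "call AssociateWebACL after you have verified the rules"))
    else:
        items.append((ASSOCIATION, f"already associated with {len(v2_associations)} "
                      "resource(s); confirm this was intended"))
    return items


def fetch_classic_state(classic_client, web_acl_id):
    """Classic inputs via a boto3 `waf` or `waf-regional` client (assumed usage)."""
    acl = classic_client.get_web_acl(WebACLId=web_acl_id)["WebACL"]
    subscribed, marker = [], None
    while True:  # ListSubscribedRuleGroups is paginated with NextMarker
        kwargs = {"NextMarker": marker} if marker else {}
        page = classic_client.list_subscribed_rule_groups(**kwargs)
        subscribed += [g["RuleGroupId"] for g in page.get("RuleGroups", [])]
        marker = page.get("NextMarker")
        if not marker:
            return acl, subscribed


def fetch_v2_state(wafv2_client, name, acl_id, resource_type="APPLICATION_LOAD_BALANCER"):
    """v2 inputs via a boto3 `wafv2` client, REGIONAL scope only (assumed usage).
    CloudFront associations live on the distribution and are not listed here."""
    acl = wafv2_client.get_web_acl(Name=name, Scope="REGIONAL", Id=acl_id)["WebACL"]
    try:
        logging_cfg = wafv2_client.get_logging_configuration(
            ResourceArn=acl["ARN"])["LoggingConfiguration"]
    except wafv2_client.exceptions.WAFNonexistentItemException:
        logging_cfg = None  # no logging configuration at all: logging is disabled
    associations = wafv2_client.list_resources_for_web_acl(
        WebACLArn=acl["ARN"], ResourceType=resource_type)["ResourceArns"]
    return acl, logging_cfg, associations


# Constructed sample: a Classic web ACL with two plain rules, one Marketplace
# rule group and one rule group of the account's own, migrated to a v2 web ACL
# that ended up with only two rules, no logging and no associations.
SAMPLE_CLASSIC_ACL = {"Rules": [
    {"Priority": 1, "RuleId": "rule-sqli", "Type": "REGULAR", "Action": {"Type": "BLOCK"}},
    {"Priority": 2, "RuleId": "rule-rate", "Type": "RATE_BASED", "Action": {"Type": "BLOCK"}},
    {"Priority": 3, "RuleId": "grp-marketplace", "Type": "GROUP", "OverrideAction": {"Type": "NONE"}},
    {"Priority": 4, "RuleId": "grp-own", "Type": "GROUP", "OverrideAction": {"Type": "NONE"}},
]}
SAMPLE_SUBSCRIBED = ["grp-marketplace"]
SAMPLE_V2_ACL = {"Name": "migrated-acl", "Rules": [{"Name": "rule-sqli"}, {"Name": "rule-rate"}]}

if __name__ == "__main__":
    for code, msg in migration_followups(SAMPLE_CLASSIC_ACL, SAMPLE_SUBSCRIBED,
                                         SAMPLE_V2_ACL, None, []):
        print(f"[{code}] {msg}")
```

Run the analysis before you enable logging or associate anything: a RULE_COUNT or RULE_GROUP item means the migrated web ACL doesn't yet enforce what the Classic one did, and a MARKETPLACE item means a rule set that was protecting production is absent until you re-subscribe or replace it with Amazon Managed Rules.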