Migration caveats and limitations - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Migration caveats and limitations

The migration doesn't carry over all of your settings, exactly as you have them in Amazon WAF Classic. A few things, like managed rules, don't map exactly between the two versions. Other settings, like the web ACL's associations with protected Amazon resources, are disabled initially in the new version so you can add them when you're ready.

The following list describes the caveats of the migration and describes any steps you might want to take in response. Use this overview to plan your migration. The detailed migration steps, later on, walk you through the recommended mitigation steps.

  • Single account – You can only migrate Amazon WAF Classic resources for any account to Amazon WAF resources for the same account.

  • Managed rules – The migration doesn't bring over any managed rules from Amazon Web Services Marketplace sellers. Some Amazon Web Services Marketplace sellers have equivalent managed rules for Amazon WAF that you can subscribe to again. Before you do this, review the Amazon Managed Rules that are provided with the latest version of Amazon WAF. Most of these are free of charge for Amazon WAF users. For information about managed rules, see Managed rule groups.

  • Web ACL associations – The migration doesn't bring over any associations between the web ACL and protected resources. This is by design, to avoid affecting your production workload. After you verify that everything is migrated correctly, associate the new web ACL with your resources.

  • Logging – Logging for the migrated web ACL is disabled by default. This is by design. Enable logging when you are ready to switch over from Amazon WAF Classic to Amazon WAF.

  • Amazon Firewall Manager rule groups – The migration doesn't handle rule groups that are managed by Firewall Manager. You can migrate a web ACL that's managed by Firewall Manager, but the migration doesn't bring over the rule group. Instead of using the migration tool for these web ACLs, recreate the policy for the new Amazon WAF in Firewall Manager.


    The rule groups that Firewall Manager managed for Amazon WAF Classic were Firewall Manager rule groups. With the new version of Amazon WAF, the rule groups are Amazon WAF rule groups. Functionally, they are the same.

  • Amazon WAF Security Automations – Don't try to migrate any Amazon WAF Security Automations. The migration doesn't convert Lambda functions, which might be in use by the automations. When a new Amazon WAF Security Automations solution is available that's compatible with the latest Amazon WAF, redeploy that solution.