Migrating a web ACL: manual follow-up - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

After the automated migration is complete, review the newly created web ACL and fill in the components that the migration doesn't bring over for you. The following procedure covers the aspects of web ACL management that the migration doesn't handle. For the list of those aspects, see Migration caveats and limitations.

To finish the basic migration - manual steps
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

  2. The console should automatically use the latest version of Amazon WAF. To verify this, in the navigation pane, check that you can see the option Switch to Amazon WAF Classic. If you see Switch to new Amazon WAF, choose that to switch to the latest version.

  3. In the navigation pane, choose Web ACLs.

  4. In the Web ACLs page, locate your new web ACL in the list for the Region where you created it. Choose the web ACL's name to bring up the settings for the web ACL.

  5. Review all of the settings for the new web ACL against your prior Amazon WAF Classic web ACL. By default, logging and protected resource associations are disabled. You enable those when you're ready to switch over.

  6. If your Amazon WAF Classic web ACL had a rate-based rule with a condition, the condition wasn't brought over in the migration. You can add conditions to the rule in the new web ACL.

    1. In your web ACL settings page, choose the Rules tab.

    2. Locate your rate-based rule in the list, select it, and choose Edit.

    3. For Criteria to count request towards rate limit, select Only consider requests that match the criteria in a rule statement, then provide your additional criteria. You can add the criteria using any rule statement that can be nested, including logical statements. For information about your choices, see Rate-based rule statement.

  7. If your Amazon WAF Classic web ACL had a managed rule group, the rule group inclusion wasn't brought over in the migration. You can add managed rule groups to the new web ACL. Review the information about managed rule groups, including the list of Amazon Managed Rules that are available with the new version of Amazon WAF, at Managed rule groups. To add a managed rule group, do the following:

    1. In your web ACL settings page, choose the web ACL Rules tab.

    2. Choose Add rules, then choose Add managed rule groups.

    3. Expand the listing for the vendor of your choice and select the rule groups that you want to add. For Amazon Web Services Marketplace sellers, you might need to subscribe to the rule groups. For more information about using managed rule groups in your web ACL, see Managed rule groups and Web ACL rule and rule group evaluation.
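
One way to check steps 6 and 7 from a script, as an added example that is not part of the AWS documentation: it reads a web ACL in the JSON shape returned by `aws wafv2 get-web-acl` and reports rate-based rules that have no scope-down statement and managed rule groups that are still missing. The sample web ACL, its rule names, and the list of planned rule groups are constructed for illustration.

```python
import json

# Constructed sample shaped like the "WebACL" object in the output of
# `aws wafv2 get-web-acl`, trimmed to the fields this check reads.
SAMPLE_WEB_ACL = json.loads("""
{"Name": "migrated-example", "Rules": [
  {"Name": "rate-all", "Priority": 0, "Action": {"Block": {}},
   "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}},
  {"Name": "rate-scoped", "Priority": 1, "Action": {"Block": {}},
   "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP",
     "ScopeDownStatement": {"GeoMatchStatement": {"CountryCodes": ["US"]}}}}},
  {"Name": "common", "Priority": 2, "OverrideAction": {"None": {}},
   "Statement": {"ManagedRuleGroupStatement": {
     "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}}
]}
""")


def unscoped_rate_rules(web_acl):
    """Step 6: rate-based rules that count every request (no scope-down statement)."""
    return [
        rule["Name"]
        for rule in web_acl.get("Rules", [])
        if "RateBasedStatement" in rule.get("Statement", {})
        and "ScopeDownStatement" not in rule["Statement"]["RateBasedStatement"]
    ]


def managed_groups(web_acl):
    """Step 7: (vendor, name) of each managed rule group the web ACL references."""
    found = set()
    for rule in web_acl.get("Rules", []):
        group = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if group:
            found.add((group["VendorName"], group["Name"]))
    return found


def missing_groups(web_acl, expected):
    """Managed rule groups you planned to re-add that are not in the web ACL yet."""
    return sorted(set(expected) - managed_groups(web_acl))


if __name__ == "__main__":
    # Hypothetical plan: the groups chosen to replace the Classic managed rule group.
    plan = {("AWS", "AWSManagedRulesCommonRuleSet"), ("AWS", "AWSManagedRulesSQLiRuleSet")}
    print("rate-based rules without a scope-down statement:", unscoped_rate_rules(SAMPLE_WEB_ACL))
    print("managed rule groups still to add:", missing_groups(SAMPLE_WEB_ACL, plan))
```

A rate-based rule listed by `unscoped_rate_rules` is only a follow-up item if its Amazon WAF Classic counterpart had a condition; compare the list against the Classic web ACL before editing.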

After you finish the basic migration process, we recommend that you review your needs and consider additional options, to be sure that the new configuration is as efficient as possible and that it's using the latest available security options. See Migrating a web ACL: additional considerations.