Why migrate to Amazon WAF? - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Why migrate to Amazon WAF?

The latest version of Amazon WAF provides many improvements over the prior version, while maintaining most of the concepts and terminology that you're accustomed to.

The following list describes the major changes in the latest Amazon WAF. Before you continue with your migration, please take some time to review this list and to familiarize yourself with the rest of the Amazon WAF guide.

  • Amazon Managed Rules for Amazon WAF – The rule groups now available through Amazon Managed Rules provide protection against common web threats. Most of these rule groups are included free of charge with Amazon WAF. For more information, see Amazon Managed Rules rule groups list and the blog post Announcing Amazon Managed Rules for Amazon WAF.

  • New Amazon WAF API – The new API allows you to configure all of your Amazon WAF resources using a single set of APIs. To distinguish between regional and global applications, the new API includes a scope setting. For more information about the API, see the Amazon WAFV2 Actions and Amazon WAFV2 Data Types.

    In the APIs, SDKs, CLIs, and Amazon CloudFormation, Amazon WAF Classic retains its naming schemes and this latest version of Amazon WAF is referred to with an added V2 or v2, depending on the context.

  • Simplified service quotas (limits) – Amazon WAF now allows more rules per web ACL and allows you to express longer regex patterns. For more information, see Amazon WAF quotas.

  • Web ACL limits are now based on computing needs – Web ACL limits are now based on web ACL capacity units (WCU). Amazon WAF calculates the WCU for a rule according to the operating capacity that's required to run the rule. The WCU of a web ACL is the sum of the WCU of all rules and rule groups in the web ACL.

    For general information about WCU, see How Amazon WAF works. For information about each rule's WCU usage, see Rule statement basics.

  • Document-based rule writing – You can now write and express rules, rule groups, and web ACLs in JSON format. You no longer need to use individual API calls to create different conditions and then associate the conditions with a rule. This greatly simplifies how you write and maintain your code. You can access a JSON format of your web ACLs through the console when you're viewing the web ACL, by choosing Download web ACL as JSON. When you are creating your own rule, you can access its JSON representation by choosing Rule JSON editor.

  • Rule nesting and full logical operation support – You can write complex combined rules by using logical rule statements and by using nesting. You can create statements such as [A AND NOT(B OR C)]. For more information, see Logical rule statements.

  • Improved rate-based rules – In the latest version of Amazon WAF, you can customize the time window that the rule evaluates and how the rule aggregates requests. You can customize aggregation using combinations of a number of web request characteristics. Additionally, the latest rate-based rules react more quickly to changes in traffic. For more information, see Rate-based rule statement.

  • Variable CIDR range support for IP set – IP set specifications now have more flexibility in the IP ranges. For IPv4, Amazon WAF supports /1 to /32. For IPv6, Amazon WAF supports /1 to /128. For more information about IP sets, see IP set match rule statement.

  • Chainable text transformations – Amazon WAF can perform multiple text transformations against web request content before inspecting it. For more information, see Text transformation options.

  • Improved console experience – The new Amazon WAF console features a visual rule builder and a more intuitive console design.

  • Expanded options for Firewall Manager Amazon WAF policies – In the Firewall Manager management of Amazon WAF web ACLs, you can now create a set of rule groups that Amazon WAF processes first and a set of rule groups that Amazon WAF processes last. After you apply the Amazon WAF policy, local account owners can add their own rule groups that Amazon WAF processes in between these two sets. For more information about Firewall Manager Amazon WAF policies, see Amazon WAF policies.

  • Amazon CloudFormation support for all rule statement types – Amazon WAF in Amazon CloudFormation supports all rule statement types that the Amazon WAF console and API support. Additionally, you can easily convert the rules that you write in JSON format to YAML format.
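
The document-based rule writing, rule nesting, and chainable text transformations described in the list above can be seen together in one rule document. The following Python sketch is an added example, not code from the Amazon WAF guide: it builds a WAFV2 rule of the form [A AND NOT(B OR C)] as JSON and renders the nesting as an expression so that the logic can be reviewed before the rule is deployed. The rule name, the `/admin` path, the country code, and the IP set ARN are assumptions chosen for illustration, and the ARN is a placeholder.

```python
import json

# Placeholder ARN (assumption): substitute the ARN of an IP set in your own account.
TRUSTED_IPSET_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/EXAMPLE_NAME/EXAMPLE_ID"


def build_rule():
    """Block /admin requests unless they come from a trusted IP set or country."""
    admin_path = {  # A: URI path starts with /admin
        "ByteMatchStatement": {
            "SearchString": "/admin",
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            # Chained transformations run in priority order before the match,
            # so %2Fadmin and /ADMIN are normalized to /admin first.
            "TextTransformations": [
                {"Priority": 0, "Type": "URL_DECODE"},
                {"Priority": 1, "Type": "LOWERCASE"},
            ],
        }
    }
    trusted_ips = {"IPSetReferenceStatement": {"ARN": TRUSTED_IPSET_ARN}}  # B
    home_country = {"GeoMatchStatement": {"CountryCodes": ["US"]}}  # C (sample value)
    not_trusted = {"NotStatement": {"Statement": {"OrStatement": {"Statements": [trusted_ips, home_country]}}}}
    return {
        "Name": "block-untrusted-admin",
        "Priority": 0,
        "Statement": {"AndStatement": {"Statements": [admin_path, not_trusted]}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": "block-untrusted-admin"},
    }


def describe(statement):
    """Render a statement tree as a logical expression for review."""
    (kind, body), = statement.items()  # each statement object has exactly one key
    if kind in ("AndStatement", "OrStatement"):
        op = " AND " if kind == "AndStatement" else " OR "
        return "(" + op.join(describe(s) for s in body["Statements"]) + ")"
    if kind == "NotStatement":
        return "NOT " + describe(body["Statement"])
    return kind  # leaf match statement


if __name__ == "__main__":
    rule = build_rule()
    print(describe(rule["Statement"]))
    print(json.dumps(rule, indent=2))
```

The printed JSON has the shape that the Rule JSON editor accepts. Check the rendered expression against the intended policy before attaching the rule to a web ACL.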