Associating or disassociating a web ACL with an Amazon resource
You can use Amazon WAF to create the following associations between web ACLS and your resources:
-
Associate a regional web ACL with any of the regional resources listed below. For this option, the web ACL must be in the same region as your resource.
Amazon API Gateway REST API
Application Load Balancer
Amazon AppSync GraphQL API
Amazon Cognito user pool
Amazon App Runner service
Amazon Verified Access instance
-
Associate a global web ACL with a Amazon CloudFront distribution. The global web ACL will have a hard-coded Region of US East (N. Virginia) Region.
You can also associate a web ACL with a CloudFront distribution when you create or update the distribution itself. For information, see Using Amazon WAF to Control Access to Your Content in the Amazon CloudFront Developer Guide.
Restrictions on multiple associations
You can associate a single web ACL with one or more Amazon resources, according to the following restrictions:
-
You can associate each Amazon resource with only one web ACL. The relationship between web ACL and Amazon resources is one-to-many.
-
You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other Amazon resource type.
Additional restrictions
The following additional restrictions apply to web ACL associations:
-
You can only associate a web ACL to an Application Load Balancer within Amazon Web Services Regions. For example, you cannot associate a web ACL to an Application Load Balancer that is on Amazon Outposts.
-
You can't associate an Amazon Cognito user pool with a web ACL that uses the Amazon WAF Fraud Control account creation fraud prevention (ACFP) managed rule group
AWSManagedRulesACFPRuleSetAWSManagedRulesATPRuleSet
Production traffic risk
Before you deploy your web ACL for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your rules in count mode with your production traffic before enabling them. For guidance, see Testing and tuning your Amazon WAF protections.
To associate a web ACL with an Amazon resource
Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/
. -
In the navigation pane, choose Web ACLs.
-
Choose the name of the web ACL that you want to associate with a resource. The console takes you to the web ACL's description, where you can edit it.
-
On the Associated Amazon resources tab, choose Add Amazon resources.
-
When prompted, choose the resource type, select the radio button next to the resource that you want to associate, and then choose Add.
To disassociate a web ACL from an Amazon resource
Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/
. -
In the navigation pane, choose Web ACLs.
-
Choose the name of the web ACL that you want to disassociate from your resource. The console takes you to the web ACL's description, where you can edit it.
-
On the Associated Amazon resources tab, select the resource that you want to disassociate this web ACL from.
Note
You must disassociate one resource at a time. Do not choose multiple resources.
-
Choose Disassociate. The console opens a confirmation dialogue. Confirm your choice to disassociate the web ACL from the Amazon resource.