Introducing a new console experience for Amazon WAF
You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see Working with the updated console experience.
Migrating Amazon WAF Classic Web ACLs in Firewall Manager
There are two scenarios where Firewall Manager might use Amazon WAF Classic web ACLs:
- With an Amazon WAF Classic policy
- With a Shield Advanced policy created before January 2022
Migrating Web ACLs in Amazon WAF Classic Policies
To migrate web ACLs from an Amazon WAF Classic policy, you must first migrate any Amazon WAF Classic rule groups to Amazon WAF (v2) rule groups. Then you can create a new policy using the migrated rule groups.
- Migrate your Amazon WAF Classic rule groups to Amazon WAF (v2) rule groups using the Amazon WAF bulk migration script.
- Create a new Amazon WAF policy with the following settings:
  - Use the newly migrated Amazon WAF (v2) rule groups
  - Enable automatic remediation
- For each account you want to migrate:
  - Remove the account from the old Amazon WAF Classic policy
  - Wait approximately 2-3 minutes
  - Add the account to the scope of the new Amazon WAF policy
  - (Optional) Use resource tag filtering to narrow the policy scope to specific resources
- Verify the migration:
  - Confirm that the new Amazon WAF policy has created v2 web ACLs
  - Verify that Firewall Manager has associated the new web ACLs with the appropriate resources
Migrating Web ACLs in Shield Advanced Policies
Automatic application layer DDoS mitigation in Firewall Manager works only with web ACLs that were created using Amazon WAF (v2). If you want to use automatic mitigation in your Firewall Manager policies, and your policies currently use Amazon WAF Classic web ACLs, you must migrate them to Amazon WAF (v2). You can either migrate all web ACLs at once or migrate them one account at a time.
Migrating All Web ACLs at Once
To migrate all web ACLs in your Shield Advanced policy at once, you can use the policy's automatic remediation feature:
- Open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fms.
- Choose your Shield Advanced policy.
- Enable automatic remediation and choose the option to replace Amazon WAF Classic web ACLs with Amazon WAF (v2) web ACLs.

Firewall Manager creates new Amazon WAF (v2) web ACLs as needed and manages the migration of resource associations from Classic to v2 web ACLs.
Migrating Web ACLs One Account at a Time
To migrate web ACLs one account at a time, follow these steps:
- Create a new Shield Advanced policy with the following settings:
  - Set automatic application layer DDoS mitigation to Disabled
  - Enable automatic remediation
- For each account you want to migrate:
  - Remove the account from the old Shield Advanced policy
  - Wait approximately 2-3 minutes
  - Add the account to the scope of the new Shield Advanced policy
  - (Optional) Use resource tag filtering to narrow the policy scope to specific resources
- Verify the migration:
  - Confirm that the new Shield Advanced policy has created Amazon WAF (v2) web ACLs
  - Verify that Firewall Manager has associated the new web ACLs with the appropriate resources
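The final "Verify the migration" step is the same for both the Amazon WAF policy procedure and the Shield Advanced policy procedure above: confirm that v2 web ACLs exist for the new policy, and confirm that every resource you expect to be protected is attached to one of them. The script below is an added example, not part of the AWS documentation and not Firewall Manager's own tooling. Its check logic runs on the dictionaries that the boto3 `wafv2` API returns (`list_web_acls` and `list_resources_for_web_acl`), so it can be exercised on the constructed sample data embedded in it; `live_report()` shows the equivalent live calls. It assumes that Firewall Manager names the web ACLs it creates with the `FMManagedWebACLV2-<policy name>-` prefix; the policy name, account ID and ARNs are constructed placeholders.

```python
"""Verify a Firewall Manager migration to Amazon WAF (v2) web ACLs.

Added example, not from the AWS documentation. The check functions operate on
the plain dictionaries that boto3's wafv2 client returns, so they can be run
offline on constructed data; live_report() performs the same check against a
real account. Every ARN, ID and name below is a constructed placeholder.
"""
from typing import Dict, List, Set

# Assumption: Firewall Manager names the web ACLs it creates
# "FMManagedWebACLV2-<policy name>-<timestamp>". Adjust if your account differs.
MANAGED_PREFIX = "FMManagedWebACLV2-"


def managed_v2_web_acls(web_acls: List[dict], policy_name: str) -> List[dict]:
    """Return the web ACLs that Firewall Manager created for policy_name.

    web_acls is the "WebACLs" list from wafv2 list_web_acls(). Everything in
    that list is a v2 web ACL by construction: WAF Classic web ACLs are only
    visible through the separate waf / waf-regional APIs.
    """
    prefix = f"{MANAGED_PREFIX}{policy_name}-"
    return [acl for acl in web_acls if acl["Name"].startswith(prefix)]


def association_report(managed_acls: List[dict],
                       associations: Dict[str, List[str]],
                       expected_resources: Set[str]) -> dict:
    """Report which expected resources are attached to a managed v2 web ACL.

    associations maps a web ACL ARN to the "ResourceArns" list returned by
    wafv2 list_resources_for_web_acl() for that ACL.
    """
    protected: Dict[str, str] = {}
    for acl in managed_acls:
        for resource_arn in associations.get(acl["ARN"], []):
            protected[resource_arn] = acl["Name"]
    unprotected = sorted(expected_resources - set(protected))
    return {
        "managed_web_acls": [acl["Name"] for acl in managed_acls],
        "protected": {r: protected[r] for r in sorted(protected) if r in expected_resources},
        "unprotected": unprotected,
        # Migration is complete only when a managed v2 ACL exists and nothing is left unattached.
        "complete": bool(managed_acls) and not unprotected,
    }


def live_report(policy_name: str, expected_resources: Set[str],
                scope: str = "REGIONAL", region: str = "us-east-1") -> dict:
    """Run the same check against a live account (requires boto3 and credentials)."""
    import boto3  # imported lazily so the offline functions need no AWS SDK
    wafv2 = boto3.client("wafv2", region_name=region)
    web_acls, kwargs = [], {"Scope": scope}
    while True:  # page through list_web_acls until no NextMarker is returned
        page = wafv2.list_web_acls(**kwargs)
        web_acls.extend(page["WebACLs"])
        if not page.get("NextMarker"):
            break
        kwargs["NextMarker"] = page["NextMarker"]
    managed = managed_v2_web_acls(web_acls, policy_name)
    associations = {
        acl["ARN"]: wafv2.list_resources_for_web_acl(
            WebACLArn=acl["ARN"], ResourceType="APPLICATION_LOAD_BALANCER")["ResourceArns"]
        for acl in managed
    }
    return association_report(managed, associations, expected_resources)


# Constructed sample data shaped like the wafv2 API responses.
_ACCOUNT = "123456789012"
_ALB = f"arn:aws:elasticloadbalancing:us-east-1:{_ACCOUNT}:loadbalancer/app"
_MANAGED_ARN = (f"arn:aws:wafv2:us-east-1:{_ACCOUNT}:regional/webacl/"
                "FMManagedWebACLV2-waf-v2-policy-1700000000000/aaaaaaaa-0000")
SAMPLE_WEB_ACLS = [
    {"Name": "FMManagedWebACLV2-waf-v2-policy-1700000000000", "Id": "aaaaaaaa-0000", "ARN": _MANAGED_ARN},
    {"Name": "team-owned-acl", "Id": "bbbbbbbb-0000",
     "ARN": f"arn:aws:wafv2:us-east-1:{_ACCOUNT}:regional/webacl/team-owned-acl/bbbbbbbb-0000"},
]
SAMPLE_ASSOCIATIONS = {_MANAGED_ARN: [f"{_ALB}/web-a/abc123", f"{_ALB}/web-b/def456"]}
SAMPLE_EXPECTED = {f"{_ALB}/web-a/abc123", f"{_ALB}/web-b/def456", f"{_ALB}/web-c/789ghi"}


def sample_report() -> dict:
    """Run the offline check on the constructed sample: web-c is still unattached."""
    managed = managed_v2_web_acls(SAMPLE_WEB_ACLS, "waf-v2-policy")
    return association_report(managed, SAMPLE_ASSOCIATIONS, SAMPLE_EXPECTED)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_report(), indent=2))
```

For a Shield Advanced policy, call `live_report()` with that policy's name instead; the rest of the check is identical. A non-empty `unprotected` list after the wait in the account-by-account procedure usually means the account has not yet been added to the new policy's scope, or a resource tag filter excludes the resource.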