How do I use AWS WAF with AWS Global Accelerator to protect my application from malicious attacks?

4 minute read

I want to protect my application from Layer 7 DDoS attacks by using the AWS WAF rate limiting rule with the Application Load Balancer behind the Global Accelerator.

Short description

You can leverage AWS Global Accelerator, Application Load Balancer, and AWS WAF to defend against application layer Distributed Denial of Service (DDoS) attacks.

Note: Client rate limiting through the Application Load Balancer and WAF requires that you set source IP preserved=TRUE on the accelerator. For more information, see Preserve client IP addresses in AWS Global accelerator.


The AWS WAF rate limiting rule lets you automatically block clients from specific IP addresses that send an overwhelming flood of requests to your application. Your rate-based rule tracks the number of requests sent out by each IP address, based on a sliding time window. When the requests exceed the rate limit, the rule immediately blocks requests from the source IP address, until the address lowers the number of requests. 

Note: You can also configure the rule to inspect and block many components of a request, including the country originating the request.


  • Make sure that you have the following traffic flow configuration for Global Accelerator, Application Load Balancer, and AWS WAF:
    User --> Global Accelerator --> Application Load Balancer with WAF --> EC2 instance
    Note: In this setup, the user accesses the application by making a request to the accelerator. The accelerator routes user traffic to the Application Load Balancer and WAF associated with it. WAF evaluates and either blocks or allows the user request using the rate limiting rule that you create.
  • Install a load testing tool, such as loadtest from GitHub. Or, use a load testing tool of your choice that gives you the required visibility.

Create a rule-based web ACL

Create a rate-based rule in web ACL, with an aggressive rate limit of 100. Then, use the test case to check if your rule's working.

  1. Navigate to the AWS WAF Console to create a web ACL rule.
  2. Add a custom rule to your web ACL.
  3. Give it a name and set the rate-based rule as Type.
  4. Set 100 as its Rate limit.
  5. Leave all other settings as-is. Then, click Add Rule.
  6. Save web ACL.

Test the results

The test simulates an HTTP flood attack. The load testing tool shows the progress of received requests. At some stage the requests start failing because they get blocked by the rate-limiting rule you set up.

  1. Run the loadtest tool on your computer.
    Note: Or, open AWS CloudShell on your console (you might receive a prompt to switch to the Region where it's supported).

    # Install globally as root:
    npm install -g loadtest
    # On AWS CloudShell, Ubuntu or Mac OS X systems install using sudo:
    sudo npm install -g loadtest
  2. Enter the Global Accelerator's URL, as shown below:

    # Global Accelerator url

    Note: Replace your_Global_Accelerator_URL with your Global Accelerator URL.

  3. Run the command in your terminal to start the load testing simulation flood of requests.

    Note: This should take 45 seconds to run, so keep an eye on the flow.

    loadtest -n 1000 -c 1 --rps 25 $GA_URL

    The command sends a total of 1000 requests, with concurrency 1 and 25 requests per second. With this rate of requests per second you reach the limit you set by the fourth second.

  4. Analyze the output flow. Notice that at some stage the requests began to fail. The errors indicate that the WAF rule blocked all requests from your source IP address.

    [Fri Apr 21 2023 20:26:45 GMT+0000 ] INFO Requests: 0 (0%), requests per second: 0, mean latency: 0 ms
    [Fri Apr 21 2023 20:26:50 GMT+0000 ] INFO Requests: 106 (11%), requests per second: 21, mean latency: 22.9 ms
    [Fri Apr 21 2023 20:26:50 GMT+0000 ] INFO Errors: 106, accumulated errors: 106, 100% of total requests
AWS OFFICIALUpdated a year ago