I want to migrate my current AWS WAF Classic deployment to AWS WAF. I also want to know the downtime involved in the migration.
Resolution
Prerequisite: Review the migration caveats and limitations.
Use one of the following options to migrate from AWS WAF Classic to AWS WAF.
There's no downtime when you use the following migration processes. After the migration, it's a best practice to test and tune your AWS WAF protections before you implement the rules in production.
Manual migration
Use manual migration for simple AWS WAF deployments. A manual migration recreates AWS WAF Classic resources in AWS WAF. The migration might cause inconsistencies in request handling until it's complete.
To perform a manual migration, complete the following:
- Set up AWS WAF.
- Migrate your protection pack (web ACL).
- Review your new web ACL and update its configuration as needed.
Security Automations for AWS WAF (automated)
To automatically migrate to AWS WAF, use Security Automations for AWS WAF. This solution uses AWS CloudFormation.
Note: When you use Security Automations for AWS WAF to migrate from AWS WAF Classic, don’t use the AWS WAF Classic migration wizard.
To use Security Automations for AWS WAF to deploy a new web ACL, complete the steps in Launch the stack.
Note: You must choose an Endpoint Type that matches the resource that's currently in AWS WAF Classic. If you use API Gateway REST API or Application Load Balancer, then choose ALB.
AWS CloudFormation creates a new stack with all the resources required for the Security Automation, including a new AWS WAF web ACL. The new web ACL isn't automatically associated with any AWS resources. To complete the migration to AWS WAF, you must manually associate the AWS WAF web ACL with your AWS resources. This process automatically disassociates the AWS resource from the AWS WAF Classic web ACL. After you associate the resource with the new AWS WAF web ACL, the web ACL's rules inspect inbound requests.
After you migrate to AWS WAF, it's a best practice to review your new web ACL and update its configuration as needed.
Note: You might need to manually recreate existing rules that can't be automatically migrated. For more information, see Migrating a protection pack (web ACL): manual follow-up.
AWS WAF Classic migration wizard (automated)
Use the AWS WAF Classic migration wizard to automatically migrate existing AWS WAF Classic resources to AWS WAF. There are cases where you must not use the AWS WAF Classic migration wizard. For more information, see Migration caveats and limitations.
To use the AWS WAF Classic migration wizard to deploy a new web ACL, complete the steps in Migrating a protection pack (web ACL): automated migration.
AWS CloudFormation creates a new stack with all the resources that are migrated from AWS WAF Classic, including a new AWS WAF web ACL. The new web ACL isn't automatically associated with any AWS resources. To complete the migration to AWS WAF, you must manually associate the AWS WAF web ACL with your AWS resources. This process automatically disassociates the AWS resource from the AWS WAF Classic web ACL. After you associate the resource with the new AWS WAF web ACL, the web ACL's rules inspect inbound requests.
After you migrate to AWS WAF, it's a best practice to review your new web ACL and update its configuration as needed.
Note: You might need to manually recreate existing rules that can't be automatically migrated. For more information, see Migrating a protection pack (web ACL): manual follow-up.
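The manual association step that follows both automated options can be scripted. The following is an added example, not code from AWS or from the Security Automations solution. It assumes boto3 and covers regional resources only (Application Load Balancer and API Gateway REST API). The function names and command-line arguments are hypothetical.

```python
"""Move regional resources from an AWS WAF Classic web ACL to a new AWS WAF web ACL."""

CLASSIC_TYPES = ("APPLICATION_LOAD_BALANCER", "API_GATEWAY")


def classic_resources(classic, classic_acl_id):
    """Return ARNs still associated with the AWS WAF Classic (regional) web ACL."""
    arns = []
    for rtype in CLASSIC_TYPES:
        resp = classic.list_resources_for_web_acl(
            WebACLId=classic_acl_id, ResourceType=rtype)
        arns.extend(resp.get("ResourceArns", []))
    return arns


def cutover(classic, v2, classic_acl_id, new_acl_arn, dry_run=True):
    """Associate each resource with the new web ACL, then verify the association.

    Returns {resource_arn: status}; status is planned, associated or mismatch.
    """
    results = {}
    for arn in classic_resources(classic, classic_acl_id):
        if dry_run:
            results[arn] = "planned"  # report only, change nothing
            continue
        # Associating with the new web ACL removes the Classic association.
        v2.associate_web_acl(WebACLArn=new_acl_arn, ResourceArn=arn)
        resp = v2.get_web_acl_for_resource(ResourceArn=arn)
        current = (resp.get("WebACL") or {}).get("ARN")
        results[arn] = "associated" if current == new_acl_arn else "mismatch"
    return results


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above work with stub clients

    # Placeholders from the command line: Region, Classic web ACL ID, new web ACL ARN.
    region, acl_id, acl_arn = sys.argv[1:4]
    out = cutover(boto3.client("waf-regional", region_name=region),
                  boto3.client("wafv2", region_name=region),
                  acl_id, acl_arn, dry_run="--apply" not in sys.argv)
    for arn, status in out.items():
        print(status, arn)
```

Without `--apply` the script only lists the resources it would move. Investigate any resource reported as mismatch before you rely on the new web ACL to inspect its traffic.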
Related information
Migrating your rules from AWS WAF Classic to the new AWS WAF