Pricing for WAF - blocking requests

I have a website, served by CloudFront.

99% of the requests to the website are to 404-error images that I no longer host (they were logos for television channels, and some naughty pirate set-top boxes found the logos were just the right size for their services). I have no control over those linking to my website. I return a heavily-cached 404 error page. But there are a lot of them. Yesterday, for example, the top 50 requested objects were requested 36.4 million times. Even serving less than 1KB in response, that means I saw 25.6 GB of data in a week from all these 404 errors.

WAF says that "Amazon CloudFront no longer charges for requests blocked by AWS WAF" but then goes on to say that "AWS WAF will continue billing for evaluating and blocking these requests."

The CloudFront price for requests is $0.60 per million requests. That's the same price for requests using AWS WAF. Do I understand it right that if I blocked these by using WAF, I would save the bandwidth portion of the CloudFront charges for these requests?

Is this the cheapest way to handle all this traffic?

1 Answer

Yes, you're correct in your understanding. As of October 25, 2024, CloudFront no longer charges for requests that are blocked by AWS WAF - this means you would save on both the CloudFront request fees and data transfer charges for those blocked requests. However, AWS WAF will still charge you for evaluating and blocking these requests.

For your specific case with millions of 404 requests, using AWS WAF could be cost-effective. The WAF pricing includes:

  • $5.00 per month for each web ACL (for CloudFront distributions)
  • $1.00 per month for each rule you add
  • $0.80 per million requests processed

You could create a rate-based rule in AWS WAF to block these excessive 404 requests. For example, you could set up a rule that specifically targets requests for those missing TV channel logos and blocks them.

For high-volume workloads like yours, you might also want to consider AWS Shield Advanced, which can be more cost-effective as it includes AWS WAF at no additional charge - you would only pay for Shield Advanced itself. This approach can optimize costs for request-heavy workloads.

Another cost-saving strategy would be to use scope-down statements in your WAF rules to limit what gets analyzed, focusing only on the problematic request patterns.

Given the volume of requests you're dealing with (36.4 million in a day), implementing WAF to block these requests would likely be more cost-effective than continuing to serve 404 responses through CloudFront, as you would eliminate the data transfer costs associated with those responses.

Sources

  • Pricing - AWS WAF - Amazon Web Services (AWS)
  • Amazon CloudFront no longer charges for requests blocked by AWS WAF - AWS
  • Cost considerations - Guidelines for Implementing AWS WAF
  • Block IP address after rate-limit reached of requests responding with a 4xx | AWS re:Post

answered 8 months ago
EXPERT
reviewed 8 months ago
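
The rate-based rule with a scope-down statement that the answer describes could look like the following AWS WAF (WAFv2) rule JSON; this is an added example, not part of the original question or answer. The rule name, metric name, the `/example-logos/` path prefix and the limit of 100 requests per IP are assumptions chosen for illustration, so substitute the path your missing logos were actually served from.

```json
{
  "Name": "example-rate-limit-missing-logos",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 100,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "SearchString": "/example-logos/",
          "FieldToMatch": { "UriPath": {} },
          "TextTransformations": [
            { "Priority": 0, "Type": "NONE" }
          ],
          "PositionalConstraint": "STARTS_WITH"
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "example-rate-limit-missing-logos"
  }
}
```

A rate-based rule only blocks clients once they exceed the limit, and only requests matching the scope-down statement are counted. To block every request for the path regardless of rate, use the `ByteMatchStatement` on its own as the rule's `Statement`.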
