Should I attach WAF to ALB or to API Gateway

Question

I'm looking to implement the architecture described here : https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/.

Diagram showing an architecture that consists of Global Accelerator to Application Load Balancer to VPC Endpoint Interfaces to API Gateway

I'm wondering where the best place to attach a WAF - to the ALB or to the the API Gateway?

![Diagram showing an architecture that consists of Global Accelerator to Application Load Balancer to VPC Endpoint Interfaces to API Gateway](/media/postImages/original/IM4j5O5L9nTeSQ7jWtkb0DFA)

I'm wondering where the best place to attach a WAF - to the ALB or to the the API Gateway?

Accepted Answer

Hi,

The AWS WAF should be your first line of defense to protect web applications and APIs from attacks that  could affect their availability and performance, compromise security, or consume excessive resources.

Therefore, I will attach it to the ALB.

Should I attach WAF to ALB or to API Gateway

相关内容