How to Configure AWS WAF with Application Load Balancer
Learn how to protect your AWS applications by attaching AWS WAF to an Application Load Balancer with managed rule groups.
AWS WAF integrates natively with Application Load Balancer (ALB) to protect your web applications from common exploits and attacks.
This guide covers creating a Web ACL, attaching it to your ALB, and configuring managed rule groups for comprehensive protection.
Prerequisites
- An AWS account with appropriate IAM permissions
- An existing Application Load Balancer
- Basic familiarity with AWS Console
Step-by-Step Guide
Navigate to AWS WAF Console
Open the AWS Console and navigate to WAF & Shield:
- Sign into the AWS Console
- Search for "WAF" in the services search bar
- Select "AWS WAF" from the results
Create a Web ACL
Create a new Web ACL to contain your firewall rules:
- Click "Create web ACL"
- Enter a name (e.g., "production-web-acl")
- Select "Regional resources (ALB, API Gateway)" for resource type
- Select your region
- Click "Next"
Add AWS Managed Rules
Add managed rule groups for immediate protection:
- Click "Add rules" > "Add managed rule groups"
- Expand "AWS managed rule groups"
- Enable "Core rule set" (general protection against common web exploits, including those in the OWASP Top 10)
- Enable "Known bad inputs" (blocks requests with known malicious patterns)
- Enable "SQL database" if your app uses SQL
- Click "Add rules"
Configure Default Action
Set what happens to requests that don't match any rules:
- For "Default web ACL action for requests that don't match any rules", select "Allow"
- This means only explicitly blocked traffic is denied
- Click "Next"
Set Rule Priority
Rules are evaluated in priority order, top to bottom, and evaluation stops at the first rule whose action is Allow or Block (rules in Count mode do not stop evaluation):
- Drag rules to set priority (the rule at the top has the lowest priority number and is evaluated first)
- Generally, put block rules before allow rules
- Click "Next"
Associate ALB Resources
Attach the Web ACL to your Application Load Balancer:
- Click "Add AWS resources"
- Select "Application Load Balancer"
- Check the box next to your ALB
- Click "Add"
- Click "Next" and then "Create web ACL"
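The console steps above map onto a single CreateWebACL request. The following script is an added example (not part of the original guide and not AWS's code): it builds the same Web ACL definition, writes it as the JSON input for `aws wafv2 create-web-acl --cli-input-json`, and sanity-checks rule priorities and capacity before anything is sent to AWS. It goes a little beyond the console steps by also showing the Count override used in the troubleshooting section and the rate-based rule suggested under next steps. The managed rule group identifiers are AWS's published names; the WCU figures, the 1500 WCU default limit and the placeholder ARNs are assumptions to verify against your own account.

```python
import json

# Console label -> (AWS managed rule group identifier, web ACL capacity units).
# Identifiers are AWS's published names; the WCU figures and the default
# capacity quota are assumptions taken from AWS documentation - verify them
# against the console before relying on the capacity estimate.
MANAGED_GROUPS = {
    "Core rule set": ("AWSManagedRulesCommonRuleSet", 700),
    "Known bad inputs": ("AWSManagedRulesKnownBadInputsRuleSet", 200),
    "SQL database": ("AWSManagedRulesSQLiRuleSet", 200),
}
WCU_BY_GROUP = {group: wcu for group, wcu in MANAGED_GROUPS.values()}
DEFAULT_WCU_LIMIT = 1500  # default per-web-ACL capacity quota (assumption)
RATE_BASED_WCU = 2        # capacity consumed by one rate-based statement


def visibility(metric_name):
    """CloudWatch metrics plus sampled requests, as the console enables by default."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule(label, priority, count_mode=False):
    """Rule entry wrapping one AWS managed rule group.

    count_mode=True overrides the group's actions to Count: matches are logged
    and counted but not blocked, the setting used while investigating a rule
    that blocks legitimate traffic.
    """
    group, _ = MANAGED_GROUPS[label]
    name = f"AWS-{group}"
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
        "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
        "VisibilityConfig": visibility(name),
    }


def rate_limit_rule(priority, limit):
    """Rate-based rule: block a client IP that exceeds `limit` requests in
    WAF's 5-minute evaluation window."""
    return {
        "Name": "rate-limit-per-ip",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("rate-limit-per-ip"),
    }


def build_web_acl(name, labels, count_mode=(), rate_limit=None):
    """Assemble the CreateWebACL input: REGIONAL scope (ALB), default Allow,
    managed groups in list order (priority 0 is evaluated first)."""
    rules = [managed_rule(lbl, i, lbl in count_mode) for i, lbl in enumerate(labels)]
    if rate_limit is not None:
        rules.append(rate_limit_rule(len(rules), rate_limit))
    return {
        "Name": name,
        "Scope": "REGIONAL",             # must be created in the ALB's region
        "DefaultAction": {"Allow": {}},  # only explicitly blocked traffic is denied
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def estimated_wcu(acl):
    """Sum the capacity the rules consume, using the figures above."""
    total = 0
    for rule in acl["Rules"]:
        stmt = rule["Statement"]
        if "ManagedRuleGroupStatement" in stmt:
            total += WCU_BY_GROUP.get(stmt["ManagedRuleGroupStatement"]["Name"], 0)
        elif "RateBasedStatement" in stmt:
            total += RATE_BASED_WCU
    return total


def validate(acl, wcu_limit=DEFAULT_WCU_LIMIT):
    """Return a list of problems; an empty list means the definition is sane."""
    problems = []
    priorities = [rule["Priority"] for rule in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("rule priorities must be unique")
    wcu = estimated_wcu(acl)
    if wcu > wcu_limit:
        problems.append(f"estimated {wcu} WCU exceeds the {wcu_limit} WCU limit")
    return problems


def log_destination_name(acl_name):
    """WAF only accepts logging destinations (CloudWatch log group, S3 bucket,
    Kinesis stream) whose name starts with the aws-waf-logs- prefix."""
    return f"aws-waf-logs-{acl_name}"


if __name__ == "__main__":
    acl = build_web_acl("production-web-acl",
                        ["Core rule set", "Known bad inputs", "SQL database"],
                        rate_limit=2000)
    assert not validate(acl), validate(acl)
    with open("web-acl.json", "w") as fh:
        json.dump(acl, fh, indent=2)
    # Then, with placeholder ARNs:
    #   aws wafv2 create-web-acl --region <REGION> --cli-input-json file://web-acl.json
    #   aws wafv2 associate-web-acl --web-acl-arn <WEB_ACL_ARN> --resource-arn <ALB_ARN>
    print(estimated_wcu(acl), "WCU;", "log group:", log_destination_name(acl["Name"]))
```

Passing `count_mode={"SQL database"}` to `build_web_acl` produces the Count override for that one group while the others keep blocking, which is the same change the console makes when you switch a rule to Count during troubleshooting.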
Enable Logging (Recommended)
Enable logging to monitor blocked requests:
- Select your Web ACL
- Go to the "Logging and metrics" tab
- Click "Enable logging"
- Choose a destination (CloudWatch Logs, S3, or Kinesis)
- Click "Save"
# Example CloudWatch Logs group name (the aws-waf-logs- prefix is required on WAF logging destinations)
aws-waf-logs-production-web-acl
Conclusion & Next Steps
Your ALB is now protected by AWS WAF with managed rule groups. The WAF will inspect all incoming HTTP/HTTPS traffic and block known attack patterns.
Next steps:
- Monitor the WAF dashboard for blocked requests
- Set up CloudWatch alarms for high block rates
- Consider adding rate-based rules to mitigate HTTP floods and other application-layer DoS traffic
- Review and tune rules based on your application's needs
Troubleshooting
Legitimate traffic being blocked
Check CloudWatch Logs or S3 logs to identify the rule causing blocks: the terminatingRuleId field names the rule, and for a managed rule group the ruleGroupList entry shows which rule inside the group fired. You can set specific rules to "Count" mode instead of "Block" while you investigate; counted matches are logged but not blocked.
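The following script is an added example (not part of the original guide) of doing that triage offline: it reads WAF log records as newline-delimited JSON, the form in which they land in CloudWatch Logs or S3, and reports which rule and which sub-rule is blocking, which clients are hit most, and what rules already switched to Count mode would have blocked. The sample records are constructed for this example and carry only the fields the script reads (action, terminatingRuleId, terminatingRuleType, ruleGroupList, httpRequest); the client addresses are documentation ranges, not real traffic.

```python
import json
from collections import Counter

# Constructed sample log (not real traffic): one WAF record per line, trimmed
# to the fields this script reads. Two Common rule set blocks and one SQLi
# block, one plain allow, and one allow where the SQLi group runs in Count mode.
SAMPLE_LOG = r"""
{"timestamp":1700000000000,"terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"NoUserAgent_HEADER","action":"BLOCK"},"nonTerminatingMatchingRules":[]}],"httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/api/health","httpMethod":"GET"}}
{"timestamp":1700000001000,"terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"SizeRestrictions_BODY","action":"BLOCK"},"nonTerminatingMatchingRules":[]}],"httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/upload","httpMethod":"POST"}}
{"timestamp":1700000002000,"terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[]},{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":{"ruleId":"SQLi_QUERYARGUMENTS","action":"BLOCK"},"nonTerminatingMatchingRules":[]}],"httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/search","httpMethod":"GET"}}
{"timestamp":1700000003000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"httpRequest":{"clientIp":"192.0.2.20","country":"US","uri":"/","httpMethod":"GET"}}
{"timestamp":1700000004000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SQLi_BODY","action":"COUNT"}]}],"httpRequest":{"clientIp":"203.0.113.5","country":"FR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1700000005000,"terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"NoUserAgent_HEADER","action":"BLOCK"},"nonTerminatingMatchingRules":[]}],"httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/api/health","httpMethod":"GET"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocking_rule(record):
    """Return (web ACL rule name, rule inside the managed group) for a block.

    terminatingRuleId is the rule's name in the web ACL; for a managed rule
    group the specific rule that fired is in ruleGroupList[].terminatingRule,
    and groups that were evaluated without terminating carry null there.
    """
    sub_rule = None
    for group in record.get("ruleGroupList", []):
        terminating = group.get("terminatingRule")
        if terminating:
            sub_rule = terminating["ruleId"]
            break
    return record["terminatingRuleId"], sub_rule


def blocks_by_rule(records):
    """How many requests each (rule, sub-rule) pair blocked."""
    return Counter(blocking_rule(r) for r in records if r["action"] == "BLOCK")


def counted_matches(records):
    """Matches from rules running in Count mode: what would have been blocked."""
    hits = Counter()
    for record in records:
        for group in record.get("ruleGroupList", []):
            for match in group.get("nonTerminatingMatchingRules", []):
                if match["action"] == "COUNT":
                    hits[(group["ruleGroupId"], match["ruleId"])] += 1
    return hits


def top_blocked_clients(records, n=5):
    """Client IPs with the most blocked requests, most frequent first."""
    ips = Counter(r["httpRequest"]["clientIp"] for r in records if r["action"] == "BLOCK")
    return ips.most_common(n)


def report(records):
    """Print the triage summary a WAF operator wants during a false-positive hunt."""
    print("blocks by rule:")
    for (rule, sub_rule), count in blocks_by_rule(records).most_common():
        print(f"  {count:4d}  {rule}  ({sub_rule or 'n/a'})")
    print("count-mode matches (would block):")
    for (group, sub_rule), count in counted_matches(records).most_common():
        print(f"  {count:4d}  {group}  ({sub_rule})")
    print("most-blocked clients:", top_blocked_clients(records))


if __name__ == "__main__":
    report(parse_records(SAMPLE_LOG))
```

Run it against an exported log file by replacing `SAMPLE_LOG` with the file's contents; the (rule, sub-rule) pairs with the highest block counts on legitimate paths are the candidates to switch to Count mode, and the count-mode section tells you what a rule you have already switched would be blocking if re-enabled.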
Can't find my ALB when associating
Make sure you're in the same AWS region as your ALB. Web ACLs are regional resources.
High costs after enabling WAF
Review the number of rules and request volume, since both are billed. Consider consolidating rules into fewer rule groups, and check how much of your web ACL capacity (WCUs) each rule consumes so that capacity is not wasted on rules you do not need.
Frequently Asked Questions
What's the difference between Web ACL and rule groups?
A Web ACL is a container that holds rules and rule groups. Rule groups are reusable collections of rules that you can add to multiple Web ACLs. AWS managed rule groups are pre-configured by AWS and updated automatically.
How much does AWS WAF cost?
AWS WAF charges based on Web ACLs ($5/month each), rules ($1/month each), and requests ($0.60 per million). Managed rule groups may have additional costs. Monitor your usage with AWS Cost Explorer.