Best WAF for Serverless
Protect your serverless applications on AWS Lambda, Google Cloud Functions, and Azure Functions. Compare cloud-native WAFs, edge protection, and API security platforms for serverless architectures.
Serverless architectures present unique WAF challenges. There's no traditional server to install a WAF on, traffic patterns are highly variable, and applications are often composed of dozens of functions behind API gateways. Traditional WAF deployment models don't map cleanly to serverless.
The good news is that serverless platforms are typically fronted by managed services—API Gateway, Cloud Endpoints, Azure API Management—that integrate with cloud-native WAFs. Combined with edge WAFs like Cloudflare or Fastly, you can build comprehensive protection without managing any WAF infrastructure.
This guide compares WAF solutions that work with serverless architectures across AWS Lambda, Google Cloud Functions, Azure Functions, and edge compute platforms.
Top WAF Providers for Serverless
AWS Web Application Firewall
Best for Lambda
AWS WAF is the natural choice for Lambda-based serverless applications. It integrates natively with API Gateway, CloudFront, AppSync, and App Runner—the services that front most Lambda functions. Managed rule groups cover OWASP Top 10, bot protection, and account fraud prevention, all with pay-per-request pricing that matches serverless economics.
Key Benefits:
- Native API Gateway and CloudFront integration
- Pay-per-request pricing matches serverless costs
- Managed rule groups for common threats
- Bot Control and Fraud Prevention add-ons
Cloudflare Web Application Firewall
Multi-Cloud Edge
Cloudflare provides edge WAF protection for any serverless backend regardless of cloud provider. The free tier includes basic WAF and DDoS protection. For serverless applications exposed via custom domains, Cloudflare is the easiest way to add WAF protection with zero infrastructure management.
Key Benefits:
- Works with any serverless provider
- Free tier with WAF and DDoS
- Zero infrastructure to manage
- Global edge network for performance
Google Cloud Armor
Best for GCP Serverless
Google Cloud Armor protects Cloud Functions and Cloud Run when exposed via a global external Application Load Balancer. Adaptive Protection provides ML-based DDoS defense, and preconfigured WAF rules cover the OWASP Top 10. Native GCP integration means no external routing needed.
Key Benefits:
- Protects Cloud Functions and Cloud Run
- ML-powered Adaptive Protection
- Native GCP load balancer integration
- Preconfigured OWASP rules
Fastly Next-Gen WAF (Signal Sciences)
Edge Compute
Fastly Next-Gen WAF protects serverless applications at the edge with SmartParse technology that reduces false positives by over 90%. Its edge compute platform (Compute@Edge) can also run custom security logic alongside your serverless application, blurring the line between WAF and application security.
Key Benefits:
- SmartParse for low false positives
- Edge compute for custom security logic
- Real-time attack visibility
- Serverless-native deployment
What to Look For in a WAF for Serverless
Key factors for serverless WAF selection:
- API Gateway Integration - Most serverless functions sit behind an API gateway. Your WAF must integrate with API Gateway (AWS), Cloud Endpoints (GCP), or API Management (Azure) without adding architectural complexity.
- Pay-Per-Request Pricing - Serverless billing is usage-based. Your WAF pricing should match—avoid fixed monthly costs for WAFs protecting low-traffic serverless functions.
- API-Specific Protection - Serverless applications are predominantly API-driven. Look for JSON/GraphQL inspection, schema validation, and API-aware rules beyond generic WAF protection.
- Cold Start Compatibility - Serverless functions have cold starts. Ensure your WAF doesn't add significant latency on top of cold start delays.
- Multi-Function Coverage - Serverless applications often consist of many functions. Your WAF should protect all functions behind a single policy without per-function configuration.
- Rate Limiting - Protect against function invocation abuse. Rate limiting at the WAF level prevents runaway costs from malicious traffic hitting your serverless functions.
Serverless Considerations
Serverless-specific WAF considerations:
- No Server to Install On - Traditional WAF modules (ModSecurity, NGINX App Protect) require a server. Serverless WAF protection must happen at the edge, API gateway, or as a managed service.
- Cost Amplification - Without WAF protection, malicious traffic still invokes your functions and incurs costs. A WAF at the API gateway or edge level blocks bad traffic before it reaches your functions.
- Event Sources - WAFs protect HTTP-triggered functions. For event-driven functions (SQS, EventBridge, Pub/Sub), input validation must happen within the function code.
- Function URLs - AWS Lambda Function URLs and similar direct invocation endpoints bypass API Gateway and its WAF. Ensure all public traffic routes through your WAF-protected gateway.
- Edge Functions - Platforms like Cloudflare Workers, Fastly Compute, and Lambda@Edge run at the CDN edge. These can act as lightweight WAFs themselves or be protected by the platform's native WAF.
Frequently Asked Questions
Can I use ModSecurity with serverless?
Not directly—ModSecurity requires a web server to run on, which serverless architectures don't have. However, you can place an NGINX reverse proxy with ModSecurity in front of your API Gateway, though this partially defeats the purpose of serverless. Cloud-native WAFs (AWS WAF, Cloud Armor) or edge WAFs (Cloudflare) are better fits for serverless.
How do I protect AWS Lambda functions with a WAF?
Route Lambda traffic through API Gateway or CloudFront, then attach AWS WAF to the API Gateway stage or CloudFront distribution. Avoid exposing Lambda via Function URLs without WAF protection, as these bypass API Gateway entirely.
Will a WAF add latency to my serverless functions?
Cloud-native WAFs like AWS WAF add minimal latency (typically under 2ms) when integrated with API Gateway or CloudFront. Edge WAFs like Cloudflare may actually reduce latency through CDN caching. The latency overhead is negligible compared to typical cold start times.
How do I prevent cost overruns from attacks on serverless?
Deploy a WAF at the API Gateway or edge level to block malicious traffic before it invokes your functions. Additionally, set concurrency limits on your Lambda functions, use API Gateway throttling, and set up billing alerts. A WAF is your first line of defense against serverless cost attacks.
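As an added example (not from the original page), this Terraform configuration expresses the setup described in the two FAQ answers above: an AWS WAF web ACL with a per-IP rate-based rule associated with an API Gateway REST stage, plus stage-level throttling as the second layer. The resource names `api` and `prod` and the numeric thresholds are assumptions; AWS WAF associates with REST API stages and CloudFront distributions, not with HTTP API stages or Lambda Function URLs.

```hcl
resource "aws_wafv2_web_acl" "serverless_api" {
  name  = "serverless-api-waf" # assumed name
  scope = "REGIONAL" # API Gateway stages are regional; CloudFront uses scope CLOUDFRONT
  default_action {
    allow {}
  }
  # Rate-based rule: blocks a source IP that exceeds the limit within the 5-minute
  # window, so an invocation flood is rejected before any Lambda is billed.
  # Managed rule groups are added as further rule blocks with override_action { none {} }.
  rule {
    name     = "per-ip-rate-limit"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 1000 # requests per 5 minutes from one IP (assumed threshold)
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "per-ip-rate-limit"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "serverless-api-waf"
    sampled_requests_enabled   = true
  }
}
# Attach the web ACL to the REST API stage that fronts the Lambda functions (assumed
# to exist as aws_api_gateway_stage.prod). WAF cannot attach to a Lambda Function URL,
# so all public traffic must enter through this stage.
resource "aws_wafv2_web_acl_association" "prod_stage" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.serverless_api.arn
}
# Second layer: stage-wide throttling caps what the WAF lets through.
resource "aws_api_gateway_method_settings" "prod_all_methods" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*" # every resource and method on the stage
  settings {
    throttling_rate_limit  = 100 # steady-state requests per second (assumed)
    throttling_burst_limit = 200
  }
}
```

Blocked requests appear in the web ACL's CloudWatch metrics, so a spike in the `per-ip-rate-limit` block count is the signal that an invocation flood was stopped before it reached Lambda.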