Waf Charm



AWS WAF Classic Explained: Part 1 Basic Structure

*This entry was originally written in Japanese some time ago and is based on AWS WAF Classic.

Table of Contents

  1. Introduction
  2. Basic structure of AWS WAF
  3. How to protect web application with AWS WAF
  4. Requests you can allow/block in AWS WAF
  5. How to block on AWS WAF
  6. Conclusion


In earlier blog posts we introduced specific AWS WAF settings and procedures, but advanced usage requires an understanding of how AWS WAF works. In this three-part series, we will cover topics ranging from the basic structure to ways of using Conditions and Filters to block requests on AWS WAF.

Basic structure of AWS WAF

First, let’s take a look at the big picture. AWS WAF’s structure is shown in the figure below.

Structure of AWS WAF


AWS WAF

  • Web Application Firewall provided by AWS
  • Protects the L7 (HTTP/HTTPS) application layer
  • Regulates access through Web ACLs
  • Protects against web-application-specific attacks like SQL injection and XSS

Web ACL

  • Applies rules through a web access control list
  • 10 rules can be attached to one Web ACL
  • A Web ACL can be attached to CloudFront, ALB, or API Gateway

Rule

  • Applies Conditions that indicate specific requirements
  • Up to 10 conditions can be applied to one rule

Condition

  • Defines the specific conditions of attacks you want to prevent
  • Conditions for SQL injection and XSS are provided by AWS
  • Conditions for application-specific attacks have to be defined separately

How to protect web application with AWS WAF

By following the AWS WAF Classic Explained posts, you will be able to carry out the five steps below in AWS WAF.

  1. Create a condition based on the purpose of access control
  2. Create a rule that includes the created condition
  3. Create a Web ACL to apply rules
  4. Apply rules to the created Web ACL
  5. Apply Web ACL to either CloudFront, ALB, or API Gateway

This post is an introduction to AWS WAF, so if you can picture the nested relationships of each element, you’ll be good to go.

Requests you can allow/block in AWS WAF

In AWS WAF, you can allow or block the types of requests explained below.
It is important to select the rules according to your website’s purposes because there is a limit to the number of rules you can apply to one Web ACL in AWS WAF.
For the limitations, refer to the official document: AWS WAF Classic quotas

  • The requester’s IP address matches a specific IP address or range of IP addresses
  • The requester’s IP address is from a certain country
  • A certain part of the request matches a string (regex is available)
  • The length of a specified part of the request exceeds the set limit
  • The request contains SQL injection or XSS
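The nested structure from the five steps above, together with three of the request checks just listed, as an added model that is not code from the original post and not the AWS API. It assumes WAF Classic's evaluation behaviour (all conditions in a rule must match, rules are tried in priority order, the default action applies when none match); the function names, rule names, request dict and documentation-range IP addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_RULES_PER_WEB_ACL = 10     # limit stated on this page
MAX_CONDITIONS_PER_RULE = 10   # limit stated on this page

# Conditions: each factory returns a predicate over one request (a dict).
def ip_match(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)
def string_match(part, needle):
    return lambda req: needle in req.get(part, "")
def size_over(part, limit):
    return lambda req: len(req.get(part, "")) > limit

@dataclass
class Rule:
    name: str
    conditions: list
    def __post_init__(self):
        # Model choice: an empty rule is rejected, since all([]) is True.
        if not 1 <= len(self.conditions) <= MAX_CONDITIONS_PER_RULE:
            raise ValueError(f"{self.name}: needs 1 to 10 conditions")
    def matches(self, req):
        # Every condition in the rule must match (logical AND).
        return all(cond(req) for cond in self.conditions)

@dataclass
class WebACL:
    default_action: str                         # "ALLOW" or "BLOCK"
    rules: list = field(default_factory=list)   # (rule, action), priority order
    def add_rule(self, rule, action):
        if len(self.rules) >= MAX_RULES_PER_WEB_ACL:
            raise ValueError("a Web ACL holds at most 10 rules")
        self.rules.append((rule, action))
    def evaluate(self, req):
        # The first matching rule decides; otherwise the default action applies.
        for rule, action in self.rules:
            if rule.matches(req):
                return action, rule.name
        return self.default_action, None

def build_sample_acl():
    # Constructed policy: the office range may reach /admin, nobody else may.
    acl = WebACL(default_action="ALLOW")
    office = ip_match(["203.0.113.0/24"])
    acl.add_rule(Rule("office-admin", [office, string_match("uri", "/admin")]), "ALLOW")
    acl.add_rule(Rule("admin-lockdown", [string_match("uri", "/admin")]), "BLOCK")
    acl.add_rule(Rule("oversized-query", [size_over("query", 1024)]), "BLOCK")
    return acl
```

Swapping the first two rules blocks the office range as well, which is why rule order matters as much as the conditions themselves when only 10 rules fit in one Web ACL.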

How to block on AWS WAF

For specific procedures to block requests, refer to the blog posts below.


We hope you can deepen your understanding of AWS WAF Classic.
In the next post, we will focus on Conditions and Filters, the core elements of blocking attacks, to explain AWS WAF’s structure.

Next post: AWS WAF Classic Explained: Part 2 Relationship between Conditions and Filters