[Project - Implementing AWS WAF]
AWS WAF
Cloud Security
AWS Shield
CloudFront
Route 53
Network Firewall
This architecture diagram shows a secure and resilient AWS web application design — specifically one that uses AWS WAF, Shield, CloudFront, Route 53, and Network Firewall to protect resources (like EC2 instances) inside a VPC from DDoS and web attacks.
Let’s break it down by layer:
🧱 1. Core Infrastructure (VPC and EC2)
- AWS East Region (VPC): Your application runs on an EC2 instance inside a VPC. The instance is protected by a Security Group, which acts as the first network-level filter (allowing only the required ports, e.g., 443/80).
- AWS Network Firewall: Controls traffic entering and leaving the VPC at the subnet level. Can inspect packets for malicious patterns before traffic reaches the EC2 instance.
- Internet Gateway: Connects your VPC to the internet so CloudFront (and users) can reach your EC2 backend.
🌐 2. Edge Protection (CloudFront + WAF + Shield + Route 53)
This section provides global edge security and DDoS protection.
- AWS Route 53: Acts as your DNS layer. Integrates with AWS Shield for DDoS detection and mitigation. Routes traffic from users and bad actors to CloudFront.
- AWS CloudFront: A global CDN that caches content and terminates SSL/TLS connections. Integrates with AWS WAF and Shield Advanced to mitigate attacks before traffic reaches your origin (EC2). Hides your origin’s IP to reduce the attack surface.
- AWS WAF: Protects against application-layer (Layer 7) attacks such as SQL injection, XSS, and malicious inputs. Uses AWS Managed Rule Groups such as:
  - AWSManagedRulesCommonRuleSet
  - AWSManagedRulesKnownBadInputsRuleSet
  - AWSManagedRulesAdminProtectionRuleSet
  - AWSManagedRulesWindowsRuleSet
  - AWSManagedRulesSQLiRuleSet
  - AWSManagedRulesAmazonIpReputationList
- AWS Shield: Provides DDoS protection at multiple layers:
  - Layer 3: UDP reflection attacks
  - Layer 4: SYN floods
  - Layer 6: TLS-based attacks
  - Layer 7: Application-layer floods
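As an added example (not part of the original project), here is a Terraform definition of the CloudFront-scoped WAFv2 web ACL that attaches the six managed rule groups listed above; the ACL name "edge-acl" and the `managed_rule_groups` local are assumptions chosen for this illustration.

```hcl
# Added example, not the project's own code; "edge-acl" is an assumed name.
locals {
  managed_rule_groups = [
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesAdminProtectionRuleSet",
    "AWSManagedRulesWindowsRuleSet",
    "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesAmazonIpReputationList",
  ]
}
# CLOUDFRONT-scoped web ACLs must be created through a us-east-1 provider.
resource "aws_wafv2_web_acl" "edge" {
  name  = "edge-acl"
  scope = "CLOUDFRONT"

  default_action {
    allow {} # managed rules block what they match; everything else reaches the origin
  }
  # One rule per managed group; list position becomes the evaluation priority.
  dynamic "rule" {
    for_each = { for i, n in local.managed_rule_groups : n => i + 1 }
    content {
      name     = rule.key
      priority = rule.value
      # none {} enforces the group's block actions; use count {} first to
      # watch for false positives in CloudWatch before enforcing.
      override_action {
        none {}
      }
      statement {
        managed_rule_group_statement {
          vendor_name = "AWS"
          name        = rule.key
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}
```

The ACL's ARN is then set as `web_acl_id` on the CloudFront distribution. The origin's Security Group should still admit only CloudFront, since the WAF inspects nothing that bypasses the edge.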
⚔️ 3. Combined Protection Workflow
- Users (or attackers) resolve your domain via Route 53.
- Requests hit CloudFront, where AWS Shield and WAF provide the first line of defense.
- Legitimate traffic is forwarded securely to the origin (EC2) through the Network Firewall and Internet Gateway.
- Security Groups enforce final per-instance access control.