
AWS WAF, Application Load Balancer and Security Groups — The Complete Guide to Securing AWS Workloads

AWS WAF combined with Application Load Balancer and Security Groups creates a multi-layered security architecture that protects cloud workloads from web exploits, DDoS attacks, and unauthorized access. This comprehensive guide covers architecture, configuration, and best practices.

By Anjali Singh. Published: March 12, 2026. 7 min read. Fact checked.

Amazon Web Services provides a powerful set of security and networking services that, when properly configured and integrated, create a comprehensive defense-in-depth architecture for cloud workloads. AWS WAF (Web Application Firewall), Application Load Balancer (ALB), and Security Groups form the three pillars of AWS network security, each operating at a different layer of the network stack to provide overlapping protection against a wide range of threats. Understanding how these services work individually and how they complement each other is essential for any organization running production workloads on AWS.

AWS WAF — Intelligent Web Application Protection

AWS WAF is a managed web application firewall that protects web applications and APIs from common web exploits and bots that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns such as SQL injection and cross-site scripting, and rules that filter out specific traffic patterns you define.

AWS WAF operates through Web ACLs (Access Control Lists) — collections of rules that define the traffic inspection and filtering logic for your application. Each Web ACL can contain up to 10,000 Web ACL capacity units (WCUs), allowing for sophisticated rule combinations. Rules can be organized into rule groups for reusability across multiple Web ACLs, and AWS Managed Rules provide pre-configured protection against common threats maintained by the AWS Threat Research Team.

The AWS Managed Rules library includes rule groups for the OWASP Top 10, known bad inputs (SQL injection, XSS, command injection), Amazon IP reputation lists (known malicious IP addresses), anonymous IP lists (Tor exit nodes, VPN providers, hosting providers), and application-specific rule groups for WordPress, PHP, POSIX operating systems, and Windows. These managed rules are updated automatically as new threats emerge, providing continuous protection without requiring manual rule maintenance.

AWS WAF's bot control capability uses machine learning to distinguish between legitimate bots (search engine crawlers, monitoring tools, partner integrations) and malicious bots (scrapers, credential stuffers, inventory hoarders). The Bot Control managed rule group assigns bot scores to requests and allows you to configure different responses based on the bot type and confidence level. Common bots can be allowed with monitoring, while malicious bots are blocked or challenged with CAPTCHA.
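The Web ACL described above (managed rule groups, a rate-based rule, capacity units, Count mode for a rule group that is still being evaluated) can be assembled and sanity-checked before it is ever created. The following is an added example, not code from the article or from AWS: the dictionaries follow the request shape of the boto3 `wafv2.create_web_acl` call, the WCU figures in `ASSUMED_WCU` and `RATE_RULE_WCU` are illustrative assumptions to be checked against the current AWS WAF documentation, and nothing is sent to AWS.

```python
"""Assemble and sanity-check an AWS WAF Web ACL definition.

Added example, not code from the article. The dictionaries follow the shape of
the boto3 ``wafv2.create_web_acl`` request (Rules, DefaultAction,
VisibilityConfig); the ACL is only built and validated locally.
"""

# ASSUMPTION: illustrative WCU costs for the managed rule groups named in the
# article; check the current AWS WAF documentation for the real figures.
ASSUMED_WCU = {
    "AWSManagedRulesAmazonIpReputationList": 25,
    "AWSManagedRulesAnonymousIpList": 50,
    "AWSManagedRulesCommonRuleSet": 700,
    "AWSManagedRulesKnownBadInputsRuleSet": 200,
    "AWSManagedRulesBotControlRuleSet": 50,
}
RATE_RULE_WCU = 2  # ASSUMPTION: rate-based rule without a scope-down statement


def visibility(metric_name):
    """Metrics and sampled requests, required on every rule and on the ACL."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule(name, priority, count_only=False):
    """Reference an AWS managed rule group.

    Rule-group references carry OverrideAction rather than Action; Count lets a
    new group be observed in the logs before it is allowed to block anything.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility(name),
    }


def rate_limit_rule(priority, limit=2000):
    """Block a source IP that sends more than `limit` requests in the 5-minute window."""
    return {
        "Name": "RateLimitPerIP",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("RateLimitPerIP"),
    }


def build_web_acl(name, bot_control_count_only=True):
    """Layered ACL: IP reputation lists first, then rate limit, core rules, bot control."""
    return {
        "Name": name,
        "Scope": "REGIONAL",  # ALB associations need a REGIONAL Web ACL
        "DefaultAction": {"Allow": {}},
        "Rules": [
            managed_rule("AWSManagedRulesAmazonIpReputationList", 0),
            managed_rule("AWSManagedRulesAnonymousIpList", 1),
            rate_limit_rule(2),
            managed_rule("AWSManagedRulesCommonRuleSet", 3),
            managed_rule("AWSManagedRulesKnownBadInputsRuleSet", 4),
            managed_rule("AWSManagedRulesBotControlRuleSet", 5,
                         count_only=bot_control_count_only),
        ],
        "VisibilityConfig": visibility(name),
    }


def rule_capacity(rule, wcu_table=ASSUMED_WCU):
    """Estimated WCU cost of one rule."""
    stmt = rule["Statement"]
    if "ManagedRuleGroupStatement" in stmt:
        return wcu_table[stmt["ManagedRuleGroupStatement"]["Name"]]
    if "RateBasedStatement" in stmt:
        return RATE_RULE_WCU
    raise ValueError(f"no capacity estimate for rule {rule['Name']}")


def validate_web_acl(acl, max_wcu):
    """Return a list of problems; an empty list means the ACL passes the checks."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("rule priorities must be unique")
    for r in acl["Rules"]:
        group_ref = ("ManagedRuleGroupStatement" in r["Statement"]
                     or "RuleGroupReferenceStatement" in r["Statement"])
        if group_ref and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: rule-group reference needs OverrideAction")
        if not group_ref and "Action" not in r:
            problems.append(f"{r['Name']}: rule needs an Action")
        if not r["VisibilityConfig"]["CloudWatchMetricsEnabled"]:
            problems.append(f"{r['Name']}: CloudWatch metrics disabled")
    total = sum(rule_capacity(r) for r in acl["Rules"])
    if total > max_wcu:
        problems.append(f"estimated capacity {total} WCU exceeds the limit of {max_wcu}")
    return problems
```

The two checks worth keeping in a deployment pipeline are the Action/OverrideAction distinction (the API rejects a rule-group reference that carries a plain Action) and the capacity sum against the account's Web ACL capacity limit, since a rule added late in a project is the usual way an ACL silently runs out of WCUs.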

Application Load Balancer — Layer 7 Traffic Management

AWS Application Load Balancer operates at Layer 7 of the OSI model, providing content-based routing, SSL/TLS termination, and advanced traffic management capabilities. Unlike Classic Load Balancers that operate at Layer 4, ALB can inspect the content of HTTP requests and route traffic based on URL paths, hostnames, HTTP headers, query parameters, and source IP addresses.

ALB's listener rules define how incoming requests are processed. Each rule consists of conditions and actions. Conditions can match on host headers (for virtual hosting), path patterns (for microservices routing), HTTP headers, HTTP methods, query strings, and source IP CIDR ranges. Actions can forward traffic to target groups, redirect to different URLs, return fixed responses, or authenticate users using Amazon Cognito or OIDC-compatible identity providers.

Target groups are the backend destinations for ALB traffic. A target group can contain EC2 instances, ECS containers, Lambda functions, or IP addresses. ALB performs health checks on targets and automatically routes traffic only to healthy targets. Health check configuration includes the protocol, path, port, healthy threshold, unhealthy threshold, timeout, and interval — giving you fine-grained control over how quickly the load balancer responds to backend failures.
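To make the listener-rule model concrete, here is an added example (not ALB code and not from the article) that evaluates a small rule set the way the load balancer does: rules are tried in ascending priority, every condition of a rule must match, the first matching rule's action wins, and the listener's default action applies when nothing matches. The rule set, target group names and IP ranges are constructed for the example; host and path patterns follow the ALB wildcard convention where `*` matches any run of characters and `?` exactly one.

```python
"""Evaluate ALB listener rules against a request.

Added example, not ALB code: a local model of listener-rule evaluation with
path-pattern, host-header, http-request-method, http-header and source-ip
conditions and forward / redirect / fixed-response actions.
"""
import ipaddress
import re


def _pattern_to_regex(pattern):
    """Translate an ALB-style wildcard pattern ('*', '?') into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")


def _match_condition(cond, request):
    field = cond["Field"]
    if field == "path-pattern":
        return any(_pattern_to_regex(p).match(request["path"]) for p in cond["Values"])
    if field == "host-header":
        return any(_pattern_to_regex(p).match(request["host"]) for p in cond["Values"])
    if field == "http-request-method":
        return request["method"] in cond["Values"]
    if field == "http-header":
        actual = request["headers"].get(cond["HttpHeaderName"].lower(), "")
        return any(_pattern_to_regex(p).match(actual) for p in cond["Values"])
    if field == "source-ip":
        ip = ipaddress.ip_address(request["source_ip"])
        return any(ip in ipaddress.ip_network(c) for c in cond["Values"])
    raise ValueError(f"unsupported condition field {field}")


def evaluate_listener(rules, default_action, request):
    """Return the action of the first matching rule, else the default action."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if all(_match_condition(c, request) for c in rule["Conditions"]):
            return rule["Action"]
    return default_action


# Constructed listener configuration; names and CIDRs are placeholders.
LISTENER_RULES = [
    {   # admin console only from the corporate range (203.0.113.0/24 is a documentation range)
        "Priority": 10,
        "Conditions": [{"Field": "path-pattern", "Values": ["/admin/*"]},
                       {"Field": "source-ip", "Values": ["203.0.113.0/24"]}],
        "Action": {"Type": "forward", "TargetGroupArn": "admin-tg"},
    },
    {   # everyone else asking for the admin path gets a fixed 403 at the load balancer
        "Priority": 20,
        "Conditions": [{"Field": "path-pattern", "Values": ["/admin/*"]}],
        "Action": {"Type": "fixed-response", "StatusCode": "403"},
    },
    {   # microservice routing by path, restricted to the methods the service supports
        "Priority": 30,
        "Conditions": [{"Field": "path-pattern", "Values": ["/api/*"]},
                       {"Field": "http-request-method", "Values": ["GET", "POST"]}],
        "Action": {"Type": "forward", "TargetGroupArn": "api-tg"},
    },
    {   # virtual hosting: a legacy hostname is redirected to the current one
        "Priority": 40,
        "Conditions": [{"Field": "host-header", "Values": ["old.example.com"]}],
        "Action": {"Type": "redirect", "Host": "www.example.com", "StatusCode": "HTTP_301"},
    },
]
DEFAULT_ACTION = {"Type": "forward", "TargetGroupArn": "web-tg"}


def route(path, host="www.example.com", method="GET", source_ip="198.51.100.7", headers=None):
    """Convenience wrapper: build a request and run it through the constructed listener."""
    request = {"path": path, "host": host, "method": method, "source_ip": source_ip,
               "headers": {k.lower(): v for k, v in (headers or {}).items()}}
    return evaluate_listener(LISTENER_RULES, DEFAULT_ACTION, request)
```

The ordering of the two `/admin/*` rules is the point of the example: the allow-from-range rule must carry the lower priority number, otherwise the fixed 403 at priority 20 would never be reached by the intended users, and a `DELETE /api/items` falls through to the default target group because the method condition on rule 30 does not match.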

ALB integrates natively with AWS WAF, allowing WAF Web ACLs to be associated directly with the load balancer. This integration means that WAF inspection happens before traffic reaches your application servers, blocking malicious requests at the load balancer layer. The integration also provides detailed logging of WAF decisions in ALB access logs, making it easy to correlate security events with application behavior.

Security Groups — Stateful Firewall at the Instance Level

Security Groups are virtual firewalls that control inbound and outbound traffic at the instance level. Unlike network ACLs that operate at the subnet level and are stateless, Security Groups are stateful — if you allow inbound traffic on a port, the corresponding outbound response traffic is automatically allowed, regardless of outbound rules. This stateful behavior simplifies rule management and reduces the risk of accidentally blocking legitimate response traffic.

Security Groups follow a default-deny model — all inbound traffic is denied by default, and you must explicitly allow the traffic you want to permit. Outbound traffic is allowed by default, though you can restrict it by adding outbound deny rules. Rules can reference IP CIDR ranges, individual IP addresses, or other Security Groups, allowing you to create dynamic rules that automatically update when instances are added to or removed from a referenced Security Group.

The best practice for Security Group architecture in a multi-tier application is to create separate Security Groups for each tier and reference them in rules rather than using IP addresses. The load balancer Security Group allows inbound traffic on ports 80 and 443 from the internet (0.0.0.0/0). The application tier Security Group allows inbound traffic only from the load balancer Security Group, not from the internet directly. The database tier Security Group allows inbound traffic only from the application tier Security Group. This chain of Security Group references creates a strict traffic flow that prevents any tier from being accessed directly from the internet.
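The tier chain just described is easy to draw and easy to break with one extra rule, so it is worth auditing mechanically. The following is an added example, not AWS code and not from the article: it takes data in the shape of an `ec2.describe_security_groups` response, checks that only the load balancer group accepts internet traffic (and only on 80 and 443), that the application tier accepts ingress solely from the load balancer group, and that the database tier accepts ingress solely from the application group. Because Security Group rules are allow rules, the audit also treats a `0.0.0.0/0` egress entry on the database tier as the default allow-all egress rule still being in place. The groups returned by `sample_groups()` are constructed sample data.

```python
"""Audit the lb -> app -> db Security Group chain.

Added example, not AWS code. The input has the shape of an
``ec2.describe_security_groups`` response (IpPermissions, IpPermissionsEgress,
IpRanges, UserIdGroupPairs); sample_groups() builds constructed data.
"""

INTERNET = "0.0.0.0/0"


def perm(proto="tcp", from_port=None, to_port=None, cidrs=(), groups=()):
    """One IpPermissions entry; protocol -1 (all traffic) carries no port fields."""
    entry = {"IpProtocol": proto,
             "IpRanges": [{"CidrIp": c} for c in cidrs],
             "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if proto != "-1":
        entry["FromPort"], entry["ToPort"] = from_port, to_port
    return entry


def sample_groups(db_exposed=False):
    """A correct chain; db_exposed=True adds the mistakes the audit should catch."""
    db_ingress = [perm(from_port=5432, to_port=5432, groups=["sg-app"])]
    db_egress = [perm(from_port=443, to_port=443, cidrs=["10.0.0.0/16"])]  # e.g. VPC endpoints only
    if db_exposed:
        db_ingress.append(perm(from_port=5432, to_port=5432, cidrs=[INTERNET]))
        db_egress = [perm(proto="-1", cidrs=[INTERNET])]  # default egress never narrowed
    return [
        {"GroupId": "sg-lb",
         "IpPermissions": [perm(from_port=80, to_port=80, cidrs=[INTERNET]),
                           perm(from_port=443, to_port=443, cidrs=[INTERNET])],
         "IpPermissionsEgress": [perm(proto="-1", cidrs=[INTERNET])]},
        {"GroupId": "sg-app",
         "IpPermissions": [perm(from_port=8080, to_port=8080, groups=["sg-lb"])],
         "IpPermissionsEgress": [perm(proto="-1", cidrs=[INTERNET])]},
        {"GroupId": "sg-db",
         "IpPermissions": db_ingress,
         "IpPermissionsEgress": db_egress},
    ]


def audit_tier_chain(groups, lb_sg, app_sg, db_sg, public_ports=(80, 443)):
    """Return findings as strings; an empty list means the chain is intact."""
    by_id = {g["GroupId"]: g for g in groups}
    # tier -> (label, groups allowed as ingress sources; None = internet-facing tier)
    tiers = {lb_sg: ("load balancer", None),
             app_sg: ("application", {lb_sg}),
             db_sg: ("database", {app_sg})}
    findings = []
    for gid, (label, allowed_groups) in tiers.items():
        for p in by_id[gid]["IpPermissions"]:
            lo, hi = p.get("FromPort"), p.get("ToPort")
            for rng in p["IpRanges"]:
                public_ok = (gid == lb_sg and rng["CidrIp"] == INTERNET
                             and lo == hi and lo in public_ports)
                if not public_ok:
                    findings.append(f"{label} tier {gid}: CIDR {rng['CidrIp']} "
                                    f"allowed inbound on {p['IpProtocol']} {lo}-{hi}")
            for pair in p["UserIdGroupPairs"]:
                if allowed_groups is None or pair["GroupId"] not in allowed_groups:
                    findings.append(f"{label} tier {gid}: inbound from {pair['GroupId']} "
                                    f"is outside the tier chain")
    # Security Group rules only allow; a 0.0.0.0/0 egress entry on the database
    # tier means the default allow-all egress rule was never replaced.
    for p in by_id[db_sg]["IpPermissionsEgress"]:
        if any(r["CidrIp"] == INTERNET for r in p["IpRanges"]):
            findings.append(f"database tier {db_sg}: egress to {INTERNET} still allowed")
    return findings
```

Run against real output, the same function works unchanged on the `SecurityGroups` list returned by `describe_security_groups`; the three group IDs are the only parameters that change.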

Integrating All Three Services — The Complete Architecture

The complete AWS security architecture integrates WAF, ALB, and Security Groups in a layered approach. Internet traffic first hits AWS WAF, which inspects requests against your Web ACL rules and blocks malicious traffic. Requests that pass WAF inspection are forwarded to the Application Load Balancer, which terminates SSL, applies routing rules, and distributes traffic to healthy backend instances. The backend instances are protected by Security Groups that only allow traffic from the ALB Security Group, preventing direct internet access.

AWS Shield Standard, which is included at no additional cost with all AWS accounts, provides automatic protection against common DDoS attacks at the network and transport layers. For applications requiring advanced DDoS protection, AWS Shield Advanced provides additional protections including application layer DDoS mitigation, real-time attack visibility, and access to the AWS DDoS Response Team (DRT) during active attacks.

Monitoring and Incident Response

AWS provides comprehensive monitoring for all three security services. AWS WAF logs can be sent to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose for analysis and long-term retention. ALB access logs capture detailed information about every request including the client IP, request time, target response time, and WAF decision. Security Group flow logs, captured through VPC Flow Logs, record information about IP traffic going to and from network interfaces in your VPC.

AWS Security Hub aggregates findings from WAF, GuardDuty, Inspector, and other security services into a unified security dashboard, providing a comprehensive view of your security posture. Automated response workflows using AWS Lambda and AWS Systems Manager can automatically remediate common security issues — blocking an IP address that is generating excessive WAF alerts, isolating an instance that GuardDuty has flagged as compromised, or rotating credentials that have been exposed.
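The first automated response listed above, blocking an IP address that generates excessive WAF alerts, needs a detection step before any IP set is touched. Here is an added example (not the article's or AWS's code) of that step: it reads records in the shape of AWS WAF log entries (`timestamp` in epoch milliseconds, `action`, `terminatingRuleId`, `httpRequest.clientIp` and `uri`), counts BLOCK decisions per client IP in fixed five-minute buckets, skips an assumed allowlist of trusted ranges so a misbehaving partner integration is investigated rather than auto-blocked, and emits the `Addresses` list an IP set update would take. The log lines, threshold and allowlist are constructed for the example; nothing is sent to AWS.

```python
"""Triage AWS WAF logs for source IPs generating excessive blocks.

Added example, not the article's or AWS's code. Records are constructed in the
shape of AWS WAF log entries; the result is the Addresses list a
``wafv2.update_ip_set`` call would take, but nothing is sent to AWS here.
"""
import ipaddress
import json
from collections import defaultdict

WINDOW_MS = 5 * 60 * 1000   # fixed 5-minute buckets
THRESHOLD = 3               # BLOCK decisions per bucket before an IP is proposed

# ASSUMPTION: ranges of monitoring partners that must never be auto-blocked.
ALLOWLIST = [ipaddress.ip_network("203.0.113.64/26")]

# Constructed sample using documentation ranges (203.0.113.0/24, 198.51.100.0/24).
BASE = 1_710_000_000_000  # aligned to a 5-minute boundary, so all offsets share one bucket


def _rec(offset_s, ip, action, rule, uri):
    return {"timestamp": BASE + offset_s * 1000, "action": action,
            "terminatingRuleId": rule, "httpRequest": {"clientIp": ip, "uri": uri}}


SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec(0,   "203.0.113.5",   "BLOCK", "AWSManagedRulesKnownBadInputsRuleSet", "/login"),
    _rec(12,  "203.0.113.5",   "BLOCK", "AWSManagedRulesCommonRuleSet",         "/search"),
    _rec(30,  "198.51.100.20", "ALLOW", "Default_Action",                       "/"),
    _rec(45,  "203.0.113.5",   "BLOCK", "AWSManagedRulesCommonRuleSet",         "/admin"),
    _rec(60,  "203.0.113.77",  "BLOCK", "AWSManagedRulesCommonRuleSet",         "/healthz"),
    _rec(61,  "203.0.113.77",  "BLOCK", "AWSManagedRulesCommonRuleSet",         "/healthz"),
    _rec(62,  "203.0.113.77",  "BLOCK", "AWSManagedRulesCommonRuleSet",         "/healthz"),
    _rec(90,  "203.0.113.5",   "BLOCK", "RateLimitPerIP",                       "/login"),
    _rec(100, "198.51.100.20", "COUNT", "AWSManagedRulesBotControlRuleSet",     "/"),
    _rec(110, "198.51.100.20", "BLOCK", "AWSManagedRulesKnownBadInputsRuleSet", "/"),
])


def find_offenders(log_text, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Map client IP -> {"count", "rules"} for IPs blocked >= threshold times in one bucket."""
    buckets = defaultdict(lambda: {"count": 0, "rules": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["action"] != "BLOCK":      # COUNT and ALLOW are not alerts
            continue
        ip = rec["httpRequest"]["clientIp"]
        key = (ip, rec["timestamp"] // WINDOW_MS)
        buckets[key]["count"] += 1
        buckets[key]["rules"].add(rec["terminatingRuleId"])
    offenders = {}
    for (ip, _), stats in buckets.items():
        if stats["count"] < threshold:
            continue
        if any(ipaddress.ip_address(ip) in net for net in allowlist):
            continue  # noisy but trusted source: hand to a human, do not auto-block
        prev = offenders.get(ip, {"count": 0, "rules": set()})
        offenders[ip] = {"count": max(prev["count"], stats["count"]),
                         "rules": prev["rules"] | stats["rules"]}
    return offenders


def ip_set_addresses(offenders):
    """CIDR strings for an IP set update: /32 for IPv4, /128 for IPv6."""
    out = []
    for ip in offenders:
        addr = ipaddress.ip_address(ip)
        out.append(f"{addr}/{32 if addr.version == 4 else 128}")
    return sorted(out)
```

In a Lambda-based workflow the output of `ip_set_addresses()` would be merged with the current IP set contents (an IP set update replaces the whole list, so the existing addresses must be read first) and the set referenced from a blocking rule in the Web ACL; keeping the `rules` per offender in the result makes the CloudWatch alarm or ticket that follows far easier to read.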

Cost Optimization

AWS WAF pricing is based on the number of Web ACLs, rules, and requests processed. A typical production deployment with 10 rules and 10 million requests per month costs approximately 25 dollars per month — a fraction of the cost of traditional hardware WAF appliances. ALB pricing is based on Load Balancer Capacity Units (LCUs), which measure the dimensions on which the ALB processes traffic. Security Groups are included at no additional cost with EC2 instances. The total cost of this three-tier security architecture for a medium-sized application is typically 50-150 dollars per month, providing enterprise-grade security at a fraction of the cost of on-premises alternatives.

Written by Anjali Singh

Anjali Singh is the Editor-in-Chief of TechNews Venture with 10+ years of experience in technology journalism. Post Graduate in Technology, she covers AI, cloud computing, cybersecurity, and emerging tech trends.


Last verified: March 12, 2026

Fact-checked by TechNews Venture editorial team
