

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Building basic DDoS resilient architectures with Shield Advanced

This page explains Distributed Denial of Service (DDoS) resiliency and introduces two example architectures.

DDoS resiliency is the ability of your application architecture to withstand DDoS attacks while continuing to serve legitimate end users. An application that is highly resilient can remain available during an attack with minimal impact on performance metrics such as errors or latency. This section shows some common example architectures and describes how to use the DDoS detection and mitigation capabilities that are provided by AWS and Shield Advanced to increase their DDoS resiliency. 

The example architectures in this section highlight the AWS services that provide the greatest DDoS resiliency benefits for your deployed applications. The benefits of the highlighted services include the following:
+ **Access to globally distributed network capacity** – The services Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 provide you with access to internet and DDoS mitigation capacity across the AWS global edge network. This is useful in mitigating larger volumetric attacks, which can reach terabits in scale. You can run your application in any AWS Region and use these services to protect availability and optimize performance for your legitimate users.
+ **Protection against web application layer DDoS attack vectors** – Web application layer DDoS attacks are best mitigated using a combination of application scale and a web application firewall (WAF). Shield Advanced uses web request inspection logs from AWS WAF to detect anomalies that can be mitigated either automatically or via engagement with the AWS Shield Response Team (SRT). Automatic mitigation is available through deployed AWS WAF rate-based rules and also through the Shield Advanced automatic application layer DDoS mitigation.

In addition to reviewing these examples, review and follow the applicable best practices at [AWS Best Practices for DDoS Resiliency](https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency).

**Topics**
+ [Example Shield Advanced DDoS resiliency architecture for common web applications](ddos-resiliency-example-web.md)
+ [Example Shield Advanced DDoS resiliency architecture for TCP and UDP applications](ddos-resiliency-example-tcp-udp.md)

# Example Shield Advanced DDoS resiliency architecture for common web applications

This page provides an example architecture for maximizing resiliency against DDoS attacks with AWS web applications. 

You can build a web application in any AWS Region and receive automatic DDoS protection from the detection and mitigation capabilities that AWS provides in the Region. 

This example is for architectures that route users to a web application using resources like Classic Load Balancers, Application Load Balancers, Network Load Balancers, AWS Marketplace solutions, or your own proxy layer. You can improve DDoS resiliency by inserting Amazon Route 53 hosted zones, Amazon CloudFront distributions, and AWS WAF web ACLs between these web application resources and your users. These insertions can obfuscate the application origin, serve requests closer to your end users, and detect and mitigate application layer request floods. Applications that serve static or dynamic content to your users with CloudFront and Route 53 are protected by an integrated, fully inline DDoS mitigation system that mitigates infrastructure layer attacks in real time.

With these architectural improvements in place, you can then protect your Route 53 hosted zones and your CloudFront distributions with Shield Advanced. When you protect CloudFront distributions, Shield Advanced prompts you to associate AWS WAF web ACLs and create rate-based rules for them, and gives you the option of enabling automatic application layer DDoS mitigation or proactive engagement. Proactive engagement and automatic application layer DDoS mitigation use Route 53 health checks that you associate with the resource. To learn more about these options, see [Resource protections in AWS Shield Advanced](ddos-resource-protections.md). 

The following reference diagram depicts this DDoS resilient architecture for a web application.

![The diagram shows a rectangle titled AWS cloud, with a group of users to its left. Inside the cloud rectangle are two other rectangles, side by side. The left rectangle is titled AWS Shield Advanced and the right rectangle is titled VPC. The left, AWS Shield Advanced rectangle contains three AWS icons, stacked vertically. From top to bottom, the icons are Amazon Route 53, Amazon CloudFront, and AWS WAF. The icon for CloudFront has arrows that go to and from the icon for AWS WAF. The user group has an arrow coming out horizontally to its right that splits to point to the icons for Route 53 and CloudFront. To the right of the Shield Advanced rectangle, the VPC rectangle contains two icons that are side by side. From left to right, these icons are Elastic Load Balancing and Amazon Elastic Compute Cloud. The CloudFront icon has an arrow coming out horizontally to its right that goes to the Elastic Load Balancing icon. The Elastic Load Balancing icon has an arrow coming out horizontally to its right that goes to the Amazon EC2 icon. So user requests are sent to Route 53 and CloudFront. CloudFront interacts with AWS WAF and also sends requests on to the load balancer, which in turn sends requests on to Amazon EC2.](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-resilient-web-app-arch.png)


The benefits that this approach provides to your web application include the following:
+ Protection against frequently used infrastructure layer (layer 3 and layer 4) DDoS attacks, without detection delay. In addition, if a resource is frequently targeted, Shield Advanced places mitigations for longer periods of time. Shield Advanced also uses application context inferred from Network ACLs (NACLs) to block unwanted traffic further upstream. This isolates failures closer to their source, minimizing the effect on legitimate users. 
+ Protection against TCP SYN floods. The DDoS mitigation systems that are integrated with CloudFront, Route 53, and AWS Global Accelerator provide a TCP SYN proxy capability that challenges new connection attempts and only serves legitimate users.
+ Protection against DNS application layer attacks, because Route 53 is responsible for serving authoritative DNS responses. 
+ Protection against web application layer request floods. The rate-based rule that you configure in your AWS WAF web ACL blocks source IPs when they are sending more requests than the rule allows. 
+ Automatic application layer DDoS mitigation for your CloudFront distributions, if you choose to enable this option. With automatic DDoS mitigation, Shield Advanced maintains a rate-based rule in the distribution's associated AWS WAF web ACL that limits the volume of requests from known DDoS sources. Additionally, when Shield Advanced detects an event that affects the health of your application, it automatically creates, tests, and manages mitigating rules in the web ACL. 
+ Proactive engagement with the Shield Response Team (SRT), if you choose to enable this option. When Shield Advanced detects an event that affects the health of your application, the SRT responds and proactively engages with your security or operations teams using the contact information that you provide. The SRT analyzes patterns in your traffic and can update your AWS WAF rules to block the attack.
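To make the protection steps concrete, here is an added CloudFormation template (not from the AWS documentation) that wires up the pieces listed above for an existing CloudFront distribution and Route 53 hosted zone: a CLOUDFRONT-scope web ACL with a rate-based rule, a Route 53 health check, and Shield Advanced protections with automatic application layer mitigation enabled. It assumes an active Shield Advanced subscription, that the distribution references the web ACL ARN in its WebACLId, and placeholder parameter values for the distribution ID, hosted zone ID and hostname; the 2000-request limit and the /health path are constructed values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DistributionId: { Type: String }   # existing CloudFront distribution ID (placeholder)
  HostedZoneId: { Type: String }     # existing Route 53 public hosted zone ID (placeholder)
  AppHostname: { Type: String }      # hostname the health check probes, e.g. www.example.com
Resources:
  # Rate-based rule: per-source-IP request count over a trailing 5-minute window; an IP is
  # blocked while it exceeds the limit. Scope CLOUDFRONT requires the stack in us-east-1;
  # the distribution must reference this ACL's ARN in its WebACLId for the rule to apply.
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: web-app-acl
      Scope: CLOUDFRONT
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: web-app-acl }
      Rules:
        - Name: rate-limit-per-ip
          Priority: 0
          Statement:
            RateBasedStatement: { Limit: 2000, AggregateKeyType: IP }   # limit is a constructed value
          Action: { Block: {} }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rate-limit-per-ip }
  # Health check that Shield Advanced uses as the application health signal for
  # automatic application layer mitigation and proactive engagement.
  AppHealthCheck:
    Type: AWS::Route53::HealthCheck
    Properties:
      HealthCheckConfig:
        Type: HTTPS
        FullyQualifiedDomainName: !Ref AppHostname
        Port: 443
        ResourcePath: /health        # assumed health endpoint
        RequestInterval: 30
        FailureThreshold: 3
  DistributionProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: cloudfront-web-app
      ResourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${DistributionId}"
      HealthCheckArns:
        - !Sub "arn:aws:route53:::healthcheck/${AppHealthCheck}"
      ApplicationLayerAutomaticResponseConfiguration:   # automatic application layer DDoS mitigation
        Status: ENABLED
        Action: { Block: {} }
  HostedZoneProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: route53-hosted-zone
      ResourceArn: !Sub "arn:aws:route53:::hostedzone/${HostedZoneId}"
```

Proactive engagement is configured once per account (emergency contacts plus the health checks associated with each protection), so it is not repeated per resource here.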

# Example Shield Advanced DDoS resiliency architecture for TCP and UDP applications

This example shows a DDoS resilient architecture for TCP and UDP applications in an AWS Region that uses Amazon Elastic Compute Cloud (Amazon EC2) instances or Elastic IP (EIP) addresses. 

You can follow this general example to improve DDoS resiliency for the following application types: 
+ TCP or UDP applications. For example, applications used for gaming, IoT, and voice over IP.
+ Web applications that require static IP addresses or that use protocols that Amazon CloudFront doesn't support. For example, your application might require IP addresses that your users can add to their firewall allow lists, and that aren't used by any other AWS customers.

You can improve DDoS resiliency for these application types by introducing Amazon Route 53 and AWS Global Accelerator. These services can route users to your application and they can provide your application with static IP addresses that are anycast routed across the AWS global edge network. Global Accelerator standard accelerators can improve user latency by up to 60%. If you have a web application, you can detect and mitigate web application layer request floods by running the application on an Application Load Balancer, and then protecting the Application Load Balancer with an AWS WAF web ACL.

After you've built your application, protect your Route 53 hosted zones, Global Accelerator standard accelerators, and any Application Load Balancers with Shield Advanced. When you protect your Application Load Balancers, you can associate AWS WAF web ACLs and create rate-based rules for them. You can configure proactive engagement with the SRT for both your Global Accelerator standard accelerators and your Application Load Balancers by associating new or existing Route 53 health checks. To learn more about the options, see [Resource protections in AWS Shield Advanced](ddos-resource-protections.md). 

The following reference diagram depicts an example DDoS resilient architecture for TCP and UDP applications.

![The diagram shows users connected to Route 53 and to an AWS Global Accelerator. The accelerator is connected to an Elastic Load Balancing icon that's protected by AWS Shield Advanced and AWS WAF. The Elastic Load Balancing is itself connected to an Amazon EC2 instance. This Elastic Load Balancing instance and the Amazon EC2 instance are in Region 1. The AWS Global Accelerator is also directly connected to another Amazon EC2 instance, which isn't behind a protected Elastic Load Balancing instance. This second Amazon EC2 instance is in Region n.](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-resilient-tcp-udp-app-arch.png)


The benefits that this approach provides to your application include the following:
+ Protection against the largest known infrastructure layer (layer 3 and layer 4) DDoS attacks. If the volume of an attack causes congestion upstream from AWS, the failure will be isolated closer to its source and will have a minimized effect on your legitimate users.
+ Protection against DNS application layer attacks, because Route 53 is responsible for serving authoritative DNS responses. 
+ If you have a web application, this approach provides protection against web application layer request floods. The rate-based rule that you configure in your AWS WAF web ACL blocks source IPs while they are sending more requests than the rule allows. 
+ Proactive engagement with the Shield Response Team (SRT), if you choose to enable this option for eligible resources. When Shield Advanced detects an event that affects the health of your application, the SRT responds and proactively engages with your security or operations teams using the contact information that you provide. 
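An added CloudFormation template (not from the AWS documentation) for the accelerator-based layout above: a standard accelerator with a TCP listener forwarding to an existing Application Load Balancer, a Route 53 TCP health check on the accelerator's static IP, and Shield Advanced protections for both the accelerator and the load balancer. It assumes an active Shield Advanced subscription, placeholder parameters for the ALB ARN and its Region, and port 443 as the application port; the regional AWS WAF web ACL for the load balancer is not included.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn: { Type: String }      # existing Application Load Balancer ARN (placeholder)
  AlbRegion: { Type: String }   # Region that hosts the ALB, e.g. eu-west-1
Resources:
  # Standard accelerator: static anycast IPs announced from the AWS edge network, so
  # volumetric traffic is absorbed at the edge. Create Global Accelerator resources in us-west-2.
  Accelerator:
    Type: AWS::GlobalAccelerator::Accelerator
    Properties:
      Name: game-api-accelerator
      IpAddressType: IPV4
  TcpListener:
    Type: AWS::GlobalAccelerator::Listener
    Properties:
      AcceleratorArn: !Ref Accelerator
      Protocol: TCP
      PortRanges:
        - { FromPort: 443, ToPort: 443 }
  RegionEndpoints:
    Type: AWS::GlobalAccelerator::EndpointGroup
    Properties:
      ListenerArn: !Ref TcpListener
      EndpointGroupRegion: !Ref AlbRegion
      HealthCheckProtocol: TCP
      HealthCheckPort: 443
      EndpointConfigurations:
        - { EndpointId: !Ref AlbArn, Weight: 100 }
  # TCP health check on the accelerator's first static IP; Shield Advanced uses it as
  # the health signal for proactive engagement on the accelerator.
  AcceleratorHealthCheck:
    Type: AWS::Route53::HealthCheck
    Properties:
      HealthCheckConfig:
        Type: TCP
        IPAddress: !Select [0, !GetAtt Accelerator.Ipv4Addresses]
        Port: 443
        RequestInterval: 30
        FailureThreshold: 3
  AcceleratorProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: game-api-accelerator
      ResourceArn: !GetAtt Accelerator.AcceleratorArn
      HealthCheckArns:
        - !Sub "arn:aws:route53:::healthcheck/${AcceleratorHealthCheck}"
  AlbProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: game-api-alb
      ResourceArn: !Ref AlbArn
```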