When to Use AWS WAF vs AWS Shield vs Network Firewall

AWS offers three distinct network security services that protect different layers of your infrastructure: WAF filters application-layer HTTP(S) traffic, Shield defends against volumetric DDoS attacks at layers 3 and 4, and Network Firewall inspects VPC traffic for threats across all network layers. You need to understand which layer you’re protecting—and often you’ll use more than one—to build effective defense in depth.

Key Takeaways

  • AWS WAF operates at layer 7 (application) and inspects HTTP(S) requests for web exploits like SQL injection and XSS; attach it to CloudFront, ALB, or API Gateway
  • AWS Shield protects against layer 3 and 4 volumetric DDoS attacks (SYN floods, UDP reflection); Shield Standard is free and automatic, Shield Advanced adds DDoS response team support
  • AWS Network Firewall is a stateful layer 3–7 firewall for VPC traffic that inspects all protocols, not just HTTP—use it for east-west traffic and egress filtering
  • WAF and Shield work together: Shield absorbs the bandwidth flood, WAF blocks the malicious application-layer requests that slip through
  • Network Firewall and WAF serve different scopes: Network Firewall sits inside your VPC and sees all traffic flows; WAF sits in front of specific web services
  • You cannot replace one with another—they’re complementary, not alternatives

What Each Service Actually Does

AWS WAF: Application-Layer Web Filtering

AWS WAF inspects HTTP and HTTPS requests. It attaches to three AWS resources: CloudFront distributions, Application Load Balancers, and API Gateway APIs. Every request passes through a Web ACL—a set of rules that match on IP addresses, headers, URIs, query strings, or request bodies. When a rule matches, WAF allows, blocks, counts, or challenges the request.

WAF sees inside the HTTP payload. It can detect SQL injection patterns in a form submission, block cross-site scripting in a query parameter, or rate-limit clients hammering your login endpoint. It operates at layer 7—the application layer. It knows nothing about TCP handshakes or UDP packets. If the traffic isn’t HTTP or HTTPS, WAF won’t touch it.
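As an added example (not code from the original article or from AWS), here is the WAFv2 request structure for a Web ACL that combines an AWS-managed SQL injection rule group with a rate-based rule scoped to a login path, which is exactly the "rate-limit clients hammering your login endpoint" case above. The login path, the limit, the ACL and rule names are assumptions; `client` is a boto3 `wafv2` client the caller supplies.

```python
"""WAFv2 Web ACL request: managed SQLi rule group plus a rate-based rule that
only counts requests to the login path. Added example; names are assumed."""

LOGIN_PATH = b"/login"   # assumed login endpoint (SearchString is a Blob, so bytes)
LOGIN_LIMIT = 300        # max requests per client IP per 5-minute window (assumed)


def visibility(name: str) -> dict:
    """Metrics/sampling config every rule and the ACL itself must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}

def managed_sqli_rule(priority: int) -> dict:
    """AWS-managed SQL injection rule group; OverrideAction None keeps the
    group's own BLOCK actions (switch to Count first to tune on logs)."""
    return {"Name": "aws-managed-sqli", "Priority": priority,
            "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
            "VisibilityConfig": visibility("aws-managed-sqli")}

def login_rate_limit_rule(priority: int, limit: int = LOGIN_LIMIT) -> dict:
    """Count requests per source IP, but only those whose URI path starts with
    LOGIN_PATH (ScopeDownStatement); block the IP once it exceeds `limit`."""
    return {"Name": "rate-limit-login", "Priority": priority,
            "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {
                "Limit": limit, "AggregateKeyType": "IP",
                "ScopeDownStatement": {"ByteMatchStatement": {
                    "FieldToMatch": {"UriPath": {}},
                    "PositionalConstraint": "STARTS_WITH",
                    "SearchString": LOGIN_PATH,
                    "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}}},
            "VisibilityConfig": visibility("rate-limit-login")}

def web_acl_request(scope: str = "REGIONAL") -> dict:
    """kwargs for create_web_acl: REGIONAL for ALB/API Gateway, CLOUDFRONT
    (us-east-1 only) for a distribution. Lower priority number runs first."""
    return {"Name": "web-app-acl", "Scope": scope,
            "DefaultAction": {"Allow": {}},
            "Rules": [managed_sqli_rule(0), login_rate_limit_rule(1)],
            "VisibilityConfig": visibility("web-app-acl")}

def create_web_acl(client) -> str:
    """Create the ACL with a boto3 wafv2 client and return its ARN; attach it
    to the ALB or API afterwards with associate_web_acl."""
    return client.create_web_acl(**web_acl_request())["Summary"]["ARN"]
```

Requests to paths other than the login path are never counted by the rate-based rule, so a busy but legitimate API route cannot push a client over the login limit.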

AWS Shield: Volumetric DDoS Protection

AWS Shield protects against distributed denial-of-service attacks at the network and transport layers—layers 3 and 4. Think SYN floods, UDP amplification, DNS reflection. These attacks don’t care about your application logic. They just flood your infrastructure with packets until legitimate traffic can’t get through.

Shield Standard is enabled by default on CloudFront and Route 53 at no extra cost. It absorbs most common DDoS attacks automatically. You don’t configure it. You don’t see its rules. It just works in the background, scrubbing malicious traffic before it reaches your origin.

Shield Advanced costs $3,000 per month per organization and adds:

  • Protection for Elastic IPs, Application Load Balancers, Network Load Balancers, and Global Accelerator endpoints
  • 24/7 access to the AWS DDoS Response Team (DRT)
  • Advanced real-time metrics and attack diagnostics
  • Cost protection—AWS credits back charges incurred from scaling during a DDoS attack

Shield doesn’t inspect application payloads. It can’t tell the difference between a legitimate POST request and one carrying a SQL injection. It only cares about packet volume and transport-layer anomalies.

AWS Network Firewall: Stateful VPC Traffic Inspection

AWS Network Firewall is a managed stateful firewall for your VPC. It sits at the edge of your VPC or between subnets and inspects all traffic—inbound, outbound, and east-west. Unlike WAF, which only sees HTTP(S) attached to specific services, Network Firewall sees everything: SSH, RDP, database connections, custom protocols, DNS queries.

You define rule groups with allow/deny logic, domain filtering, intrusion prevention signatures (Suricata-compatible), and protocol-specific inspection. Network Firewall enforces these rules on every packet crossing the inspection boundary. It’s stateful, so it tracks connections and can block return traffic for sessions you never initiated.

Use Network Firewall when you need:

  • Centralized egress filtering—blocking outbound connections to known-bad domains or IPs
  • East-west traffic inspection between VPCs or between application tiers
  • IDS/IPS signatures for non-HTTP protocols
  • Fine-grained control over which internal services can talk to each other

Network Firewall does not attach to CloudFront or ALB. It lives in your VPC routing path: you steer traffic through it with route tables that point at its firewall endpoints.
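As an added example (not code from the original article or from AWS), this builds a Network Firewall stateful rule group for the egress use cases listed above, written as Suricata-compatible rules: drop SSH and RDP leaving the application tier, drop TLS sessions to a listed server name, and alert on every other new outbound session so it lands in the logs. The VPC range, the rule group name and the blocked server name are assumptions; `client` is a boto3 `network-firewall` client the caller supplies.

```python
"""Network Firewall stateful rule group for centralized egress control,
expressed as Suricata-compatible rules. Added example; values are assumed."""

APP_TIER_CIDRS = ["10.0.0.0/16"]          # assumed VPC range, becomes $HOME_NET
BLOCKED_SNI = ["malware-c2.example.net"]  # constructed placeholder, not a real indicator


def egress_rules(blocked_sni: list[str]) -> str:
    """Suricata rules: drop SSH/RDP leaving the app tier, drop TLS to listed
    server names, alert on any other new outbound TCP session for logging."""
    rules = [
        'drop tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"egress SSH from app tier"; '
        'flow:to_server; sid:1000001; rev:1;)',
        'drop tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"egress RDP from app tier"; '
        'flow:to_server; sid:1000002; rev:1;)',
    ]
    for sid, name in enumerate(blocked_sni, start=1000100):
        # tls.sni sticky buffer; startswith+endswith make it an exact host match
        rules.append(f'drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TLS to {name}"; '
                     f'tls.sni; content:"{name}"; startswith; endswith; nocase; '
                     f'flow:to_server; sid:{sid}; rev:1;)')
    rules.append('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"new egress session"; '
                 'flow:to_server; flags:S; sid:1000999; rev:1;)')
    return "\n".join(rules)


def rule_group_request(capacity: int = 100) -> dict:
    """kwargs for network-firewall create_rule_group. STRICT_ORDER evaluates
    rules top to bottom, so the drops above win over the trailing alert."""
    return {"RuleGroupName": "egress-control", "Type": "STATEFUL",
            "Capacity": capacity,
            "RuleGroup": {
                "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": APP_TIER_CIDRS}}},
                "RulesSource": {"RulesString": egress_rules(BLOCKED_SNI)},
                "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"}}}


def create_rule_group(client) -> str:
    """Create the group with a boto3 network-firewall client and return its ARN;
    reference it from a firewall policy and route subnets via the firewall endpoints."""
    resp = client.create_rule_group(**rule_group_request())
    return resp["RuleGroupResponse"]["RuleGroupArn"]
```

$EXTERNAL_NET is the service's built-in "not HOME_NET" variable, so the same rule group applies to every subnet whose route table sends traffic through the firewall endpoints.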

Layer-by-Layer Breakdown

Understanding which OSI layer each service protects clarifies when to use what.

  • Layer 7 (Application): AWS WAF. Inspects HTTP(S) requests, headers, bodies. Blocks web exploits, bot traffic, application-layer DDoS.
  • Layers 3–4 (Network & Transport): AWS Shield. Absorbs SYN floods, UDP reflection, volumetric attacks. No configuration required for Standard; Advanced adds DRT and cost protection.
  • Layers 3–7 (Full stack): AWS Network Firewall. Stateful inspection of all IP traffic in your VPC. Protocol-agnostic, works for SSH, databases, custom apps, and HTTP if needed.

Real-world scenario: An attacker launches a multi-vector attack. They flood your ALB with 50 Gbps of SYN packets (layer 4) and simultaneously send thousands of HTTP requests with SQL injection payloads (layer 7). Shield absorbs the SYN flood before it saturates your network. WAF inspects the HTTP requests that make it through and blocks the injection attempts. Neither service alone stops both attack vectors.

When to Use AWS WAF

Choose AWS WAF when you need to protect internet-facing web applications and APIs from application-layer threats.

  • You’re running a web app behind CloudFront, ALB, or API Gateway
  • You need to block SQL injection, cross-site scripting, or other OWASP Top 10 exploits
  • You want to rate-limit specific endpoints (login pages, API routes) to prevent brute-force or credential stuffing
  • You need bot detection and mitigation—distinguishing Googlebot from malicious scrapers
  • You want centralized logging of HTTP requests for security analytics and compliance

Do not use WAF for:

  • Non-HTTP traffic (SSH, RDP, DNS, database protocols)
  • Volumetric layer 3/4 DDoS defense—that’s Shield’s job
  • Filtering traffic between VPCs or internal subnets—that’s Network Firewall

When to Use AWS Shield

Use Shield Standard (automatic and free) for baseline DDoS protection on CloudFront and Route 53. You don’t opt in—it’s already running.

Upgrade to Shield Advanced when:

  • You need DDoS protection for Elastic IPs, ALBs, NLBs, or Global Accelerator (Standard only covers CloudFront and Route 53)
  • Your application is mission-critical and downtime from a DDoS attack costs more than $3,000/month
  • You want 24/7 access to the AWS DDoS Response Team to help mitigate sophisticated attacks
  • You need cost protection—AWS credits back scaling charges incurred during a verified DDoS event
  • You require advanced metrics, attack forensics, and integration with AWS Firewall Manager for centralized policy

Shield does not:

  • Inspect HTTP payloads or block application-layer attacks
  • Provide stateful firewall rules or egress filtering
  • Protect non-AWS resources (on-premises servers, other cloud providers)

Gotcha: Shield Advanced’s cost protection only applies if AWS confirms the traffic spike was a DDoS attack. Normal traffic surges from a product launch or viral content won’t trigger credits. Read the fine print.

When to Use AWS Network Firewall

Choose Network Firewall when you need to inspect and filter VPC traffic that WAF cannot see.

  • You want to control egress—blocking outbound connections to known-bad domains, cryptomining pools, or entire geographic regions
  • You need east-west filtering between application tiers, between VPCs, or across Transit Gateway attachments
  • You require IDS/IPS signatures for protocols other than HTTP (SSH brute-force detection, database exploit signatures)
  • You want centralized logging and inspection for all VPC traffic in one place, not just web traffic
  • You’re replacing third-party virtual firewall appliances (Palo Alto, Fortinet) with a managed AWS service

Do not use Network Firewall for:

  • Protecting CloudFront distributions—WAF is the right tool
  • Layer 3/4 DDoS mitigation—Shield handles that
  • Deep HTTP payload inspection and web exploit blocking—WAF’s managed rules do this better and more efficiently

Network Firewall charges per firewall endpoint per hour plus data processing fees. For high-throughput workloads, costs add up fast. Budget accordingly and use it where you genuinely need stateful inspection across all protocols.

How They Work Together

Defense in depth means layering these services, not choosing one.

Common architecture: Internet-facing web application

  1. Shield Standard (automatic): Absorbs volumetric DDoS at the CloudFront edge. Scrubs SYN floods, UDP reflection, DNS amplification.
  2. AWS WAF (attached to CloudFront): Inspects HTTP requests. Blocks SQL injection, XSS, malicious bots, and rate-limits abusive clients. Managed OWASP rules provide baseline protection.
  3. CloudFront → ALB → EC2/ECS: Legitimate traffic that passes WAF reaches your Application Load Balancer. Security groups limit which ports and IPs can connect.
  4. Network Firewall (optional, in VPC): Inspects outbound traffic from your application tier. Blocks connections to known-bad IPs, filters DNS queries, logs all egress flows.

Shield stops the flood. WAF stops the application-layer exploits. Network Firewall stops your compromised instance from phoning home to a command-and-control server.

Example: Multi-vector attack mitigation

An attacker sends 100 Gbps of spoofed UDP traffic to your CloudFront distribution (layer 3/4 attack) and simultaneously launches 50,000 HTTP requests per second with crafted payloads targeting a known vulnerability in your CMS (layer 7 attack).

  • Shield scrubs the UDP flood at the edge. CloudFront never sees it. Your origin bandwidth stays clean.
  • WAF inspects the HTTP flood. Managed OWASP rules detect the CMS exploit patterns. Rate-based rules throttle the source IPs. Legitimate users experience no impact.

Without both, you’re exposed. Shield alone lets the exploit through. WAF alone gets overwhelmed by the volumetric flood.

Decision Matrix

Use this table to quickly identify which service(s) you need.

| Your requirement | Use this | Not this |
|---|---|---|
| Block SQL injection in web forms | AWS WAF | Shield, Network Firewall |
| Absorb 50 Gbps SYN flood | Shield (Standard or Advanced) | WAF, Network Firewall |
| Filter outbound SSH from EC2 instances | Network Firewall | WAF, Shield |
| Rate-limit API login endpoint | AWS WAF | Shield, Network Firewall |
| Inspect east-west database traffic | Network Firewall | WAF, Shield |
| Detect and block bots scraping your site | AWS WAF (Bot Control) | Shield, Network Firewall |
| Protect against DNS amplification attack | Shield Standard (automatic) | WAF, Network Firewall |
| Block outbound connections to known-bad domains | Network Firewall | WAF, Shield |
| Get DDoS cost protection and DRT support | Shield Advanced | WAF, Network Firewall |

Cost Considerations

AWS WAF: Pay per Web ACL ($5/month), per rule ($1/month), and per million requests ($0.60). Managed rule groups have additional fees. Bot Control’s basic tier is free for the first 10 million requests per month. Logging to Kinesis or S3 adds data transfer and storage costs.

AWS Shield Standard: Free. Enabled automatically on CloudFront and Route 53.

AWS Shield Advanced: $3,000/month per organization, plus data transfer fees. Includes cost protection and DRT access. Expensive, but justifiable for mission-critical apps where downtime costs exceed the subscription fee.

AWS Network Firewall: Pay per firewall endpoint per hour (~$0.395/hour per AZ) plus data processing ($0.065 per GB). A multi-AZ deployment processing 10 TB/month costs roughly $1,000/month. High-throughput workloads (100+ TB) can run into thousands per month in data processing fees alone.

Start with Shield Standard (free) and WAF with managed rules (low cost, high value). Add Shield Advanced only if you’ve experienced costly DDoS incidents or run revenue-critical services. Deploy Network Firewall when security groups and NACLs are insufficient for your egress or east-west filtering requirements.

Common Mistakes

Assuming WAF protects against DDoS. WAF helps with application-layer DDoS (HTTP floods), but it won’t stop a 100 Gbps SYN flood. That’s Shield’s job. Use both.

Deploying Network Firewall for HTTP filtering. Network Firewall can inspect HTTP, but WAF does it better, faster, and cheaper. Use Network Firewall for non-HTTP protocols and VPC-level inspection. Use WAF for web traffic attached to CloudFront, ALB, or API Gateway.

Paying for Shield Advanced without using it. Shield Advanced requires you to associate protected resources and configure health checks. If you subscribe but never associate your ALB or Elastic IP, you’re paying $3,000/month for nothing. The DRT can’t help if they don’t know what to protect.

Not enabling logging. All three services support logging. Without logs, you can’t tune WAF rules, investigate DDoS events, or prove compliance. Enable CloudWatch, Kinesis, or S3 logging from day one.
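As an added example (not code from the original article or from AWS), this is the kind of triage you run over WAF logs to tune rules: it parses newline-delimited WAF log JSON and reports which rules are terminating with BLOCK, which rules still in COUNT mode would have matched (the signal for promoting a managed rule group to block), and which client IPs are being blocked most. The log lines are constructed samples in the WAF log shape, trimmed to the fields the script uses.

```python
"""Triage AWS WAF logs (one JSON object per line) to tune rules: terminating
BLOCK rules, COUNT-mode matches, and the noisiest blocked clients.
Added example; the log lines below are constructed, not from a real account."""
import json
from collections import Counter

# Constructed sample in WAF log shape (only the fields used here are kept).
SAMPLE_LOG_LINES = """
{"timestamp":1700000000001,"action":"BLOCK","terminatingRuleId":"rate-limit-login","terminatingRuleType":"RATE_BASED","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"}}
{"timestamp":1700000000002,"action":"BLOCK","terminatingRuleId":"rate-limit-login","terminatingRuleType":"RATE_BASED","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"}}
{"timestamp":1700000000003,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[{"ruleId":"AWS-AWSManagedRulesSQLiRuleSet","action":"COUNT"}],"httpRequest":{"clientIp":"203.0.113.9","uri":"/search","httpMethod":"GET"}}
{"timestamp":1700000000004,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","uri":"/admin","httpMethod":"GET"}}
{"timestamp":1700000000005,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"192.0.2.44","uri":"/","httpMethod":"GET"}}
"""


def parse_waf_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON as delivered to S3/Kinesis, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records: list[dict]) -> dict:
    """Aggregate what matters for tuning: terminating BLOCK rules, COUNT-mode
    matches (rules still in audit mode), and blocked requests per client IP."""
    blocked_by_rule, count_mode_hits, blocked_clients = Counter(), Counter(), Counter()
    for rec in records:
        req = rec["httpRequest"]
        if rec["action"] == "BLOCK":
            blocked_by_rule[rec["terminatingRuleId"]] += 1
            blocked_clients[req["clientIp"]] += 1
        for match in rec.get("nonTerminatingMatchingRules", []):
            if match["action"] == "COUNT":   # would have blocked if promoted
                count_mode_hits[match["ruleId"]] += 1
    return {"blocked_by_rule": dict(blocked_by_rule),
            "count_mode_hits": dict(count_mode_hits),
            "blocked_clients": dict(blocked_clients),
            "total": len(records)}


if __name__ == "__main__":
    print(json.dumps(triage(parse_waf_log(SAMPLE_LOG_LINES)), indent=2))
```

A COUNT-mode rule with many hits on paths your users actually visit is a false-positive candidate to exclude; one that only fires on requests you would have wanted blocked is ready to promote.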

Frequently Asked Questions

Can I use Network Firewall instead of WAF for my web application?

Technically yes—Network Firewall can inspect HTTP traffic—but you shouldn’t. WAF is purpose-built for web exploits with managed OWASP rules, bot detection, and pay-per-request pricing that scales efficiently. Network Firewall charges per GB processed and lacks WAF’s application-specific protections. Use Network Firewall for VPC-level filtering and WAF for HTTP(S) services.

Do I need Shield Advanced if I already have WAF?

It depends on your risk tolerance and budget. WAF protects against application-layer attacks. Shield Advanced adds layer 3/4 DDoS protection for ALB, NLB, Elastic IPs, and Global Accelerator, plus 24/7 DRT support and cost protection. If a DDoS outage costs you more than $36,000/year, Shield Advanced pays for itself. If your app runs behind CloudFront only and you’re comfortable with Shield Standard’s automatic protections, skip Advanced.

Can Network Firewall replace security groups and NACLs?

No. Security groups (stateful) and NACLs (stateless) are layer 3/4 packet filters that run at the instance and subnet level at no additional cost. Network Firewall adds stateful deep inspection, IDS/IPS signatures, and centralized logging across your VPC. Use security groups for basic instance-level allow/deny rules. Add Network Firewall when you need deep inspection, domain filtering, or centralized egress control across multiple VPCs.

How do I protect an on-premises web server with AWS WAF?

Place CloudFront in front of your on-premises origin (via public IP or AWS Direct Connect). Attach a WAF Web ACL to the CloudFront distribution. WAF inspects traffic at the CloudFront edge before forwarding clean requests to your data center. This works well for hybrid architectures but requires CloudFront as the entry point—WAF cannot attach directly to on-prem servers.

Conclusion

We covered the core differences between AWS WAF, Shield, and Network Firewall. WAF operates at layer 7 to block web exploits in HTTP(S) traffic attached to CloudFront, ALB, and API Gateway. Shield defends against volumetric layer 3 and 4 DDoS attacks—Standard is automatic and free, Advanced adds DRT support and cost protection for $3,000/month. Network Firewall provides stateful inspection for all VPC traffic across layers 3 through 7, ideal for egress filtering and east-west traffic control. You cannot replace one with another—they’re complementary layers of defense. Start with Shield Standard and WAF with managed rules for internet-facing apps, add Shield Advanced if DDoS downtime costs justify the subscription, and deploy Network Firewall when security groups and NACLs are insufficient for your VPC-level filtering and IDS/IPS needs.