AWS WAF vs AWS WAF Regional

September 5, 2018 #aws #waf #security

Welcome - AWS WAF lists separate API references for AWS WAF and AWS WAF Regional.  AWS WAF is “available for protecting Amazon CloudFront distributions” and AWS WAF Regional is “available for protecting Application Load Balancers.”  These APIs are almost identical, except for Web ACL management:

AWS WAF is available globally on CloudFront but only regionally on Application Load Balancers. From AWS Regions and Endpoints - Amazon Web Services (Sept 2018):


AWS WAF for CloudFront distributions has a single endpoint: It supports HTTPS requests only.

Region Name            | Region        | Endpoint | Protocol
US East (N. Virginia)  | us-east-1     |          | HTTPS
Canada (Central)       | ca-central-1  |          | HTTPS
EU (London)            | eu-west-2     |          | HTTPS

AWS WAF for Application Load Balancers has the following endpoints:

Region Name              | Region          | Endpoint | Protocol
US East (Ohio)           | us-east-2       |          | HTTPS
US East (N. Virginia)    | us-east-1       |          | HTTPS
US West (N. California)  | us-west-1       |          | HTTPS
US West (Oregon)         | us-west-2       |          | HTTPS
Asia Pacific (Tokyo)     | ap-northeast-1  |          | HTTPS
Asia Pacific (Sydney)    | ap-southeast-2  |          | HTTPS
EU (Frankfurt)           | eu-central-1    |          | HTTPS
EU (Ireland)             | eu-west-1       |          | HTTPS
AWS GovCloud (US)        | us-gov-west-1   |          | HTTPS

In addition to the documentation, two other ways to check whether a region is supported are to run a CLI “list” operation against that region, or to nslookup the regional endpoint's DNS name: an unsupported region has no endpoint to connect to and no name to resolve.

$ aws waf-regional list-ip-sets --region eu-west-2

Could not connect to the endpoint URL: ""

$ nslookup

** server can't find NXDOMAIN

$ nslookup

Non-authoritative answer:

These waf-regional API calls will return different results based on --region.

$ aws waf-regional list-ip-sets --region us-east-1
{
    "NextMarker": "7ec3bad0-7b26-491e-affa-00a2718a7160",
    "IPSets": [
        {
            "IPSetId": "777f1102-1803-4730-b666-fc22c452a366",
            "Name": "project1-dev-match-blacklisted-ips"
        },
        {
            "IPSetId": "7ec3bad0-7b26-491e-affa-00a2718a7160",
            "Name": "project2-dev-match-blacklisted-ips"
        }
    ]
}

$ aws waf-regional list-ip-sets --region us-west-2
{
    "IPSets": []
}

But the waf API call is global and returns the same results whatever --region the CLI is given; the parameter is ignored.

$ aws waf list-ip-sets

AWS Firewall Manager | Centralized WAF Management does not have a separate API, but likely uses PutPermissionPolicy - AWS WAF to “share a RuleGroup across accounts.”  A RuleGroup is a “collection of predefined rules that you can add to a web ACL” and “subject to the following limits:”

  • Three rule groups per account. You can request an increase to this limit by contacting customer support.
  • One rule group per web ACL.
  • Ten rules per rule group.

To use it, there are AWS account-level settings that need to be enabled:

Your AWS account must be part of an organization in AWS Organizations, and the account must have the full feature set enabled.

An AWS account must be set as an AWS Firewall Manager administrator.

