1. AWS Network Firewall
- Purpose: Network-level protection for your VPC traffic.
- Layer: Operates at OSI Layer 3/4 (network/transport layers).
- Works on: Traffic entering or leaving your VPC subnets (TCP/UDP, IP traffic).
Capabilities:
- Stateful inspection
- Intrusion detection/prevention (IDS/IPS)
- Domain filtering
- Protocol filtering
- Custom firewall rules
Typical use case:
Protecting entire VPCs or subnets, filtering all inbound/outbound traffic — similar to an on-prem network firewall.
2. AWS WAF (Web Application Firewall)
- Purpose: Application-layer protection.
- Layer: Operates at OSI Layer 7 (HTTP/HTTPS).
- Works on: Web traffic going to your application endpoints (CloudFront, ALB, API Gateway, AppSync).
Capabilities:
- Protection against web attacks (SQL injection, XSS, bot traffic).
- URL/path-based filtering.
- Rate limiting.
- IP whitelisting/blacklisting.
Typical use case:
Protecting web applications from application-layer attacks.
Quick analogy
- Network Firewall = a network security guard who inspects all traffic coming into/out of your building and stops suspicious connections.
- WAF = a web application security guard who checks the content of requests to your web app and blocks malicious payloads.
If the question says “traffic inspection + filtering at the VPC/network level” → AWS Network Firewall.
If it says “protect my web application from attacks” → AWS WAF.
| Feature | AWS WAF | AWS Network Firewall |
|---|---|---|
| Purpose | Web Application Firewall — protects web applications from common HTTP/S threats (SQL injection, XSS, etc.) | Network Firewall — protects entire VPC at the network level (stateful inspection, domain filtering, IP filtering, protocol control, intrusion detection) |
| Where it operates | At the application layer (Layer 7 of the OSI model) — attached to ALB, CloudFront, API Gateway, AppSync | At the network/transport layers (Layer 3/4) — deployed as a VPC ingress/egress inspection point |
| Traffic scope | HTTP/S traffic only | All IP traffic (TCP/UDP/ICMP, any port/protocol) |
| Control type | Rules on HTTP methods, headers, URIs, IP sets, rate limits, geo-restrictions | Rules on IP addresses, ports, protocols, domains (DNS/TLS SNI), stateful inspection |
| Integration | Attached to ALB, CloudFront, API Gateway, AppSync | Integrated with VPC route tables; inspects all traffic for subnets routed through it |
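To make the "Control type" row concrete, here is an added example (not code from the original post) that builds the JSON documents the AWS CLI accepts for each service: a Network Firewall stateful rule group, both as a domain allow-list and as Suricata-syntax port rules, shaped for `aws network-firewall create-rule-group --type STATEFUL --rule-group file://...`, and WAF rules shaped for the `--rules` list of `aws wafv2 create-web-acl`. The domain names, ports, rule names and SID numbers are constructed sample values; the `$HOME_NET`/`$EXTERNAL_NET` variables are the ones Network Firewall populates from the policy's configured CIDRs.

```python
import json
import re

# ---- AWS Network Firewall: Layer 3/4 vocabulary (IPs, ports, protocols, SNI) ----

def network_firewall_domain_allowlist(domains):
    """RuleGroup document for a stateful 'domain list' rule group.

    Network Firewall matches these targets against the TLS SNI and the HTTP
    Host header, which is how it filters by domain without being a Layer 7
    proxy. A leading dot (".example.com") also matches every subdomain."""
    for d in domains:
        if not re.fullmatch(r"\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", d):
            raise ValueError(f"not a valid domain target: {d!r}")
    return {
        "RulesSource": {
            "RulesSourceList": {
                "Targets": list(domains),
                "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                "GeneratedRulesType": "ALLOWLIST",  # everything else on those ports is dropped
            }
        }
    }


def network_firewall_suricata_rules(blocked_ports, home_net="$HOME_NET", start_sid=100001):
    """Suricata-compatible rule text for a stateful rule group's RulesString.

    Drops outbound TCP to each listed port. No blanket 'pass' rule is emitted:
    in the default (Suricata) evaluation order, pass rules are evaluated before
    drop rules regardless of their position in the file, so a catch-all pass
    would silently defeat the drops. Traffic not matched here falls through to
    the firewall policy's stateful default actions."""
    lines = []
    sid = start_sid  # constructed starting SID; must be unique per rule group
    for port in sorted(set(blocked_ports)):
        if not 0 < port < 65536:
            raise ValueError(f"invalid TCP port: {port}")
        lines.append(
            f'drop tcp {home_net} any -> $EXTERNAL_NET {port} '
            f'(msg:"block outbound tcp/{port}"; sid:{sid}; rev:1;)'
        )
        sid += 1
    return "\n".join(lines)


# ---- AWS WAF: Layer 7 vocabulary (HTTP fields, request rates) ----

def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def waf_rate_limit_rule(name, limit, priority=0):
    """RateBasedStatement rule: block a source IP that exceeds `limit`
    requests in WAF's 5-minute evaluation window."""
    if int(limit) <= 0:
        raise ValueError("rate limit must be a positive request count")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": int(limit), "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility(name),
    }


def waf_sqli_rule(name, priority=1):
    """SqliMatchStatement rule: block requests whose URL-decoded query string
    looks like SQL injection. Note the rule talks about HTTP fields, not ports."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "SqliMatchStatement": {
                "FieldToMatch": {"QueryString": {}},
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility(name),
    }


if __name__ == "__main__":
    # Constructed sample inputs; write the results to files for the CLI.
    print(json.dumps(network_firewall_domain_allowlist([".example.com", "updates.example.net"]), indent=2))
    print(network_firewall_suricata_rules([23, 3389]))
    print(json.dumps([waf_rate_limit_rule("RateLimit", 2000), waf_sqli_rule("BlockSqli")], indent=2))
```

The two halves never overlap in what they can express: the Network Firewall rules can say "tcp port 3389" or "SNI example.com" but cannot see a query string, while the WAF rules can inspect the decoded query string but know nothing about non-HTTP protocols, which is exactly the distinction the table draws.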