DEV Community

Wakeup Flower

AWS Network Firewall vs AWS WAF

1. AWS Network Firewall

  • Purpose: Network-level protection for your VPC traffic.
  • Layer: Operates at OSI Layer 3/4 (network/transport layers).
  • Works on: Traffic entering or leaving the VPC subnets routed through it (any IP traffic: TCP, UDP, ICMP).
  • Capabilities:

    • Stateful inspection
    • Intrusion detection/prevention (IDS/IPS)
    • Domain filtering
    • Protocol filtering
    • Custom firewall rules
  • Typical use case:

    Protecting entire VPCs or subnets, filtering all inbound/outbound traffic — similar to an on-prem network firewall.


2. AWS WAF (Web Application Firewall)

  • Purpose: Application-layer (HTTP/HTTPS) protection for your web-facing endpoints.
  • Layer: Operates at OSI Layer 7 (HTTP/HTTPS).
  • Works on: Web traffic going to your application endpoints (CloudFront, ALB, API Gateway, AppSync).
  • Capabilities:

    • Protection against web attacks (SQL injection, XSS, bot traffic).
    • URL/path-based filtering.
    • Rate limiting.
    • IP allow/deny lists (IP sets).
  • Typical use case:

    Protecting web applications from application-layer attacks.


Quick analogy

  • Network Firewall = a network security guard who inspects all traffic coming into/out of your building and stops suspicious connections.
  • WAF = a web application security guard who checks the content of requests to your web app and blocks malicious payloads.

If the question says “traffic inspection + filtering at the VPC/network level” → AWS Network Firewall.
If it says “protect my web application from attacks” → AWS WAF.

| Feature | AWS WAF | AWS Network Firewall |
|---|---|---|
| Purpose | Web Application Firewall — protects web applications from common HTTP/S threats (SQL injection, XSS, etc.) | Network Firewall — protects the entire VPC at the network level (stateful inspection, domain filtering, IP filtering, protocol control, intrusion detection) |
| Where it operates | At the application layer (Layer 7 of the OSI model) — works with ALB, CloudFront, API Gateway, AppSync | At the network layer (Layer 3/4) — works as a VPC ingress/egress gateway |
| Traffic scope | HTTP/S traffic only | All IP traffic (TCP/UDP/ICMP, any port/protocol) |
| Control type | Rules on HTTP methods, headers, URIs, IP sets, rate limits, geo-restrictions | Rules on IP addresses, ports, protocols, domains (DNS/TLS SNI), stateful inspection |
| Integration | Attached to ALB, CloudFront, API Gateway, AppSync | Integrated with VPC route tables; inspects all traffic for subnets routed through it |
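To make the split between sections 1 and 2 concrete, here is an added Python illustration (not code from this post and not AWS code) that models what each product actually sees and can decide on. A Layer 3/4 evaluator stands in for Network Firewall stateful rules (ingress ports, egress ports/protocols, a domain allowlist matched on TLS SNI), and a Layer 7 evaluator stands in for a WAF web ACL (a URL-decoded SQL injection pattern, a path rule, a User-Agent rule, and a per-source-IP rate rule). The policy values, IP addresses, domain names, the `10.0.1.x` web subnet and the rate limit of 5 are all constructed sample data, and the rule shapes are simplified stand-ins rather than real Suricata or web ACL syntax.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass
class Flow:
    """A connection as a Layer 3/4 firewall sees it: 5-tuple fields plus TLS SNI."""
    direction: str             # "ingress" (into the VPC) or "egress" (out of it)
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str                 # "tcp", "udp" or "icmp"
    sni: Optional[str] = None  # TLS SNI / HTTP Host when visible, else None


@dataclass
class HttpRequest:
    """A request as a Layer 7 firewall sees it at the ALB / CloudFront / API Gateway."""
    src_ip: str
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)


# Constructed Network Firewall-style policy: ingress only TCP 80/443 to the web subnet;
# egress TCP/UDP only, no telnet, and HTTPS only to allowlisted domains (matched on SNI).
NET_POLICY = {
    "web_subnet_prefix": "10.0.1.",
    "ingress_ports": {80, 443},
    "blocked_egress_ports": {23},
    "egress_domain_allowlist": {".amazonaws.com", ".vendor.example"},
}


def net_firewall_decision(flow: Flow, policy: dict = NET_POLICY) -> str:
    """Return 'PASS' or 'DROP:<reason>' using only L3/L4 fields and the SNI."""
    if flow.proto not in {"tcp", "udp"}:
        return "DROP:protocol"
    if flow.direction == "ingress":
        if flow.dst_ip.startswith(policy["web_subnet_prefix"]) and flow.dst_port in policy["ingress_ports"]:
            return "PASS"
        return "DROP:ingress-port"
    if flow.dst_port in policy["blocked_egress_ports"]:
        return "DROP:port"
    if flow.dst_port == 443:
        # Domain filtering needs a visible SNI; a leading dot in the allowlist also matches subdomains.
        if flow.sni is None:
            return "DROP:no-sni"
        if not any(flow.sni == d.lstrip(".") or flow.sni.endswith(d)
                   for d in policy["egress_domain_allowlist"]):
            return "DROP:domain"
    return "PASS"


# Constructed WAF-style rules. Inputs are URL-decoded before matching, in the spirit of a
# text transformation, so "%27%20OR" is inspected as "' OR".
SQLI_PATTERN = re.compile(r"'\s*(?:or|union|--)", re.IGNORECASE)
RATE_LIMIT_PER_WINDOW = 5  # toy per-source-IP limit for one evaluation window


class WebAcl:
    """Minimal stand-in for a WAF web ACL: ordered match rules plus a per-IP rate rule."""

    def __init__(self, limit: int = RATE_LIMIT_PER_WINDOW):
        self.limit = limit
        self.hits = Counter()  # requests seen per source IP in this window
        self.rules = [  # (name, predicate); first match wins, like rule priority
            ("block-sqli", lambda r: bool(SQLI_PATTERN.search(unquote(r.query))
                                          or SQLI_PATTERN.search(unquote(r.path)))),
            ("block-admin-path", lambda r: r.path.startswith("/admin")),
            ("block-scanner-ua", lambda r: "sqlmap" in r.headers.get("user-agent", "").lower()),
        ]

    def decision(self, req: HttpRequest) -> str:
        """Return 'ALLOW' or 'BLOCK:<rule>' using only HTTP-level fields."""
        self.hits[req.src_ip] += 1
        if self.hits[req.src_ip] > self.limit:
            return "BLOCK:rate-limit"
        for name, matches in self.rules:
            if matches(req):
                return f"BLOCK:{name}"
        return "ALLOW"


def run_scenarios() -> dict:
    """Constructed traffic; each value is (network firewall verdict, WAF verdict)."""
    acl, web, out = WebAcl(), "10.0.1.20", {}
    # 1. Inbound SQL injection: ordinary HTTPS at L3/L4, caught only at L7.
    out["sqli"] = (net_firewall_decision(Flow("ingress", "203.0.113.7", web, 443, "tcp", "app.example")),
                   acl.decision(HttpRequest("203.0.113.7", "GET", "/search", "q=1%27%20OR%201=1")))
    # 2-4. Outbound flows from the web host never reach the WAF ("N/A"); only port,
    # protocol and SNI-based domain rules can act on them.
    egress = {
        "egress-telnet": Flow("egress", web, "198.51.100.9", 23, "tcp"),
        "egress-unknown-domain": Flow("egress", web, "198.51.100.9", 443, "tcp", "updates.unknown.example"),
        "egress-s3": Flow("egress", web, "52.0.0.1", 443, "tcp", "s3.amazonaws.com"),
    }
    for name, flow in egress.items():
        out[name] = (net_firewall_decision(flow), "N/A")
    # 5. One client exceeding the rate limit: every single request looks normal at L3/L4.
    flood = [acl.decision(HttpRequest("198.51.100.77", "GET", "/")) for _ in range(RATE_LIMIT_PER_WINDOW + 1)]
    out["flood"] = (net_firewall_decision(Flow("ingress", "198.51.100.77", web, 443, "tcp", "app.example")), flood[-1])
    return out


if __name__ == "__main__":
    for name, (net, waf) in run_scenarios().items():
        print(f"{name:24} network firewall={net:20} waf={waf}")
```

Running it shows the asymmetry the two sections describe: the SQL injection request and the request flood pass the network layer as ordinary HTTPS connections and are stopped only by the WAF, while the outbound telnet session and the HTTPS connection to a non-allowlisted domain never reach the WAF at all and can only be stopped by the network firewall. Note that domain filtering depends on a visible SNI or Host header; dropping port 443 flows that carry none is a policy choice made in this example, and a real deployment should decide that explicitly.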
