Apply WAF Web ACL to API Gateway

Apply WAF Web ACL to API Gateway AWS_EN

Apply WAF Web ACL to API Gateway

AWS WAF can be applied to the following four types of resources

  • ALB
  • CloudFront
  • API Gateway
  • AppSync

In this article, we will check how to apply WAF to API Gateway.

For details on how to apply WAF to ALB, please refer to the following page.

For information on how to apply WAF to CloudFront, please refer to the following page.

For information on how to apply WAF to AppSync, please see the following page.


Diagram of apply WAF Web ACL to API Gateway

Restrict geography.
Specifically, create your own rule group and set a rule to block access from Japan (JP) in it.
Apply the created Web ACL to the API Gateway.

Create an API Gateway and deploy Lambda on the backend.
When an HTTP request is received from a user, the API Gateway acts as an endpoint and invokes a Lambda function instead, returning the result of the function’s invocation to the user.
The API Gateway is created as a REST API type.

The runtime environment for the Lambda function is Python 3.8.
The action of the function is simply to return the string “Hello form Awstut ! when executed.

CloudFormation template files

The above configuration is built using CloudFormation.
The CloudFormation templates are located at the following URL

Explanation of key points of the template files

This page focuses on how to apply WAF to CloudFront.

For basic information on WAF, please refer to the following page

For information on how to restrict geography with WAF, please refer to the following page

For basic information on REST API type API Gateway, please refer to the following page

(Reference) REST API type API Gateway resources

As mentioned in the following AWS official website, the type of API Gateway to which WAF can be applied is the REST API type.

Choosing between REST APIs and HTTP APIs - Amazon API Gateway
Learn the differences between REST APIs and HTTP APIs.
    Type: AWS::ApiGateway::RestApi
          - EDGE
      Name: !Ref Prefix
    Type: AWS::ApiGateway::Deployment
      - Method
      RestApiId: !Ref RestApi
    Type: AWS::ApiGateway::Resource
      ParentId: !GetAtt RestApi.RootResourceId
      PathPart: !Sub "${Prefix}-resource"
      RestApiId: !Ref RestApi
    Type: AWS::ApiGateway::Stage
      DeploymentId: !Ref Deployment
      RestApiId: !Ref RestApi
      StageName: !Sub "${Prefix}-stage"
    Type: AWS::ApiGateway::Method
      AuthorizationType: NONE
      HttpMethod: GET
        ConnectionType: INTERNET
        Credentials: !GetAtt ApiGatewayRole.Arn
        IntegrationHttpMethod: POST
        Type: AWS_PROXY
        Uri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${FunctionArn}/invocations"
      ResourceId: !Ref Resource
      RestApiId: !Ref RestApi
Code language: YAML (yaml)

No special configuration is required.
In the resource definition, set part of the URL PATH to “fa-053-resource”.
In the stage definition, set the stage name to “fa-053-stage”.


    Type: AWS::WAFv2::WebACL
        Allow: {}
      Name: !Sub "${Prefix}-WebACL"
        - Name: !Sub "${Prefix}-WebACL-GeoRestriction"
            None: {}
          Priority: 0
              Arn: !GetAtt RuleGroup.Arn
            CloudWatchMetricsEnabled: true
            MetricName: !Sub "${Prefix}-WebACL-GeoRestriction"
            SampledRequestsEnabled: true
      Scope: REGIONAL
        CloudWatchMetricsEnabled: true
        MetricName: !Ref Prefix
        SampledRequestsEnabled: true
Code language: YAML (yaml)

The Scope property is the key.
If the Web ACL is applied to CloudFront, it is “CLOUDFRONT”; for other resources, it is “REGIONAL”.
In this case, since this is an API Gateway, the latter is used.

    Type: AWS::WAFv2::WebACLAssociation
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${RestApi}/stages/${StageName}"
      WebACLArn: !GetAtt WebACL.Arn
Code language: YAML (yaml)

Resource for applying WAF to API Gateway.
In the ResourceArn property, specify the API Gateway to which WAF is to be applied.
The following is a description of how to specify the WAF

For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name


So to meet the above requirements, we use the built-in function Fn::Sub to embed and configure the API’s ID and stage name.


Use CloudFormation to build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stacks

Create a CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

After checking the resources in each stack, information on the main resources created this time is as follows

  • API Gateway name: fa-053
  • API Gateway endpoint:
  • API Gateway stage name: fa-053-stage
  • API Gateway resource name: fa-053-resource
  • WAF name: fa-053-WebACL

We will also check the resource from the AWS Management Console.
First, check the API Gateway.

The Detail of API Gateway.

If you see the stage page, you will see that WAF is applied.

Next, check the Web ACL.

The detail of WAF Web ACL.

From the Web ACL side, you can also see that this ACL is applied to API Gateway.

Checking Action

Now that everything is ready, access CloudFront from Japan.
The URL to be accessed this time is determined by a combination of resource and stage information.
Specifically, the URL is as follows

Access to API Gateway was blocked by the WAF Web ACL.

Access denied.
Because you accessed it from Japan, it means that it was blocked by the WAF Web ACL before reaching the API Gateway.

To confirm, change the action of the geo-restriction.

Changed WAF Web ACL rules from blocking to counting.

We changed the rule action from blocking to counting, i.e., keeping the rule alive but only counting the number of traffic that corresponds to the rule.

Access the API Gateway again.

Access to API Gateway was counted by the WAF Web ACL.

The API Gateway is now accessible.
This is because the rule action has been changed from blocking to counting only, and access is now possible.


We have confirmed how to apply WAF ACLs to API Gateway.