One of our clients was highly concerned about DDoS attacks, as an attack had brought down their site before and apparently it took them days to fully recover. There is an architectural best practice known as the "WAF Sandwich" that can be used to protect your EC2 instances from being overwhelmed by malicious traffic. The diagram below shows how this works:

[Diagram: WAF Sandwich architecture (image not reproduced here)]

As you can see, an Auto Scaling group of EC2 instances running the WAF software is placed between two Elastic Load Balancers. The first load balancer (on the left) is internet-facing and accepts inbound traffic. The second one (on the right) is internal and is used to send traffic on to the application instances only once the WAF has deemed it non-malicious.

Since the WAF instances are in an Auto Scaling group behind the first load balancer, the WAF tier can scale out to as many instances as it needs to handle the incoming traffic. Every request therefore passes through a WAF instance for inspection and filtering. Set the scaling policy and its maximum capacity deliberately: absorbing a flood by adding instances keeps the site up, but each added instance is a cost you pay for the duration of the attack.

If the request passes inspection and filtering, it is forwarded to the second load balancer, which distributes it amongst the EC2 instances in the private subnet (presumably the web server instances). For the sandwich to mean anything, those instances must accept web traffic only from the internal load balancer: their security group should not permit ingress from the public load balancer or from the internet, because any such rule lets an attacker bypass the WAF tier entirely.
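The bypass risk is easy to check mechanically. The following script is an added example (not code from the original post or from any WAF vendor): it takes security groups in the shape returned by `aws ec2 describe-security-groups` (only the fields it uses, with constructed placeholder group IDs such as `sg-waf` and `sg-web`) and walks the ingress rules for web ports as a graph, looking for any route from the internet to the web tier that does not pass through the WAF tier's security group.

```python
"""Check that a WAF sandwich cannot be bypassed at the security-group layer.

Added example, not code from the original post. Group IDs and rules below are
constructed placeholders shaped like `aws ec2 describe-security-groups` output.
"""
from collections import defaultdict, deque

INTERNET = "0.0.0.0/0"          # graph node standing for "anyone on the internet"
WEB_PORTS = (80, 443)


def covers_web_port(perm):
    """True if an IpPermissions entry admits TCP 80 or 443 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":              # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in WEB_PORTS)


def ingress_graph(groups):
    """Map each source (a CIDR or a security-group ID) to the groups it may reach on a web port."""
    fwd = defaultdict(set)
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not covers_web_port(perm):
                continue
            for r in perm.get("IpRanges", []):          # CIDR sources; 0.0.0.0/0 is INTERNET
                fwd[r["CidrIp"]].add(g["GroupId"])
            for pair in perm.get("UserIdGroupPairs", []):  # security-group sources
                fwd[pair["GroupId"]].add(g["GroupId"])
    return fwd


def bypass_path(groups, waf_sg, web_sg):
    """Breadth-first search from the internet to web_sg that never enters waf_sg.

    Returns the offending path as a list of nodes, or None when every route to
    the web tier is forced through the WAF tier.
    """
    fwd = ingress_graph(groups)
    parent = {INTERNET: None}
    queue = deque([INTERNET])
    while queue:
        node = queue.popleft()
        if node == web_sg:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in fwd.get(node, ()):
            if nxt == waf_sg or nxt in parent:   # the WAF tier is the only allowed chokepoint
                continue
            parent[nxt] = node
            queue.append(nxt)
    return None


def tcp_rule(port, cidrs=(), groups=()):
    """Build one IpPermissions entry for a single TCP port (helper for the sample data)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: a correct sandwich. Each tier trusts only the tier in front of it.
SANDWICH = [
    {"GroupId": "sg-public-elb",   "IpPermissions": [tcp_rule(443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-waf",          "IpPermissions": [tcp_rule(80, groups=["sg-public-elb"])]},
    {"GroupId": "sg-internal-elb", "IpPermissions": [tcp_rule(80, groups=["sg-waf"])]},
    {"GroupId": "sg-web",          "IpPermissions": [tcp_rule(80, groups=["sg-internal-elb"])]},
]

# Same deployment with a rule left over from before the WAF tier existed: the web
# tier still trusts the public load balancer directly, so the WAF can be skipped.
LEFTOVER_WEB_SG = dict(
    SANDWICH[3],
    IpPermissions=SANDWICH[3]["IpPermissions"] + [tcp_rule(80, groups=["sg-public-elb"])],
)
BROKEN = SANDWICH[:3] + [LEFTOVER_WEB_SG]


if __name__ == "__main__":
    for name, groups in (("sandwich", SANDWICH), ("broken", BROKEN)):
        path = bypass_path(groups, waf_sg="sg-waf", web_sg="sg-web")
        if path is None:
            print(f"{name}: OK, every route to the web tier crosses the WAF tier")
        else:
            print(f"{name}: BYPASS via " + " -> ".join(path))
```

Run it against real data by feeding the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` to `bypass_path` with your own WAF and web-tier group IDs. The search deliberately treats the WAF group as the only permitted chokepoint, so a path through any other group (a bastion, a legacy rule, a group that allows all traffic with protocol `-1`) is reported as a bypass. It only models security groups; network ACLs and routes are a separate check.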

By using the WAF Sandwich, you can protect your applications from being overwhelmed by malicious traffic while scaling to meet capacity demands. Keep in mind what it covers: the WAF tier inspects HTTP requests, so it addresses application-layer floods and attack traffic. Network-layer volumetric floods are absorbed in front of it, at the load balancer and AWS's network edge, and never reach the WAF instances.

Please note that this configuration is not how AWS WAF works: AWS WAF attaches to AWS services such as CloudFront distributions and Application Load Balancers rather than running on EC2 instances you configure, so it does not fit the diagram above. To create a true WAF Sandwich, you need a web application firewall that you can install on an instance, for example the open-source ModSecurity or a commercial host-based WAF.