Tech Matchups: AWS WAF vs Security Groups

Overview

AWS WAF is a web application firewall that protects against Layer 7 (application-layer) attacks, such as SQL injection or cross-site scripting, for HTTP/HTTPS traffic.

Security Groups are stateful virtual firewalls attached to the elastic network interface (ENI) of a VPC resource such as an EC2 instance. They filter Layer 3 and 4 (network and transport-layer) traffic by protocol, port and source/destination, and contain only allow rules: anything not explicitly allowed is dropped.

Both enhance security: WAF for web application threats, Security Groups for network-level access control.

Fun Fact: WAF can block malicious requests in milliseconds using predefined rules!

Section 1 - Layer and Functionality

WAF operates at Layer 7, inspecting HTTP/HTTPS requests—e.g., blocking a SQL injection attempt in a POST request to an ALB. Configured with rules like AWS Managed Rules.

aws wafv2 create-web-acl --name "ProtectAPI" --scope REGIONAL --region us-east-1 \
  --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=ProtectAPI

(--visibility-config is mandatory and the default action is written as Allow={} in CLI shorthand. REGIONAL scope is for ALB, API Gateway and other regional resources; a CloudFront web ACL uses --scope CLOUDFRONT and must be created in us-east-1.)

Security Groups operate at Layers 3/4, controlling IP and port access—e.g., allowing TCP 80 from 0.0.0.0/0 to an EC2 instance. Stateful, auto-allowing return traffic.

aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 80 --cidr 0.0.0.0/0

Scenario: WAF blocks malicious API requests; Security Groups restrict SSH to a bastion host.
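The commands below put the two layers from this section together end to end. This is an added example, not code from the Swiftorial page: the web ACL gets the AWS Managed Rules common rule set plus a rate-based rule, is created in REGIONAL scope and attached to an ALB, and SSH to the application instances is allowed only from the bastion host's security group. ALB_ARN, APP_SG, BASTION_SG, the ACL name and the region are placeholders you must set. Nothing is sent to AWS unless you run it with APPLY=1, so the generated rule document (waf_rules_json) can be inspected first.

```shell
#!/bin/sh
# Added example, not from the page: web ACL + ALB association + bastion-only SSH.
# ALB_ARN, APP_SG and BASTION_SG below are assumed placeholders.
set -eu

AWS_REGION="${AWS_REGION:-us-east-1}"
ACL_NAME="${ACL_NAME:-ProtectAPI}"
ALB_ARN="${ALB_ARN:-arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/0123456789abcdef}"
APP_SG="${APP_SG:-sg-0123456789abcdef0}"          # assumed: SG on the application instances
BASTION_SG="${BASTION_SG:-sg-0fedcba9876543210}"  # assumed: SG on the bastion host

# Layer 7 rule document for the web ACL: the AWS managed common rule set (generic
# SQLi/XSS and protocol checks) and a rate-based rule that blocks any source IP
# exceeding 2,000 requests in a 5-minute window. Priority is evaluation order.
waf_rules_json() {
cat <<'EOF'
[
  {
    "Name": "AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "Statement": {
      "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}
    },
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "CommonRuleSet"}
  },
  {
    "Name": "RateLimitPerIP",
    "Priority": 1,
    "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitPerIP"}
  }
]
EOF
}

# Number of rules in the generated document; a cheap sanity check before applying.
waf_rule_count() {
  waf_rules_json | grep -c '"Priority"'
}

# Create the REGIONAL web ACL and attach it to the load balancer. A CloudFront
# distribution would instead use --scope CLOUDFRONT with --region us-east-1.
create_and_attach_waf() {
  waf_rules_json > /tmp/waf-rules.json
  acl_arn=$(aws wafv2 create-web-acl \
    --name "$ACL_NAME" --scope REGIONAL --region "$AWS_REGION" \
    --default-action Allow={} \
    --rules file:///tmp/waf-rules.json \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="$ACL_NAME" \
    --query 'Summary.ARN' --output text)
  aws wafv2 associate-web-acl --region "$AWS_REGION" \
    --web-acl-arn "$acl_arn" --resource-arn "$ALB_ARN"
}

# Layer 3/4: allow SSH to the application instances only from the bastion's
# security group. Referencing a security group instead of a CIDR keeps the rule
# valid when the bastion's address changes; every other source hits the implicit deny.
restrict_ssh_to_bastion() {
  aws ec2 authorize-security-group-ingress --region "$AWS_REGION" \
    --group-id "$APP_SG" --protocol tcp --port 22 --source-group "$BASTION_SG"
}

if [ "${APPLY:-0}" = "1" ]; then
  create_and_attach_waf
  restrict_ssh_to_bastion
fi
```

Run it once without APPLY to read the rule document, then with APPLY=1 and real identifiers. The managed rule group uses OverrideAction None so its own block actions stand; if you only want to observe it first, change that to {"Count": {}} and watch the CloudWatch metric before enforcing.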

Section 2 - Threat Protection

WAF mitigates application-layer threats—e.g., blocking XSS attacks with rules inspecting request payloads. Supports rate-limiting (e.g., 2,000 requests/5min per IP) and geo-restrictions.

Security Groups prevent unauthorized network access by never allowing it in the first place: there is no deny rule, so to keep TCP 3306 (MySQL) off the internet you allow it only from the application tier's security group and everything else is dropped by the implicit deny. They do no payload inspection; a well-formed SQL injection arriving on an allowed port passes straight through.

Scenario: a WAF rate-based rule throttles an HTTP request flood against an API (volumetric, network-layer DDoS is AWS Shield's job, not WAF's); Security Groups defeat a port scan because probes to any port without an allow rule are dropped, and stateful tracking means unsolicited inbound packets are never passed through. WAF is application-focused; Security Groups are network-focused.

Key Insight: WAF inspects the HTTP request itself (method, URI, query string, headers, body), content that Security Groups never look at!
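The two WAF rule types in this section can be approximated offline over access-log lines, which is a useful way to see what a rate-based rule and a signature rule actually key on. The script below is an added example, not code from the page or from AWS: it constructs a handful of lines in ALB access-log layout (the timestamps, client IPs and URLs are made up), counts requests per client IP in fixed 5-minute windows, and flags request lines containing crude SQLi/XSS tokens that stand in for the managed rule groups. The limit of 5 is only so a tiny sample trips it; the page's 2,000 per 5 minutes would need thousands of lines. Note what the Layer 3/4 view lacks: a Security Group sees only the client address and the destination port (fields 4 and 5 here), never the request line.

```shell
#!/bin/sh
# Added example, not from the page: offline approximation of a WAF rate-based
# rule and a signature rule over constructed ALB access-log lines.

# Emit one line in ALB access-log layout. $1 = ISO-8601 time, $2 = client IP,
# $3 = request URL. Field 2 is the time, field 4 is client:port, field 14 the URL.
log_line() {
  printf 'https %s app/example/abc %s:51000 10.0.1.5:80 0.001 0.020 0.000 200 200 300 1500 "GET %s HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2\n' "$1" "$2" "$3"
}

# Constructed sample: ordinary traffic, one IP bursting inside a single 5-minute
# window, one IP whose burst straddles a window boundary, and injection attempts.
sample_log() {
  log_line 2024-05-01T10:00:01.000000Z 203.0.113.10 https://shop.example.com:443/products?id=1
  log_line 2024-05-01T10:01:30.000000Z 203.0.113.10 https://shop.example.com:443/cart
  log_line 2024-05-01T10:02:00.000000Z 203.0.113.10 https://shop.example.com:443/checkout
  # 198.51.100.7: 8 requests, all in the 10:00-10:04 window
  for s in 01 02 03 04 05 06 07 08; do
    log_line "2024-05-01T10:03:${s}.000000Z" 198.51.100.7 https://shop.example.com:443/api/login
  done
  # 203.0.113.99: 8 requests split 4/4 across the 10:00-10:04 and 10:05-10:09 windows
  for s in 01 02 03 04; do
    log_line "2024-05-01T10:03:${s}.000000Z" 203.0.113.99 https://shop.example.com:443/api/search
    log_line "2024-05-01T10:06:${s}.000000Z" 203.0.113.99 https://shop.example.com:443/api/search
  done
  # 192.0.2.55: SQLi and XSS payloads in the query string
  log_line 2024-05-01T10:04:10.000000Z 192.0.2.55 "https://shop.example.com:443/products?id=1%20UNION%20SELECT%20password%20FROM%20users"
  log_line 2024-05-01T10:04:12.000000Z 192.0.2.55 "https://shop.example.com:443/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
}

# Rate-based rule: print every client IP with more than $1 requests in any
# fixed 5-minute window (window = date + floor(minute-of-day / 5)). Log on stdin.
rate_offenders() {
  awk -v limit="$1" '
    {
      split($4, c, ":"); ip = c[1]
      hh = substr($2, 12, 2); mm = substr($2, 15, 2)
      win = substr($2, 1, 10) "T" int((hh * 60 + mm) / 5)
      n[ip, win]++
    }
    END {
      for (k in n) if (n[k] > limit) { split(k, p, SUBSEP); print p[1] }
    }' | sort -u
}

# Signature rule: print "ip url" for request lines matching crude SQLi/XSS tokens.
# These patterns are a stand-in for the managed rule groups, not their real logic.
signature_hits() {
  awk '
    {
      split($4, c, ":"); ip = c[1]
      url = $14
      if (tolower(url) ~ /(union[+%20 ]+select|or[+%20 ]+1=1|<script|%3cscript)/)
        print ip, url
    }'
}

# Stand-alone run: show what each rule would have flagged in the sample.
sample_log | rate_offenders 5
sample_log | signature_hits
```

Real rate-based rules use a sliding evaluation rather than fixed buckets, so a burst that straddles a bucket boundary and slips past this script (the 203.0.113.99 case) could still be blocked in production; the case is there to show that the counting window matters when you tune the limit. For the real thing, enable WAF logging to S3, CloudWatch Logs or Kinesis Data Firehose and query the terminatingRuleId field of the log records instead.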

Section 3 - Cost and Integration

WAF charges per web ACL ($5/month), per rule ($1/month each) and per request ($0.60/million), quoting us-east-1 list prices at the time of writing. Example: 1M requests/month with 5 rules costs 5 + 5 + 0.60 = ~$10.60. Managed rule groups are billed on top (most AWS Managed Rules groups at the same $1/month as a rule; Bot Control and the fraud-control groups add per-request charges).

Security Groups are free, included with VPC resources. No additional cost for rules or evaluations.

WAF attaches to ALB, CloudFront, API Gateway, AppSync and Cognito user pools; Security Groups apply to any resource with an ENI in a VPC, including EC2 instances, RDS, load balancers and VPC-attached Lambda functions.

Scenario: WAF protects a public-facing ALB; Security Groups secure internal RDS instances.

Section 4 - Use Case Scenarios

WAF suits public-facing web apps, e.g. protecting an e-commerce site from SQL injection or from an HTTP request flood (via a rate-based rule).

Security Groups fit any VPC resource—e.g., restricting database access to specific application servers.

Scenario: WAF shields a customer portal; Security Groups lock down a backend Lambda function (possible only when the function is attached to the VPC, since a Security Group binds to an ENI).

Quick Tip: Combine WAF with Security Groups for defense-in-depth!

Section 5 - Comparison Table

Aspect        AWS WAF                                   Security Groups
Layer         7 (Application)                           3/4 (Network/Transport)
Protection    SQLi, XSS, HTTP floods, geo/rate rules    IP/port filtering, allow-only
Cost          ACL + rules + requests                    Free
Integration   ALB, CloudFront, API Gateway, AppSync     EC2, RDS, ELB, VPC-attached Lambda
Best For      Public web apps and APIs                  Any VPC resource

WAF for web threats, Security Groups for network control. Use both for layered security.

Conclusion

AWS WAF and Security Groups provide complementary security for AWS environments. WAF excels at protecting web applications from Layer 7 threats, ideal for public-facing APIs or websites. Security Groups offer flexible, network-level access control for any VPC resource, perfect for internal or instance-level security.

Weigh threats (application vs. network), cost (paid vs. free), and integration (web vs. VPC). Use WAF for public web apps, Security Groups for all resources—or combine: WAF for front-end protection, Security Groups for backend isolation.

Pro Tip: Start with Security Groups, add WAF for exposed web apps!