Overview
Of the Elastic Load Balancing types, AWS WAF attaches only to Application Load Balancers (ALB), which operate at Layer 7 (HTTP/HTTPS). It does not support Network Load Balancers (NLB), which operate at Layer 4 (TCP/UDP) and therefore never expose the HTTP requests WAF inspects.
Achieving Fixed IP with WAF
If a fixed IP is required while still using WAF with an ALB, the solution is to place an AWS Global Accelerator in front of the ALB.
Architecture Flow
- AWS Global Accelerator provides one or more static IPv4 addresses that never change.
- Clients connect to the static addresses at the nearest AWS edge location, and traffic travels over the AWS global network to the ALB.
- The ALB fronts the application and has the WAF Web ACL attached for Layer 7 protection.
- WAF inspects and filters incoming HTTP(S) requests based on defined rules.
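The flow above expressed as Terraform, added here as an illustration rather than configuration from the original note. It assumes an existing internet-facing ALB referenced as aws_lb.app and an existing regional Web ACL named app-web-acl; both names are placeholders.

```hcl
# Static anycast IPv4 addresses clients connect to; the ALB's own IPs keep changing
resource "aws_globalaccelerator_accelerator" "ga" {
  name            = "app-accelerator"
  ip_address_type = "IPV4"
}

# Global Accelerator works at Layer 4: it forwards TCP/443 and never sees HTTP,
# so TLS termination and all request inspection stay on the ALB behind it
resource "aws_globalaccelerator_listener" "https" {
  accelerator_arn = aws_globalaccelerator_accelerator.ga.id
  protocol        = "TCP"
  port_range {
    from_port = 443
    to_port   = 443
  }
}

# Point the accelerator at the existing internet-facing ALB (aws_lb.app, assumed).
# Client IP preservation is set explicitly: without it the ALB (and WAF) would
# see accelerator addresses instead of the real client, and IP-based or
# rate-based WAF rules would act on the wrong source.
resource "aws_globalaccelerator_endpoint_group" "alb" {
  listener_arn = aws_globalaccelerator_listener.https.id
  endpoint_configuration {
    endpoint_id                    = aws_lb.app.arn
    weight                         = 100
    client_ip_preservation_enabled = true
  }
}

# Look up the existing REGIONAL Web ACL (name assumed); CLOUDFRONT-scoped ACLs
# cannot be attached to an ALB
data "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl"
  scope = "REGIONAL"
}

# WAF attaches to the ALB, not to the accelerator, which has no WAF integration
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = data.aws_wafv2_web_acl.app.arn
}

# The fixed addresses to publish for partner firewall allow-listing
output "static_ips" {
  value = aws_globalaccelerator_accelerator.ga.ip_sets[0].ip_addresses
}
```

Publish only the accelerator addresses from the output; the ALB's own addresses are not stable and should not be allow-listed anywhere.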
Benefits
- Maintains fixed public IPs for firewall whitelisting and compliance.
- Keeps Layer 7 protection from WAF.
- Improves global performance by leveraging AWS’s private network through Global Accelerator.