What is our primary use case?
We primarily use the solution for load balancing.
We have some microsites exposed through the AWS cloud. These are a sort of pilot, and we are using WAF to learn how this new product fits with us; we are mostly in the testing phase with a limited-impact application. We are obviously not migrating core applications or those which have a significant impact on availability or on integrity and confidentiality. Mostly we have it on microsites where we don't see a significant risk, and it is more of a learning exercise for us.
What is most valuable?
The most important aspect for us is that AWS WAF is easy to deploy. The ease of implementation, ease of management, and flexibility are great. We like the potential for pay as you grow, as you have instant deployment, infrastructure as code, or any other automation tools that can leverage these deployments. The most important thing for us is that it stays flexible and scalable. That is true not only of WAF but of all the cloud services, where you can provision any product in minutes.
With the cloud, you have these integrated tools that provide a single pane of glass.
You have automation, ease of export, or ease of seeing the logs and exporting to a SIEM; these aspects are also great. The agility is great for us in terms of cloud services in general.
Usually, if we're talking about standard WAF, it is easy to deploy and is good at protecting low- to medium-risk applications.
What needs improvement?
As of now, regarding WAF, I'm not sure what the minuses or pluses are. You have the native WAF, which you can deploy directly on the load balancer. However, you also have that store where you can actually deploy some other vendors' specifics. At this point, feature-wise, I don't see anything lacking, more or less. Obviously, if we want to migrate, which is not yet the case, there might be a significant impact.
For uniformity, AWS has a well-accepted framework. However, it would be better for us if we could have some more documented guidelines on how the specific business should be structured and the roles that the cloud recommends. If every company is building its own framework based on its experience or its past experience, this might be subjective, and it'll end up with each company having its own framework, which can be good. However, it would be better to have a standardized baseline that every company could build on.
For how long have I used the solution?
We've been using the solution for more than a year at this point.
What do I think about the stability of the solution?
You have multiple availability zones and regions. The availability or durability is not something that we need to concern ourselves with very much here. Regarding the availability, I don't think this is something that the average company could match. They have a lot of availability zones, redundancy, and all the other things like that.
What do I think about the scalability of the solution?
It's scalable. Mostly, what I would look into is having cloud resiliency in the sense that we want multiple vendors, so if something happens with AWS, you'll need some sort of strategy and you'll need some other vendor to provide you with similar services.
We have a number of users per application. It's hard to quantify how many users are on the solution in general.
How are customer service and support?
For us, it's a bit of a different model where we have services provided by one central team or central entity. The others will have some sort of hub and spoke with the central entity providing or re-providing services to the other network units. The relationship with AWS is maintained by our central unit, and we somehow take services from the central unit and customize them per our needs. However, if we have some issues, this will be raised by the group. Issues may be resolved by AWS or an SME that works with us.
How was the initial setup?
In terms of the initial setup, from what I heard, since it is initially a new technology, you want to deploy it in a correct manner. Therefore, it will need more diligence in the first deployment, as security is not something you can learn and adjust. You need to make it right from day one in order to avoid breaches. However, after that, with infrastructure as code and the automatic deployment, it's easier. You just create your setup, and you use the rules and go. You have network access to a security group, which provides you with very general filtering for problematic traffic.
From my experience, the cloud provides everything we need; however, we still lack the knowledge and framework in terms of who is doing what, et cetera.
It's quite different between on-premises and cloud. In the cloud, DevOps is doing a lot of things. On-premises, you have someone from infrastructure, someone installing the OS, and someone doing the vulnerability and patch management.
Depending on how you deploy, the activities need to be revised. You need to have this framework to work in the cloud, and it's more of a challenge in company philosophy rather than technical capabilities. Companies can find it challenging to migrate to new tools. Sometimes existing teams need to be re-educated.
We have multiple applications, so usually, it takes a while to refine the framework with the responsibility inside the company. It's to be optimized. However, in terms of actual deployment, security-wise, it takes some time to do the security checks, including the scanning and vulnerability asset inventory. It might take two or three months per application.
What other advice do I have?
I definitely recommend not only AWS. I also recommend Azure as an option. We have the integration with Office and the entire portfolio. The cloud, in general, is a new thing to consider. For example, you have this GDPR with data in Europe. However, in the case of most of the clouds, you can select your regions and you have some control.
I'd rate the solution nine out of ten.
There is a huge number of products. I'm not saying it's a bad or a good thing. However, it can be quite confusing. There are VPC, EC2, and other instances, and there are a lot of other services that you can use, like Macie, where you can filter sensitive information. There are a lot of tools that require hands-on work and new capabilities. For me, being at the beginning of this journey for cloud migration, I've been mostly quite happy with the results.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.