CloudFront + WAF DDoS Protection
Redesigned GoGuardian's DDoS defense by placing CloudFront and WAF in front of the ALB — blocking 4 attacks over 2 years with zero production impact, including one attack peaking at 200k requests/second.
A 90-minute production outage caused by a DDoS attack exposed a fundamental flaw in the existing architecture: WAF was deployed behind the load balancer. By the time traffic reached WAF, it had already hit the origin servers. Blocking at that layer was too late.
The Architecture Problem
Internet → ALB → WAF → Application
The original setup meant the ALB and application servers absorbed every request before WAF could inspect them. A volumetric attack would exhaust the ALB’s capacity regardless of WAF rules.
The Fix
Moved to a layered model:
Internet → CloudFront + WAF → ALB → Application
Key changes:
- CloudFront as the entry point — absorbs volumetric traffic at AWS edge locations globally, not at the origin
- WAF at CloudFront — rate limiting and rule evaluation happens at the edge before traffic reaches the VPC
- AWS Shield Advanced — automatic DDoS detection and mitigation at the network and transport layers
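As an added example (not GoGuardian's code or configuration), the following Python/boto3 script builds the two pieces that make the layered model work: a CloudFront-scoped WAF web ACL with a per-IP rate-based block rule, and an ALB security-group rule that only admits traffic from CloudFront's origin-facing address ranges, so the origin cannot be reached except through the edge. It also includes a pre-flight check that refuses to create an ACL scoped REGIONAL, which would attach only to the ALB and silently recreate the original behind-the-origin design. The ACL and metric names, the 2,000-requests-per-5-minutes limit, the origin region and the `sg-EXAMPLE` security-group id are assumptions, not values from the page; the managed prefix list name `com.amazonaws.global.cloudfront.origin-facing` is the real AWS-managed list.

```python
"""Edge-scoped WAF rate limit plus origin lockdown (added example, not GoGuardian's code).

Assumed values (not from the page): the ACL and metric names, the per-IP limit,
the origin ALB region, and the security-group id placeholder.
"""
from typing import Any

WEB_ACL_NAME = "edge-ddos-acl"            # hypothetical name
PER_IP_LIMIT = 2000                       # assumed: requests per client IP per WAF 5-minute window
ORIGIN_REGION = "us-west-2"               # assumed region of the origin ALB
ALB_SECURITY_GROUP_ID = "sg-EXAMPLE"      # placeholder: the ALB's security group
# AWS-managed prefix list of CloudFront's origin-facing address ranges
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"


def build_rate_limit_web_acl(name: str = WEB_ACL_NAME, limit: int = PER_IP_LIMIT) -> dict[str, Any]:
    """Kwargs for wafv2.create_web_acl: a CLOUDFRONT-scoped ACL whose single rule
    blocks any client IP that exceeds `limit` requests in WAF's 5-minute window.
    Everything else passes through the Allow default action."""
    rate_rule = {
        "Name": "per-ip-rate-limit",
        "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "PerIpRateLimit",
        },
    }
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",   # REGIONAL would only attach to the ALB, i.e. behind the origin again
        "DefaultAction": {"Allow": {}},
        "Rules": [rate_rule],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "EdgeDdosAcl",
        },
    }


def check_edge_scoped(acl: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the ACL is edge-scoped and
    actually blocks on rate. This catches the original mistake (inspection behind
    the origin) before anything is created."""
    findings = []
    if acl.get("Scope") != "CLOUDFRONT":
        findings.append(f"scope is {acl.get('Scope')!r}, not CLOUDFRONT: rules would run behind the origin")
    blocking_rate_rules = [
        r for r in acl.get("Rules", [])
        if "RateBasedStatement" in r.get("Statement", {}) and "Block" in r.get("Action", {})
    ]
    if not blocking_rate_rules:
        findings.append("no rate-based rule with a Block action")
    return findings


def origin_ingress_permission(prefix_list_id: str) -> dict[str, Any]:
    """One IpPermissions entry for ec2.authorize_security_group_ingress that admits
    HTTPS only from CloudFront's origin-facing ranges, so the ALB is reachable
    only through the edge."""
    return {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": "CloudFront origin-facing only"}],
    }


def main() -> None:
    import boto3  # imported here so the builders above run without the SDK installed

    acl = build_rate_limit_web_acl()
    problems = check_edge_scoped(acl)
    if problems:
        raise SystemExit("refusing to create web ACL: " + "; ".join(problems))

    # CLOUDFRONT-scoped web ACLs must be created through the us-east-1 endpoint.
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    created = wafv2.create_web_acl(**acl)
    print("web ACL ARN (set as WebACLId on the distribution):", created["Summary"]["ARN"])

    ec2 = boto3.client("ec2", region_name=ORIGIN_REGION)
    lists = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PREFIX_LIST_NAME]}]
    )
    prefix_list_id = lists["PrefixLists"][0]["PrefixListId"]
    ec2.authorize_security_group_ingress(
        GroupId=ALB_SECURITY_GROUP_ID, IpPermissions=[origin_ingress_permission(prefix_list_id)]
    )
    print("ALB ingress restricted to", prefix_list_id)


if __name__ == "__main__":
    main()
```

The builder and check functions are pure and run without AWS credentials; only `main()` talks to the account. Adding the prefix-list rule is half of the origin lockdown: any existing `0.0.0.0/0` ingress on the ALB's security group has to be revoked as well, otherwise the edge protection is optional from the attacker's point of view. Shield Advanced, the third item in the list above, is enabled on the distribution separately (a subscription plus `shield.create_protection` on the distribution ARN) and is not shown here.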
Monitoring and Alerting
Built Datadog dashboards tracking CloudFront request rates, WAF block counts, and origin server traffic. PagerDuty alerts fire when request rate anomalies suggest an active attack — giving the team visibility before customer impact.
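As an added example (not the Datadog or PagerDuty setup described above), this Python script runs the kind of request-rate anomaly check those alerts rely on, over constructed CloudFront standard log lines: it buckets requests into fixed windows, flags any window whose rate exceeds a multiple of the baseline, and reports the top client IP and its share of the window, which distinguishes a single-source flood from a broad traffic spike. The sample log, the 1 req/s baseline, the 10-second bucket and the 5x multiplier are all assumptions; the `#Fields` header uses a subset of the real CloudFront field list, and the parser keys on that header rather than on column positions.

```python
"""Request-rate anomaly detection over CloudFront standard logs (added example,
not GoGuardian's monitoring). The log below is constructed and uses a subset of
the real CloudFront field list; baseline, bucket size and multiplier are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Any, Iterator, Optional

FIELDS = "date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status"


def build_sample_log() -> str:
    """Constructed sample: 70 s of 1 req/s spread over ten client IPs, plus a
    10 s burst of 500 requests from a single source starting at 12:01:00."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def row(t: datetime, ip: str, path: str) -> str:
        return "\t".join([t.strftime("%Y-%m-%d"), t.strftime("%H:%M:%S"), "IAD89-C1", "512",
                          ip, "GET", "example.cloudfront.net", path, "200"])

    lines = ["#Version: 1.0", "#Fields: " + FIELDS]
    for sec in range(70):
        lines.append(row(base + timedelta(seconds=sec), f"198.51.100.{sec % 10 + 1}", "/"))
    for i in range(500):  # 50 req/s from one IP for 10 s
        lines.append(row(base + timedelta(seconds=60 + i // 50), "203.0.113.7", "/api/login"))
    return "\n".join(lines) + "\n"


def parse_cloudfront_log(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields header, so a
    change in column order does not silently break the detector."""
    fields: Optional[list[str]] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            continue
        if raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {raw!r}")
        yield dict(zip(fields, values))


def detect_rate_anomalies(text: str, bucket_seconds: int = 10,
                          baseline_rps: float = 1.0, multiplier: float = 5.0) -> list[dict[str, Any]]:
    """Bucket requests into fixed windows and flag any window whose rate exceeds
    baseline_rps * multiplier. Each alert names the top client IP and its share
    of the window's requests."""
    totals: Counter = Counter()
    per_ip: dict = defaultdict(Counter)
    for rec in parse_cloudfront_log(text):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp()) // bucket_seconds * bucket_seconds
        totals[bucket] += 1
        per_ip[bucket][rec["c-ip"]] += 1

    threshold = baseline_rps * multiplier
    alerts = []
    for bucket in sorted(totals):
        rps = totals[bucket] / bucket_seconds
        if rps > threshold:
            top_ip, top_count = per_ip[bucket].most_common(1)[0]
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                "rps": rps,
                "top_ip": top_ip,
                "top_ip_share": round(top_count / totals[bucket], 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rate_anomalies(build_sample_log()):
        print(alert)
```

In production the same logic runs over the CloudFront logs delivered to S3 (or the equivalent CloudWatch metric), and the alert dict is the payload you would forward to PagerDuty. The two numbers worth putting side by side on the dashboard are the edge request rate and the WAF block count: when they rise together while origin traffic stays flat, the edge is absorbing the attack, which is exactly the condition the layered design is meant to produce.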
Results
| Metric | Before | After |
|---|---|---|
| DDoS-caused outages | 1 (90-min downtime) | Zero over 2 years |
| Attacks blocked | — | 4 blocked automatically |
| Largest attack | — | ~200k requests/sec |
| Origin server impact | Direct exposure | Zero |
The key insight: you can’t block a volumetric attack at the origin. You have to absorb it at the edge.