CloudFront + WAF Basics: Reducing Impact During Traffic Spikes

A practical baseline for protecting public endpoints with CloudFront and WAF without overcomplicating the setup.

Traffic spikes are not always attacks — but you should build as if they could be.

This post covers a practical baseline for public websites and APIs: CloudFront in front, WAF at the edge, and a few rules that usually pay off immediately.

Why edge protection helps

With CloudFront:

  • the edge absorbs a lot of load before it reaches your origin
  • caching reduces repeat traffic
  • TLS, HTTP/2/3, and global PoPs are handled automatically

With WAF:

  • you can block bad patterns before they touch your infrastructure
  • rate limiting can reduce brute force and noisy bots
  • managed rules can catch common exploit attempts

A simple baseline configuration

1) Put CloudFront in front of your origin

Typical origins:

  • ALB
  • API Gateway
  • S3 (static)
  • ECS/EKS behind ALB

2) Enable WAF on the CloudFront distribution

Start with:

  • AWS Managed Rules (common vulnerabilities)
  • Bot control (if you need it)
  • Rate-based rules (for login, search, expensive endpoints)

3) Rate limit the “expensive” paths first

Common candidates:

  • /login
  • /auth/*
  • /search
  • /graphql
  • /api/* endpoints that call external systems

Even a basic rate rule can reduce noise significantly.

4) Use allowlists carefully

Allowlisting is powerful, but dangerous if it becomes permanent. Use it for:

  • internal admin endpoints
  • integration partners with static IPs
  • temporary mitigation during incidents

Always keep an expiry date for incident-based allowlists.

What to monitor

  • WAF blocked requests over time
  • CloudFront 4xx/5xx rates
  • Origin latency and error rate
  • Top client countries / ASNs (if relevant)
  • Cache hit ratio

A realistic “first week” plan

  1. CloudFront in front of origin
  2. WAF attached with managed rules in COUNT mode for 24 hours
  3. Review logs, then switch key rules to BLOCK
  4. Add rate limiting to login and the most expensive endpoint
  5. Add dashboards and alerting on 5xx spikes
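The baseline from steps 2 to 4 and the "first week" plan, as an added example that is not part of the original post: it builds the WAFv2 rule definitions in the dict shape that boto3's wafv2 `create_web_acl`/`update_web_acl` accept (a managed rule group in COUNT mode for the observation phase, a rate-based rule scoped to the expensive paths, and an allowlist helper that refuses incident entries without an expiry). Rule names, the limit, the paths and the allowlist entries are assumed sample values; the dicts are constructed locally and no AWS call is made.

```python
# Added example, not from the original post. Builds WAFv2 rule dicts for boto3 wafv2
# create_web_acl/update_web_acl; names, limits, paths and allowlist entries are samples.
from datetime import date

def visibility(name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}

def managed_rule(priority: int, group: str, count_mode: bool) -> dict:
    """AWS managed rule group; count_mode=True overrides all sub-rules to COUNT (observation)."""
    return {"Name": group, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
            "VisibilityConfig": visibility(group)}

def rate_rule(priority: int, paths: list, limit: int, block: bool) -> dict:
    """Rate-based rule keyed on client IP, scoped down to the 'expensive' paths.
    A path ending in '*' is a prefix match (STARTS_WITH); otherwise the URI must match exactly."""
    def path_match(p: str) -> dict:
        return {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "SearchString": p.rstrip("*").encode(),  # boto3 takes bytes here
            "PositionalConstraint": "STARTS_WITH" if p.endswith("*") else "EXACTLY",
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}
    matches = [path_match(p) for p in paths]
    # OrStatement needs at least two statements, so a single path is used directly
    scope = matches[0] if len(matches) == 1 else {"OrStatement": {"Statements": matches}}
    return {"Name": "rate-expensive-paths", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP",
                                                 "ScopeDownStatement": scope}},
            "Action": {"Block": {}} if block else {"Count": {}},
            "VisibilityConfig": visibility("rate-expensive-paths")}

def active_allowlist(entries: list, today: date) -> list:
    """CIDRs that may stay in the allow IP set. Incident entries must carry an expiry
    and are dropped once it passes; partner entries with static IPs may be permanent."""
    keep = []
    for e in entries:
        if e["kind"] == "incident" and e.get("expires") is None:
            raise ValueError(f"incident allowlist entry {e['cidr']} has no expiry")
        if e.get("expires") is None or e["expires"] >= today:
            keep.append(e["cidr"])
    return keep

# Constructed sample: one partner range and one incident-time allowlist that has expired.
SAMPLE_ALLOWLIST = [
    {"cidr": "203.0.113.0/24", "kind": "partner", "expires": None},
    {"cidr": "198.51.100.7/32", "kind": "incident", "expires": date(2024, 5, 20)},
]
```

Switching a rule from the observation phase to enforcement is a matter of calling `managed_rule(..., count_mode=False)` or `rate_rule(..., block=True)` and pushing the updated rule list with the web ACL's current lock token.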

Photo source

Cover image: Unsplash — https://unsplash.com/photos/close-up-photo-of-black-network-cables-1K9T5YiZ2WU