How do I migrate from AWS WAF classic to AWS WAF and what is the downtime during the migration?

Last updated: 2022-07-25

I want to migrate my current AWS WAF classic deployment to AWS WAF. How do I do this? Is there downtime involved in the migration?

Short description

There are three options to migrate from AWS WAF classic to AWS WAF:

  • Manual migration
  • Automated using the AWS WAF security automation
  • Automated using the AWS WAF classic migration wizard

Important: Before starting the migration, see Migration caveats and limitations.

Resolution

Manual migration

Manual migration is suitable for simple AWS WAF classic deployments. In a manual migration, you re-create the classic web ACL, its rules and its conditions as AWS WAF resources, and then switch the protected resource over to the new web ACL. The switch from the AWS WAF classic web ACL association to the new AWS WAF web ACL association might cause a brief disruption.

To perform a manual migration, do the following:

  1. To create a new AWS WAF deployment, see Getting started with AWS WAF.
  2. Complete the steps in Migrating a web ACL: switchover.
  3. See Migrating a web ACL: additional considerations to optimize the new AWS WAF deployment.

AWS WAF security automation migration

Use AWS WAF security automation to automatically migrate to AWS WAF using AWS CloudFormation. Then, associate the new web ACL with a supported resource, such as:

  • Amazon CloudFront distribution
  • Amazon API Gateway REST API
  • Application Load Balancer (ALB)
  • AWS AppSync GraphQL API

There's no downtime involved in this migration process, because the new web ACL is created alongside the existing AWS WAF classic web ACL and traffic moves only when you associate it. It's a best practice to test and tune your AWS WAF protections before implementing rules in production.

Important: When migrating an AWS WAF classic deployment created by the AWS WAF security automation, you must not use the AWS WAF classic migration wizard. For additional information, see Migration caveats and limitations.

To deploy a new web ACL using AWS WAF security automation, do the following:

  1. Open the AWS WAF Automation on AWS page.
  2. Navigate to AWS Solution overview.
  3. Choose Launch in the AWS Console on the right-hand side of the diagram.
  4. For Region, choose the AWS Region where you want to create your AWS WAF resources.
  5. For Create stack, use the default settings and then choose Next.
  6. Enter a Stack name and choose the Parameters for your use case. For information on Parameters, see Launch a stack.
    Important: Be sure that you choose the correct Endpoint Type. The type must match the resource you're currently using in AWS WAF classic. If you're using Amazon API Gateway REST API or Application Load Balancer, then choose ALB.
  7. Choose Next.
  8. (Optional) Configure stack options or use the default settings. Then, choose Next.
  9. Review your configuration. Then, acknowledge that CloudFormation will create AWS Identity and Access Management (IAM) resources in your account.
  10. Choose Create Stack.

CloudFormation creates a new stack with all the resources required for the AWS security automation, including a new AWS WAF web ACL.
Important: The new AWS WAF web ACL isn't automatically associated with any AWS resources.

To complete the migration to AWS WAF, you must manually associate the AWS WAF web ACL with your AWS resource. This process automatically disassociates the AWS resource from the AWS WAF classic web ACL. After a resource is associated with this AWS WAF web ACL, requests are inspected by the rules in the new AWS WAF web ACL.

After successfully migrating to AWS WAF, it's a best practice to review Migrating a web ACL: additional considerations to optimize the new AWS WAF deployment.

Note: You might need to manually re-create existing rules that can't be automatically migrated. For more information, see Migrating a web ACL: manual follow-up.

Automated migration using the AWS WAF classic migration wizard

Use the AWS WAF classic migration wizard to automatically migrate existing AWS WAF classic resources to AWS WAF. There are cases where the AWS WAF classic migration wizard must not be used. For more information, see Migration caveats and limitations.

There's no downtime involved in this migration process, because the wizard creates the new web ACL alongside the existing AWS WAF classic web ACL and traffic moves only when you associate it. It's a best practice to test and tune your AWS WAF protections before implementing rules in production.

To deploy a new web ACL using automated AWS WAF classic migration wizard, do the following:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose Switch to AWS WAF Classic.
  3. In the navigation pane, choose Web ACLs.
  4. At the top of the main page, choose the migration wizard.
  5. For Web ACL, choose the AWS Region where you want to create your AWS WAF resources. Then, choose the AWS WAF classic web ACL that you want to migrate.
  6. For Migration configuration, choose Create new to create a new S3 bucket for CloudFormation to use during the migration.
    Note: The S3 bucket must be in the same Region as the web ACL, and its name must start with the prefix aws-waf-migration-. It's a best practice to select Auto apply the bucket policy required for migration to avoid permission issues.
    For Choose how to handle rules that can't be migrated, choose your preferred option.
    Note: It's a best practice to choose Exclude rules that can't be migrated so that the migration continues. You must then manually re-create those rules after the migration completes.
  7. Choose Next.
  8. Choose Start creating CloudFormation template.
  9. Choose Create CloudFormation Stack to start the deployment of the AWS WAF CloudFormation stack.
  10. For Create stack, use the default settings and then choose Next.
  11. Enter a Stack name and choose the Parameters for your use case. For information on Parameters, see Launch a stack.
    Important: Be sure that you choose the correct Endpoint Type. The type must match the resource you're currently using in AWS WAF classic. If you're using Amazon API Gateway REST API or Application Load Balancer, then choose ALB.
  12. Choose Next.
  13. (Optional) Configure stack options or use the default settings. Then, choose Next.
  14. Review your configuration, then choose Create Stack.

CloudFormation creates a new stack with all the resources that are migrated from AWS WAF classic, including a new AWS WAF web ACL.
Important: The new AWS WAF web ACL isn't automatically associated with any AWS resources.

To complete the migration to AWS WAF, you must manually associate the AWS WAF web ACL with your AWS resource. This process automatically disassociates the AWS resource from the AWS WAF classic web ACL. After a resource is associated with this AWS WAF web ACL, requests are inspected by the rules in the new AWS WAF web ACL.

After successfully migrating to AWS WAF, it's a best practice to review Migrating a web ACL: additional considerations to optimize the new AWS WAF deployment.

Note: You might need to manually re-create existing rules that can't be automatically migrated. For more information, see Migrating a web ACL: manual follow-up.
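The following script is an added example and is not part of this article or of any AWS tool. It shows the AWS CLI equivalent of the two steps that all three options above end with: generating and deploying the migration template (the migration wizard calls the same CreateWebACLMigrationStack API, and --ignore-unsupported-type is the CLI form of Exclude rules that can't be migrated), and then the switchover, which associates the new AWS WAF web ACL with a regional resource and verifies the association before and after. Every Region, ARN, ID, stack name and bucket name below is a constructed placeholder that you override through the environment; the bucket-name, scope and Endpoint Type helpers encode the rules stated in the steps above and run without AWS access.

```shell
#!/bin/sh
# Added example (not from the AWS article): CLI form of the migration wizard's
# template step and of the final web ACL switchover, with verification.
# All values below are constructed placeholders; override them via the environment.
set -eu

REGION="${REGION:-us-east-1}"
CLASSIC_WEB_ACL_ID="${CLASSIC_WEB_ACL_ID:-11111111-2222-3333-4444-555555555555}"
MIGRATION_BUCKET="${MIGRATION_BUCKET:-aws-waf-migration-123456789012-us-east-1}"
STACK_NAME="${STACK_NAME:-waf-classic-migration}"
RESOURCE_ARN="${RESOURCE_ARN:-arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef}"
NEW_WEB_ACL_ARN="${NEW_WEB_ACL_ARN:-arn:aws:wafv2:us-east-1:123456789012:regional/webacl/migrated/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"

# Wizard constraint: the migration bucket name must start with aws-waf-migration-.
# Kept as a pure check so it can be tested without AWS credentials.
migration_bucket_name_ok() {
  case "$1" in
    aws-waf-migration-*) return 0 ;;
    *) return 1 ;;
  esac
}

# AWS WAF scope a resource needs: CloudFront distributions use the global
# CLOUDFRONT scope (us-east-1); ALB, API Gateway and AppSync use REGIONAL.
scope_for_resource() {
  case "$1" in
    arn:aws:cloudfront:*) echo CLOUDFRONT ;;
    arn:aws:elasticloadbalancing:*|arn:aws:apigateway:*|arn:aws:appsync:*) echo REGIONAL ;;
    *) return 1 ;;
  esac
}

# Endpoint Type for the AWS WAF Security Automations stack parameter, per the
# article's rule: API Gateway REST APIs and ALBs both use "ALB". AppSync is not
# covered by that rule, so the operator must choose explicitly (returns 1).
endpoint_type_for_resource() {
  case "$1" in
    arn:aws:cloudfront:*) echo CloudFront ;;
    arn:aws:elasticloadbalancing:*|arn:aws:apigateway:*) echo ALB ;;
    *) return 1 ;;
  esac
}

# Wizard step, scripted: writes the CloudFormation template to the bucket and
# prints its S3 URL. The bucket must be in $REGION, like the classic web ACL.
generate_migration_template() {
  migration_bucket_name_ok "$MIGRATION_BUCKET" || {
    echo "bucket name must start with aws-waf-migration-" >&2; return 1; }
  aws waf-regional create-web-acl-migration-stack --region "$REGION" \
    --web-acl-id "$CLASSIC_WEB_ACL_ID" --s3-bucket-name "$MIGRATION_BUCKET" \
    --ignore-unsupported-type --query S3ObjectUrl --output text
}

deploy_migration_stack() {
  aws cloudformation create-stack --region "$REGION" --stack-name "$STACK_NAME" \
    --template-url "$(generate_migration_template)"
  aws cloudformation wait stack-create-complete --region "$REGION" --stack-name "$STACK_NAME"
}

# Which classic and which new web ACL the regional resource is associated with.
classic_acl_for_resource() {
  aws waf-regional get-web-acl-for-resource --region "$REGION" \
    --resource-arn "$RESOURCE_ARN" --query WebACLSummary.WebACLId --output text
}
wafv2_acl_for_resource() {
  aws wafv2 get-web-acl-for-resource --region "$REGION" \
    --resource-arn "$RESOURCE_ARN" --query WebACL.ARN --output text
}

# The switchover: one AssociateWebACL call replaces the classic association.
# CloudFront ARNs are refused here, because a distribution is switched by
# setting the new web ACL ARN as WebACLId in its distribution config instead.
cutover_regional_resource() {
  [ "$(scope_for_resource "$RESOURCE_ARN")" = REGIONAL ] || {
    echo "not a regional resource: $RESOURCE_ARN" >&2; return 1; }
  echo "before: classic=$(classic_acl_for_resource) wafv2=$(wafv2_acl_for_resource)"
  aws wafv2 associate-web-acl --region "$REGION" \
    --web-acl-arn "$NEW_WEB_ACL_ARN" --resource-arn "$RESOURCE_ARN"
  echo "after:  classic=$(classic_acl_for_resource) wafv2=$(wafv2_acl_for_resource)"
  [ "$(wafv2_acl_for_resource)" = "$NEW_WEB_ACL_ARN" ]
}

# Nothing touches AWS unless asked, so the helpers can be sourced and tested offline.
case "${1:-}" in
  template) deploy_migration_stack ;;
  cutover)  cutover_regional_resource ;;
esac
```

Run `sh migrate.sh template` to generate and deploy the template, review the resulting web ACL and re-create any excluded rules, then `sh migrate.sh cutover` to switch the resource. The "after" line should show the classic association as None and the new ARN on the AWS WAF side; the final check fails the script if the association did not take.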
