

AWS App Runner will no longer be open to new customers starting April 30, 2026. If you would like to use App Runner, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS App Runner availability change](https://docs.aws.amazon.com/apprunner/latest/dg/apprunner-availability-change.html).

# Associating an AWS WAF web ACL with your service
<a name="waf"></a>

AWS WAF is a web application firewall that you can use to secure your App Runner service. With AWS WAF web access control lists (web ACLs), you can guard your App Runner service endpoints against common web exploits and unwanted bots.

A web ACL provides you with fine-grained control over all incoming web requests to your App Runner service. You can define rules in a web ACL to allow, block, or monitor web traffic, to ensure that only authorized and legitimate requests reach your web applications and APIs. You can customize the web ACL rules based on your specific business and security needs. To learn more about infrastructure security and best practices for applying network ACLs, see [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) in the *Amazon VPC User Guide*.

**Important**  
Source IP rules for App Runner private services that are associated with WAF web ACLs *do not adhere to IP based rules*. This is because we currently don't support forwarding request source IP data to App Runner private services associated with WAF. If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use [security group rules for private endpoints](network-pl-manage.md) instead of WAF web ACLs.

## Incoming web request flow
<a name="waf.flow"></a>

When an AWS WAF web ACL is associated with an App Runner service, incoming web requests go through the following process:

1. App Runner forwards the contents of the origin request to AWS WAF. 

1. AWS WAF inspects the request and compares its contents to the rules that you specified in your web ACL. 

1. Based on its inspection, AWS WAF returns an `allow` or `block` response to App Runner. 
   + If an `allow` response is returned, App Runner forwards the request to your application. 
   + If a `block` response is returned, App Runner blocks the request from reaching your web application. It forwards the `block` response from AWS WAF to your application. 
**Note**  
By default, App Runner blocks the request if no response is returned from AWS WAF. 

For more information about AWS WAF web ACLs, see [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF Developer Guide*. 

**Note**  
You pay standard AWS WAF pricing. You don't incur any additional costs for using AWS WAF web ACLs for your App Runner services. For more information about pricing, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing). 

## Associating WAF web ACLs to your App Runner service
<a name="waf.associate-waf"></a>

 The following is the high-level process to associate an AWS WAF web ACL with your App Runner service:

1. Create a web ACL in the AWS WAF console. For more information, see [Creating a web ACL](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html) in the *AWS WAF Developer Guide*. 

1. Update your AWS Identity and Access Management (IAM) permissions for AWS WAF. For more information, see [Permissions](#waf.permissions).

1. Associate the web ACL with the App Runner service using one of the following methods:
   + **App Runner console**: Associate an existing web ACL using App Runner console when you [create](manage-create.md) or [update](manage-configure.md) an App Runner service. For instructions, see [Managing AWS WAF web ACLs](waf-manage.md). 
   + **AWS WAF console**: Associate the web ACL using the AWS WAF console for an existing App Runner service. For more information, see [Associating or disassociating a web ACL with an AWS resource](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html) in the *AWS WAF Developer Guide*. 
   + **AWS CLI**: Associate the web ACL using the AWS WAF public APIs. For more information about AWS WAF public APIs, see [AssociateWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html) in the *AWS WAF API Reference Guide*. 

## Considerations
<a name="waf.considerations"></a>
+ Source IP rules for App Runner private services that are associated with WAF web ACLs *do not adhere to IP based rules*. This is because we currently don't support forwarding request source IP data to App Runner private services associated with WAF. If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use [security group rules for private endpoints](network-pl-manage.md) instead of WAF web ACLs.
+ An App Runner service can be associated with only one web ACL. However, you can associate one web ACL with multiple App Runner services and with multiple AWS resources. Examples include Amazon Cognito user pools and Application Load Balancer resources. 
+ When you create a web ACL, a small amount of time passes before the web ACL fully propagates and is available to App Runner. The propagation time can be from a few seconds to a number of minutes. AWS WAF returns a `WAFUnavailableEntityException` when you try to associate a web ACL before it has fully propagated. 

  If you refresh the browser or navigate away from the App Runner console before the web ACL is fully propagated, the association fails to occur. However, you can navigate within the App Runner console.
+ AWS WAF returns a `WAFNonexistentItemException` error when you call one of the following AWS WAF APIs for an App Runner service that is in an invalid state: 
  +  `AssociateWebACL` 
  +  `DisassociateWebACL` 
  +  `GetWebACLForResource` 

  The invalid states for your App Runner service include:
  +  `CREATE_FAILED` 
  +  `DELETE_FAILED` 
  +  `DELETED` 
  +  `OPERATION_IN_PROGRESS` 
**Note**  
`OPERATION_IN_PROGRESS` state is invalid only if your App Runner service is being deleted. 
+ Your request might result in a payload that is larger than the limits of what AWS WAF can inspect. For more information about how AWS WAF handles oversize requests from App Runner, see [Oversize request component handling](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) in the *AWS WAF Developer Guide*. 
+  If you don’t set appropriate rules or your traffic patterns change, a web ACL might not be as effective at securing your application. 

## Permissions
<a name="waf.permissions"></a>

To work with a web ACL in AWS App Runner, add the following IAM permissions for AWS WAF:
+  `apprunner:ListAssociatedServicesForWebAcl` 
+  `apprunner:DescribeWebAclForService` 
+  `apprunner:AssociateWebAcl` 
+  `apprunner:DisassociateWebAcl` 

For more information about IAM permissions, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

The following is an example of the updated IAM policy for AWS WAF. This IAM policy includes the necessary permissions to work with an App Runner service.

**Example**  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "wafv2:ListResourcesForWebACL",
            "wafv2:GetWebACLForResource",
            "wafv2:AssociateWebACL",
            "wafv2:DisassociateWebACL",
            "apprunner:ListAssociatedServicesForWebAcl",
            "apprunner:DescribeWebAclForService",
            "apprunner:AssociateWebAcl",
            "apprunner:DisassociateWebAcl"
         ],
         "Resource":"*"
      }
   ]
}
```

**Note**  
Though you must grant IAM permissions, the listed actions are permission-only and don't correspond to an API operation.
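As an added example (not part of this guide), the following Python check parses an IAM policy document and reports which of the actions listed above it does not effectively grant. It uses only the standard library; the policy embedded in it is the example policy from this section, wildcard and `Deny` handling follow IAM's evaluation rules for a single identity policy (explicit deny wins, otherwise an allow is required), and `Resource` and `Condition` elements are deliberately not evaluated, so a scoped or conditional allow still counts as an allow here.

```python
import fnmatch
import json

# Actions the Permissions section lists as required for managing web ACLs
# on App Runner services.
REQUIRED_ACTIONS = (
    "wafv2:ListResourcesForWebACL",
    "wafv2:GetWebACLForResource",
    "wafv2:AssociateWebACL",
    "wafv2:DisassociateWebACL",
    "apprunner:ListAssociatedServicesForWebAcl",
    "apprunner:DescribeWebAclForService",
    "apprunner:AssociateWebAcl",
    "apprunner:DisassociateWebAcl",
)

# The example policy from the Permissions section, embedded as the reference input.
PAGE_POLICY = """{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "wafv2:ListResourcesForWebACL",
            "wafv2:GetWebACLForResource",
            "wafv2:AssociateWebACL",
            "wafv2:DisassociateWebACL",
            "apprunner:ListAssociatedServicesForWebAcl",
            "apprunner:DescribeWebAclForService",
            "apprunner:AssociateWebAcl",
            "apprunner:DisassociateWebAcl"
         ],
         "Resource":"*"
      }
   ]
}"""


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_result(statement, action):
    """Return 'Allow', 'Deny' or None depending on whether the statement covers the action."""
    if "Action" in statement:
        covered = any(_action_matches(p, action) for p in _as_list(statement["Action"]))
    elif "NotAction" in statement:
        covered = not any(_action_matches(p, action) for p in _as_list(statement["NotAction"]))
    else:
        covered = False
    return statement.get("Effect") if covered else None


def missing_permissions(policy_document, required=REQUIRED_ACTIONS):
    """Return the required actions that the policy does not effectively grant.

    Mirrors IAM's basic evaluation for one identity policy: an explicit Deny
    wins, otherwise some statement must Allow the action. Resource and
    Condition elements are not evaluated (assumption of this example).
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        results = {_statement_result(s, action) for s in statements}
        if "Deny" in results or "Allow" not in results:
            missing.append(action)
    return missing


if __name__ == "__main__":
    import sys
    # Usage: python check_waf_policy.py [policy.json]; defaults to the page's example policy.
    document = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_POLICY
    gaps = missing_permissions(document)
    print("policy grants all required actions" if not gaps else "missing: " + ", ".join(gaps))
```

Run it against the policy you actually attach to the principal that manages the association; a policy that grants only `wafv2:*` will report the four `apprunner:` permission-only actions as missing, which is the case the note above is warning about.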

# Managing AWS WAF web ACLs
<a name="waf-manage"></a>

Manage the AWS WAF web ACLs for your App Runner service by using one of the following methods:
+ [App Runner console](#waf-manage.console)
+ [AWS CLI](#waf-manage.api)

## App Runner console
<a name="waf-manage.console"></a>

When you [create a service](manage-create.md) or [update an existing one](manage-configure.md) on the App Runner console, you can associate or disassociate an AWS WAF web ACL. 

**Note**  
An App Runner service can be associated with only one web ACL. However, you can associate one web ACL with more than one App Runner service in addition to other AWS resources. 
Before you associate a web ACL, make sure to update your IAM permissions for AWS WAF. For more information, see [Permissions](waf.md#waf.permissions). 

### Associating AWS WAF web ACL
<a name="waf-manage.console.add"></a>

**Important**  
Source IP rules for App Runner private services that are associated with WAF web ACLs *do not adhere to IP based rules*. This is because we currently don't support forwarding request source IP data to App Runner private services associated with WAF. If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use [security group rules for private endpoints](network-pl-manage.md) instead of WAF web ACLs.

**To associate an AWS WAF web ACL**

1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.

1. Based on whether you're creating or updating a service, perform one of the following steps:
   + If you're creating a new service, choose **Create an App Runner service** and go to **Configure Service**.
   + If you're updating an existing service, choose the **Configuration** tab, and then choose **Edit** under **Configure service**.

1. Go to **Web application firewall** under **Security**. 

1. Choose the **Activate** toggle button to view the options.   
![\[The App Runner console layout, showing the Web Application Firewall options.\]](http://docs.aws.amazon.com/apprunner/latest/dg/images/console-waf.png)

1. Perform one of the following steps: 
   + **To associate an existing web ACL**: Choose the required web ACL from the **Choose a web ACL** table to associate with your App Runner service.
   + **To create a new web ACL**: Choose **Create web ACL** to create a new web ACL using the AWS WAF console. For more information, see [Creating a web ACL](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html) in the *AWS WAF Developer Guide*. 

     1. Choose the refresh button to view the newly created web ACL in the **Choose a web ACL** table. 

     1. Select the required web ACL. 

1. Choose **Next** if you're creating a new service or **Save changes** if you're updating an existing service. The selected web ACL is associated with your App Runner service. 

1. To verify the web ACL association, choose the **Configuration** tab of your service and go to **Configure service**. Scroll to **Web application firewall** under **Security** to view the details of the web ACL associated with your service. 
**Note**  
When you create a web ACL, a small amount of time passes before the web ACL fully propagates and is available to App Runner. The propagation time can be from a few seconds to a number of minutes. AWS WAF returns a `WAFUnavailableEntityException` when you try to associate a web ACL before it has fully propagated.   
If you refresh the browser or navigate away from the App Runner console before the web ACL is fully propagated, the association fails to occur. However, you can navigate within the App Runner console.

### Disassociating an AWS WAF web ACL
<a name="waf-manage.console.disassociate"></a>

You can disassociate an AWS WAF web ACL that you no longer need by [updating](manage-configure.md) your App Runner service. 

**To disassociate an AWS WAF web ACL**

1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.

1. Go to the **Configuration** tab of the service you want to update and choose **Edit** under **Configure service**. 

1. Go to **Web application firewall** under **Security**. 

1. Disable the **Activate** toggle button. You receive a message to confirm the deletion.

1. Choose **Confirm**. The web ACL is disassociated from your App Runner service. 
**Note**  
If you want to associate your service with another web ACL, select a web ACL from the **Choose a web ACL** table. App Runner disassociates the current web ACL and starts the process to associate with the selected web ACL. 
If no other App Runner services or resources use a disassociated web ACL, consider deleting the web ACL. Otherwise, you continue to incur costs. For more information about pricing, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing). For instructions on how to delete a web ACL, see [DeleteWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_DeleteWebACL.html) in the *AWS WAF API Reference*. 
You can't delete a web ACL that's associated with other active App Runner services or other resources. 

## AWS CLI
<a name="waf-manage.api"></a>

You can associate or disassociate an AWS WAF web ACL by using the AWS WAF public APIs. The App Runner service, with which you want to associate or disassociate a web ACL, must be in a valid state.

AWS WAF returns a `WAFNonexistentItemException` error when you call one of the following AWS WAF APIs for an App Runner service that is in an invalid state: 
+  `AssociateWebACL` 
+  `DisassociateWebACL` 
+  `GetWebACLForResource` 

The invalid states for your App Runner service include:
+  `CREATE_FAILED` 
+  `DELETE_FAILED` 
+  `DELETED` 
+  `OPERATION_IN_PROGRESS` 
**Note**  
`OPERATION_IN_PROGRESS` state is invalid only if your App Runner service is being deleted. 

For more information about AWS WAF public APIs, see the [AWS WAF API Reference](https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html).

**Note**  
Update your IAM permissions for AWS WAF. For more information, see [Permissions](waf.md#waf.permissions). 

### Associating AWS WAF web ACL using AWS CLI
<a name="waf-manage.api.add"></a>

**Important**  
Source IP rules for App Runner private services that are associated with WAF web ACLs *do not adhere to IP based rules*. This is because we currently don't support forwarding request source IP data to App Runner private services associated with WAF. If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use [security group rules for private endpoints](network-pl-manage.md) instead of WAF web ACLs.

**To associate an AWS WAF web ACL**

1. Create an AWS WAF web ACL for your service with your preferred set of rule actions to `Allow` or `Block` the web requests to your service. For more information about AWS WAF APIs, see [CreateWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_CreateWebACL.html) in the *AWS WAF API Reference Guide*.  
**Example Create a web ACL - Request**  

   ```
   # <file-name.json> is the file containing the WAF web ACL rules (passed to --rules).
   aws wafv2 create-web-acl \
       --region <region> \
       --name <web-acl-name> \
       --scope REGIONAL \
       --default-action Allow={} \
       --rules file://<file-name.json> \
       --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<metric-name>
   ```

1. Associate the web ACL that you created with the App Runner service using the `associate-web-acl` AWS WAF public API. For more information about AWS WAF APIs, see [AssociateWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html) in the *AWS WAF API Reference Guide*.
**Note**  
When you create a web ACL, a small amount of time passes before the web ACL fully propagates and is available to App Runner. The propagation time can be from a few seconds to a number of minutes. AWS WAF returns a `WAFUnavailableEntityException` when you try to associate a web ACL before it has fully propagated.   
If you refresh the browser or navigate away from the App Runner console before the web ACL is fully propagated, the association fails to occur. However, you can navigate within the App Runner console.  
**Example Associating a web ACL - Request**  

   ```
   aws wafv2 associate-web-acl \
       --resource-arn <apprunner_service_arn> \
       --web-acl-arn <web_acl_arn> \
       --region <region>
   ```

1. Verify that the web ACL is associated with your App Runner service using the `get-web-acl-for-resource` AWS WAF public API. For more information about AWS WAF APIs, see [GetWebACLForResource](https://docs.aws.amazon.com/waf/latest/APIReference/API_GetWebACLForResource.html) in the *AWS WAF API Reference Guide*.   
**Example Verify web ACL for resource - Request**  

   ```
   aws wafv2 get-web-acl-for-resource \
       --resource-arn <apprunner_service_arn> \
       --region <region>
   ```

   If there are no web ACLs associated with your service, you receive a blank response.
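The same three steps, done programmatically with boto3, as an added example that is not the guide's own code. It assumes boto3 is installed and that the caller has credentials with the permissions from the Permissions section; the `wafv2` and `apprunner` clients are passed in as parameters so the logic can be exercised without AWS access. It first checks the service against the invalid states listed above (`OPERATION_IN_PROGRESS` is left out because it is invalid only while the service is being deleted), retries `AssociateWebACL` while AWS WAF returns `WAFUnavailableEntityException` because the web ACL is still propagating, surfaces `WAFNonexistentItemException` as an invalid-state error instead of retrying it, and confirms the result with `GetWebACLForResource`, whose response carries no `WebACL` element when nothing is associated.

```python
import time

# Service states the Considerations section lists as invalid for the WAF association APIs.
INVALID_SERVICE_STATES = frozenset({"CREATE_FAILED", "DELETE_FAILED", "DELETED"})


class InvalidServiceState(Exception):
    """The App Runner service is in a state that AWS WAF refuses to work with."""


def _error_code(exc):
    """AWS error code from a botocore ClientError (exc.response['Error']['Code']), or ''."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", "")


def check_service_state(apprunner, service_arn):
    """Fail fast with a clear message instead of waiting for WAFNonexistentItemException."""
    status = apprunner.describe_service(ServiceArn=service_arn)["Service"]["Status"]
    if status in INVALID_SERVICE_STATES:
        raise InvalidServiceState(f"{service_arn} is in state {status}")
    return status


def associate_web_acl(wafv2, service_arn, web_acl_arn, attempts=6, delay=5.0, sleep=time.sleep):
    """Call AssociateWebACL, retrying while the web ACL is still propagating.

    Returns the attempt number that succeeded. WAFUnavailableEntityException is
    the propagation case and is retried after a fixed delay; any other error,
    including WAFNonexistentItemException (invalid service state), is raised.
    The `sleep` parameter exists so tests can skip the real delay.
    """
    for attempt in range(1, attempts + 1):
        try:
            wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=service_arn)
            return attempt
        except Exception as exc:  # botocore raises ClientError; decide on its error code
            code = _error_code(exc)
            if code == "WAFNonexistentItemException":
                raise InvalidServiceState(f"{service_arn}: {code}") from exc
            if code == "WAFUnavailableEntityException" and attempt < attempts:
                sleep(delay)
                continue
            raise


def verify_association(wafv2, service_arn, web_acl_arn):
    """True if GetWebACLForResource reports exactly the web ACL we just associated."""
    response = wafv2.get_web_acl_for_resource(ResourceArn=service_arn)
    return (response.get("WebACL") or {}).get("ARN") == web_acl_arn


if __name__ == "__main__":
    import sys
    import boto3  # assumption: boto3 is installed and credentials/permissions are configured

    # Usage: python associate_waf.py <region> <apprunner_service_arn> <web_acl_arn>
    region, service_arn, web_acl_arn = sys.argv[1:4]
    apprunner = boto3.client("apprunner", region_name=region)
    wafv2 = boto3.client("wafv2", region_name=region)
    print("service state:", check_service_state(apprunner, service_arn))
    used = associate_web_acl(wafv2, service_arn, web_acl_arn)
    print(f"associated on attempt {used}; verified={verify_association(wafv2, service_arn, web_acl_arn)}")
```

The retry is bounded on purpose: propagation normally completes within seconds to minutes, so six attempts at a five-second spacing covers the common case, and a web ACL that still is not visible after that is worth inspecting rather than retrying forever.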

### Deleting an AWS WAF web ACL using AWS CLI
<a name="waf-manage.api.disassociate"></a>

You can't delete an AWS WAF web ACL if it's associated with an App Runner service.

**To delete an AWS WAF web ACL**

1. Disassociate the web ACL from your App Runner service by using the `disassociate-web-acl` AWS WAF public API. For more information about AWS WAF APIs, see [DisassociateWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_DisassociateWebACL.html) in the *AWS WAF API Reference Guide*.   
**Example Disassociating a web ACL - Request**  

   ```
   aws wafv2 disassociate-web-acl \
       --resource-arn <apprunner_service_arn> \
       --region <region>
   ```

1. Verify that the web ACL is disassociated from your App Runner service using the `get-web-acl-for-resource` AWS WAF public API.   
**Example Verify that the web ACL is disassociated - Request**  

   ```
   aws wafv2 get-web-acl-for-resource \
       --resource-arn <apprunner_service_arn> \
       --region <region>
   ```

   The disassociated web ACL isn't listed for your App Runner service. If there are no web ACLs associated with your service, you receive a blank response.

1. Delete the disassociated web ACL using the `delete-web-acl` AWS WAF public API. For more information about AWS WAF APIs, see [DeleteWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_DeleteWebACL.html) in the *AWS WAF API Reference Guide*.  
**Example Delete a web ACL - Request**  

   ```
   aws wafv2 delete-web-acl \
       --name <web_acl_name> \
       --scope REGIONAL \
       --id <web_acl_id> \
       --lock-token <web_acl_lock_token> \
       --region <region>
   ```

1. Verify that the web ACL is deleted using the `list-web-acls` AWS WAF public API. For more information about AWS WAF APIs, see [ListWebACLs](https://docs.aws.amazon.com/waf/latest/APIReference/API_ListWebACLs.html) in the *AWS WAF API Reference Guide*.  
**Example Verify that the web ACL is deleted - Request**  

   ```
   aws wafv2 list-web-acls \
       --scope REGIONAL \
       --region <region>
   ```

   The deleted web ACL is no longer listed.
**Note**  
If a web ACL is associated with other active App Runner services or other resources, such as Amazon Cognito user pools, the web ACL can't be deleted. 

### Listing App Runner services that are associated with a web ACL
<a name="waf-manage.api.list"></a>

A web ACL can be associated with multiple App Runner services and other resources. List the App Runner services associated with a web ACL using the `list-resources-for-web-acl` AWS WAF public API. For more information about AWS WAF APIs, see [ListResourcesForWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_ListResourcesForWebACL.html) in the *AWS WAF API Reference Guide*. 

**Example List App Runner services associated with a web ACL - Request**  

```
aws wafv2 list-resources-for-web-acl \
    --web-acl-arn <WEB_ACL_ARN> \
    --resource-type APP_RUNNER_SERVICE \
    --region <REGION>
```

**Example List App Runner services associated with a web ACL - Response**  
The following example illustrates the response when there are no App Runner services that are associated with a web ACL.  

```
{
  "ResourceArns": []
}
```

**Example List App Runner services associated with a web ACL - Response**  
The following example illustrates the response when there are App Runner services that are associated with a web ACL.  

```
{
  "ResourceArns": [
    "arn:aws:apprunner:<region>:<aws_account_id>:service/<service_name>/<service_id>"
  ]
}
```

## Testing and logging AWS WAF web ACLs
<a name="waf-manage.testing-and-logging"></a>

When you set a rule action to **Count** in your web ACL, AWS WAF adds the request to a count of requests that match the rule. To test a web ACL with your App Runner service, set rule actions to **Count** and consider the volume of requests that match each rule. For example, if a rule set to the `Block` action matches a large number of requests that you determine to be normal user traffic, you might need to reconfigure that rule. For more information, see [Testing and tuning your AWS WAF protections](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing.html) in the *AWS WAF Developer Guide*. 

You can also configure AWS WAF to log request headers to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Data Firehose. For more information, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide*. 

To access logs related to the web ACL that's associated with your App Runner service, refer to the following log fields: 
+ `httpSourceName`: Contains `APPRUNNER` 
+ `httpSourceId`: Contains `customeraccountid-apprunnerserviceid`

For more information, see [Log Examples](https://docs.aws.amazon.com/waf/latest/developerguide/logging-examples.html) in the *AWS WAF Developer Guide*. 
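To put the `httpSourceName` and `httpSourceId` fields above to use, the following added Python example (not from this guide) reads AWS WAF log records in their JSON-lines form, keeps only the ones that came through App Runner, optionally narrows them to one service by `httpSourceId`, and totals the terminating actions and the **Count**-mode rule matches per rule. That gives the number the testing section asks you to consider: a rule in **Count** mode that matches a large share of a service's traffic would block that same share once switched to **Block**, so it is flagged for review. The log records, account and service IDs, client IPs, rule names and the 10% review threshold are all constructed for this example; the fields used (`action`, `terminatingRuleId`, `nonTerminatingMatchingRules`, `httpRequest`) are the standard web ACL log fields.

```python
import json
from collections import Counter

# Constructed sample AWS WAF log records, one JSON object per line, trimmed to the
# fields used here. httpSourceId follows the customeraccountid-apprunnerserviceid form
# described above; the IDs, IPs and rule names are invented for this example.
SAMPLE_LOG = """\
{"timestamp":1700000000000,"httpSourceName":"APPRUNNER","httpSourceId":"111122223333-abcdef1234","action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[{"ruleId":"RateLimitCandidate","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.10","uri":"/api/items"}}
{"timestamp":1700000001000,"httpSourceName":"APPRUNNER","httpSourceId":"111122223333-abcdef1234","action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[{"ruleId":"RateLimitCandidate","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.11","uri":"/api/items"}}
{"timestamp":1700000002000,"httpSourceName":"APPRUNNER","httpSourceId":"111122223333-abcdef1234","action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.5","uri":"/login"}}
{"timestamp":1700000003000,"httpSourceName":"APPRUNNER","httpSourceId":"111122223333-abcdef1234","action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[{"ruleId":"RateLimitCandidate","action":"COUNT"},{"ruleId":"SqliCandidate","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.12","uri":"/search"}}
{"timestamp":1700000004000,"httpSourceName":"APPRUNNER","httpSourceId":"111122223333-abcdef1234","action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.13","uri":"/"}}
{"timestamp":1700000005000,"httpSourceName":"ALB","httpSourceId":"111122223333-app/other/0123","action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.14","uri":"/"}}
this line is not JSON and is skipped by the parser
{"timestamp":1700000006000,"httpSourceName":"APPRUNNER","httpSourceId":"111122223333-0123456789","action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.6","uri":"/admin"}}
"""


def app_runner_records(lines):
    """Yield parsed log records whose httpSourceName is APPRUNNER; skip blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("httpSourceName") == "APPRUNNER":
            yield record


def summarize(lines, service_id=None):
    """Count terminating actions, terminating rules and COUNT-mode matches.

    service_id, when given, is matched against httpSourceId so one App Runner
    service can be analysed when several share the same web ACL.
    """
    summary = {
        "total": 0,
        "actions": Counter(),
        "terminating_rules": Counter(),
        "count_rules": Counter(),
    }
    for record in app_runner_records(lines):
        if service_id and record.get("httpSourceId") != service_id:
            continue
        summary["total"] += 1
        summary["actions"][record.get("action", "UNKNOWN")] += 1
        summary["terminating_rules"][record.get("terminatingRuleId", "")] += 1
        for rule in record.get("nonTerminatingMatchingRules", []):
            if rule.get("action") == "COUNT":
                summary["count_rules"][rule.get("ruleId", "")] += 1
    return summary


def rules_to_review(summary, max_share=0.10):
    """COUNT-mode rules that matched more than max_share of the summarized requests.

    Such a rule would block the same share of traffic if promoted to BLOCK, so
    check whether those matches are normal user traffic before changing it.
    """
    total = summary["total"] or 1
    return sorted(rule for rule, n in summary["count_rules"].items() if n / total > max_share)


if __name__ == "__main__":
    import sys
    # Usage: python waf_count_review.py [log.jsonl] [httpSourceId]; defaults to the sample above.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = summarize(lines, sys.argv[2] if len(sys.argv) > 2 else None)
    print("requests:", result["total"], "actions:", dict(result["actions"]))
    print("COUNT matches per rule:", dict(result["count_rules"]))
    print("rules to review before switching to BLOCK:", rules_to_review(result))
```

On the sample, narrowing to service `111122223333-abcdef1234` gives 5 requests, of which `RateLimitCandidate` matched 3 and `SqliCandidate` matched 1; both exceed the 10% threshold, and only `RateLimitCandidate` exceeds 50%. Records from the other source (`ALB`) and the other App Runner service are excluded from that view, which is what the `httpSourceId` filter is for when one web ACL protects several services.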

**Important**  
Source IP rules for App Runner private services that are associated with WAF web ACLs *do not adhere to IP based rules*. This is because we currently don't support forwarding request source IP data to App Runner private services associated with WAF. If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use [security group rules for private endpoints](network-pl-manage.md) instead of WAF web ACLs.