

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# How AWS WAF works
<a name="how-aws-waf-works"></a>

You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (web ACL) and then associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to AWS WAF for inspection by the web ACL. 

The **new console** simplifies the web ACL configuration process. It introduces protection packs to streamline setup while maintaining full control over your security rules. 

Protection packs are the new location for web ACLs and simplify web ACL management in the console, but they don't change the underlying web ACL functionality. When using the standard console or the API, you'll still work directly with web ACLs.

In your protection pack (web ACL), you create rules to define traffic patterns to look for in requests and to specify the actions to take on matching requests. The action choices include the following: 
+ Allow the requests to go to the protected resource for processing and response. 
+ Block the requests. 
+ Count the requests. 
+ Run CAPTCHA or challenge checks against requests to verify human users and standard browser use. 

**AWS WAF components**  
The following are the central components of AWS WAF:
+ **web ACLs** – You use a web access control list (web ACL) to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the web ACL that indicates whether to block or allow through any requests that the rules haven't already blocked or allowed. For more information about web ACLs, see [Configuring protection in AWS WAF](web-acl.md).

  A web ACL is an AWS WAF resource.
+ **Protection packs (web ACLs)** – In the new console, protection packs are the new location for your web ACLs. During setup, you provide information about your apps and resources. AWS WAF recommends a protection pack tailored to your scenario, and then creates a web ACL that contains rules, rule groups, and actions defined by the protection pack (web ACL) you choose. For more information about protection packs (web ACLs), see [Configuring protection in AWS WAF](web-acl.md).

  A protection pack (web ACL) is an AWS WAF resource.
+ **Rules** – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run bot controls against them that use CAPTCHA puzzles or silent client browser challenges. For more information about rules, see [AWS WAF rules](waf-rules.md). 

  A rule is not an AWS WAF resource. It only exists in the context of a protection pack (web ACL) or rule group.
+ **Rule groups** – You can define rules directly inside a protection pack (web ACL) or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see [AWS WAF rule groups](waf-rule-groups.md). 

  A rule group is an AWS WAF resource.
+ **Web ACL capacity units (WCUs)** – AWS WAF uses WCUs to calculate and control the operating resources that are required to run your rules, rule groups, and protection packs (web ACLs). 

  A WCU is not an AWS WAF resource. It only exists in the context of a protection pack (web ACL), rule, or rule group.
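
The following added example (not AWS code) models how the rules, actions, and default action described above combine for a single request: rules run in ascending priority order, Allow and Block terminate evaluation, Count records a match and continues, and the default action applies when no rule terminates. Rule names, priorities, and request fields are constructed, Python predicates stand in for rule statements, and CAPTCHA and Challenge actions are not modeled.

```python
# Added example: simplified model of web ACL evaluation for one request.
# Rule names, priorities and request fields are constructed; Python
# predicates stand in for real rule statements.
from collections import Counter

TERMINATING = {"Allow", "Block"}  # Count records the match and keeps going

def evaluate(web_acl, request):
    """Return (final_action, terminating_rule_or_None, counted_rule_names)."""
    counted = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if not rule["matches"](request):
            continue
        if rule["action"] in TERMINATING:
            return rule["action"], rule["name"], counted
        counted.append(rule["name"])
    # No rule allowed or blocked the request: the default action decides.
    return web_acl["default_action"], None, counted

def summarize(web_acl, requests):
    """Tally which rule (or the default action) decided each request."""
    tally = Counter()
    for request in requests:
        action, rule, _ = evaluate(web_acl, request)
        tally[(rule or "default-action", action)] += 1
    return tally

WEB_ACL = {
    "default_action": "Allow",
    "rules": [
        {"name": "block-admin-external", "priority": 3, "action": "Block",
         "matches": lambda r: r["path"].startswith("/admin") and not r["internal"]},
        {"name": "allow-health-check", "priority": 0, "action": "Allow",
         "matches": lambda r: r["path"] == "/health"},
        {"name": "block-scanner-ua", "priority": 2, "action": "Block",
         "matches": lambda r: "scanner" in r["ua"].lower()},
        {"name": "count-admin-paths", "priority": 1, "action": "Count",
         "matches": lambda r: r["path"].startswith("/admin")},
    ],
}
REQUESTS = [
    {"path": "/health", "ua": "scanner/1.0", "internal": False},
    {"path": "/admin/login", "ua": "Mozilla/5.0", "internal": False},
    {"path": "/index.html", "ua": "Mozilla/5.0", "internal": False},
]

if __name__ == "__main__":
    for request in REQUESTS:
        print(request["path"], evaluate(WEB_ACL, request))
```

The first sample request is decided by the priority 0 Allow rule before the scanner Block rule is reached, which is the kind of ordering effect to review when placing broad Allow rules ahead of Block rules.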

# Resources that you can protect with AWS WAF
<a name="how-aws-waf-works-resources"></a>

You can use an AWS WAF protection pack (web ACL) to protect global or regional resource types. You do this by associating the protection pack (web ACL) with the resources that you want to protect. The protection pack (web ACL) and any AWS WAF resources that it uses must be located in the Region where the associated resource is located. For Amazon CloudFront distributions, this is set to US East (N. Virginia).

**Amazon CloudFront distributions**  
You can associate an AWS WAF protection pack (web ACL) with a CloudFront distribution using the AWS WAF console or APIs. You can also associate a protection pack (web ACL) with a CloudFront distribution when you create or update the distribution itself. To configure an association in AWS CloudFormation, you must use the CloudFront distribution configuration. For information about Amazon CloudFront, see [Using AWS WAF to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the *Amazon CloudFront Developer Guide*.

AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your protection pack (web ACL) and any resources used in the protection pack (web ACL), such as rule groups, IP sets, and regex pattern sets. Some interfaces offer a region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".

**Regional resources**  
You can protect regional resources in all Regions where AWS WAF is available. You can see the list at [AWS WAF endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/waf.html) in the *Amazon Web Services General Reference*. 

You can use AWS WAF to protect the following regional resource types: 
+ Amazon API Gateway REST API
+ Application Load Balancer
+ AWS AppSync GraphQL API
+ Amazon Cognito user pool
+ AWS App Runner service
+ AWS Verified Access instance
+ AWS Amplify

You can only associate a protection pack (web ACL) to an Application Load Balancer that's within AWS Regions. For example, you cannot associate a protection pack (web ACL) to an Application Load Balancer that's on AWS Outposts.

You must create any protection pack (web ACL) that you want to associate with an Amplify app in the Global CloudFront Region. You might already have a Regional protection pack (web ACL) in your AWS account, but Regional protection packs (web ACLs) are not compatible with Amplify.

The protection pack (web ACL) and any other AWS WAF resources that it uses must be located in the same Region as the protected resources. When monitoring and managing web requests for a protected regional resource, AWS WAF keeps all data in the same Region as the protected resource. 

**Restrictions on multiple resource associations**  
You can associate a single protection pack (web ACL) with one or more AWS resources, with the following restrictions:
+ You can associate each AWS resource with only one protection pack (web ACL). The relationship between protection pack (web ACL) and AWS resources is one-to-many. 
+ You can associate a protection pack (web ACL) with one or more CloudFront distributions. You cannot associate a protection pack (web ACL) that you have associated with a CloudFront distribution with any other AWS resource type.
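
The Region and association restrictions in this section can be checked before deployment. The following added example (not AWS code) lints a planned set of associations offline; the web ACL names, account ID, and ARNs are constructed sample values, and `CLOUDFRONT` and `REGIONAL` are the WAFv2 API scope values.

```python
# Added example: lint a planned set of web ACL associations offline.
# ACL names, account ID and ARNs are constructed sample values.
from collections import defaultdict

GLOBAL_REGION = "us-east-1"  # "Global (CloudFront)" is US East (N. Virginia)

def parse_arn(arn):
    """Return (service, region) from arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2], parts[3]

def check_plan(web_acls, associations):
    """web_acls maps name -> {"scope": "CLOUDFRONT" | "REGIONAL", "region": str}.
    associations is a list of (web_acl_name, resource_arn). Returns findings."""
    findings, owner, services = [], {}, defaultdict(set)
    for name, acl in web_acls.items():
        if acl["scope"] == "CLOUDFRONT" and acl["region"] != GLOBAL_REGION:
            findings.append(f"{name}: CLOUDFRONT scope must live in {GLOBAL_REGION}")
    for name, arn in associations:
        acl = web_acls[name]
        service, region = parse_arn(arn)
        services[name].add(service)
        # Each resource can be associated with only one web ACL.
        if owner.setdefault(arn, name) != name:
            findings.append(f"{arn}: already associated with {owner[arn]}")
        if service in ("cloudfront", "amplify"):
            if acl["scope"] != "CLOUDFRONT":
                findings.append(f"{name}: {service} needs a CLOUDFRONT-scope web ACL")
        elif acl["scope"] != "REGIONAL":
            findings.append(f"{name}: regional resource ({service}) needs REGIONAL scope")
        elif region != acl["region"]:
            findings.append(f"{name}: web ACL in {acl['region']}, resource in {region}")
    for name, used in services.items():
        # A web ACL attached to a CloudFront distribution takes no other resource type.
        others = sorted(used - {"cloudfront"})
        if "cloudfront" in used and others:
            findings.append(f"{name}: mixes CloudFront with {others}")
    return findings

ACLS = {"edge": {"scope": "CLOUDFRONT", "region": "us-east-1"},
        "api": {"scope": "REGIONAL", "region": "eu-west-1"}}
ALB = "arn:aws:elasticloadbalancing:eu-central-1:111122223333:loadbalancer/app/web/0123456789abcdef"
DIST = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"
PLAN = [("edge", DIST), ("api", ALB), ("edge", ALB)]

if __name__ == "__main__":
    for finding in check_plan(ACLS, PLAN):
        print(finding)
```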

# Working with the updated console experience
<a name="working-with-console"></a>

 AWS WAF offers two options for using the console:

 The **new console** aims to simplify the web ACL configuration process required by standard console workflows. You can use guided workflows to simplify the web ACL creation and management process through a protection pack (web ACL). A protection pack (web ACL) makes it easier to use and manage web ACLs in the console, but is not functionally different from a web ACL. In addition to the improved protection configuration process, the new console offers enhanced visibility into your protections through security dashboards, making it easier to monitor your security posture within the AWS WAF console. 

 The **standard AWS WAF console** provides a traditional approach to configuring web application firewall protections using web ACLs. It offers granular control over individual rules and rule groups and is familiar to existing AWS WAF users. With this console, you have detailed control over your protection configurations, allowing for precise customization of your security settings. 

**Tip**  
 Choose the console experience that best fits your needs. If you're new to AWS WAF or want to begin configuring protections based on AWS recommendations, we recommend starting with the new console experience. However, the standard experience is always available to open from the navigation pane in the console. 

## Feature parity between the new and standard console experience
<a name="feature-parity"></a>

The new console experience maintains complete feature parity with the existing console while introducing new capabilities:
+ All existing AWS WAF functionality remains available
+ Enhanced visibility through unified dashboards
+ Simplified configuration workflows
+ New protection pack (web ACL) templates

**Important**  
The new console experience uses the same WAFv2 APIs as the existing console. This means that protection packs created in the new console are implemented as standard WAFv2 web ACLs at the API level.

## Key differences
<a name="key-differences"></a>


**Comparison of Console Experiences**  

| Feature | Previous AWS WAF console experience | Updated console experience | 
| --- | --- | --- | 
| Configuration process | Multi-page workflow | Single-page interface | 
| Rule configuration | Individual rule creation | Option for pre-configured protection packs | 
| Monitoring | Separate dashboards | Unified visibility including AI Traffic Analysis | 

## Understanding the new dashboards
<a name="understanding-new-dashboard"></a>

Dashboards available through the new console provide unified visibility into your security posture through these visualizations:

**Traffic insight recommendations** – AWS Threat Intelligence monitors your previous 2 weeks of allowed traffic, analyzes vulnerabilities, and provides the following:  
+ Traffic-based rule suggestions
+ Application-specific security recommendations
+ Protection optimization guidance

**Summary** – Shows request counts for all traffic during a specified time range. You can use the following criteria to filter traffic data:  
+ **Rule** – Filter by the individual rules in the protection pack.
+ **Actions** – Show counts for specific actions taken on traffic like Allow, Block, Captcha, and Challenge.
+ **Traffic type** – Only show counts for specific traffic types like anti-DDoS or bots.
+ **Time range** – Choose from a selection of predefined time ranges, or set a custom range. 
+ **Local or UTC time** – You can set your preferred time format.

**AI Traffic Analysis** – Provides comprehensive visibility into AI bot and agent activity:  
+ **Bot identification** – Bot names, organizations, and verification status.
+ **Intent analysis** – Purpose and behavior patterns of AI agents.
+ **Access patterns** – Most frequently accessed URLs and endpoints.
+ **Temporal trends** – Activity patterns by time of day and historical trends (0-14 days).
+ **Traffic characteristics** – Volume, distribution, and anomaly detection for AI traffic.

**Protection activity** – Visualizes your protection rules and how their order contributes to terminating actions.  
+ **Traffic flow through your rules** – Shows the traffic flow through your rules. Switch from **Sequential rules view** to **Non-sequential rules view** to see how rule order affects outcomes.
+ **Rule actions and their outcomes** – Shows the terminating actions that a rule took on traffic in the specified time period. 

**Action totals** – A chart that visualizes the total number of actions taken on requests during a specified time range. Use the **Overlay last 3 hours** option to compare the current time range with the previous 3 hour time window. You can filter data by:   
+ **Allow action**
+ **Total actions**
+ **Captcha actions**
+ **Challenge actions**
+ **Block actions**

**All rules** – A chart that visualizes metrics for all rules in the protection pack.  
+  Use the **Overlay last 3 hours** option to compare the current time range with the previous 3 hour time window.

**Overview Dashboard** – Provides a comprehensive, graphical view of your security status, including the following:  
+ **Traffic characteristics** – See an overview of traffic by origin, attack types, or by the device type of the clients that sent requests.
+ **Rule characteristics** – A breakdown of attacks by the 10 most common rules and terminating actions.
+ **Bots** – Visualize bot activity, detection, categories, and bot-related signal labels.
+ **Anti-DDoS** – An overview of detected and mitigated layer 7 DDoS activity.