How the migration works - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

How the migration works

The automated migration carries over most of your AWS WAF Classic web ACL configuration, leaving some things that you need to handle manually.

Note

Some protection configurations cannot be automatically migrated, and require manual configuration in AWS WAF (v2). See the list at Migration caveats and limitations.

The following lists the high-level steps for migrating a web ACL.

  1. The automated migration reads everything related to your existing web ACL, without modifying or deleting anything in AWS WAF Classic. It creates a representation of the web ACL and its related resources, compatible with AWS WAF. It generates an AWS CloudFormation template for the new web ACL and stores it in an Amazon S3 bucket.

  2. You deploy the template into AWS CloudFormation, in order to recreate the web ACL and related resources in AWS WAF.

  3. You review the web ACL, and manually complete the migration, making sure that your new web ACL takes full advantage of the capabilities of the latest AWS WAF.

  4. You manually switch your protected resources over to the new web ACL.