Which solution will meet these requirements with the LEAST implementation effort?
Configure an AWS WAF web ACL for the Global Accelerator accelerator to block traffic by using rate-based rules
Configure an AWS Lambda function to read the ALB metrics to block attacks by updating a VPC network ACL
Configure an AWS WAF web ACL on the ALB to block traffic by using rate-based rules
Configure an Amazon CloudFront distribution in front of the Global Accelerator accelerator
Explanations:
Configuring an AWS WAF web ACL for the Global Accelerator could help block traffic, but this implementation would not directly apply WAF rules to the ALB. It also requires additional configuration and integration, which may increase effort compared to other options.
Setting up an AWS Lambda function to monitor ALB metrics and update a VPC network ACL is complex and involves custom coding, making it a higher-effort solution. It also lacks immediate DDoS mitigation capabilities as it relies on metric analysis and subsequent action.
Configuring an AWS WAF web ACL directly on the ALB allows for immediate application of rate-based rules to mitigate DDoS attacks with minimal effort, as it directly protects the entry point of the application. This is a straightforward setup within the existing AWS infrastructure.
While using Amazon CloudFront can enhance performance and provide some DDoS protection, it involves additional configuration and changes to the existing architecture. It may not be the simplest or quickest method to implement for immediate DDoS mitigation compared to applying WAF rules directly on the ALB.
I scheme that the answer is:
Configure an AWS WAF web ACL on the ALB to block traffic by using rate-based rules
In my experience, the answer is:
Configure an AWS WAF web ACL on the ALB to block traffic by using rate-based rules