# Protect a Web Tier in a Public Subnet

* **WAF** gives you **control over how traffic reaches your applications** by enabling you to **create security rules that block common attack patterns, such as SQL injection or cross-site scripting**, and rules that filter out specific traffic patterns you define.

* **WAF is tightly integrated with CloudFront and the ALB**, services that AWS customers commonly use to deliver content for their websites and applications.

* **When you use WAF on CloudFront, your rules run in all AWS Edge Locations, located around the world close to your end-users**.

* **Blocked requests are stopped before they reach your web servers**.

* **When you use WAF on an ALB, your rules run in the Region and can be used to protect internet-facing as well as internal load balancers**.

* If the **web servers are hosted in public subnets behind a public-facing ALB while the application servers are hosted in private subnets**, you can **migrate your servers to private subnets** and then **remove any attached public IP or Elastic IP addresses**.

* The **public-facing ALB can route the traffic to these web servers hosted in private subnets**.

* So, to **protect a Web Tier in a Public Subnet:**
  * **Migrate the web servers to private subnets without any public IP or Elastic IP addresses.**
  * **Integrate WAF with the ALB to provide SQL injection or cross-site scripting attack protection to the online application.**
  * **Launch a new CloudFront distribution and configure it to use WAF.**
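
The first two steps of the list above as a CloudFormation fragment. This is an added example, not part of the original notes; the resource names, the instance type and the three parameters (`AlbArn`, `PrivateSubnetId`, `WebAmiId`) are placeholders, and target group registration and security groups are left out.

```yaml
# Added example: every name and parameter below is a placeholder.
Parameters:
  AlbArn: {Type: String}  # ARN of the existing public-facing ALB
  PrivateSubnetId: {Type: "AWS::EC2::Subnet::Id"}
  WebAmiId: {Type: "AWS::EC2::Image::Id"}
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref WebAmiId
      InstanceType: t3.micro
      NetworkInterfaces:
        - DeviceIndex: "0"
          SubnetId: !Ref PrivateSubnetId
          AssociatePublicIpAddress: false  # no public IP; traffic arrives only through the ALB
  WebTierAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: REGIONAL  # REGIONAL for an ALB; a CloudFront web ACL uses CLOUDFRONT
      DefaultAction: {Allow: {}}
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: web-tier-acl}
      Rules:
        - Name: sqli-managed
          Priority: 0
          OverrideAction: {None: {}}  # keep the managed rule group's own block actions
          Statement:
            ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: sqli-managed}
        - Name: xss-query-string
          Priority: 1
          Action: {Block: {}}
          Statement:
            XssMatchStatement:
              FieldToMatch: {QueryString: {}}  # this rule inspects the query string only
              TextTransformations:
                - {Priority: 0, Type: URL_DECODE}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: xss-query-string}
  AlbWafAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt WebTierAcl.Arn
```

For the CloudFront step, the web ACL is a separate one with `Scope: CLOUDFRONT`, created in us-east-1 and referenced from the distribution.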


