How to migrate from AWS WAF Classic to AWS WAF v2

Table of Contents

  1. Introduction
  2. Differences between WafCharm for AWS WAF Classic and WafCharm for AWS WAF v2
  3. Using a new plan
  4. Notes on migration
  5. Migration process

1. Introduction

AWS announced on September 20th, 2024, that AWS WAF Classic will be deprecated.

Because the specifications of AWS WAF Classic and AWS WAF v2 differ, some of WafCharm’s specifications for the rules and features it provides differ as well. AWS WAF provides a migration tool; however, due to these differences, WafCharm cannot be migrated using this tool.

In this blog post, we will take a look at the differences between the AWS WAF versions and at how WafCharm users on AWS WAF Classic can migrate.

2. Differences between WafCharm for AWS WAF Classic and WafCharm for AWS WAF v2

As stated above, the specifications of AWS WAF Classic and AWS WAF v2 differ. Due to these differences, WafCharm’s specifications differ as well.

Number of registrable rules

AWS WAF Classic had a limitation on the number of rules that can be added to a web ACL. In AWS WAF v2, the limitation has been updated to cost-based limits using WCU (WAF Capacity Unit). With this change, the number of rules that can be added to a web ACL increased drastically, so WafCharm can add more rules to AWS WAF v2 than to AWS WAF Classic.

With AWS WAF Classic, WafCharm used to automatically switch which rules were applied to a web ACL at a given moment because of the limit on the number of applicable rules. However, because AWS WAF v2 allows more rules to be applied and WafCharm can apply all basic rules by default, WafCharm does not change the applied rules for AWS WAF v2.

Differences in rule structures

In WafCharm for AWS WAF Classic, signatures were applied as single rules in a web ACL instead of rule groups. In AWS WAF v2, WafCharm uses rule groups, each of which contains multiple rules.
*Some rules may be added as single rules instead of as part of a rule group.

In addition, rule priorities could change in AWS WAF Classic due to the rule-switching system mentioned above, but AWS WAF v2 has a set of rule priorities determined by WafCharm. The rule order will be maintained and periodically restored to its default order even if you change it from the AWS management console.
*The order of your own set of rules will remain the same.

For more details on WafCharm rules, please refer to the help page: About WafCharm rules for AWS WAF v2

Differences in supported rules in customization service

In AWS WAF Classic, WafCharm could not support customization for geo-match rules and rate-based rules. In AWS WAF v2, WafCharm can help you add those rules from the WafCharm Console or add them via customization service, depending on the rule policy you choose.

Combination with our managed rules

Because AWS WAF v2 allows for more rules to be applied to a web ACL, all rules targeting common web attacks are available by default. Managed Rules sold by CSC (Cyber Security Cloud Managed Rules for AWS WAF -HighSecurity OWASP Set- and -API Gateway/Serverless-) can be used with WafCharm for AWS WAF v2, but because both target the same common web attacks, the rules in WafCharm and in the managed rule sets will be very similar. Some rules may be the same, so you are not required to use both WafCharm and our managed rules simultaneously.

Unavailable feature in WafCharm for AWS WAF v2

In AWS WAF Classic, WafCharm used to provide a feature for changing managed rules’ actions from WafCharm when you used both WafCharm and our managed rules (Cyber Security Cloud Managed Rules for AWS WAF Classic -OWASP Set-) at the same time. As stated above, it is not necessary or helpful to use managed rules with WafCharm in AWS WAF v2, and the feature is unavailable for AWS WAF v2.

3. Using a new plan

WafCharm was updated in June 2023 to provide new plans. The new plan includes multiple updates, such as immediate application of changes to the static denylist/allowlist and updates to the dynamic denylist via the signature re-matching feature every 5 minutes. For more information on the June 2023 updates, please refer to the blog post below.
WafCharm June 2023 Updates

In addition, WafCharm was renewed on August 8th, 2024, to provide a new management console. Updates like the new rule policy called the Advanced rule policy are only available for new plan/AWS Marketplace version users. For more information about the new WafCharm Console, please see the blog post below.
We released a new WafCharm Console

If you are currently using AWS WAF Classic, you cannot switch your plan to a new plan. However, by migrating to AWS WAF v2 from AWS WAF Classic, you will be able to use a new plan. If you wish to use a new plan, please consider one of the two methods below.

Switch to a new plan after migrating to AWS WAF v2 from AWS WAF Classic

If you choose this method, please refer to the migration steps below to complete the migration process first. You must migrate to AWS WAF v2 and delete all your AWS WAF Classic-related resources (e.g., WAF Configs) from the WafCharm Console.

After you have deleted the resources related to AWS WAF Classic, you can switch the plan to a new plan. Please contact the WafCharm Support team to switch your plan once you have completed all the steps.
help@wafcharm.com

Start using a new plan while keeping the AWS WAF Classic configurations

If you want to use the new features available for the new plan as you migrate to AWS WAF v2 while keeping AWS WAF Classic configurations, you must register a new WafCharm account and configure AWS WAF v2 on your new account. If you choose this method, you can keep the old WafCharm account with AWS WAF Classic configurations, so you can use both AWS WAF Classic and AWS WAF v2 at the same time with different plans.

To accomplish this, you will have two separate WafCharm accounts, as shown below:
  - Existing WafCharm account with the old plan: WAF Config for AWS WAF Classic
  - New WafCharm account with the new plan: WAF Config for AWS WAF v2

In addition, you will have multiple WafCharm accounts and WAF Configs until you complete the whole migration process. Please keep in mind that the usage fees are charged per WafCharm account.

4. Notes on migration

Note 1

WafCharm cannot be migrated using AWS’s migration tool (migration wizard). Please refrain from using the migration wizard. If you accidentally migrated using the migration wizard, please redo the whole process with the steps below. If you cannot redo the migration process, please contact the WafCharm Support team.

Note 2

A new WAF Config for AWS WAF v2 must be registered if you are migrating to AWS WAF v2 from AWS WAF Classic. If you keep the WAF Config for AWS WAF Classic and add a new WAF Config for AWS WAF v2, usage fees for both WAF Configs will be included for the period in which both exist.
*The number of configured WAF Configs is a part of the monthly fee, prorated by day or time, depending on the version you are using.

Note 3

If you have used a customization service on AWS WAF Classic, please note that the customized rules will not be automatically migrated. The WafCharm Support team must manually apply the customization. Please contact the WafCharm Support team if you want to apply the same customization to your new web ACL.

5. Migration process

When migrating, create a new web ACL in AWS WAF v2 and register new resources, such as WAF Config, in the WafCharm Console. The steps below illustrate the basic steps to complete the migration process. You can adjust when to complete the steps written below after you have created a new web ACL in AWS WAF v2. For example, if you want to delete the WAF Config for AWS WAF Classic before creating a new web ACL in AWS WAF v2, that is also possible. If you decide to delete the WAF Config for AWS WAF Classic first, please keep in mind that WafCharm rules will be deleted from the web ACL, and WafCharm will not be able to access the web ACL. If you want to keep the configuration for AWS WAF Classic until you have completed the migration process, please follow the steps below.

  1. Create a new web ACL for AWS WAF v2.
  2. Sign in to the WafCharm Console and create a new WAF Config.
    For details on how to create a new WAF Config, please refer to the pages below.
    Getting started with WafCharm (AWS WAF v2)
    How to configure WAF Config for AWS WAF v2
    If you have customized rules and wish to apply the same customized rules to AWS WAF v2, make sure to contact the WafCharm Support team before deleting the WAF Config for AWS WAF Classic. Please write the names of both WAF Configs (AWS WAF v2 and AWS WAF Classic). If there are multiple customized rules, please also write down which customization you’d like to apply to the new web ACL.
  3. Attach resources to the new web ACL for AWS WAF v2 in the AWS management console.
  4. Delete the WAF Config for AWS WAF Classic in the WafCharm Console.
    If you delete the WAF Config, Web Site Configs will be automatically deleted at the same time.
  5. Delete any resources you no longer need, such as the web ACL for AWS WAF Classic, in the AWS management console.
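
A cutover check for the window between step 3 and step 4, as an added example that is not WafCharm's or AWS's own code: it compares the resources that were attached to the Classic web ACL before step 3 with those now attached to the v2 web ACL, so the Classic WAF Config is deleted only once nothing still depends on it. It assumes regional web ACLs (Application Load Balancer and API Gateway; CloudFront associations are not covered), and the function names and sample ARNs are constructed for illustration.

```python
# Added example: cutover check between step 3 and step 4 (not WafCharm or AWS code).
RESOURCE_TYPES = ("APPLICATION_LOAD_BALANCER", "API_GATEWAY")


def classic_associations(web_acl_id, region):
    """Resources attached to a regional AWS WAF Classic web ACL (needs boto3 and credentials)."""
    import boto3  # lazy import so cutover_report() below also runs offline
    client = boto3.client("waf-regional", region_name=region)
    arns = []
    for rtype in RESOURCE_TYPES:
        arns += client.list_resources_for_web_acl(
            WebACLId=web_acl_id, ResourceType=rtype)["ResourceArns"]
    return arns


def v2_associations(web_acl_arn, region):
    """Resources attached to a regional AWS WAF v2 web ACL (needs boto3 and credentials)."""
    import boto3
    client = boto3.client("wafv2", region_name=region)
    arns = []
    for rtype in RESOURCE_TYPES:
        arns += client.list_resources_for_web_acl(
            WebACLArn=web_acl_arn, ResourceType=rtype)["ResourceArns"]
    return arns


def cutover_report(classic_before, v2_now):
    """Compare the Classic inventory saved before step 3 with what v2 protects now."""
    before, now = set(classic_before), set(v2_now)
    not_moved = sorted(before - now)
    return {
        "not_moved": not_moved,             # still depend on the Classic web ACL
        "moved": sorted(before & now),
        "new_on_v2": sorted(now - before),  # attached to v2 but never on Classic
        "ready_to_delete_classic": not not_moved,
    }


# Constructed sample ARNs (placeholder account 111122223333), not real resources.
ALB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef"
API = "arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod"
SAMPLE_CLASSIC_BEFORE = [ALB, API]
SAMPLE_V2_NOW = [ALB]

if __name__ == "__main__":
    print(cutover_report(SAMPLE_CLASSIC_BEFORE, SAMPLE_V2_NOW))
```

Save the output of `classic_associations()` before step 3, then rerun `v2_associations()` after step 3 and pass both lists to `cutover_report()`.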