Web ACL

A web ACL is used to create a rule set that is then associated with either your CloudFront distributions or your Application Load Balancers (ALBs). A web ACL is comprised of one or more rules, which are evaluated in order, and each rule has an action associated with it: Allow, Block, or Count.

If a rule has an Allow action, the web request is considered safe and legitimate and is passed through to the web application infrastructure to be processed. If the action is Block, the request is rejected immediately and no further rules are evaluated. A Count action records that the request matched the rule and then lets evaluation continue with the remaining rules; this is the usual way to test a new rule against live traffic before switching it to Block.

In this example we can see that this web ACL has two rules, both configured to Allow traffic should the request match the conditions within those rules. You will also notice the default action at the bottom of the ACL. The default action tells AWS WAF what to do with any web request that matches none of the rules in the web ACL, so it can only be Allow or Block, never Count. In this example, any web request that doesn't match either of the two Allow rules will be blocked.

When a request is blocked, the user receives an HTTP 403 (Forbidden) response in their browser, indicating that access to the resource is forbidden.

Because the rules are evaluated in order, as soon as a request matches a rule with an Allow or Block action it takes that action, even if a later rule in the web ACL would also match; only Count rules let evaluation continue. Care therefore needs to be taken when ordering the rules within a web ACL: an Allow rule placed above a Block rule will let through any request that matches both, so a broad Allow (for example, an IP allow list) should sit below the Block rules you still want applied to that traffic.
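The following is an added example, not code from the book or from AWS: a small Python evaluator that reproduces the web ACL semantics described above (ordered rules, first Allow or Block terminates, Count records a match and continues, default action applies when nothing matches). The rule conditions (`ip_in`, `path_startswith`, `sqli_like`), the rule names, the CIDR ranges and the sample requests are all constructed for illustration and are not AWS WAF match conditions; they stand in for the IP sets and string match conditions you would configure in the console. It also goes slightly beyond the page's two-Allow-rule figure by showing the ordering pitfall with an Allow rule placed above a Block rule.

```python
"""Toy evaluator for AWS WAF-style web ACL semantics (added example, not AWS code).

Assumptions not taken from the page: rule conditions are plain Python predicates
over a small request dict, and a Block decision maps to HTTP 403 as the page says.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"
Request = Dict[str, str]  # constructed shape: {"ip": ..., "path": ..., "query": ...}


@dataclass
class Rule:
    name: str
    action: str
    matches: Callable[[Request], bool]


@dataclass
class WebACL:
    rules: List[Rule]
    default_action: str  # Allow or Block only; Count is not a valid default

    def __post_init__(self):
        if self.default_action not in (ALLOW, BLOCK):
            raise ValueError("default action must be ALLOW or BLOCK")


@dataclass
class Decision:
    action: str
    terminating_rule: Optional[str]          # None when the default action applied
    counted: List[str] = field(default_factory=list)

    @property
    def status_code(self) -> int:
        return 403 if self.action == BLOCK else 200


def evaluate(acl: WebACL, req: Request) -> Decision:
    """Evaluate rules top to bottom; first Allow/Block wins, Count keeps going."""
    counted: List[str] = []
    for rule in acl.rules:
        if not rule.matches(req):
            continue
        if rule.action == COUNT:
            counted.append(rule.name)   # recorded, but evaluation continues
            continue
        return Decision(rule.action, rule.name, counted)
    return Decision(acl.default_action, None, counted)


# --- constructed conditions standing in for IP sets / string match conditions ---
def ip_in(cidrs: List[str]) -> Callable[[Request], bool]:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r["ip"]) in n for n in nets)


def path_startswith(prefix: str) -> Callable[[Request], bool]:
    return lambda r: r["path"].startswith(prefix)


def sqli_like(r: Request) -> bool:
    q = r.get("query", "").lower()
    return "union select" in q or "' or '1'='1" in q


def example_acl() -> WebACL:
    """Two Allow rules with a default Block, like the figure in the text."""
    return WebACL(
        rules=[
            Rule("allow-office", ALLOW, ip_in(["203.0.113.0/24"])),   # constructed CIDR
            Rule("allow-public-site", ALLOW, path_startswith("/public/")),
        ],
        default_action=BLOCK,
    )


def ordering_demo(allow_first: bool) -> WebACL:
    """Same three rules; only the position of the Allow rule changes."""
    count = Rule("count-admin", COUNT, path_startswith("/admin"))
    allow = Rule("allow-office", ALLOW, ip_in(["203.0.113.0/24"]))
    block = Rule("block-sqli", BLOCK, sqli_like)
    rules = [count, allow, block] if allow_first else [count, block, allow]
    return WebACL(rules=rules, default_action=ALLOW)


if __name__ == "__main__":
    # Constructed request: office IP, admin path, SQL-injection-looking query string.
    attack = {"ip": "203.0.113.9", "path": "/admin/users",
              "query": "id=1 UNION SELECT password FROM users"}
    for allow_first in (True, False):
        d = evaluate(ordering_demo(allow_first), attack)
        print(f"allow_first={allow_first}: {d.action} by {d.terminating_rule}, "
              f"counted={d.counted}, status={d.status_code}")
```

Running it shows the point of the ordering warning: with the IP allow rule above the SQLi block rule the injection request is allowed (the Count rule still records it), and with the block rule first the same request gets a 403.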
