
Dennis Lin
Hi Ryan,
In the AWS Security Specialty chapter 7 Summary, the statement about WAF is wrong.
"So always using a WAF in conjunction, either with your Application Load Balancers or Network Load Balancers and CloudFront, so do bear that in mind."
WAF cannot be associated with an NLB. An NLB operates on layer 4 and does not have visibility into the application layer [1]. WAF, however, inspects layer 7 requests and so operates on a different layer.
As of today, WAF works with CloudFront, the Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync [2].
Ref:
[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
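
The distinction raised in the post above can be checked against an account inventory. The following is an added example, not part of the original post or the course: it classifies load balancers by whether a web ACL can be attached and whether one is. It assumes input in the JSON shape of `aws elbv2 describe-load-balancers` and a set of ARNs such as the `ResourceArns` from `aws wafv2 list-resources-for-web-acl`; the function name, sample ARNs and status labels are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws elbv2 describe-load-balancers` output.
ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/"
SAMPLE_LBS = json.loads("""
{"LoadBalancers": [
  {"LoadBalancerName": "web-alb",   "Type": "application", "Scheme": "internet-facing",
   "LoadBalancerArn": "%(p)sapp/web-alb/aaaa1111"},
  {"LoadBalancerName": "api-alb",   "Type": "application", "Scheme": "internet-facing",
   "LoadBalancerArn": "%(p)sapp/api-alb/bbbb2222"},
  {"LoadBalancerName": "admin-alb", "Type": "application", "Scheme": "internal",
   "LoadBalancerArn": "%(p)sapp/admin-alb/cccc3333"},
  {"LoadBalancerName": "tcp-nlb",   "Type": "network",     "Scheme": "internet-facing",
   "LoadBalancerArn": "%(p)snet/tcp-nlb/dddd4444"}
]}
""" % {"p": ARN_PREFIX})

# Constructed: ARNs already associated with a web ACL.
SAMPLE_WAF_ARNS = {ARN_PREFIX + "app/web-alb/aaaa1111"}


def audit_waf_coverage(lbs, waf_arns):
    """Map each load balancer name to its WAF status.

    Only Type == "application" (ALB, layer 7) can carry a web ACL.
    Network load balancers work at layer 4 and are reported as
    not eligible, so they need a different control in front of them.
    """
    findings = {}
    for lb in lbs["LoadBalancers"]:
        name = lb["LoadBalancerName"]
        if lb["Type"] != "application":
            findings[name] = "not-eligible-layer4"
        elif lb["LoadBalancerArn"] in waf_arns:
            findings[name] = "protected"
        elif lb["Scheme"] == "internet-facing":
            findings[name] = "unprotected-public"
        else:
            findings[name] = "unprotected-internal"
    return findings


if __name__ == "__main__":
    for name, status in audit_waf_coverage(SAMPLE_LBS, SAMPLE_WAF_ARNS).items():
        print(f"{name}: {status}")
```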