Devcasters, what's the simplest and cheapest way to protect an AWS Fargate-hosted public API server from DDoS attacks?

Is the basic AWS shield enough or would you recommend setting up AWS web application firewall?

co-founder stelo.com. theoretical cs phd dropout. into math, music, ml, macro, markets, surfing, writing amandhesi.net

If trying to remain on AWS for all infra, Shield will be your only option, but the pricing ain't cheap.

If willing to delegate your DNS to Cloudflare, you can get pretty awesome (IMO) built-in DDoS protection for free, and optional analytics for $25/mth on their Business plan.

Building @warpcast and @farcaster. Previously Coinbase, Brigade, Causes.

Sorry, I should have been more explicit: if willing to delegate your DNS to [and proxy all traffic via] Cloudflare is what you need if you want Cloudflare's DDoS protection to work. That may add some latency depending on your your use case.

I’m less familiar with AWS WAF. I do recall we didn’t really use it much at Coinbase when I was there. Cloudflare was seen as the better tool (at the time). YMMV.

Do you think cloudfront's free ddos protection is significantly better than well-configured AWS WAF (which is much cheaper than Shield Advanced)? https://aws.amazon.com/waf/