amazon-web-services, aws-api-gateway, amazon-waf, aws-http-api

How to use AWS WAF to protect API Gateway with HTTP API?


I am deploying a POC environment with API Gateway in front of Lambda, and HTTP API would be sufficient for our usage (REST API wouldn't be used). I am planning to use AWS Web application as a protection measure in front of API Gateway with HTTP API to avoid unwanted inbound traffic into API Gateway.

I understand that WAF shall not be supported for direct integration with API Gateway with HTTP API. ALB can enable WAF and integrate with HTTP API gateway as per protection recommendations. But it seems WAF/ALB would be behind API Gateway HTTP API and could not prevent unwanted traffic into API Gateway according to the reference architecture diagram.

Would there be any integration method by which WAF could be in front of HTTP API gateway, or alternatives to protect HTTP API gateway from unwanted traffic?

I tried to deploy ALB and a target group with HTTP API gateway, but it seems it would be behind the gateway, which is not ideal.


Solution

  • Yes, it's true that HTTP API as of this moment does not support WAF, unlike REST API.

    You can use CloudFront in front of your API Gateway and then use WAF with it.

    There is a Well-Architected lab from AWS on this which explains this in detail.

    Refer more for using WAF with CloudFront.
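
The layout described in the answer, as an added CloudFormation example (not part of the original answer or of the AWS lab): a WAFv2 web ACL with `Scope: CLOUDFRONT` attached to a CloudFront distribution whose origin is the HTTP API. The parameter `HttpApiDomain`, the resource names and the choice of the AWS managed common rule set are assumptions; the stack must be created in us-east-1 because CloudFront-scope web ACLs only exist there.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront + WAFv2 in front of an existing API Gateway HTTP API (illustrative)
Parameters:
  HttpApiDomain:   # assumption: <api-id>.execute-api.<region>.amazonaws.com, $default stage
    Type: String
Resources:
  EdgeWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT            # REGIONAL web ACLs cannot be attached to CloudFront
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: edge-web-acl
      Rules:
        - Name: aws-common-rules
          Priority: 0
          OverrideAction:
            None: {}               # keep the rule group's own block/count actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-common-rules
  EdgeDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt EdgeWebAcl.Arn   # WAFv2 web ACLs are referenced by ARN
        Origins:
          - Id: http-api
            DomainName: !Ref HttpApiDomain
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
        DefaultCacheBehavior:
          TargetOriginId: http-api
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # AWS managed policies: CachingDisabled and AllViewerExceptHostHeader
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
```

The web ACL only inspects requests that arrive through the distribution; the API's own `execute-api` endpoint stays publicly reachable. A common complement is to have CloudFront add a secret custom origin header and reject requests that lack it in the API's authorizer.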