The moment you expose a web application to the internet, two types of enemies arrive simultaneously. One is DDoS that attacks with volume — flooding traffic to paralyze servers. The other is application attacks that infiltrate with payloads — data theft via SQL injection and XSS. These two are defended at different layers. DDoS is mainly blocked at L3/L4 (network/transport), while injection is blocked at L7 (application). That's why AWS edge security separates Shield (DDoS) and WAF (L7 filtering), expands them to Firewall Manager (apply policies across multi-account), Network Firewall (protect VPC internals), and DNS Firewall (block malicious domains).