DDoS attacks that happen at the application layer commonly target web applications with lower traffic volumes compared to infrastructure attacks. To mitigate these types of attacks, you should probably want to include a Non-AWS WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a “WAF sandwich.” Which of the following statements best describes what a “WAF sandwich" is? Choose the correct answer from the options below.

Answer options:

A.The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the Internet.
B.The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.
C.The EC2 instance running your WAF software is placed between your public subnets and your private subnets.
D.The EC2 instance running your WAF software is included in an Auto Scaling group and placed between two Elastic load balancers.

Answer – D
The below diagram shows how a WAF sandwich is created. The concept of placing the EC2 instance hosts the WAF software in between 2 elastic load balancers.
Options A, B and C are incorrect since the EC2 Instance with the WAF software needs to be placed in an Autoscaling Group.
For more information on a WAF sandwich, please refer to the below Link:
https://www.cloudaxis.com/2016/11/21/waf-sandwich/