Today we're using WAF for our Application Load Balancer and it's great, but WAF does not support the Network Load Balancer. So we need a solution that will protect us behind or after the NLB. For example:
1. Firewall -> NLB -> App (best option for us)
2. NLB -> Firewall -> App
Just to be clear, we must use an NLB and not an ALB because we need to use TCP and not HTTP/HTTPS: we have many domains for which we provide SSL on our servers (using CaddyServer), so if we used an ALB the SSL for those domain names would not work. Thanks for the help.
Clarification
I don't really fully understand what you're trying to do. If this doesn't answer your question, please edit it to describe more fully what you're trying to achieve, rather than how you think you might achieve it, i.e. describe your workload and connectivity / firewall requirements. For example, by "Firewall" do you mean a security group, a NACL, an appliance like a virtual SRX on EC2, etc.?
ALB behind NLB
You can have an ALB behind an NLB. Have a look at this article for details. That article shows you how to use an NLB to supply an ALB with a static IP.
An ALB can be protected by a security group, so it looks like this:
Internet > NACL > NLB > Security Group > ALB > Workload

It could also be:

Internet > NACL > NLB > Security Group > ALB > NACL > Security Group > Workload

Internet > NACL > NLB > Security Group > ALB > NACL > Security Group > EC2 Firewall Appliance > Security Group > Workload
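As an added example, not part of the answer above, here is the first chain (Internet > NACL > NLB > Security Group > ALB > Workload) written as Terraform for the AWS provider, with WAF attached to the ALB, which is the point of putting the ALB behind the NLB. All resource names, variables and the ACM and WAF ARNs are placeholders I have assumed. It also assumes the ALB terminates TLS with an ACM certificate, because an ALB listener only speaks HTTP/HTTPS; that matches the answer's chain, not the question's requirement of terminating TLS on the Caddy servers.

```hcl
# Added example, not the original answer's code. Names, variables and ARNs
# are assumptions; the NACL is left at the subnets' existing rules.

variable "vpc_id"             { type = string }
variable "public_subnet_ids"  { type = list(string) }
variable "private_subnet_ids" { type = list(string) }
variable "certificate_arn"    { type = string } # ACM certificate the ALB presents (assumed)
variable "web_acl_arn"        { type = string } # existing WAFv2 web ACL (assumed)

# Edge NLB: plain TCP on 443, no TLS termination at this layer.
resource "aws_lb" "edge" {
  name               = "edge-nlb"
  load_balancer_type = "network"
  subnets            = var.public_subnet_ids
}

# Security group on the ALB. Client IP preservation is always enabled for
# ALB-type target groups, so the ALB sees the real client address and this
# rule must admit Internet clients on 443; every other port stays closed.
resource "aws_security_group" "alb" {
  name        = "alb-behind-nlb"
  description = "HTTPS to the ALB behind the edge NLB"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Internal ALB in private subnets; only reachable through the NLB.
resource "aws_lb" "app" {
  name               = "internal-alb"
  load_balancer_type = "application"
  internal           = true
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.private_subnet_ids
}

# Register the ALB itself as the NLB's target (target_type = "alb").
# The ALB must have a listener on the same port (443 below).
resource "aws_lb_target_group" "alb" {
  name        = "alb-as-nlb-target"
  target_type = "alb"
  protocol    = "TCP"
  port        = 443
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/"
  }
}

resource "aws_lb_target_group_attachment" "alb" {
  target_group_arn = aws_lb_target_group.alb.arn
  target_id        = aws_lb.app.arn
  port             = 443
}

resource "aws_lb_listener" "edge_443" {
  load_balancer_arn = aws_lb.edge.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb.arn
  }
}

# Workload target group; instances are attached elsewhere (assumed).
resource "aws_lb_target_group" "workload" {
  name     = "workload"
  protocol = "HTTP"
  port     = 80
  vpc_id   = var.vpc_id
}

# The ALB terminates TLS here, which is what lets WAF inspect HTTP.
resource "aws_lb_listener" "app_443" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.workload.arn
  }
}

# WAF attaches to the ALB, not to the NLB.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = var.web_acl_arn
}
```

Two caveats worth checking before relying on this layering: because the NLB preserves the client IP towards an ALB target, the ALB's security group cannot be narrowed to "traffic from the NLB only"; it filters ports, not sources. And since August 2023 NLBs themselves can carry security groups, so the "Internet > NACL > NLB" hop can also be given a security group if your provider version supports it.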