I want to restrict the number of requests per minute from a single origin. I have researched it and found that AWS WAF can do this, but I don't know how that rule can be created for this particular use case.
AWS Elastic Load Balancer does not support rate-based limiting. You can do this with AWS WAF, but it has some limitations, like a 5-minute time span and a minimum of 100 requests per IP.
See : https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
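As an added example (not code from the question or the answer above), the Python below builds the WAFv2 rate-based rule the answer points to and simulates its trailing window locally, so the "per minute" budget from the question can be mapped onto what WAF actually enforces. The 5-minute window and the 100-request floor are taken from the answer and treated as assumptions (confirm against the current WAF documentation); the function names and client IPs are made up.

```python
"""AWS WAFv2 rate-based rule for the "N requests per minute per IP" use case.

Added example, not code from the thread. The rule JSON follows the WAFv2
RateBasedStatement schema; WINDOW_SECONDS and MIN_LIMIT are the 5-minute span
and 100-request floor quoted in the answer above (assumptions here; check the
current WAF docs). Function names and IP addresses are made up.
"""
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # WAF counts over a trailing 5-minute window (per the answer)
MIN_LIMIT = 100        # smallest Limit WAF accepts (per the answer)


def per_minute_to_waf_limit(requests_per_minute):
    """Map a per-minute budget onto the 5-minute Limit that WAF enforces.

    WAF cannot express "20 per minute"; the nearest setting is 20 * 5 = 100 per
    5 minutes, which still admits a burst of 100 requests inside one minute.
    """
    return max(MIN_LIMIT, requests_per_minute * WINDOW_SECONDS // 60)


def build_rate_rule(name, limit, priority=0, action="Block"):
    """Return the rule dict for the Rules list of `aws wafv2 create-web-acl`.

    Blocks (or, for a dry run, only counts) each source IP whose request count
    over the trailing window exceeds `limit`.
    """
    if limit < MIN_LIMIT:
        raise ValueError(f"Limit must be at least {MIN_LIMIT} per {WINDOW_SECONDS}s")
    if action not in ("Block", "Count"):
        raise ValueError("action must be Block or Count")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                # Count per source IP. Behind another proxy use FORWARDED_IP with
                # ForwardedIPConfig, otherwise every client shares the proxy's IP.
                "AggregateKeyType": "IP",
            }
        },
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


class RateWindow:
    """Local approximation of the rule: the request that pushes an IP past
    `limit` within the last WINDOW_SECONDS is blocked, all others are allowed."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = defaultdict(deque)  # ip -> timestamps (seconds) inside the window

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()               # expire requests that have left the window
        q.append(now)
        return len(q) <= self.limit


if __name__ == "__main__":
    rule = build_rate_rule("LimitPerIP", per_minute_to_waf_limit(20))
    print(json.dumps(rule, indent=2))
    w = RateWindow(rule["Statement"]["RateBasedStatement"]["Limit"])
    verdicts = [w.allow("203.0.113.7", t) for t in range(101)]
    print("first blocked request:", verdicts.index(False) + 1)   # 101
```

Two practical consequences follow from the simulation: a "20 per minute" policy becomes "100 per 5 minutes", so a single-minute burst of 100 is still admitted, and aggregation by IP means all users behind one NAT or corporate proxy share a single bucket. Start the rule with `action="Count"` and watch the CloudWatch metric before switching it to `Block`.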
I am deploying applications in multiple AWS regions. There are a few Lambdas sitting behind API Gateway, and I'd like to use a Route 53 routing policy to route traffic to different regions.
The policy I'd like to use is the latency-based policy, which means Route 53 routes traffic to resources based on their response time. I have read these docs: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html and https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-latency.html.
It works a little differently than I thought. What I am looking for is to use the latency based on the response time of my API Gateway or ALB. But based on the docs, it seems that the latency is based on the resolving DNS name server. Is there a way for me to base the latency on a CloudWatch metric like IntegrationLatency?
I have a web app running on my Amazon EC2 instance. How can I integrate a Web Application Firewall with my EC2?
I have tried setting up the WAF, but it can only be associated with either a CloudFront distribution or an Elastic Load Balancer. Do I need to set up a CloudFront distribution and point it at my EC2 instance?
I ended up setting up an elastic load balancer pointing to my single instance and then adding the web application firewall pointing to the load balancer. It works pretty well and doesn't cost too much more per month from AWS.
There are two approaches through which you can connect AWS WAF to your EC2 instance:
AWS CloudFront
Application Load Balancer (ALB)
Each approach has its own pros and cons. If your application serves mostly content that can be cached, then go with AWS CloudFront along with WAF. If your application cluster needs to scale but most of its content is dynamic, then going for ALB is more reasonable.
Note: There is an added fixed cost for ALB each month (in addition to the variable cost, which is not significant though), while CloudFront cost is variable and consumption driven.
It is also possible to have both CloudFront and ALB together, where you add the WAF to CloudFront only.
This is how you use AWS WAF; it only works in these two scenarios. For an EC2 application it is best to configure an ALB in front of it (even if you have only one instance).
BTW: You might get away with only using the Application Load Balancer (ALB) from AWS; it does more content validity checks than the classic AWS ELB does.
You need to set up at least an Application Layer Load Balancer to use AWS WAF.
Side note: AWS WAF has a lot of restrictions. For request-count-based blocking you will end up having Lambda scripts to count and update the AWS WAF ruleset. Also, they don't provide WAF logs, to my knowledge. Try looking at cloud WAF solutions like Sophos.
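The answers above agree on one point: a web ACL is attached to a CloudFront distribution or an Application Load Balancer, never to the EC2 instance itself. As an added example (not code from any of the answers), the Python below turns that into a check a practitioner can run before calling the API: given a resource ARN it says which WAFv2 scope the web ACL needs, which region's endpoint must own it, and how it is bound, and it rejects EC2 instances and classic/network load balancers. It also handles API Gateway REST stages as a further regional target. All ARNs, names and the helper functions are constructed for this example.

```python
"""Where can an AWS WAFv2 web ACL be attached?

Added example, not code from any answer in the thread. It encodes the rule the
answers state: a web ACL attaches to an Application Load Balancer (REGIONAL
scope, created in the ALB's own region, bound with `aws wafv2 associate-web-acl`)
or to a CloudFront distribution (CLOUDFRONT scope, which WAFv2 manages through
the us-east-1 endpoint, referenced from the distribution config), never to an
EC2 instance. API Gateway REST stages are handled as a further REGIONAL target.
All ARNs used below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    scope: str        # WAFv2 scope the web ACL must have
    api_region: str   # region whose wafv2 endpoint owns the web ACL
    how: str          # how the web ACL is bound to the resource


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource (region/account may be empty)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2], parts[3], parts[5]   # service, region, resource


def plan_attachment(resource_arn):
    """Return how a web ACL can be attached to this resource, or raise ValueError."""
    service, region, resource = parse_arn(resource_arn)
    if service == "elasticloadbalancing":
        if resource.startswith("loadbalancer/app/"):
            return Attachment("REGIONAL", region,
                              "aws wafv2 associate-web-acl --resource-arn <alb-arn>")
        raise ValueError("only Application Load Balancers take a web ACL; classic ELB and NLB do not")
    if service == "apigateway" and resource.startswith("/restapis/") and "/stages/" in resource:
        return Attachment("REGIONAL", region,
                          "aws wafv2 associate-web-acl --resource-arn <stage-arn>")
    if service == "cloudfront" and resource.startswith("distribution/"):
        return Attachment("CLOUDFRONT", "us-east-1", "set WebACLId in the distribution config")
    if service == "ec2" and resource.startswith("instance/"):
        raise ValueError("an EC2 instance cannot carry a web ACL; front it with an ALB or CloudFront")
    raise ValueError(f"target not covered by this example: {service}:{resource}")


def web_acl_scope(web_acl_arn):
    """Scope and region of an existing web ACL from its ARN
    (arn:aws:wafv2:<region>:<account>:regional/webacl/... or global/webacl/...)."""
    service, region, resource = parse_arn(web_acl_arn)
    if service != "wafv2":
        raise ValueError("not a WAFv2 ARN")
    if resource.startswith("regional/webacl/"):
        return "REGIONAL", region
    if resource.startswith("global/webacl/"):
        return "CLOUDFRONT", region
    raise ValueError("not a web ACL ARN")


def compatible(web_acl_arn, resource_arn):
    """True when this web ACL can be associated with this resource: same scope
    and, for REGIONAL targets, the same region as the ALB or API stage."""
    try:
        plan = plan_attachment(resource_arn)
        scope, region = web_acl_scope(web_acl_arn)
    except ValueError:
        return False
    return scope == plan.scope and region == plan.api_region


if __name__ == "__main__":
    alb = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/web/50dc6c495c0c9188"
    acl = "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/web-acl/a1b2c3d4"
    print(plan_attachment(alb))
    print("compatible:", compatible(acl, alb))
```

The region check is the one that trips people up in practice: a regional web ACL created in us-east-1 cannot be associated with an ALB in eu-west-1, and a CloudFront web ACL is a separate, global object rather than a regional one created in us-east-1.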
I have an EC2 instance under the AWS free tier and I am using Route 53 hosting with it. In my bills, I am seeing charges for DNS queries. But I don't get these on other servers I own on other accounts. Is it because I have configured it wrong? Please help.
If you are using an A record, then there is a charge ($0.40 per million queries).
However, as per the Route 53 pricing page:
Queries to Alias records that are mapped to Elastic Load Balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, and Amazon S3 website buckets are free.
To use this, select "Alias = Yes" and point to one of those resources. (But it appears an EC2 instance is not one of them, unless it is fronted by a load balancer.)
Worst case... pay the 40c!
On AWS, you can create an auto scaling policy which scales based on "Application Load Balancer Request Count Per Target".
Like this:
This has a min of 1 instance and a max of 5. It should aim to achieve 10 "Request count per target" for my ElbTargetGroup.
My question is, what is "Application Load Balancer Request Count Per Target"?
Is this:
Number of active connections to targets from the load balancer divided by number of targets?
Number of requests per 5 minutes divided by number of targets?
Number of requests per 1 minute divided by number of targets?
The documentation here just says:
The average number of requests received by each target in a target group. You must specify the target group using the TargetGroup dimension.
Also, how long does it have to be over that target for it to start creating new instances? The main reason I ask is that I have sent many requests to this load balancer, but scaling events aren't being triggered.
The answer is your first choice:
"Number of active connections to targets from the load balancer divided by number of targets"
The ELB metrics are all 1 minute, as quoted by Hagen above.
You can see all the metric definitions for load balancers in the AWS ALB doc.
Note that there is both a RequestCount and a RequestCountPerTarget, where the latter is the former divided by the number of active targets.
You can see both these metrics in the CloudWatch console, but more simply in the EC2 console. Select Target Groups on the left pane and then the Monitoring tab. (Note that there is a lot of overlap between the monitoring tab of Target Groups and Monitoring in the Load Balancer screen)
Although the load balancer metrics are every 1 minute, if you use EC2 metrics (like CPU) they are only every 5 minutes by default unless you change your CloudWatch settings to turn on detailed monitoring, which gives metrics every minute. You pay extra for detailed metrics.
RequestCountPerTarget is a load balancer metric. The ELB metrics are always over 1 minute, as outlined in the documentation:
Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer. If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals. If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.
So if you stick to this metric, there is no need to pay for detailed EC2 instance metrics. This is only relevant if you need to use something like the CPU utilization on the instances.
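As an added example (not code from the question or either answer), the Python below simulates a target-tracking policy on the 1-minute RequestCountPerTarget datapoints described above, including the case the questioner hit: minutes with no requests produce no datapoint, so a bursty test never accumulates enough consecutive breaching minutes to fire the scale-out alarm. The alarm lengths (3 consecutive minutes above target to scale out, 15 below to scale in) are the defaults AWS uses for this predefined metric and are treated as assumptions here; warm-up, cooldown and unhealthy targets are ignored, and the class and function names are made up.

```python
"""Target-tracking simulation for ALBRequestCountPerTarget.

Added example, not code from the thread. ALB metrics are 1-minute datapoints
reported only while requests flow (the documentation quoted above). The alarm
lengths (3 consecutive breaching minutes to scale out, 15 to scale in) are the
defaults AWS applies for this predefined metric and are assumptions here;
instance warm-up and cooldown are ignored and every instance is assumed healthy.
"""
import math

SCALE_OUT_PERIODS = 3    # assumed alarm length: minutes above target
SCALE_IN_PERIODS = 15    # assumed alarm length: minutes below target


def request_count_per_target(request_count, healthy_targets):
    """RequestCountPerTarget = RequestCount / healthy targets, over one minute."""
    if healthy_targets <= 0:
        raise ValueError("no healthy targets")
    return request_count / healthy_targets


def desired_capacity(current, metric, target, min_size, max_size):
    """Target tracking scales capacity in proportion to metric/target, then clamps."""
    wanted = math.ceil(current * metric / target)
    return max(min_size, min(max_size, wanted))


class TargetTracker:
    def __init__(self, target, min_size, max_size, initial):
        self.target, self.min_size, self.max_size = target, min_size, max_size
        self.capacity = initial
        self.high = self.low = 0   # consecutive breaching minutes so far
        self.events = []           # (minute, direction, old_capacity, new_capacity)

    def observe(self, minute, request_count):
        """Feed one minute of RequestCount for the target group.

        None means no requests and therefore no datapoint; this simulation
        resets the breach streak (what a real alarm does with missing data
        depends on its missing-data setting).
        """
        if request_count is None:
            self.high = self.low = 0
            return self.capacity
        metric = request_count_per_target(request_count, self.capacity)
        if metric > self.target:
            self.high, self.low = self.high + 1, 0
        elif metric < self.target:
            self.high, self.low = 0, self.low + 1
        else:
            self.high = self.low = 0
        if self.high >= SCALE_OUT_PERIODS or self.low >= SCALE_IN_PERIODS:
            new = desired_capacity(self.capacity, metric, self.target,
                                   self.min_size, self.max_size)
            if new != self.capacity:
                direction = "scale_out" if new > self.capacity else "scale_in"
                self.events.append((minute, direction, self.capacity, new))
                self.capacity = new
            self.high = self.low = 0
        return self.capacity


if __name__ == "__main__":
    # Constructed traffic: three steady minutes of 50 requests against 1 target,
    # with a target of 10 requests per target (min 1, max 5, as in the question).
    tracker = TargetTracker(target=10, min_size=1, max_size=5, initial=1)
    for minute in (1, 2, 3):
        tracker.observe(minute, 50)
    print(tracker.events)   # [(3, 'scale_out', 1, 5)]
```

Sending "many requests" is not enough on its own: the requests have to arrive in every one of several consecutive minutes, because a quiet minute yields no datapoint rather than a zero, and the alarm then starts counting again.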
I have two custom hardware servers running a service for me and need to set up a load balancer. Until I can get my service provider to provide one for me, can I set up AWS ELB to load balance requests to my servers? Is there some other option? PS: Costs are an issue, so I am looking for cheaper alternatives.