Setup WAF for CloudFront and Load Balancer - amazon-web-services

I'm setting up WAF for my Laravel application. My current flow is: user request goes from CloudFront → Load Balancer → Laravel servers. I already set up WAF for CloudFront. Do I need to set up WAF for the Load Balancer?

Setting up a WAF on the Load Balancer is your decision; however, from a security point of view it would be advised to have some sort of protection on the ALB.
From experience I see that CloudFront Distributions normally would have an additional header with a secret value attached. Then a WAF attached to the ALB would deny any traffic that didn't have the header with the value of the secret.

Related

Maintenance page rules to be added at AWS load balancer

I would like to redirect users to a custom maintenance page at a different domain. My setup includes an AWS load balancer and EC2s. If the EC2 behind the LB is not reachable, what rule do I need to add at the LB to check the status code and redirect to a maintenance page at a different domain?
Route53 Failover with S3 is an option
I suggest that you use Route53 to achieve this with a failover approach, maybe using a static website hosted on Amazon S3 for cost optimization.
Here are the main ideas:
Create the Route 53 health check which is your main site health check. If the status is failed, it redirects your traffic to the failed-over endpoint.
Create a record set for your primary endpoint which points to your main site endpoint and (Your ALB DNS) with Failover routing policy.
Create the failover endpoint which can be a static site (S3) or your maintenance page domain.
References:
https://aws.amazon.com/premiumsupport/knowledge-center/fail-over-s3-r53/
Route53 Health-check with SNS & Lambda
You can use this feature as a standalone health check without affecting your domain setup as above. It will notify any status changes to an SNS topic, and you can subscribe a Lambda function to help you update your Load Balancer listener to redirect your traffic to another site.
Once setup properly, it creates an alarm for you to monitor your main site.
With the Lambda function, you can use Boto3 (Python3) to update your Load Balancer based on two kinds of events:
Unhealthy: route traffic to another domain
Healthy: route traffic to your target group
References:
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-subscribe-sns-topic-same-account/
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2.html#ElasticLoadBalancingv2.Client.modify_listener
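The Lambda half of the second approach, as an added example that is not part of the original answer: a handler that reacts to the CloudWatch alarm state carried in the SNS message and calls `elbv2.modify_listener` to swap the HTTPS listener's default action between forwarding to the target group and redirecting to a maintenance host. The listener ARN, target group ARN and maintenance host are placeholders taken from environment variables; the SNS event and the recording client are constructed here for offline use.

```python
"""Flip an ALB listener between 'forward' and 'redirect to maintenance'
from a CloudWatch alarm delivered through SNS (illustrative, not the
original answer's code)."""
import json
import os

# Hypothetical resource identifiers; supply the real ones via the Lambda environment.
LISTENER_ARN = os.environ.get(
    "LISTENER_ARN", "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER")
TARGET_GROUP_ARN = os.environ.get(
    "TARGET_GROUP_ARN", "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER")
MAINTENANCE_HOST = os.environ.get("MAINTENANCE_HOST", "maintenance.example.com")


def maintenance_action():
    """Listener default action sending every request to the maintenance domain.
    HTTP_302 is deliberate: a 301 would be cached by clients after recovery."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Host": MAINTENANCE_HOST,
            "Port": "443",
            "Path": "/#{path}",   # keep the original path and query string
            "Query": "#{query}",
            "StatusCode": "HTTP_302",
        },
    }


def forward_action():
    """Listener default action sending requests back to the healthy target group."""
    return {"Type": "forward", "TargetGroupArn": TARGET_GROUP_ARN}


def action_for_state(state):
    """Map the alarm state to a listener action; None means 'leave the listener alone'
    (e.g. INSUFFICIENT_DATA must not take the site down)."""
    if state == "ALARM":
        return maintenance_action()
    if state == "OK":
        return forward_action()
    return None


def parse_alarm_state(event):
    """CloudWatch alarms publish a JSON document as the SNS message body."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    return message["NewStateValue"]


def build_alarm_event(state, alarm_name="main-site-healthcheck"):
    """Constructed sample of the SNS event shape Lambda receives; used for offline runs."""
    body = {"AlarmName": alarm_name, "NewStateValue": state, "OldStateValue": "OK"}
    return {"Records": [{"Sns": {"Message": json.dumps(body)}}]}


class RecordingElbClient:
    """Stand-in for boto3's elbv2 client that only records modify_listener calls."""
    def __init__(self):
        self.calls = []

    def modify_listener(self, **kwargs):
        self.calls.append(kwargs)
        return {"Listeners": [{"ListenerArn": kwargs["ListenerArn"]}]}


def handler(event, context=None, elbv2=None):
    """Lambda entry point. `elbv2` is injectable for tests; in Lambda boto3 is used."""
    state = parse_alarm_state(event)
    action = action_for_state(state)
    if action is None:
        return {"state": state, "changed": False}
    if elbv2 is None:
        import boto3  # imported lazily so the logic above runs without AWS credentials
        elbv2 = boto3.client("elbv2")
    elbv2.modify_listener(ListenerArn=LISTENER_ARN, DefaultActions=[action])
    return {"state": state, "changed": True, "action": action["Type"]}


if __name__ == "__main__":
    client = RecordingElbClient()
    print(handler(build_alarm_event("ALARM"), elbv2=client))
    print(handler(build_alarm_event("OK"), elbv2=client))
    print(handler(build_alarm_event("INSUFFICIENT_DATA"), elbv2=client))
```

The Lambda's execution role needs only `elasticloadbalancing:ModifyListener` on that one listener ARN; keeping the permission that narrow limits what a compromised function could change.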

Why the AWS load balancer not able to make my website secure?

I have configured the AWS load balancer to secure my website, i.e. to resolve through "https". But when I use https://www.schoolnskill.com, it gives
503 Service Temporarily Unavailable.
So I have followed the below steps to configure my environment.
I created a domain name in Route53 and have been issued an SSL/TLS certificate through AWS Certificate Manager.
For my load balancer I set up a listener for https:443 and attached the above certificate to it.
The security group for my ec2 instances allow http and https requests (although I believe the load balancer ec2 target will communicate using http).
I have attached a screenshot with the summary of the configuration.
Then in the ROUTE 53, I edited the 'A' record of 'www.schoolnskill.com'. Below are the changes I made.
Alias:- yes
Alias target:- chosen the application LB
Routing policy:- simple
Then save the settings.
I can see that whenever I type 'http://www.schoolnskill.com', it is redirected as 'https://www.schoolnskill.com'
[Screenshot: Health_CHK]
Thank you,
The problem was the availability zones. The AZ of my load balancer was different from that of EC2 instance. I matched the AZ of ALB to my EC2, and it worked.
Thank you,

AWS - Hosting Elastic Beanstalk + S3 behind ELB

I have an Elastic Beanstalk instance serving a backend app running natively over HTTP, and an Angular app hosted on an S3 instance.
Now, I would like to put these on a single domain www.example.com, behind an SSL-protected Load Balancer which will route the request internally by the URI, either to the backend (/api/) or the Angular app (/). For this I set up a Route53 DNS record which I wired to the LB.
I don't see an option to route directly from the LB to the S3 instance though. I've read that I should create a CloudFront distribution for the Angular app and specify the LB as the origin, but after configuring the CF distro, I don't see any option inside the LB to connect it to the Angular app. How should I approach it?
Routing should be handled on CloudFront, not on the load balancer, in this case. You can create multiple behaviors in CloudFront, each pointing to a different origin. So you can set the default CloudFront behavior (*) to point to your S3 bucket and create a second behavior, used whenever the URL contains /api, that points to your load balancer origin.

Does AWS WAF support classic ELB

If we try to enable WAF on a Classic ELB, I am unable to create it. May I know a way to implement it? It will be helpful for us to set a layer of security in the infra.
To use WAF, there are two options:
Test your application with an ALB. If successfully tested, migrate your application from the current Classic ELB to the ALB and deploy WAF.
If you do not want to do option 1, you can look at deploying a CloudFront distribution, set your ELB as the origin of the distribution, and deploy WAF in front of the CloudFront distribution.

How to stop AWS WAF being bypassed by accessing Elastic Beanstalk instance directly

I have currently got an Elastic Beanstalk web app within a VPC which I'd like to put behind a WAF. In order to do this I've added CloudFront with the WAF looking at that. For security I've enabled access to the Elastic Beanstalk app only from the AWS CloudFront IP addresses, which I have done using security groups (auto updating when these IP addresses change).
However, what is to stop someone else adding my EB app web address to their own CloudFront distribution? Would this bypass my IP address limitations on the VPC security group and give them access without going through my WAF?
I think what might help here is to add some secret custom header in your CloudFront distribution (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html), and make your origin check for the presence of the header. This will ensure that only your distribution can get data from your origin server.
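The secret-header pattern appears twice on this page: the first answer enforces it with a WAF attached to the ALB, and this answer has the origin application check the header itself. The block below is an added example, not code from either answer, covering both variants: it builds the WAFv2 web ACL definition (default action Block, one Allow rule that byte-matches the header exactly, in the shape boto3's `wafv2.create_web_acl` takes), applies that rule to constructed sample requests so the effect can be seen offline, and shows the equivalent constant-time check an origin can run. The header name `X-Origin-Verify`, the secret, and the metric names are assumptions; the real secret would be stored in Secrets Manager, set as a CloudFront origin custom header, and rotated.

```python
"""Secret-header origin verification, two ways: a WAFv2 rule for the ALB and
an application-side check (added example, not the answers' own code)."""
import hmac
import secrets

HEADER_NAME = "x-origin-verify"            # hypothetical name; HTTP header names are case-insensitive
SHARED_SECRET = secrets.token_urlsafe(32)  # generated here only so the demo is self-contained


def build_web_acl(secret, header_name=HEADER_NAME, acl_name="AllowOnlyCloudFront"):
    """WAFv2 web ACL for a REGIONAL resource (an ALB): block everything unless the
    request carries the secret in the given header. Matches boto3's create_web_acl kwargs."""
    metrics = lambda name: {"SampledRequestsEnabled": True,
                            "CloudWatchMetricsEnabled": True, "MetricName": name}
    return {
        "Name": acl_name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Block": {}},
        "Rules": [{
            "Name": "AllowRequestsWithOriginSecret",
            "Priority": 0,
            "Action": {"Allow": {}},
            "Statement": {
                "ByteMatchStatement": {
                    "SearchString": secret.encode(),      # boto3 expects bytes here
                    "FieldToMatch": {"SingleHeader": {"Name": header_name}},
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    "PositionalConstraint": "EXACTLY",  # not CONTAINS: prefixes/suffixes must fail
                }
            },
            "VisibilityConfig": metrics("OriginSecretAllowed"),
        }],
        "VisibilityConfig": metrics(acl_name),
    }


def _normalize(headers):
    """Case-insensitive header lookup, as the request would be seen at the ALB."""
    return {k.lower(): v for k, v in headers.items()}


def evaluate(web_acl, headers):
    """Minimal evaluator for the ACL above: returns 'ALLOW' or 'BLOCK'. Only the
    SingleHeader/EXACTLY form of ByteMatchStatement is implemented."""
    hdrs = _normalize(headers)
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        stmt = rule["Statement"]["ByteMatchStatement"]
        name = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
        value = hdrs.get(name)
        if value is None:
            continue
        if hmac.compare_digest(value.encode(), stmt["SearchString"]):
            return "ALLOW" if "Allow" in rule["Action"] else "BLOCK"
    return "ALLOW" if "Allow" in web_acl["DefaultAction"] else "BLOCK"


def origin_allows(headers, secret, header_name=HEADER_NAME):
    """Application-side equivalent: reject unless the header matches the secret.
    compare_digest avoids leaking the secret through timing differences."""
    value = _normalize(headers).get(header_name)
    if value is None:
        return False
    return hmac.compare_digest(value.encode(), secret.encode())


if __name__ == "__main__":
    acl = build_web_acl(SHARED_SECRET)
    # Constructed sample requests: from our CloudFront, direct, and a wrong secret.
    for h in ({"X-Origin-Verify": SHARED_SECRET}, {}, {"X-Origin-Verify": "guess"}):
        print(evaluate(acl, h), origin_allows(h, SHARED_SECRET))
```

Running both checks is not redundant: the WAF rule keeps junk off the instances entirely, while the application check still holds if the ALB's WAF association is ever removed. Whichever layer enforces it, the secret must also be removed from the request before it is logged or forwarded further.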