If we try to enable WAF on a Classic ELB, I am unable to create it. May I know a way to implement it? It would be helpful for us to set up a layer of security in the infra.
To use WAF, there are two options:
1. Test your application with ALB. If successfully tested, migrate your application from the current Classic ELB to ALB and deploy WAF.
2. If you do not want to do option 1, you can look at deploying a CloudFront distribution, set your ELB as the origin of the distribution and deploy WAF in front of the CloudFront distribution.
Is it possible to link more than 1 SSL certificate to an Elastic Beanstalk ALB?
I understand that one can create a bundle domain certificate in Certificate Manager, but I would ultimately want to give my clients the ability to add their own domain pointers pointing to the EB environment.
Yes, you can do this. Probably not from the EB console, but you can deploy multiple SSL certs on an ALB as explained in:
Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI
You would have to go to EC2 console -> Load balancers, and work with the ALB there. Obviously you could do the same things using AWS CLI or SDK if you want to automate things.
I'm setting up WAF for my Laravel application. My current flow is user request will go from CloudFront → LoadBalancer → Laravel Servers. I already set up WAF for cloudfront. Do I need to setup WAF for LoadBalancer?
Setting up a WAF on the Load Balancer is your decision; however, from a security point of view it would be advisable to have some sort of protection on the ALB.
From experience I see that CloudFront Distributions normally would have an additional header with a secret value attached. Then a WAF attached to the ALB would deny any traffic that didn't have the header with the value of the secret.
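The "secret origin header" pattern described in that answer (CloudFront adds a custom header on every origin request, and a WAF web ACL on the ALB blocks anything that lacks it, so nobody can bypass CloudFront and its WAF by calling the ALB's DNS name directly), as an added example that is not part of the original thread. The two builder functions return data in the shape of the WAFv2 and CloudFront API payloads that boto3 accepts; `evaluate_web_acl` is a small local simulation of the ACL logic, written only so the rule can be exercised offline and not AWS's own evaluator. The header name, secret and ACL name are constructed.

```python
"""Origin-verify header: CloudFront custom origin header + WAFv2 rule on the ALB.

Added example, not code from the thread. Payload shapes follow the WAFv2
(create_web_acl) and CloudFront (DistributionConfig Origin.CustomHeaders)
APIs; the evaluator at the bottom is a local approximation for testing.
"""
import hmac
import secrets

VERIFY_HEADER = "x-origin-verify"   # constructed header name (assumption)


def new_origin_secret() -> str:
    """Generate a fresh, high-entropy value for the shared origin secret."""
    return secrets.token_urlsafe(32)


def cloudfront_origin_custom_headers(secret: str) -> dict:
    """CustomHeaders block for one Origin item of a CloudFront DistributionConfig.

    CloudFront adds this header to every request it forwards to the ALB origin;
    viewers cannot set it because CloudFront overwrites custom origin headers.
    """
    return {
        "Quantity": 1,
        "Items": [{"HeaderName": VERIFY_HEADER, "HeaderValue": secret}],
    }


def origin_verify_web_acl(secret: str) -> dict:
    """REGIONAL WAFv2 web ACL for the ALB: allow by default, block any request
    whose verify header is missing or not exactly equal to the secret."""
    return {
        "Name": "alb-origin-verify",          # constructed ACL name
        "Scope": "REGIONAL",                   # REGIONAL = ALB/API GW; CLOUDFRONT for distributions
        "DefaultAction": {"Allow": {}},
        "Rules": [{
            "Name": "block-without-origin-verify",
            "Priority": 0,
            "Action": {"Block": {}},
            # NOT(header == secret): a missing header also fails the ByteMatch,
            # so it is blocked as well.
            "Statement": {"NotStatement": {"Statement": {
                "ByteMatchStatement": {
                    "FieldToMatch": {"SingleHeader": {"Name": VERIFY_HEADER}},
                    "PositionalConstraint": "EXACTLY",
                    "SearchString": secret.encode(),   # WAFv2 takes bytes here
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                }}}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "BlockWithoutOriginVerify"},
        }],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "AlbOriginVerify"},
    }


def _matches(statement: dict, headers: dict) -> bool:
    """Local approximation of WAF matching for the two statement types used above.
    Header names are compared case-insensitively, as HTTP requires."""
    if "NotStatement" in statement:
        return not _matches(statement["NotStatement"]["Statement"], headers)
    bm = statement["ByteMatchStatement"]
    name = bm["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == name), None)
    if value is None:
        return False                    # absent header never matches EXACTLY
    return hmac.compare_digest(value.encode(), bm["SearchString"])


def evaluate_web_acl(acl: dict, headers: dict) -> str:
    """Return 'BLOCK' or 'ALLOW' for a request carrying the given headers."""
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], headers):
            return "BLOCK" if "Block" in rule["Action"] else "ALLOW"
    return "BLOCK" if "Block" in acl["DefaultAction"] else "ALLOW"


if __name__ == "__main__":
    secret = new_origin_secret()
    acl = origin_verify_web_acl(secret)
    # Constructed sample requests: direct-to-ALB, via CloudFront, forged header.
    print(evaluate_web_acl(acl, {"Host": "alb.internal.example"}))      # BLOCK
    print(evaluate_web_acl(acl, {"X-Origin-Verify": secret}))             # ALLOW
    print(evaluate_web_acl(acl, {"x-origin-verify": "guess"}))            # BLOCK
```

The ACL's own default action stays Allow so that the ALB's other rules (or a managed rule group) can still be added above this one. Rotating the secret without an outage means temporarily accepting both values (an `OrStatement` of two `ByteMatchStatement`s), updating the CloudFront origin header, then dropping the old value.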
I'm setting up two new servers on different EC2 instances, and want to run two different applications, one on each EC2 instance:
3.14.23.108:8080/clients
18.23.34.23:8080/products
I need those endpoints to run under the same Route53 domain:
www.mydomain.com
And I expect something like this:
www.mydomain.com/clients
www.mydomain.com/products
I know some AWS services like ELB, API Gateway, and CloudFront, but I don't find a good example or tutorial for that.
You can use API Gateway with proxies to specific EC2 instances. See https://aws.amazon.com/blogs/aws/api-gateway-update-new-features-simplify-api-development/; near the bottom, search for "Use HTTP Proxy integration" and specify HTTP. Then set a Route53 alias to the API Gateway.
You can set up an AWS Application Load Balancer with path-based routing.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/tutorial-load-balancer-routing.html
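The path-based routing that answer points at, as an added example that is not code from the thread or from AWS: listener rules in the shape of the ELBv2 `create_rule` payload (what boto3 sends), one per path prefix, forwarding to a target group that holds the matching EC2 instance on port 8080, plus a small local matcher so the routing can be checked offline. The target group ARNs are placeholders, the sample paths are constructed, and the matcher is an approximation of ALB behaviour: it implements the two documented wildcards of a path pattern ('*' matches zero or more characters, '?' exactly one), matches the path only (not the query string), and is case-sensitive.

```python
"""ALB path-based routing: listener rule payloads plus an offline matcher.

Added example, not from the thread. ARNs are placeholders; replace REGION,
ACCOUNT and the target group ids with your own.
"""
import re

# path pattern -> target group (each target group contains one of the question's
# EC2 instances registered on port 8080).  Placeholders, not real ARNs.
ROUTES = {
    "/clients*":  "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/clients/PLACEHOLDER",
    "/products*": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/products/PLACEHOLDER",
}

# Listener default action when no rule matches: a fixed 404 instead of silently
# sending unknown paths to one of the applications.
DEFAULT_ACTION = [{
    "Type": "fixed-response",
    "FixedResponseConfig": {"StatusCode": "404", "ContentType": "text/plain",
                            "MessageBody": "not found"},
}]


def listener_rules(routes: dict, start_priority: int = 10) -> list:
    """Build one ELBv2 listener rule per route, in the create_rule payload shape.
    Lower priority number is evaluated first; gaps leave room for later rules."""
    rules = []
    for offset, (pattern, tg_arn) in enumerate(routes.items()):
        rules.append({
            "Priority": start_priority + offset,
            "Conditions": [{"Field": "path-pattern",
                            "PathPatternConfig": {"Values": [pattern]}}],
            "Actions": [{"Type": "forward", "TargetGroupArn": tg_arn}],
        })
    return rules


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an ALB path pattern ('*' and '?' wildcards) to an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def route(rules: list, path: str):
    """Return the target group ARN the first matching rule forwards to, or None
    when the listener's default action applies.  Local approximation of ALB."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        for cond in rule["Conditions"]:
            if cond["Field"] != "path-pattern":
                continue
            values = cond["PathPatternConfig"]["Values"]
            if any(_pattern_to_regex(v).match(path) for v in values):
                return rule["Actions"][0]["TargetGroupArn"]
    return None


if __name__ == "__main__":
    rules = listener_rules(ROUTES)
    for p in ["/clients", "/clients/42", "/products?id=1".split("?")[0], "/", "/Clients"]:
        print(p, "->", route(rules, p) or "default action (404)")
```

With this in place, a Route53 alias record for www.mydomain.com pointing at the ALB completes the picture from the question. The instances' security groups should accept port 8080 only from the ALB's security group, so the applications are reachable through the listener rules and not directly by IP.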
I have a web app running on my Amazon EC2 instance. How can I integrate a Web Application Firewall with my EC2?
I have tried setting up the WAF, but it can only be associated with either a CloudFront distribution or an Elastic Load Balancer. Do I need to set up a CloudFront distribution and point it at my EC2 instance?
I ended up setting up an elastic load balancer pointing to my single instance and then adding the web application firewall pointing to the load balancer. It works pretty well and doesn't cost too much more per month from AWS.
There are two approaches through which you can connect AWS WAF to your EC2 instance:
AWS CloudFront
Application Load Balancer (ALB)
Each approach has its own pros and cons. If your application serves mostly content that can be cached, then go with AWS CloudFront along with WAF. If your application cluster needs to scale but most of its content is dynamic, then going for ALB is more reasonable.
Note: There is an added fixed cost for ALB (In addition to the variable cost which is not significant though) for each month while CloudFront cost is variable and consumption driven.
It is also possible to have both CloudFront and ALB together where you can add the WAF to CloudFront only.
This is how you use AWS WAF, it only works in these two scenarios. For an EC2 application it is best to configure an ALB in front of it (even if you have only one instance).
BTW: You might get away with only using the Application Load Balancer (ALB) from AWS; it does more content validity checks than the classic AWS ELB does.
You need to set up at least an Application Load Balancer to use AWS WAF.
Side note: AWS WAF has a lot of restrictions. For request-count-based blocking you will end up having Lambda scripts to count and update the AWS WAF ruleset. Also, they don't provide WAF logs, to my knowledge. Try looking at cloud WAF solutions like Sophos.
Our app has independent clusters of boxes running on Amazon Web Services. I need to send http requests to different clusters based on the URL. For example, http://api.mydomain.com/foo should go to the "foo" cluster, and http://api.mydomain.com/bar should go to the "bar" cluster.
I don't see anything in the elastic load balancer or Route 53 that will do it.
(The obvious thing is to have separate subdomains, but that's difficult for this app. We want to stick with just the "api" subdomain because the cluster configuration may change in the future.)
What's the best approach?
That is not supported by the load balancer. Using subdomains does work if you want to use the existing load balancer.
If you need more features, you could configure your own using a software load balancer running on top of an EC2 instance. Not likely to be as cost effective, however.
It is not possible using ELB. Use Netscaler EC2 or HAProxy EC2 in your AWS environment to achieve this. NetScaler is available in AWS marketplace.