Integrating AWS WAF with AWS Application Load Balancer
What is AWS WAF, and why should it be used with an Application Load Balancer?
WAF stands for Web Application Firewall. It is an AWS service that monitors web requests (API requests, for example) sent to an AWS resource such as an Application Load Balancer, an API Gateway or a CloudFront distribution, and blocks or allows those requests, or the IPs they come from, according to rules you define.
Here are the steps to integrate WAF with an Application Load Balancer, which can be the entry point for a cluster of EC2 virtual machines or an ECS cluster of containers where the API service is hosted.
First we need to create a Web ACL (Access Control List) from the WAF dashboard. A Web ACL consists of rules, which define the conditions against which incoming requests are checked.
Then create a new web ACL and fill out the mentioned fields such as
Next we need to select the AWS resource this WAF will protect. To do that, click Add AWS resources and select a resource from the list, in this case the Application Load Balancer.
Next, we need to add rules to our Web ACL.
We can use Managed Rule Groups, which are created and maintained by AWS or by other sellers on the AWS Marketplace; managed rule groups can be paid or free. One such paid rule group created by AWS is “Bot Control”.
Here we will not use any managed rules or rule groups; instead we create a custom rule for our Web ACL.
Click on “Add my own rules and rule groups”.
AWS offers two types of custom rules.
- Rate based rule — used to count or block IPs that exceed the request threshold defined in the rule, with or without extra conditions such as watching only a specific API path or all API routes.
- Regular rule — used to block, allow or count a specific request that matches the rule's condition, for example blocking requests coming from the Postman client. To do this you can add a condition that blocks the request when its User-Agent header contains “postman”.
Here are the steps to create a simple rate based rule.
We will use the “Rule Builder”, a visual editor that is easier to understand than the JSON editor.
Give the rule any name and select “Rate based rule”.
Then specify the rate limit for the rule, which can be between 100 and 20,000,000.
If the limit is 100, for example, it means that only 100 requests are allowed within a five-minute window from a single API client's IP.
Then we specify the action to take on requests that exceed the limit. We can also give a specific response code and error message to the requests that get blocked.
Then click “Add rule” and go next. Select the sampled requests option, which shows the list of requests that were blocked, allowed or counted, and click “Create Web ACL”.
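The same Web ACL can be created with the AWS WAFv2 API instead of the console. The following is an added example, not code from the original post: it builds the parameters for boto3's wafv2.create_web_acl() with both custom rule types described above (a rate based rule limited to a path prefix, and a regular rule that blocks a User-Agent), sets the 429 custom response, and associates the ACL with the load balancer. The ACL name, the /api/ prefix, the Retry-After header, the JSON body and the load balancer ARN are assumed placeholders; only main() talks to AWS, so the builder can be inspected and tested offline.

```python
"""Build (and optionally create) a REGIONAL Web ACL for an Application Load Balancer.

build_web_acl_params() returns the exact dict that wafv2.create_web_acl() accepts,
so the rule structure can be checked without touching AWS. Only main() calls AWS.
"""
from typing import Any, Dict, Optional

# Assumed names and values for illustration (not taken from the original post).
WEB_ACL_NAME = "api-rate-limit-acl"
ALB_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/app/PLACEHOLDER/0123456789abcdef"
RATE_LIMIT = 100            # requests per trailing five-minute window, per client IP
BLOCKED_BODY_KEY = "rate_limited"


def visibility(metric_name: str) -> Dict[str, Any]:
    """Enable sampled requests (to see blocked requests in the dashboard) and a CloudWatch metric."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def rate_based_rule(limit: int, path_prefix: Optional[str] = None) -> Dict[str, Any]:
    """Rate based rule: block a client IP while it exceeds `limit` requests in five minutes.

    If path_prefix is given, only requests whose URI path starts with it are counted
    (a scope-down statement); otherwise every request to the resource counts.
    """
    statement: Dict[str, Any] = {"Limit": limit, "AggregateKeyType": "IP"}
    if path_prefix:
        statement["ScopeDownStatement"] = {
            "ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": path_prefix.encode(),   # boto3 expects bytes here
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        }
    return {
        "Name": "rate-limit-per-ip",
        "Priority": 0,
        "Statement": {"RateBasedStatement": statement},
        "Action": {
            "Block": {
                "CustomResponse": {
                    "ResponseCode": 429,                      # the custom code used in the post
                    "CustomResponseBodyKey": BLOCKED_BODY_KEY,
                    "ResponseHeaders": [{"Name": "Retry-After", "Value": "300"}],
                }
            }
        },
        "VisibilityConfig": visibility("RateLimitPerIp"),
    }


def user_agent_block_rule(needle: str) -> Dict[str, Any]:
    """Regular rule: block requests whose User-Agent header contains `needle`, case-insensitively."""
    return {
        "Name": f"block-ua-{needle}",
        "Priority": 1,
        "Statement": {
            "ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
                "PositionalConstraint": "CONTAINS",
                "SearchString": needle.lower().encode(),
                # lower-case the header before matching so "Postman" and "POSTMAN" also match
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": visibility(f"BlockUa{needle.capitalize()}"),
    }


def build_web_acl_params(limit: int = RATE_LIMIT) -> Dict[str, Any]:
    """Parameters for wafv2.create_web_acl(): REGIONAL scope (ALB), default Allow, both rules,
    and the JSON body returned with the 429."""
    return {
        "Name": WEB_ACL_NAME,
        "Scope": "REGIONAL",   # ALB and API Gateway are REGIONAL; CloudFront uses CLOUDFRONT
        "DefaultAction": {"Allow": {}},
        "Rules": [rate_based_rule(limit, "/api/"), user_agent_block_rule("postman")],
        "VisibilityConfig": visibility(WEB_ACL_NAME),
        "CustomResponseBodies": {
            BLOCKED_BODY_KEY: {
                "ContentType": "APPLICATION_JSON",
                "Content": '{"message": "Too many requests, slow down."}',
            }
        },
    }


def main() -> None:
    import boto3  # imported here so the builder above works without boto3 installed

    wafv2 = boto3.client("wafv2")
    acl = wafv2.create_web_acl(**build_web_acl_params())["Summary"]
    # Equivalent of "Add AWS resources" in the console: attach the ACL to the load balancer.
    wafv2.associate_web_acl(WebACLArn=acl["ARN"], ResourceArn=ALB_ARN)
    print("Created and associated", acl["ARN"])


if __name__ == "__main__":
    main()
```

Run it with credentials that can call wafv2:CreateWebACL and wafv2:AssociateWebACL in the load balancer's region; the ACL will appear in the Web ACL dashboard and in the load balancer's Integrated services tab just like one created in the console.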
This Web ACL will then be listed in the Web ACL dashboard.
You can also see this WAF integration in your load balancer's Integrated services tab.
Now we test this WAF rate limiter rule for our load balancer.
Our objective for this rate limiter is shown here.
I have used Artillery to send 3000 requests in one minute from a single IP to the application API.
The above results are for the Application Load Balancer without WAF integration: all 3000 requests got a 200 response code and none was blocked.
The above results are for the load balancer with WAF integration.
We have set a custom response code of 429 for blocked requests in our Web ACL rule.
Points to note: WAF takes a little time to start blocking requests when a large number of requests arrive in a short amount of time.
As you can see in the first test log, “arti.logs”, 240 requests got blocked; ignore the ETIMEDOUT errors there, which are caused by load on the test client's local machine.
When tested again, the “arti.logs” results show that 2207 requests got a 429 response code and not a single request got 200. This is because WAF has blocked the IP, and all further requests receive 429.
WAF unblocks the IP again once the request rate falls below the limit.
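To see why the two test runs look so different (a late start to blocking in the first run, then nothing but 429s in the second, then recovery once the IP goes quiet), here is an added, idealized model of a rate based rule; it is not AWS code and not from the original post. It counts requests per IP over a trailing five-minute window, as the rule does, and blocks the IP while that count exceeds the limit. The 30-second evaluation interval is an assumption used to reproduce the lag noted above: the real service re-evaluates on its own schedule, so exact boundaries differ, but the shape of the result is the same. Blocked requests still count toward the window, so a client that keeps hammering stays blocked.

```python
"""Idealized model of a WAF rate based rule (added example, not AWS code).

Per client IP: count requests in a trailing WINDOW_SECONDS window; re-evaluate the
block decision every eval_interval seconds; return 200 if allowed, 429 if blocked.
"""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict

WINDOW_SECONDS = 300  # rate based rules count over a trailing five-minute window


class RateBasedRule:
    def __init__(self, limit: int, window: int = WINDOW_SECONDS, eval_interval: float = 30.0) -> None:
        self.limit = limit
        self.window = window
        self.eval_interval = eval_interval      # assumed re-evaluation period (see lead-in)
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)   # request timestamps per IP
        self._blocked: Dict[str, bool] = defaultdict(bool)
        self._last_eval: Dict[str, float] = {}

    def evaluate(self, ip: str, now: float) -> int:
        """Record one request from `ip` at time `now` and return the status it receives."""
        q = self._hits[ip]
        q.append(now)                              # blocked requests still count
        while q and now - q[0] > self.window:      # forget requests outside the window
            q.popleft()
        last = self._last_eval.get(ip)
        if last is None or now - last >= self.eval_interval:
            # The block flag is only refreshed periodically, which is why a sudden burst
            # gets a run of 200s before the 429s start, and why the IP is only released
            # once a later evaluation sees the windowed count back under the limit.
            self._blocked[ip] = len(q) > self.limit
            self._last_eval[ip] = now
        return 429 if self._blocked[ip] else 200


def simulate_burst(rule: RateBasedRule, ip: str, n: int, duration: float, start: float) -> Dict[int, int]:
    """Send n evenly spaced requests from `ip` over `duration` seconds; return a status-code tally."""
    codes: Counter = Counter()
    for i in range(n):
        codes[rule.evaluate(ip, start + i * duration / n)] += 1
    return dict(codes)


if __name__ == "__main__":
    rule = RateBasedRule(limit=100)
    attacker, bystander = "203.0.113.10", "198.51.100.7"   # constructed sample addresses
    print("run 1 (3000 req / 60 s):", simulate_burst(rule, attacker, 3000, 60.0, start=0.0))
    print("run 2 right after:      ", simulate_burst(rule, attacker, 500, 10.0, start=60.0))
    print("bystander meanwhile:    ", rule.evaluate(bystander, 45.0))
    print("attacker after 5 min:   ", rule.evaluate(attacker, 371.0))
```

With a limit of 100, the first burst gets 200s until the next evaluation fires and the windowed count is already far over the limit, after which every request is a 429; a second burst started while the IP is blocked gets nothing but 429s, matching the two runs above; and the low-rate bystander is never affected. After five quiet minutes the attacker's window is empty and the next evaluation releases the IP.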
We can see the list of blocked requests and their details on the Web ACL dashboard, in the sampled requests section, as follows.
Final Thoughts-
- WAF is an easy-to-implement and powerful service provided by AWS.
- You can create different types of custom rules, as your use case requires, to block or allow requests or IPs.
- We can also create regular rules with many kinds of conditions, such as checking whether a request header contains a value matching a specific regular expression. It is just a matter of exploring the available condition combinations.
- Please consider WAF pricing before making any implementation decisions.