
I have a web app running on my Amazon EC2 instance. How can I integrate a Web Application Firewall with my EC2?

I have tried setting up the WAF, but it can only be associated with either a CloudFront distribution or an Elastic Load Balancer. Do I need to setup a CloudFront distribution and point it at my EC2 instance?

qwerty

4 Answers


I ended up setting up an elastic load balancer pointing to my single instance and then adding the web application firewall pointing to the load balancer. It works pretty well and doesn't cost too much more per month from AWS.

qwerty

There are two approaches through which you can connect AWS WAF to your EC2 instance:

  • AWS CloudFront
  • Application Load Balancer (ALB)

Each approach has its own pros and cons. If your application serves mostly content that can be cached, then use AWS CloudFront along with WAF. If your application cluster needs to scale but most of its content is dynamic, then going for an ALB is more reasonable.

Note: There is an added fixed cost for ALB each month (in addition to the variable cost, which is not significant though), while CloudFront cost is variable and consumption driven.

It is also possible to have both CloudFront and ALB together where you can add the WAF to CloudFront only.

Ashan
    Note that ALB cost is fixed *Balancer-hours* plus variable *Load Balancer Capacity Unit (LCU)-hours*. LCUs are related to request rate and bandwidth. – Michael - sqlbot Feb 27 '18 at 00:37
  • I found [this question](https://stackoverflow.com/questions/33137792/cloudfront-and-ec2) about setting up CloudFront with EC2. I think that might be a better option considering my application doesn't need to scale. We cache pages on our end though (not images, but javascript charts that take a long time to load the data). How might CloudFront help caching that? Does it cache the whole page and serve it up? – qwerty Feb 27 '18 at 01:16
  • CloudFront caches the content at an edge location that is closer to the consumer, which reduces the latency of retrieval compared to caching at the regional level. You have some control over the files/paths that need to be cached, TTLs, etc. – Ashan Feb 27 '18 at 01:33
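The ALB-plus-WAF setup described in the two answers above, as an added Terraform example that is not code from either answer: a regional AWS WAFv2 Web ACL with a rate-based rule and the AWS-managed common rule set, associated with the ALB that sits in front of the instance. Assumed: the ALB already exists and its ARN is supplied as `var.alb_arn`; the rule names and the 2000-request limit are illustrative values.

```hcl
# Added example, not the answers' code; var.alb_arn (the ALB in front of the instance) is assumed.
resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl"
  scope = "REGIONAL" # use "CLOUDFRONT" (created in us-east-1) when protecting a distribution instead
  default_action { allow {} }
  # Block any client IP that sends more than 2000 requests within a 5-minute window.
  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }
  # AWS-managed core rule set for common web exploits; override_action none keeps its verdicts.
  rule {
    name     = "aws-common-rules"
    priority = 2
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = true
  }
}
# Attach the Web ACL to the ALB so every request is evaluated by WAF before reaching the instance.
resource "aws_wafv2_web_acl_association" "app" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

Also restrict the instance's security group so that only the ALB's security group can reach the application port; otherwise requests can still be sent to the instance directly and skip the WAF entirely.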

This is how you use AWS WAF; it only works in these two scenarios. For an EC2 application it is best to configure an ALB in front of it (even if you have only one instance).

BTW: You might get away with only using the Application Load Balancer (ALB) from AWS; it does more content validity checks than the classic AWS ELB does.

eckes

You need to set up at least an Application Load Balancer to use AWS WAF.

Side note: AWS WAF has a lot of restrictions. For request-count-based blocking you will end up having Lambda scripts to count and update the AWS WAF ruleset. Also, they don't provide WAF logs as far as I know. Try looking at cloud WAF solutions like Sophos.

joseph